
—A—

Active Directory Domain Services, install – the AD DS server role.  The “Active Directory Users and Computers” snap-in (“ADUC”, dsa.msc) that people usually mean when they say “Active Directory” is a management tool that ships with the role’s administration tools (and with RSAT), not the role itself

Server Manager → Manage → Installation Type: Role-based or feature-based installation → Add Roles and Features → Server Selection: leave default (local server) → Server Roles: Check “Active Directory Domain Services”

Active Directory Sites and Services – Open Active Directory Sites and Services (Administrative Tools, from Control Panel).  If you can’t find it listed, run dssite.msc.  The snap-in is only present on Windows Server with the AD DS role or tools installed; on a client OS you need RSAT, see RSAT (Remote Server Administration Tools)

Active Directory, back up info to a file – Active Directory is backed up as part of the System State in the regular Windows system and file backup.  On Windows Server 2003 run “ntbackup” from a command line and, when asked, choose between backing up all the files or just the System State data.  Windows Server 2008 and later no longer include ntbackup; use Windows Server Backup (the wbadmin command-line tool) and back up the System State.  A System State backup contains the directory database with every password hash in the domain, so store it as carefully as you would a domain controller itself.

Active Directory, manage from Windows 8 or other non-server OS – Windows Server Administration Tools Pack - see RSAT (Remote Server Administration Tools)

Advanced Group Policy Management (AGPM) - you must have a license from MS and set up a dedicated server

—B—

back up Active Directory and domain information to a file so you can restore – see Active Directory, back up info to a file

back up domain to a mirrored server – see domain, back up

—C—

compare group policies to each other - see policy analyzer tool

“Could not find any available Global Catalog in forest <yourdomain.net>” – see also Group Policy problem network connectivity

determine which DC your domain members treat as the PDC (the holder of the PDC emulator role; nltest still calls it the PDC)

nltest /dcname:yourdomain

Check whether that PDC is set as a Global Catalog (see domain controller, determine whether it’s set as a global catalog)

verify that the member server servername has a valid secure channel (trust relationship) with the domain

nltest /server:servername /sc_query:yourdomain

should return something like:

Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\dcs2.mydomain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

—D—

dcdiag, failed test frsevent – see frsevent

DHCP servers, get rid of obsolete - see remove old DHCP servers

  1. Start adsiedit.msc
  2. Open the Configuration container
  3. Expand Services
  4. Expand NetServices
  5. On the right-hand side you will find an object named CN=DhcpRoot
  6. Right-click CN=DhcpRoot and then click Properties
  7. Highlight the dhcpServers attribute and click Edit
  8. Select the value that names the obsolete server, click Remove, then OK.  Only the servers listed here count as authorized, so a stale entry for a retired name or address is worth removing rather than leaving behind

directory service on xxx has not finished initializing (during dcdiag)

repadmin /showreps

(lists this DC’s inbound replication partners with the time and result of the last attempt; a DC does not advertise itself until it has completed one successful replication of its writable domain partition from a partner, so look for the partner that is failing)

DNS info

dig utility (from BIND)

nslookup

DNS name servers

From a command line, nslookup.  Its first lines show the name server the client is using.  Then type a fully qualified domain name and it returns the IP address.

Or: Control Panel, Network and Internet Connections, Network Connections, right-click Local Area Connection and select "Properties", highlight "Internet Protocol (TCP/IP)", click Properties
or, see IP Address, find
The DNS server console is dnsmgmt.msc
On a domain controller, C:\WINDOWS\system32\config\netlogon.dns lists the SRV and A records the DC registers for itself (the Netlogon service rewrites it; see DNS problems)

DNS out of date when pinging

Let’s say you’ve recently updated a DNS entry for “bob” on your domain server from 192.168.0.51 to 192.168.0.52

Now, on your client PC, when you

nslookup bob

you get 192.168.0.52 – as expected.  But when you

ping bob

you still get 192.168.0.51.  The two disagree because nslookup sends its own query straight to the DNS server, while ping (like every other application) goes through the DNS Client service, which keeps answers in its resolver cache until their TTL runs out.  Empty the cache:

ipconfig /flushdns

And then ping again.  That should fix it.  If the old address survives a flush, check the client’s hosts file (C:\WINDOWS\system32\drivers\etc\hosts), which overrides DNS.
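Added example, not part of these notes: a PowerShell check (Windows 8 / Server 2012 and later, DnsClient module) that compares the cached answer for a host with a fresh answer from the DNS server and only flushes the cache when they disagree.  The host name bob and the suffix yourdomain.net are assumed from the text above.

```powershell
# Added example (not from the original notes): compare what the local resolver
# cache says about a host with what the DNS server answers right now, and flush
# the cache only when they disagree. Host name and suffix are assumptions.
param(
    [string]$HostName = 'bob',             # assumed host from the text above
    [string]$Domain   = 'yourdomain.net'   # assumed DNS suffix
)

$fqdn = "$HostName.$Domain"

# What ping (and every other application) will use: the cached A records.
$cached = Get-DnsClientCache -Entry $fqdn -Type A -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Data

# What nslookup effectively does: bypass the cache and ask the server directly.
$live = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress

[pscustomobject]@{
    Name   = $fqdn
    Cached = ($cached -join ',')
    Live   = ($live   -join ',')
}

# Flush only when the cache is stale. Clear-DnsClientCache is the cmdlet
# equivalent of "ipconfig /flushdns".
if ($cached -and $live -and (Compare-Object $cached $live)) {
    Write-Warning "Resolver cache for $fqdn is stale; flushing."
    Clear-DnsClientCache
}
elseif ($cached) {
    "Cache and server agree for $fqdn; if ping still shows another address, check the hosts file."
}
```

If the cache is empty the script reports only the live answer; a stale hosts-file entry is the remaining explanation for ping disagreeing with nslookup.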

DNS problems

look in C:\WINDOWS\system32\config\netlogon.dns for anomalies.  Note: editing netlogon.dns (or netlogon.dnb) by hand achieves nothing.  You can delete both, and restarting the Netlogon service recreates them with the same records, because it regenerates them from the DC’s configuration and re-registers them in DNS.

netdiag no longer exists in Windows 7 or Windows Server 2008/2012 (it shipped with the Windows Server 2003 Support Tools), but back in the day it worked OK on any domain member:

netdiag /fix

(or all by itself, without the /fix)

If the machine is a domain controller:

dcdiag /fix

(or all by itself, without the /fix) and

dcdiag /test:registerindns /dnsdomain:domain

or

dcdiag /e /test:DNS

or, to re-register the DC’s own records,

nltest /dsregdns

You could try nslookup.  For instance,

nslookup yourlocalserver.yourdomain.net

or

nslookup someoutsidedomain.com

if success,

Server: yourdomainserver.yourdomain.net
Address: 192.168.0.1
 
Name: yourlocalserver.yourdomain.net
Address: 192.168.0.2

If success on a server with IPv6 (the “Server: Unknown / Address: ::1” lines only mean the DNS client points at the IPv6 loopback address and there is no reverse record for it; they are not the error):

Server: yourdomainserver.yourdomain.net
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
       primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
       responsible mail addr = (root)
       serial = 0
       refresh = 28800 (8 hours)
       expire = 604800 (7 days)
       default TTL = 86400 (1 day)
Server: Unknown
Address: ::1
 
Name: yourlocalserver.yourdomain.net
Address: 192.168.0.2

if problems,

Server: yourdomainserver.yourdomain.net
Address: 192.168.0.1
 
*** yourdomainserver.yourdomain.net can’t find yourlocalserver.yourdomain.net: Non-existent domain

DNS OK but can’t ping – you can sometimes look up outside servers but you can’t ping them.  For instance,

nslookup yourdomainserver

or

nslookup someoutsidedomain.com

work OK but pinging won’t.

Note that the two use different protocols: nslookup talks to the DNS server on UDP/TCP port 53, while ping sends ICMP echo requests, which a host firewall or something in the path may simply drop.  Rule that out first (ping a host you know answers ICMP, and check Windows Firewall) before blaming the NIC.

The following might work:

1. Go to Device Manager.  Disable the NIC, then enable it again.  If this works for a little bit but then the problem returns, consider replacing the NIC.

The following actions did NOT solve this problem:

1. ipconfig /flushdns

2. netsh interface tcp show global

to show the current TCP settings, and then

netsh int tcp set global autotuninglevel=disabled

to change, and

netsh int tcp set global autotuninglevel=normal

to change back

3. net stop dnscache followed by net start dnscache

4. netsh winsock reset catalog (which requires a restart afterwards)

DNS, set up from command line

netsh interface ip add dns name="NIC1" 192.168.0.123

netsh interface ip add dns name="NIC1" 192.168.0.124 index=2

“add dns” appends to whatever servers the interface already has (index=2 makes the second entry the alternate); to replace the existing list, use the “set dns” form of the same command, which clears the list first.

DNS, split – see split DNS here

Documents and Settings directory, change to a different drive – Go to Start > Run > regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.  On the right you will see the ProfilesDirectory value, set to %systemdrive%\Documents and Settings.  Replace %systemdrive% with whichever drive letter you want.

Make sure you create a Documents and Settings folder in the location you specify and that the correct permissions are applied (the same ACLs as the original folder; a profile that other users can read exposes cached credentials, browser data and the like).  You can also change the entire path to "Y:\TerminalS\Stuff\Documents and Settings" or whatever you want.  If you browse the subkeys under ProfileList you will notice that is where information on each profile is kept.  You may need to delete each user’s subkey so their profile is created again at the new location.

Also, if you decide to move an existing profile from one place to the other to keep all its settings, manually copy the folder and then update the ProfileImagePath value for that profile, listed under ProfileList.

Alternatively, on Vista and later, make a junction:

mklink /J "C:\Users\Bob User" "E:\Profiles\Bob User"

On Windows XP/Windows 2000 you can do the same with the Sysinternals Junction tool, which is not part of these OSes and must be downloaded:

junction "C:\Documents and Settings\<original folder name>" "G:\Profiles\<original folder name>"

documents, remove record of most recently used - In Windows XP Professional, the Start menu contains a My Recent Documents folder that contains 15 of your recently used documents.

To remove the record of recently accessed documents:

Right-click Start, click Properties, and then click Customize.

Click the Advanced tab, and then click Clear List. If you're using the Classic Start menu, click Clear.

Clicking Clear List empties the My Recent Documents folder. It doesn’t delete the documents from your computer.

If you don’t want to include anything in the My Recent Documents folder:

On the Advanced tab, click Customize, and then clear the List my most recently opened documents check box.

In Windows XP Home Edition, My Recent Documents is not automatically listed on the Start menu. You can turn on this feature by right-clicking Start, clicking Properties, clicking Customize, and then selecting the List my most recently opened documents check box.

Also MRU-Blaster utility

domain, back up information to a file so you can restore – see Active Directory, back up info to a file

domain, back up to a mirrored server - create an additional domain controller by running dcpromo (the optional /adv switch is only necessary when you want to create a domain controller from restored backup files; it is not required when creating an additional domain controller over the network)

On the Domain Controller Type page, click Additional domain controller for an existing domain

On the Copying Domain Information page, click Over the network

If you get “The operation failed because: The attempt to join this computer to domain mydomain.com failed.  The specified user already exists”, it’s probably because the server you’re trying to make into an additional domain controller was already listed as a domain controller on the domain controller you’re trying to replicate from.  Assuming this new server was broken somehow and you’ve recreated it from the ground up, solve this by deleting the stale domain controller object (the one with the same name, which at one time in the past was a valid alternate domain controller) on the source domain controller: remove it from the Domain Controllers OU and from its site in Active Directory Sites and Services (see domain demotion unsuccessful, remove data in Active Directory after, for the rest of the metadata cleanup).

domain controller, change – see FSMO roles, view and transfer from 2003 or Transferring FSMO Roles

domain controller, determine whether it’s set as a global catalog - see also global catalog servers, list

First way to check: make sure that the Domain Controller is set as a Global Catalog in Active Directory Sites and Services.

From the left side pane, expand Sites > Default-First-Site-Name > Servers

expand the server that you want to check whether it’s a Global Catalog and right Click its NTDS Settings then click on Properties.  You should see its “Global Catalog” checked.

Another way to check: open group policy management console.  This might be a bit more involved since the group policy management console is not installed by default for 2003 servers but must be downloaded and installed.

domain controllers, list of (including which one is primary domain controller)

this will list all the domain controllers and indicate which one is your primary domain controller

nltest /dclist:yourdomain

or this will just list your primary domain controller all by itself

nltest /dcname:yourdomain

Short command to find out all this stuff:

netdom query fsmo

should return something like:

Schema master               yourmainserver.yourdomain.net
Domain naming master        yourmainserver.yourdomain.net
PDC                         yourmainserver.yourdomain.net
RID pool manager            yourmainserver.yourdomain.net
Infrastructure master       yourmainserver.yourdomain.net
The command completed successfully.

To change these, see FSMO roles, view and transfer from 2003 (below).

This will list DCs along with whether they have the global catalog role:

dsquery server -domain yourdomain.com | dsget server -isgc -dnsname

should return something like:

  dnsname               isgc
  ad2.yourdomain.com    yes
  AD1.yourdomain.com    yes
  ad3.yourdomain.com    yes
  ad0.yourdomain.com    yes
dsget succeeded

domain, demote

When I ran

dcdiag /test:connectivity /s:myPDCserver.mydomain.net

I got:

Domain Controller Diagnosis

Performing initial setup:
   [myPDCserver.mydomain.net] LDAP bind failed with error 8341
   A directory service error has occurred

So I decide to demote:

dcpromo /forceremoval

When I re-run

dcdiag /test:connectivity /s:myPDCserver.mydomain.net

OK

domain demotion unsuccessful, remove data in Active Directory after – see here

domain diagnostics –

netdiag /fix (or all by itself without the /fix) for any member of a domain (Windows Server 2003 Support Tools only; see DNS problems)

dcdiag /fix (or all by itself without the /fix) and dcdiag /test:registerindns /dnsdomain:domain if this is a domain controller

gpotool (Group Policy verification tool from the Windows Server 2003 Resource Kit; checks that each GPO is consistent across the DCs)

nltest /dclist:yourdomain

or, which Active Directory site this machine has been assigned to (for the domain itself, see domain, which domain does this machine belong to)

nltest /dsgetsite

Domain Functional Level using PowerShell

Get-ADDomain | fl Name, DomainMode

domain, join -

First I tried the following from here:

netdom /domain:<domain name> /user:adminuser /password:apassword MEMBER MYCOMPUTER /JOINDOMAIN

returned

parameter domain was unexpected

this one

netdom add <computername> /domain:<domain name> /UserD:<domain admin> /PasswordD:<password>

succeeds in doing something, but it didn't really seem to add the machine to the domain because

nltest /dsgetsite

failed with

Getting DC name failed: status = 1919 0x77f ERROR_NO_SITENAME

This works

netdom join <computername> /domain:<domain name> /UserD:<domain admin> /PasswordD:<password>

If you get

The specified domain either does not exist or could not be contacted

then look at DNS on the machine you are joining: its DNS server must be able to answer the _ldap._tcp.dc._msdcs.<domain name> SRV query, which is how the joiner finds a domain controller.  A client pointed at an ISP or home-router DNS server can’t join, however reachable the DC is by IP address.

In PowerShell the equivalent of netdom join is

Add-Computer

(with -DomainName and -Credential; it prompts for the password instead of taking it on the command line, which is preferable to netdom’s /PasswordD:<password>, since that ends up in the command history and in process listings).

After the join, to give a domain user administrator rights on the machine (a separate step, not part of joining; this is a cmd-style command that also works from PowerShell):

net localgroup administrators <DomainName>\<UserName> /add
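Added example, not from the original notes: a PowerShell join that runs the DNS pre-flight described above before calling Add-Computer, prompts for the credential instead of taking a password on the command line, and puts the computer object into a chosen OU.  The domain yourdomain.net and the OU path are assumptions.  Run it elevated.

```powershell
# Added example (not from the original notes): join this machine with
# Add-Computer, with the DNS pre-flight that explains "The specified domain
# either does not exist or could not be contacted". Domain and OU are
# assumptions. Run elevated.
param(
    [string]$Domain  = 'yourdomain.net',                        # assumed
    [string]$OUPath  = 'OU=Workstations,DC=yourdomain,DC=net',  # assumed target OU
    [string]$NewName                                            # optional rename during join
)

# 1. A joiner finds DCs through this SRV record. If the client's DNS server
#    cannot answer it, the join fails before any credentials are even used.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses -join ','
    throw "No _ldap._tcp.dc._msdcs.$Domain SRV records from DNS server(s) $dnsServers; fix the DNS client settings first."
}
"DCs advertised for ${Domain}: $(($srv.NameTarget | Sort-Object -Unique) -join ', ')"

# 2. Join. The credential is prompted for, never passed on the command line.
#    -OUPath places the computer object where your GPOs expect it instead of
#    the default Computers container.
$cred = Get-Credential -Message "Account allowed to join computers to $Domain"
$join = @{ DomainName = $Domain; Credential = $cred; OUPath = $OUPath; PassThru = $true }
if ($NewName) { $join.NewName = $NewName }
$result = Add-Computer @join
$result | Format-List ComputerName, HasSucceeded

# 3. The join only takes effect after a reboot; verify the secure channel then.
if ($result.HasSucceeded) {
    "Join succeeded. Reboot, then verify with: Test-ComputerSecureChannel -Verbose ; nltest /sc_query:$Domain"
}
```

Add-Computer needs the same rights netdom join does: the credential must be allowed to create (or reuse) the computer object in the target OU, and the machine must reach a DC on the usual ports.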

domain, rename – see Windows Server 2003 Active Directory Domain Rename Tools (a detailed, 81-page Word document)

Before you do this, rename the computer name of the server itself which hosts the domain to its new domain name.  Although they touch on this on page 14, they never actually mention renaming the computer name itself.  Seems obvious in retrospect…

After you do this, download and install the Group Policy Management Console add in – especially if you get “Windows cannot bind to olddomain.com domain. (Local Error). Group Policy processing aborted.” (event ID 1006) errors every 5 minutes in the event viewer.  Again, this is something I didn’t see addressed in pages 57-67.

domain, which domain does this machine belong to

nltest /dsgetdc:

(with nothing after the colon it locates a DC for the machine’s own domain; the Dom Name line is the domain.  nltest /dsgetsite, by contrast, only reports the Active Directory site the machine has been assigned to.)  systeminfo also prints a Domain line.

short version (NetBIOS): the <00> GROUP entry in the local name table is the NetBIOS domain (or workgroup) name

nbtstat -n

—E—

—F—

Forest Functional Level using PowerShell

Get-ADForest | fl Name, ForestMode

FrsEvent, failed test – you might see this when running dcdiag.  It means the File Replication Service (which replicates SYSVOL on Windows 2000/2003-era domains) has logged errors recently.  On domains that have migrated SYSVOL to DFS Replication, FRS no longer runs and the DFSREvent test is the one that matters.

This puts some info (FRS’s replica sets and partners) to a file.  What to do with it?  Not sure.

ntfrsutl ds > somefile.txt

Since FRS depends on finding its partners, try testing DNS:

dcdiag /test:DNS

FSMO roles, view and transfer from 2003 (from a Microsoft KB article).  These steps transfer a role, which requires the current holder to be online.  Seizing a role from a holder that is permanently gone is a different operation (ntdsutil), after which the old holder must never be put back on the network.  You need to be in Schema Admins to move the schema master, Enterprise Admins for the domain naming master and Domain Admins for the other three.

Short command to find out all this stuff:

netdom query fsmo

should return something like:

Schema master               yourmainserver.yourdomain.net
Domain naming master        yourmainserver.yourdomain.net
PDC                         yourmainserver.yourdomain.net
RID pool manager            yourmainserver.yourdomain.net
Infrastructure master       yourmainserver.yourdomain.net
The command completed successfully.

Transfer the Schema Master Role

Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll

Click Start, and then click Run.

Type regsvr32 schmmgmt.dll in the Open box, and then click OK.

Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

Click Start, click Run, type mmc in the Open box, and then click OK.

On the File, menu click Add/Remove Snap-in.

Click Add.

Click Active Directory Schema, click Add, click Close, and then click OK.

In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.

Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.

In the console tree, right-click Active Directory Schema, and then click Operations Master.

Click Change.

Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

Do one of the following:

In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

-or-

In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

Click Change.

Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.

NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

Do one of the following:

In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

-or-

In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.

Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.

Click OK to confirm that you want to transfer the role, and then click Close.
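Added example, not from the original notes: the PowerShell equivalent (ActiveDirectory module, Windows Server 2008 R2 and later) of the three snap-in procedures above.  It shows the current holders the way netdom query fsmo does, transfers the chosen roles, and shows them again.  The target DC name is an assumption; -Seize maps to the cmdlet’s -Force and is only for a holder that is gone for good.

```powershell
# Added example (not from the original notes): view and transfer FSMO roles
# with the ActiveDirectory module. Target DC name is an assumption. Group
# membership needed: Schema Admins for SchemaMaster, Enterprise Admins for
# DomainNamingMaster, Domain Admins for PDCEmulator/RIDMaster/InfrastructureMaster.
param(
    [string]$Target  = 'newdc.yourdomain.net',   # assumed new role holder
    [string[]]$Roles = @('PDCEmulator'),          # any of: SchemaMaster, DomainNamingMaster,
                                                  # PDCEmulator, RIDMaster, InfrastructureMaster
    [switch]$Seize                                # ONLY when the current holder is gone for good
)
Import-Module ActiveDirectory

function Show-FsmoHolders {
    # Same information as "netdom query fsmo", from the forest and domain objects.
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

"Before:"
Show-FsmoHolders | Format-List

# A transfer contacts the current holder, so it must be online.
# -Force seizes instead: the role owner is rewritten without the old holder's
# consent, so never bring a seized-from DC back online or you have two holders.
$splat = @{ Identity = $Target; OperationMasterRole = $Roles; Confirm = $true }
if ($Seize) { $splat.Force = $true }
Move-ADDirectoryServerOperationMasterRole @splat

"After:"
Show-FsmoHolders | Format-List
```

Confirm is left on deliberately so the transfer is acknowledged role by role; add -WhatIf to the splat to rehearse it.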

fully qualified domain name, can’t resolve – try netsh int ip reset reset.log.  This rewrites the TCP/IP configuration back to defaults, so after the required reboot you will have to re-enter any static IP address, DNS server and gateway settings.  This may or may not help.

—G—

global catalog servers, list -

from PowerShell prompt:

Get-ADForest yourdomain.com | FL GlobalCatalogs

should return something like:

GlobalCatalogs : {ad2.yourdomain.com, od1.subdomain.colo, od2.subdomain.colo, AD1.yourdomain...}

or, from command prompt (gc._msdcs lives under the forest root domain; %USERDNSDOMAIN% is the domain of the logged-on user, which is the same thing only in a single-domain forest):

nslookup gc._msdcs.%USERDNSDOMAIN%

should return something like:

Addresses: 192.168.0.11
   192.168.0.10
   192.168.0.13
   192.168.0.15

which, unfortunately, does not include the server names

or, from the command prompt

nslookup

Set the query type to SRV.

>set type=srv

Find the Global Catalog Server(s).

>_gc._tcp.<DnsForestName>

Example:

>_gc._tcp.yourdomain.com

This will list a bunch of stuff:

Server: ad1.yourdomain.com
Address: 192.168.0.11

_gc._tcp.yourdomain.com SRV service location:
   priority       = 0
   weight         = 100
   port           = 3268
   svr hostname   = bk3.subdomain.colo
_gc._tcp.yourdomain.com SRV service location:
   priority       = 0
   weight         = 100
   port           = 3268
   svr hostname   = ad3.yourdomain.com
bk3.subdomain.colo      internet address = 192.168.100.172
ad3.yourdomain.com      internet address = 192.168.0.18

to me, this last listing is better than the 1st two

or, from command prompt:

dsquery server -domain yourdomain.com | dsget server -isgc -dnsname

this lists all your domain controllers along with the isgc

  dnsname               isgc
  ad2.yourdomain.com    yes
  AD1.yourdomain.com    yes
  ad3.yourdomain.com    yes
  ad0.yourdomain.com    yes
dsget succeeded
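Added example, not from the original notes: one PowerShell script that covers this entry and domain controllers, list of above, using the ActiveDirectory module.  It lists every DC in the forest with its GC flag and FSMO roles, then cross-checks the _gc._tcp SRV records in DNS against what AD says.  A host advertised in DNS that is not a GC (or not a DC at all) is a stale record that sends clients to whatever now owns that name.  The forest name is read from AD; nothing else is assumed.

```powershell
# Added example (not from the original notes): list DCs with GC flag and FSMO
# roles, then cross-check DNS's _gc._tcp SRV records against AD's own view.
# Requires RSAT / the ActiveDirectory module; run as a domain user.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain          # _gc._tcp SRV records live under the forest root

# AD's view: one row per DC, across every domain in the forest.
$dcs = foreach ($dom in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $dom |
        Select-Object HostName, Domain, Site, IsGlobalCatalog,
            @{ n = 'FsmoRoles'; e = { $_.OperationMasterRoles -join ',' } }
}
$dcs | Sort-Object Domain, HostName | Format-Table -AutoSize

# DNS's view: which hosts advertise the GC service (LDAP on port 3268)?
$srvTargets = Resolve-DnsName -Name "_gc._tcp.$root" -Type SRV -DnsOnly -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget |
    Sort-Object -Unique

$adGc = $dcs | Where-Object { $_.IsGlobalCatalog } | Select-Object -ExpandProperty HostName

# Stale: advertised in DNS, but not a GC (or not a DC at all) according to AD.
$stale   = $srvTargets | Where-Object { $adGc -notcontains $_ }
# Missing: a GC in AD that DNS does not advertise, so clients cannot find it.
$missing = $adGc | Where-Object { $srvTargets -notcontains $_ }

if ($stale)   { Write-Warning "_gc._tcp.$root advertises hosts AD does not list as GCs: $($stale -join ', ')" }
if ($missing) { Write-Warning "GCs in AD with no _gc._tcp SRV record: $($missing -join ', ')" }
if (-not $stale -and -not $missing) {
    "DNS and AD agree on $(@($adGc).Count) global catalog(s) in $root."
}
```

A stale entry usually means a DC was removed without metadata cleanup (see domain demotion unsuccessful, remove data in Active Directory after); delete the orphaned SRV record from the _msdcs zone once the object is gone from AD.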

group policies, compare to each other - see policy analyzer tool

group policy editor (local) (not to be confused with the more global Active Directory group policy management console) - immediately below - see also Advanced Group Policy Management (AGPM)

gpedit.msc

which brings up the GUI

To instead see the results displayed in the command console

gpresult /R

group policy hierarchy

group policies with at least one link

Group Policy Management → Forest → Domains → your domain → right-click → Search… → this action will bring up the Search for Group Policy Objects dialog box.

Click the Search Item dropdown and select GPO-links.  This search item finds GPOs that are linked to an OU.  Change the Condition dropdown to Exist In and the value to your domain.

When you’re done, click Add to add the criteria.  It will show up under the All search criteria section; then click Search.

group policy management console (for all of active directory) (not to be confused with the complementary local group policy management editor) immediately above

to run:

gpmc.msc

On older systems, it's not automatically installed. And even on newer systems, I usually have to install RSAT first before it's available.

group policy problem

Windows cannot bind to yourcompany.com domain. (Local Error). Group Policy processing aborted. – check the DNS client settings on every DC and client first, using this arrangement:

the PDCe points to itself, and itself only, for DNS

replica DCs point to the PDCe as preferred and to themselves as alternate (for simple standardization)

clients in the site with the PDCe point to the PDCe as preferred DNS, and to replicas as alternates

clients in remote sites point to their local DC for DNS, and to other DCs as alternates

Search through the registry for yourcompany.com entries.

Once you think you’ve fixed everything, run gpupdate /force and look in the event viewer to see whether you really fixed anything.  gpresult might also yield clues.

What finally cleared it for me was by downloading and installing the Group Policy Management Console add in.  Once I did that, a bad Group Policy object stood out under my domain.  I deleted it and created a new one and finally the problem went away.

Other hints at EventID.net
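Added example, not from the original notes: a PowerShell audit of the DNS client arrangement above.  It reads the PDCe and every DC from AD, works out the expected DNS server list for each DC under that rule, fetches the actual list over CIM/WinRM, and reports mismatches.  It assumes the ActiveDirectory module and WinRM access to each DC; adjust the expected-list rule if your site follows a different one.

```powershell
# Added example (not from the original notes): check every DC's DNS client
# list against the rule above (PDCe lists only itself; other DCs list the PDCe
# first and themselves second). Assumes the ActiveDirectory module and WinRM
# access to each DC.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdce   = Get-ADDomainController -Identity $domain.PDCEmulator
$dcs    = Get-ADDomainController -Filter *

foreach ($dc in $dcs) {
    $isPdce = ($dc.HostName -eq $pdce.HostName)

    # Expected list for this DC, as IPv4 addresses, under the rule above.
    $expected = if ($isPdce) { @($pdce.IPv4Address) } else { @($pdce.IPv4Address, $dc.IPv4Address) }

    # Actual list, read remotely: first IPv4 interface that has any servers set.
    try {
        $sess   = New-CimSession -ComputerName $dc.HostName -ErrorAction Stop
        $actual = Get-DnsClientServerAddress -CimSession $sess -AddressFamily IPv4 |
                  Where-Object { $_.ServerAddresses } |
                  Select-Object -First 1 -ExpandProperty ServerAddresses
        Remove-CimSession $sess
    } catch {
        Write-Warning "$($dc.HostName): cannot read DNS client settings ($($_.Exception.Message))"
        continue
    }

    # Treat 127.0.0.1 as "itself" so either way of pointing at self matches.
    $actual = @($actual | ForEach-Object { if ($_ -eq '127.0.0.1') { $dc.IPv4Address } else { $_ } })

    [pscustomobject]@{
        DC       = $dc.HostName
        IsPDCe   = $isPdce
        Expected = ($expected -join ',')
        Actual   = ($actual   -join ',')
        Matches  = (($expected -join ',') -eq ($actual -join ','))
    }
}
```

Order matters in the comparison on purpose: a DC whose alternate is listed first will keep working until the preferred server is down, which is exactly when the difference shows.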

Group Policy Object Editor from Active Directory Users and Computers (Windows Server 2003 without GPMC; once the Group Policy Management Console is installed, the Group Policy tab is replaced by a button that opens GPMC)

  1. Open Active Directory Users and Computers
  2. In the console tree, right-click the domain or organizational unit for which you want to set Group Policy
  3. Click Properties, and then click the Group Policy tab
  4. Do one of the following:

Group Policy problem network connectivity – “The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.” – event ID 1129 – even though you can ping the domain controller

First, verify problem by running the following command at the command line

gpupdate

You might see the same problem.  But you might also get a generic:

Refreshing policy...

User Policy Refresh has completed
Computer Policy Refresh has completed.

To check for errors in policy processing, review the event log.

Run

netdiag

or

dcdiag

Pay particular attention to the DNS test.  Once, I ran netdiag on the problem machine and saw:

DNS test . . . . . . . . . . . . : Failed
    [WARNING] The DNS entries for the DC are not registered correctly on DNS server ‘192.168.0.1’ and other DCs also have some of the names registered.
    [WARNING] The DNS entries for the DC are not registered correctly on DNS server ‘192.168.0.1’ and other DCs also have some of the names registered.

    [FATAL] No DNS servers have the DNS records for this DC registered

on the problem server.  But on another server (which was not having problems) I found no problems whatsoever

DNS test . . . . . . . . . . . . : Passed
    PASS – All the DNS entries for the DC are registered on DNS server ‘192.168.0.1’.  Please wait 30 minutes for DNS server replication.
    PASS – All the DNS entries for the DC are registered on DNS server ‘192.168.0.2’ and other DCs also have some of the names registered.

So that was curious.  Running

netdiag /fix

did not fix this problem.

Follow it up with

dcdiag /test:connectivity /s:myPDCserver.mydomain.net

I got:

Domain Controller Diagnosis

Performing initial setup:
   [myPDCserver.mydomain.net] LDAP bind failed with error 8341
   A directory service error has occurred

Determine which DC in your domain computers are looking to as the PDC (Primary Domain Controller)

nltest /dcname:yourdomain

Check to see whether your PDC – as determined from the step above – is set as a Global Catalog (see domain controller, determine whether it’s set as a global catalog) - see also global catalog servers, list

Then try:

nltest /sc_query:yourdomain

or, more specifically

nltest /server:servername /sc_query:yourdomain

If no problems, you should get something like:

Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\yourPDC.yourdomain.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

If problems:

Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

Then try (from an elevated administrator command prompt):

nltest /sc_verify:yourdomain

If no problems, you should get something like:

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\yourPDC.yourdomain.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

If problems:

Flags: 80
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
Trust Verification Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

If /sc_verify fails (or you want the secure channel rebuilt anyway), run

nltest /sc_reset:yourdomain

should return something like

Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\yourPDC.yourdomain.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

To determine the cause of trust relationship problems

1. Log on with a local account.

2. Turn on Net Logon debug logging with the Nltest tool:

nltest /dbflag:0x2000ffff

3. Run nltest as follows:

nltest /sc_reset:yourdomain

%windir%\debug\netlogon.log explains why the secure channel setup is not possible.  One possible reason is that SYSVOL isn’t ready on the domain controller.  By examining netlogon.log you can find a line like:

08/30 10:15:19 [MAILSLOT] Returning paused to 'Reskit1' since: SysVol not ready

Turn the debug flag back off afterwards (nltest /dbflag:0x0): the log grows quickly and records account and computer names.
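Added example, not from the original notes: the steps of this entry (and of “Could not find any available Global Catalog” above) as one PowerShell script.  It finds the DC the locator returns, checks the ports a secure channel needs, runs the nltest query, and, only when asked, repairs the channel with Test-ComputerSecureChannel -Repair, the supported replacement for netdom resetpwd.  The domain name is an assumption; run it elevated on the affected member.

```powershell
# Added example (not from the original notes): diagnose and optionally repair
# a member's secure channel. Domain name is an assumption. Run elevated.
param(
    [string]$Domain = 'yourdomain.net',   # assumed
    [switch]$Repair                       # nothing is changed unless this is given
)

# Ports a secure channel setup needs: RPC endpoint mapper, Kerberos, LDAP, SMB.
$ports = @{ RPC = 135; Kerberos = 88; LDAP = 389; SMB = 445 }

# 1. Which DC does the DC locator pick for this domain? (.NET call, no RSAT needed.)
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
$dc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindDomainController()
"Locator returned DC: $($dc.Name) (site $($dc.SiteName))"

# 2. Reachability per port. ERROR_NO_LOGON_SERVERS with a DC that pings fine
#    is usually one of these being filtered.
$closed = foreach ($p in $ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $dc.Name -Port $p.Value -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { "$($p.Key)/$($p.Value)" }
}
if ($closed) { Write-Warning "Ports not reachable on $($dc.Name): $($closed -join ', ')" }

# 3. Is the existing secure channel healthy? (PowerShell's view.)
$ok = Test-ComputerSecureChannel -Server $dc.Name -Verbose
"Secure channel to $($dc.Name): $ok"

# 4. nltest's view, since its Status line is what the text above shows.
nltest "/sc_query:$Domain" 2>&1 | Where-Object { $_ -match 'Trusted DC|Status' }

# 5. Repair only on request. This resets the machine account password on the
#    member and on the DC in one step (what netdom resetpwd did). The credential
#    must be allowed to reset the computer object's password; it is prompted for,
#    never passed on the command line.
if (-not $ok -and $Repair) {
    $cred = Get-Credential -Message "Account allowed to reset $env:COMPUTERNAME`$ in $Domain"
    Test-ComputerSecureChannel -Repair -Server $dc.Name -Credential $cred
}
```

If step 2 shows closed ports, fix the network or firewall first: a repair cannot succeed over the same blocked ports, and repeated failed resets only add noise to the DC’s security log.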

—H—

—I—

In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with at least one replica of this server's writeable domain. (in DCDIAG results)

repadmin /showreps

IP address, find -

for XP, Windows 2000, Windows 7 and later - “ipconfig /all” from a command prompt

for Win9x - type “winipcfg” at the Start > Run line - only works in Win9x, not XP or Windows 2000

a winipcfg-style GUI for XP - see utilities, Doug Knox or Microsoft's site

or

netsh interface ip show config

IP address, configure from command line

netsh interface ip show config

The following command configures the interface named Local Area Connection with the static IP address 192.168.0.100, the subnet mask 255.255.255.0 and a default gateway of 192.168.0.1 (the trailing 1 is the gateway metric):

netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1 1

to set up DNS

netsh interface ip add dns name="NIC1" 192.168.0.123

netsh interface ip add dns name="NIC1" 192.168.0.124 index=2
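Added example, not from the original notes: the NetTCPIP/DnsClient cmdlet equivalent (Windows 8 / Server 2012 and later) of the netsh commands in this entry and in DNS, set up from command line.  It is written to be re-runnable: it clears DHCP and any previous static address before applying the new one, replaces the DNS list rather than appending to it, and prints what the stack actually ended up with.  Interface alias and addresses are the assumed values from the text.  Run it elevated.

```powershell
# Added example (not from the original notes): static IPv4 address, gateway and
# DNS servers with the NetTCPIP/DnsClient cmdlets. Values are assumptions from
# the text above. Run elevated.
param(
    [string]$Alias     = 'NIC1',
    [string]$IP        = '192.168.0.100',
    [int]$Prefix       = 24,                # 255.255.255.0
    [string]$Gateway   = '192.168.0.1',
    [string[]]$Dns     = @('192.168.0.123', '192.168.0.124')   # first = preferred
)

$nic = Get-NetAdapter -Name $Alias -ErrorAction Stop

# Static addressing: turn off DHCP and remove any previous IPv4 address and
# default route so the script is repeatable instead of failing with
# "object already exists".
Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $IP -PrefixLength $Prefix -DefaultGateway $Gateway |
    Out-Null

# DNS: unlike "netsh interface ip add dns", this REPLACES the list, so the
# order given here is the resolver order.
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Dns

# Verify what the stack actually ended up with.
Get-NetIPConfiguration -InterfaceAlias $Alias |
    Select-Object InterfaceAlias,
        @{ n = 'IPv4';    e = { $_.IPv4Address.IPAddress -join ',' } },
        @{ n = 'Gateway'; e = { $_.IPv4DefaultGateway.NextHop } },
        @{ n = 'DNS';     e = { $_.DNSServer.ServerAddresses -join ',' } }
```

Pointing a domain member at a DNS server that cannot resolve the domain’s _msdcs records is the single most common cause of the join and Group Policy errors elsewhere on this page, so the DNS list here should be the domain’s DNS servers, not the router.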

—J—

—K—

KDC (Key Distribution Center) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate (event ID 29)

You could start by running

certutil -dcinfo verify

from a command line which should return a list of certificate details for all your domain controllers.

Or for a GUI, run pkiview.msc (the Enterprise PKI snap-in).

Microsoft suggested barging ahead and removing certificates willy-nilly before verifying using the “certutil -dcinfo verify” at the end of their article.  But I tried that command at the beginning and nothing seemed amiss.  So why would I delete them if nothing’s wrong?

One thing I did notice was when I went into Server Manager/Active Directory Certificate Services/Certificate Templates that it said they were all bad and gave me a choice to fix.  So I did.
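Added example, not from the original notes: a PowerShell pass over the local machine store that does for one DC what certutil -dcinfo verify does for all of them.  It finds certificates carrying the KDC Authentication EKU (1.3.6.1.5.2.3.5) or the older Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2) and checks that each has a private key, is in date and chains to a trusted root (Test-Certificate, PKI module, Windows 8 / Server 2012 and later).  The OIDs are Microsoft’s; run it on each DC.

```powershell
# Added example (not from the original notes): find the certificate(s) a DC
# can use as KDC certificate and check whether each is actually usable.
$kdcEku = '1.3.6.1.5.2.3.5'            # KDC Authentication
$scEku  = '1.3.6.1.4.1.311.20.2.2'     # Smart Card Logon (older DC templates)
$now    = Get-Date

function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # All EKU OIDs on the certificate (empty if it has no EKU extension).
    $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
}

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ekus = @(Get-EkuOids $_)
    ($ekus -contains $kdcEku) -or ($ekus -contains $scEku)
}

if (-not $candidates) {
    Write-Warning "No certificate with the KDC Authentication or Smart Card Logon EKU in LocalMachine\My; enroll one (Kerberos Authentication template)."
}

foreach ($c in $candidates) {
    # Test-Certificate builds and validates the chain, revocation included,
    # which is what "could not be verified" in the event refers to.
    $chainOk = [bool](Test-Certificate -Cert $c -Policy BASE -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        HasKey     = $c.HasPrivateKey
        ChainOK    = $chainOk
        Usable     = ($c.NotAfter -gt $now -and $c.HasPrivateKey -and $chainOk)
    }
}
```

A certificate that shows ChainOK false while the CA is healthy usually means the CRL distribution point is unreachable from the DC; that is worth fixing before re-enrolling, since a new certificate from the same CA will fail the same check.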

Kerberos client received a KRB_AP_ERR_MODIFIED error from the server MYPC$. The target name used was cifs/MYPC.yourdomain.net.  This indicates that the target server failed to decrypt the ticket provided by the client.” – event ID 4 coupled with “The session setup from the computer MYPC failed to authenticate. The name(s) of the account(s) referenced in the security database is MYPC$.  The following error occurred: Access is denied.” – event ID 5722

This only appears for one client in the domain. I tried lots of things

nltest /sc_query:yourdomain

from the client results in

Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED

The command completed successfully

So obviously something’s wrong.  And only with this client; other clients return

Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\2ndof2servers.yourdomain.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

With no problem.  So what’s wrong?  I try a specific domain server:

nltest /sc_query:yourdomain /server:1stof2servers

from the client results in

Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\2ndof2servers.yourdomain.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Huh?  If I specify a server, it’s happy?  But if I specify another domain server (which is actually the PDC)

nltest /sc_query:yourdomain /server:2ndof2servers

from the client I get

I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

So it’s OK with one server but not the other.  Strange and inexplicable, but I get the same result from any other, normal client on the network.  So this was not much help.

Creating a new SID on the client machine using NewSID.exe failed with “NewSID was unable to change the computer’s SID”

Resetting the machine account in the ADUC GUI on the domain server did nothing.  Only later did I find out that “You cannot change the machine account password by using the Active Directory Users and Computers snap-in, but you can reset the password by using the Netdom.exe tool.”

Use the Netdom.exe tool to reset the account password

The Netdom.exe tool resets the account password on the computer locally (known as a "local secret") and writes this change to the computer's computer account object on a Windows domain controller that resides in the same domain. Simultaneously writing the new password to both places ensures that at least the two computers involved in the operation are synchronized, and starts Active Directory replication so that other domain controllers receive the change.

You must run the tool locally, from the Windows-based computer whose password you want to change. Additionally, you must have administrative permissions locally and on the computer account's object in Active Directory to run Netdom.exe.

Remove the Kerberos ticket cache on the domain controller (or local PC?) where you receive the errors.

klist

To show the cache.  I notice I see other PCs trying to connect to my little client.  Can’t figure out why.  It’s not as if I’m running this on a domain controller.  Anyway, I proceed to purge.

klist purge

To purge.  Then

netdom resetpwd /s:myserver /ud:mydomain\administrator /pd:*

where “myserver” in this case is the domain server and “administrator” is the user who has rights.  ’Course, this didn’t work ’cause netdom is deprecated in Windows 7!

C:\>netdom resetpwd /s:myserver /ud:mydomain\administrator /pd:*
'netdom' is not recognized as an internal or external command,
operable program or batch file.

So let’s try one of its replacements:

Test-ComputerSecureChannel -repair

Which I have to run in PowerShell instead of a DOS window.  Well that didn’t go so well

PS C:\Users\carol> Test-ComputerSecureChannel -repair

Test-ComputerSecureChannel : This command cannot be executed on target computer('MYPC') due to following error: Access is denied.
At line:1 char:27
+ Test-ComputerSecureChannel <<<<  -repair
    + CategoryInfo          : InvalidOperation: (MYPC:String) [Test-ComputerSecureChannel], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.TestComputerSecureChannelCommand

Even though I was running as administrator.  This seems to work inconsistently on different machines.  On one machine where I don’t have any problems, I started PowerShell as administrator.  Or at least I thought I did.  But there was no hesitation or blacked-out screen asking if I really wanted to run this.  And it failed.  Next time I tried on that same machine, it did hesitate and ask me if I really wanted to run, and the command worked:

PS C:\Windows\system32> Test-ComputerSecureChannel -repair
True

But on the problem PC, PowerShell always came up right away without that hesitation and asking if I really wanted to run no matter how many times I tried to run as administrator.  And it always came up with the same error message.  Even if I log on as an administrator, same result.  However for both machines when I try

PS C:\Windows\system32> Test-ComputerSecureChannel -confirm

I get

Confirm
Are you sure you want to perform this action?
Performing operation "Test-ComputerSecureChannel" on Target "MYPC".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
True

The last thing I tried is probably the first thing I should have tried: simply remove the PC from the domain and then add it back again.  ‘Course, for this to work, you need to activate the invisible local administrator ID and know its password.
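The repair sequence above (test the channel, reset the machine account password, purge stale Kerberos tickets, re-test), wrapped in a script that first checks the session is actually elevated, since an un-elevated "administrator" window is what produced the "Access is denied" result. This is an added example, not code from the original notes; it assumes PowerShell 3.0 or later, and MYSERVER / MYDOMAIN are placeholders for your domain controller and domain.

```powershell
# Added example: check elevation first, then test the secure channel and only
# reset the machine account password when the test fails. Assumes PowerShell 3.0+.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Repair-MachineSecureChannel {
    param(
        [Parameter(Mandatory)][string]$Server,            # DC that receives the new password
        [Parameter(Mandatory)][pscredential]$Credential   # account with rights on the computer object
    )
    if (-not (Test-IsElevated)) {
        # This is the state the notes describe: no UAC prompt appeared, so the
        # window is not elevated and the repair will fail with "Access is denied".
        throw "Not elevated: start PowerShell with 'Run as administrator' (the UAC prompt must appear)."
    }

    # Step 1: non-destructive test against the named DC.
    if (Test-ComputerSecureChannel -Server $Server -Credential $Credential) {
        Write-Output "Secure channel to $Server is healthy; nothing to repair."
        return $true
    }

    # Step 2: the test failed, so reset the local secret and the computer object's
    # password on $Server in one operation (the PowerShell equivalent of netdom resetpwd).
    Write-Warning "Secure channel broken; resetting the machine account password via $Server."
    Reset-ComputerMachinePassword -Server $Server -Credential $Credential

    # Step 3: drop cached Kerberos tickets that were issued under the old secret.
    klist purge | Out-Null

    # Step 4: verify the result; if this still fails, leave and rejoin the domain.
    $ok = Test-ComputerSecureChannel -Server $Server -Credential $Credential
    if (-not $ok) { Write-Warning "Repair failed; fall back to removing the PC from the domain and rejoining." }
    return $ok
}

# Usage (placeholders MYDOMAIN / MYSERVER; prompts for the account's password):
$cred = Get-Credential 'MYDOMAIN\administrator'
Repair-MachineSecureChannel -Server 'MYSERVER' -Credential $cred
```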

Key Distribution Center (KDC) cannot find a suitable certificate – see KDC (Key Distribution Center) cannot find a suitable certificate

—L—

local group policy – see group policy editor (local)

gpedit.msc

local security policy

secpol.msc

local users and groups

lusrmgr.msc

—M—

multiple accounts with name xxx@yourdomain.net of type DS_USER_PRINCIPAL_NAME – try

ldifde -f check_UPN.txt -d "dc=yourdomain,dc=net"

or, searching the whole forest through the Global Catalog port with an LDAP filter on the UPN,

ldifde -f check_UPN.txt -t 3268 -d "" -l userPrincipalName -r "(userPrincipalName=xxx@yourdomain.net)" -p subtree

"Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again." – especially when trying to join a PC to a domain

best: disconnect the Ethernet cable, reboot, stick the cable in and try again

not so good: from a command prompt, type: net use * /del – this isn’t enough.  But it does seem to find and kill some connections.  This command removes any mappings/connections that were statically made on the workstation to the server. Use login scripts to map drives, including /persistent:no at the end of the net use command, so they won't be cached.

—N—

name of the computer you're on - see also rename computer

hostname

name of the domain you're on -

systeminfo | findstr /B /C:Domain

or, of course, just

systeminfo

and look for the domain name

name servers (DNS) – see IP Address, find

nbtstat

Displays the names registered locally by NetBIOS applications such as the server and redirector.  The output of this is a little strange.  Once, I was looking for duplicate IPs.  I ran the above command per the error message’s suggestion

nbtstat -n

and got:

Local Area Connection 2:
Node IpAddress: [192.168.254.206] Scope Id: []
 
                NetBIOS Local Name Table
 
       Name          Type     Status
    ------------------------------------
    MAIL3     <00>  UNIQUE  Registered
    MYDOMAIN  <00>  GROUP   Registered
    MYDOMAIN  <1C>  GROUP   Registered
    MAIL3     <20>  UNIQUE  Registered
 
Local Area Connection:
Node IpAddress: [192.168.254.6] Scope Id: []
 
                NetBIOS Local Name Table
 
       Name          Type     Status
    ------------------------------------
    MAIL3     <00>  UNIQUE  Registered
    MYDOMAIN  <00>  GROUP   Registered
    MYDOMAIN  <1C>  GROUP   Registered
    MAIL3     <20>  UNIQUE  Registered

Other variants on this command are

nbtstat -r

Which gives similar output

    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------
 
    Resolved By Broadcast     = 1860
    Resolved By Name Server   = 0
 
    Registered By Broadcast   = 8
    Registered By Name Server = 0
 
    NetBIOS Names Resolved By Broadcast
---------------------------------------
           TIMBXP         <00>
           THEZDRIVE
           THEZDRIVE
           BRAD-PC        <00>
           TIMBXP         <00>
           TANNER-WIN7    <00>
           THEZDRIVE
           THEZDRIVE

As you can see, there are at least a couple of apparent duplicates.  So I focus on 000000C55FBE.  I pinged, and it resolved to

Pinging TIMBXP [192.168.0.90] with 32 bytes of data:

Reply from 192.168.0.90: bytes=32 time=1ms TTL=64

I recognize it as a PC and unplug its Ethernet, and run “nbtstat -n” again and get the same thing!  So it appears to simply hold a stash of recently resolved requests.  Whether or not the devices are still present seems irrelevant.  Also, just ‘cause you see an entry there twice doesn’t mean there really are two such or any duplicate.  It probably means the same device made 2 inquiries recently.

Then there’s

nbtstat -c

option shows the contents of the NetBIOS name cache, which contains NetBIOS name-to-IP address mappings.  It gives something like this:

Local Area Connection 2:
Node IpAddress: [192.168.0.206] Scope Id: []
 
                  NetBIOS Remote Cache Name Table
 
        Name              Type  Host Address    Life [sec]
    -----------------------------------------------------
    BRAD-PC        <00>  UNIQUE     192.168.0.41      370
    TANNER-WIN7    <00>  UNIQUE     192.168.0.52      232
    TIMBXP         <00>  UNIQUE     192.168.0.74      325
 
Local Area Connection:
Node IpAddress: [192.168.0.6] Scope Id: []
 

    No names in cache

Then

nbtstat -s

and

nbtstat -S

are supposed to give different results.  “s” is supposed to list the NetBIOS sessions table converting destination IP addresses to computer NetBIOS names  whereas “S” is supposed to list the current NetBIOS sessions and their status, with the IP address. But they both yield

Local Area Connection 2:

Node IpAddress: [192.168.0.206] Scope Id: []
 
    No Connections
 
Local Area Connection:
Node IpAddress: [192.168.0.6] Scope Id: []
 
    No Connections

so not sure about the supposed difference
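Reading the nbtstat tables by eye is error-prone, so here is a parser for the "nbtstat -n" layout shown above that turns each row into an object and pulls out any name whose Status is "Conflict" (the state that event ID 4319, further down this page, tells you to look for). This is an added example, not code from the original notes; the sample output embedded in it is constructed, with one row changed to Conflict.

```powershell
# Added example: parse 'nbtstat -n' text into objects and report conflicting names.
function ConvertFrom-NbtstatName {
    param([Parameter(Mandatory)][string[]]$Lines)
    $adapter = $null
    foreach ($line in $Lines) {
        # Adapter headers are unindented and end with a colon, e.g. "Local Area Connection 2:".
        # "Node IpAddress: [...] Scope Id: []" does not match because text follows its colons.
        if ($line -match '^(\S[^:]*):\s*$') { $adapter = $Matches[1]; continue }
        # Table rows look like:  NAME  <xx>  UNIQUE|GROUP  Status
        if ($line -match '^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$') {
            [pscustomobject]@{
                Adapter = $adapter
                Name    = $Matches[1]
                Suffix  = $Matches[2]   # service suffix: 00 workstation, 1C domain controllers, 20 server
                Type    = $Matches[3]
                Status  = $Matches[4]
            }
        }
    }
}

function Get-NbtConflict {
    # With no -Lines argument, runs nbtstat -n on the local machine.
    param([string[]]$Lines = (nbtstat -n))
    ConvertFrom-NbtstatName -Lines $Lines | Where-Object { $_.Status -eq 'Conflict' }
}

# Constructed sample in the layout the notes show, with the <20> server name in Conflict.
$sample = @'
Local Area Connection:
Node IpAddress: [192.168.254.6] Scope Id: []

                NetBIOS Local Name Table

       Name          Type     Status
    ------------------------------------
    MAIL3     <00>  UNIQUE  Registered
    MYDOMAIN  <00>  GROUP   Registered
    MYDOMAIN  <1C>  GROUP   Registered
    MAIL3     <20>  UNIQUE  Conflict
'@ -split "`r?`n"

# Prints the single MAIL3 <20> row; live use: Get-NbtConflict | Format-Table -AutoSize
Get-NbtConflict -Lines $sample | Format-Table -AutoSize
```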

netdiag – command-line diagnostic tool that helps isolate networking and connectivity problems by performing a series of tests to determine the state of your network; one of the Windows Support Tools that ship with Windows Server 2003.  On disk 1, go to \support\tools\ and double-click suptools.msi

can also run netdiag /fix

netdiag hangs – use the “-v” option for verbose to find out where it dies

network - see IP Address, Find

start, run, command,

netsh

At the netsh prompt, type

netsh> diag

and press enter (must be something else; “command not found”).  Type gui and press enter.

See IP address, find

ntdsutil.exe to transfer or seize FSMO roles to a domain controller.

Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. It is recommended that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer the Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and Infrastructure master roles are being transferred.

Well, I wanted to transfer some roles from a 2003 server to a 2008.  But since this dang command below doesn’t even work on 2008, I was forced to try it on 2003.

Click Start, click Run, type ntdsutil in the Open box, and then click OK.  This worked OK.  Brought up a nice “C:\WINDOWS\system32\ntdsutil.exe:” prompt.

Type roles, and then press ENTER.  So far, so good.  Brings up “fsmo maintenance:” prompt.

Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.

Type connections, and then press ENTER.  Still OK.  Brings up “server connections:” prompt.

Type

connect to server servername

and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.  Well this is where it came to a screeching halt.  I got

Binding to servername2…

ldap_bind_sW failed with 0x51(81) (Server Down).

Even though the server wasn’t really down.  But when I tried another server:

server connections: connect to server servername3

I got:

Disconnecting from server1...

Binding to server3

Connected to server3 using credentials of locally logged on user.

server connections:

At the server connections prompt, type q, and then press ENTER.

Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.

At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

—O—

—P—

password complexity, enable/disable “password must meet complexity requirements”

Group Policy Management (gpmc.msc) → find your domain there → right click Default Domain Policy → edit (brings up a new window) → Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy

policy analyzer tool - see also Advanced Group Policy Management (AGPM)

Compare two (or more) group policies. Export group policies by backing them up from Group Policy Manager (GPM). Each policy you back up gets a whole directory named by some sort of a GUID. But that GUID has no relationship to the policy's GUID. Rather, I think these GUIDs come somehow from how each is stored in GPM

author Arnaud Loos' Introduction to Microsoft Policy Analyzer

download - this Microsoft Security Compliance Toolkit 1.0 offers 6 different components to download. All we care about is PolicyAnalyzer.zip and ignore the other 5.

—Q—

—R—

recycle bin - Tools → Active Directory Administrative Center or

dsac.exe

Navigate to "yourDomain(local)" → Deleted Objects

rename computer

netdom renamecomputer WIN-IAKDINN28SU /newname:HV0

RSAT (Remote Server Administration Tools)

Windows 7 SP1

Windows 8

Windows 8.1

for Windows 2003 Server

For Windows 10 version 1903 and later, need to go to Deploy RSAT (Remote Server Administration Tools) for Windows 10 v1903 using SCCM (System Center Configuration Manager) and Powershell and run Install-RSATv1809v1903.ps1 (download)

—S—

secure channel, change - see trust, change secure channel

—T—

time, where is a server in the domain getting its time from?

From a command line

nltest /dsgetdc:yourdomain /timeserv

should return something like

           DC: \\MYPRIMARYDC
      Address: \\192.168.0.1
     Dom Guid: 6fac954e-21ad-4404-bd04-91ee5f82f02a
     Dom Name: yourdomain
  Forest Name: yourdomain.net
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

The result indicates that my client is getting its time from MYPRIMARYDC. Or at least should be. This command doesn’t guarantee that MYPRIMARYDC is up or reachable. For that I can use a different NLTEST command

nltest /server:MYPRIMARYDC /query

should return something like

Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

To make sure it’s working, from a command line

w32tm /monitor

should return something like

MYPRIMARYDC.yourdomain.com[192.168.0.1:123]:
    ICMP: 0ms delay
    NTP: +0.0005605s offset from yourserver.yourdomain.com
        RefID: ntp1.usno.navy.mil [192.5.41.41]
        Stratum: 2

And it might list more than just the one server if you have multiple domain servers.  The PDC should look outside (ntp1.usno.navy.mil in the case above), the other DCs should look to the PDC.
To find out the method – whether it looks to your domain controller or outside on its own – look in:

HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type

If Type is set to Nt5DS then the member machine should be checking with the domain controller for its time.  If Type is set to NTP it will be checking on its own.  You can also find this setting from the command line:

w32tm /dumpreg /subkey:parameters

to get something like

Value Name                 Value Type          Value Data
------------------------------------------------------------
 
ServiceDll                 REG_EXPAND_SZ       %systemroot%\system32\w32time.dll
 
ServiceMain                REG_SZ              SvchostEntry_W32Time
ServiceDllUnloadOnStop     REG_DWORD           1
Type                       REG_SZ              NT5DS
NtpServer                  REG_SZ              time.windows.com,0x9

Or perhaps:

reg query hklm\System\CurrentControlSet\services\W32Time\Parameters

to get something like

HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\W32Time\Parameters
    ServiceDll    REG_EXPAND_SZ    %systemroot%\system32\w32time.dll
    ServiceMain    REG_SZ    SvchostEntry_W32Time
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    Type    REG_SZ    NT5DS
    NtpServer    REG_SZ    time.windows.com,0x9

Or just:

reg query hklm\System\CurrentControlSet\services\W32Time\Parameters /v ntpserver

to get something like

HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\W32Time\Parameters
    NtpServer    REG_SZ    time.windows.com,0x9

To just get which server the domain controller is using.  Notice in the example above, it’s looking outside to time.windows.com.  If this is your PDC and it’s not looking outside, then you want to make sure it’s looking outside somewhere to get the right time:

w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update

As an aside, you can open up group policy editor (gpedit.msc) and go to Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers where you’ll see how to configure Windows NTP settings.  But recall that, if you’re in a domain, you probably want to use NT5DS rather than NTP.  So, if everything’s “not configured”, probably want to leave it that way.
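An audit of the W32Time settings discussed above, applying the rule the notes give: the PDC emulator should use Type=NTP with an external peer list, and every other domain member should use Type=NT5DS so it follows the domain hierarchy; it also checks that each peer carries the ",0x" flags suffix. This is an added example, not code from the original notes; the registry path and the nltest /dcname output format are as shown on this page, and the sample call at the end uses constructed values.

```powershell
# Added example: classify a machine's W32Time configuration and list problems.
function Test-W32TimeConfig {
    param(
        [Parameter(Mandatory)][string]$Type,          # ...\W32Time\Parameters\Type
        [string]$NtpServer = '',                      # ...\W32Time\Parameters\NtpServer (space-delimited peers)
        [Parameter(Mandatory)][bool]$IsPdcEmulator
    )
    $findings = New-Object System.Collections.Generic.List[string]
    switch ($Type) {   # switch string matching is case-insensitive in PowerShell
        'NT5DS' {
            if ($IsPdcEmulator) {
                $findings.Add('PDC emulator uses NT5DS: it has no DC above it, so it never gets time from outside.')
            }
        }
        'NTP' {
            if (-not $IsPdcEmulator) {
                $findings.Add('Non-PDC member uses NTP: it bypasses the domain hierarchy and can drift from the DCs.')
            }
            if ([string]::IsNullOrWhiteSpace($NtpServer)) {
                $findings.Add('Type is NTP but NtpServer is empty: no time source at all.')
            }
            foreach ($peer in ($NtpServer -split ' ' | Where-Object { $_ })) {
                # Each peer needs a ",0x<flags>" suffix (the notes use ,0x1 and ,0x9).
                if ($peer -notmatch ',0x[0-9A-Fa-f]+$') {
                    $findings.Add("Peer '$peer' lacks the ,0x flags suffix; the setting will not take effect.")
                }
            }
        }
        'NoSync'  { $findings.Add('Type is NoSync: the clock is never synchronized.') }
        default   { $findings.Add("Unusual Type '$Type'; expected NT5DS on members and NTP on the PDC emulator.") }
    }
    if ($findings.Count -eq 0) { $findings.Add("OK: Type=$Type matches this machine's role.") }
    return $findings
}

function Get-W32TimeFindings {
    # Live check of the local machine. PDC status comes from 'nltest /dcname', whose
    # output names the PDC as \\SERVERNAME (same command the notes use under "Could not
    # find any available Global Catalog").
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $pdcLine = (nltest "/dcname:$env:USERDOMAIN") -join ' '
    $isPdc = $pdcLine -match ('\\\\' + [regex]::Escape($env:COMPUTERNAME) + '\b')
    Test-W32TimeConfig -Type $p.Type -NtpServer $p.NtpServer -IsPdcEmulator $isPdc
}

# Constructed sample: the registry values from the notes (NT5DS, time.windows.com,0x9)
# audited as if the machine were the PDC emulator, which reports the NT5DS finding.
Test-W32TimeConfig -Type 'NT5DS' -NtpServer 'time.windows.com,0x9' -IsPdcEmulator $true
```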

time, manually set domain client computers’

– NET TIME /DOMAIN /SET

time server, set primary domain controller to look outside – from here

in Registry editor:

HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type

Set this Value to NTP; all other “lesser” domain controllers should be set to Nt5DS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

In the right pane, right-click AnnounceFlags, and then click Modify.

In Edit DWORD Value, type 5 in the Value data box, and then click OK

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

In the right pane, right-click NtpServer, and then click Modify.

In Edit Value, type Peers in the Value data box, and then click OK.

Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes will not take effect.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval

In the right pane, right-click SpecialPollInterval, and then click Modify.

In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the Time Server to poll every 15 minutes.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection

In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.

In Edit DWORD Value, click to select Decimal in the Base box.

In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection

In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.

In Edit DWORD Value, click to select Decimal in the Base box.

In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.

at the command prompt

net stop w32time && net start w32time

time server, how far out of sync are various domain servers from the primary domain controller

C:\>w32tm /monitor

“Time service has not synchronized the system time” error (event ID 36)

What happens if you get event ID 36?  It might say something like, “The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details”.  You might try:

w32tm /resync

to force an instant time synchronization.  If you get

Sending resync command to local computer
The computer did not resync because no time data was available.

Then problems. If this is your PDC, then maybe

w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update

If this is not your PDC but instead a client, then you can try

PS C:\Users\administrator.YOURDOMAIN> w32tm /config /syncfromflags:domhier /reliable:yes /update

The command completed successfully.

to configure a client computer for automatic domain time synchronization

trust, change secure channel

nltest /sc_reset:<DomainName>[\<DcName>]

Reset secure channel for <DomainName> on this server to <DcName> – no space between the DomainName and the “\DcName”

—U—

—V—

—W—

“Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred.) Group Policy processing aborted.” – Userenv error

Error:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date:  30/03/2009
Time:  14:14:20
User:  NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp

Solution:

Create a registry file with the following code (userenvfix.reg):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:0000003c
"GroupPolicyMinTransferRate"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GroupPolicyMinTransferRate"=dword:00000000

Run userenvfix.reg to import the changes in the registry and restart the server.

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=1054&EvtSrc=Userenv&LCID=1033

Explanation

A network connectivity or configuration problem exists. Group Policy settings cannot be applied until the problem is fixed.

User Action

To troubleshoot the network connectivity or configuration problem, try one or all of the following:

Windows cannot change the password – see password, Windows cannot change, User Accounts, more settings and then click Reset Password...

“Windows cannot bind to yourcompany.com domain. (Local Error). Group Policy processing aborted” – UserEnv event ID # 1006 see Group Policy problem

“Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear contact your System Administrator for assistance.”

This error is received even though the computer account for the workstation and user account for the user both exist.
This error may appear when a PC is replaced with another computer with the same computer name without first deleting the duplicate computer name from the Active Directory domain before joining the new workstation to the domain with the same duplicate name.
The funny part is that the symptom may either appear immediately at the first try, or even after a few successful logons.
The cause of the error is usually related to security identifier (SID) issues. Another possible cause for the error is that the computer account for the workstation was accidentally deleted from the Active Directory domain.
Another common cause for the error is using Norton Ghost or any other similar disk cloning software. This happens when the administrator has cloned one XP machine and reproduced it to many other new computers without first using and running Microsoft's SYSPREP utility (read more on that in a different article).
The resolution to the above error is:

  1. Login to the Windows Server 2003 Domain Controller, open DSA.MSC (Active Directory Users and Computers) and delete the computer account object from the domain.
  2. Login to the Windows XP workstation as a local administrator. If you cannot logon as local administrator, try to disconnect the network cable and login to the computer by using a domain administrator user that was used to logon on the PC before. This will be made possible because of the cached logon credentials feature that remembers the last 10 successful logons.
  3. Go to Control Panel, then click on the System icon, then go to the Computer Name tab. You can also do this by right-clicking My Computer, and then Properties, or by pressing the Windows logo key and Break.
  4. Remove the computer from the domain by clicking on “Change”. You should see that Domain button is now selected. Remember your domain name in the text box. Select the “Workgroup” radio button to remove the computer from the domain, and put any workgroup name in the text box (e.g. workgroup).
  5. Click OK to exit and reboot the computer.
  6. After the computer restarts, go back to Control Panel > System > Computer Name tab, and click Change.
  7. Rejoin the domain by clicking the Domain button. Enter the domain name noted in step 4.
  8. You might be prompted to enter the credentials of one of the Domain Admin users. This can be bypassed if one of the Domain Admins manually creates a computer account in Active Directory Users and Computers for the workstation you're about to join.
  9. Click OK to exit.
  10. Reboot the PC.

—X—

—Y—

—Z—

—No's—

29 Event ID – see KDC (Key Distribution Center) cannot find a suitable certificate

36 Event ID – “Time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp” – see Time service has not synchronized the system time

4319 Event ID – “A duplicate name has been detected on the TCP network.  The IP address of the computer that sent the message is in the data. Use

nbtstat -n

in a command window to see which name is in the Conflict state.” – see duplicate name has been detected on the TCP network, nbtstat.  So far, I’ve found that command to be completely worthless to solve this problem.  According to here, there could be several reasons