Merge pull request #8693 from Deland-Han/ci5170-part

Deland-Han · web-flow · commit f13c8f4fe6ce · 2025-04-11T13:23:47.000+08:00
Ci5170 part
diff --git a/support/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance.md b/support/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance.md
@@ -55,27 +55,6 @@ The following table lists the ports required to be open between the client compu
 
 For more information, see [Error code 0x569: The user has not been granted the requested logon type at this computer](error-0x569-not-granted-logon-type.md).
 
-### Error code 0x534
-
-> No mapping between account names and security IDs was done.
-
-Here's an example from the *netsetup.log* file:
-
-```output
-mm/dd/yyyy hh:mm:ss:ms NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x534
-mm/dd/yyyy hh:mm:ss:ms NetpProvisionComputerAccount: LDAP creation failed: 0x534
-mm/dd/yyyy hh:mm:ss:ms ldap_unbind status: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomainOnDs: Function exits with status of: 0x534
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomainOnDs: status of disconnecting from '\\<DC name>': 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpDoDomainJoin: status: 0x534
-```
-  
-The domain join graphical user interface (GUI) can call the `NetJoinDomain` API twice to join a computer to a domain. The first call is made without the "create" flag being specified to locate a pre-created computer account in the target domain. If no account is found, a second `NetJoinDomain` API call may be made with the "create" flag specified.
-  
-In another scenario, the 0x534 error code is logged when you attempt to change the password for a machine account. However, the account can't be found on the targeted DC, likely because the account was not created or due to replication latency or a replication failure.
-
-The 0x534 error code is commonly logged as a transient error when domain join searches the target domain. The search determines whether a matching computer account was pre-created or the join operation needs to dynamically create a computer account on the target domain. Check the bit flags in the join options to see if the type of join being performed is relying on a pre-created or newly created computer account.
-
 ### Error code 0x6BF or 0xC002001C
 
 > The remote procedure call failed and did not execute.
@@ -100,40 +79,7 @@ Make sure of the following items:
 
 ### Error code 0x6D9
 
-> There are no more endpoints available from the endpoint mapper.
-
-Here's an example from the *netsetup.log* file:
-
-```output
-mm/dd/yyyy hh:mm:ss:ms NetpGetDnsHostName: Read NV Hostname: <hostname>
-mm/dd/yyyy hh:mm:ss:ms NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: <DNS domain>.<TLD>
-mm/dd/yyyy hh:mm:ss:ms NetpLsaOpenSecret: status: 0xc0000034
-mm/dd/yyyy hh:mm:ss:ms NetpGetLsaPrimaryDomain: status: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpLsaOpenSecret: status: 0xc0000034
-mm/dd/yyyy hh:mm:ss:ms NetpManageMachineAccountWithSid: NetUserAdd on \\<hostname>.<domain> for <computername>$ failed: 0x8b0
-mm/dd/yyyy hh:mm:ss:ms NetpManageMachineAccountWithSid: status of attempting to set password on \\<DC name>.<domain>.<tld> for <hostname>$: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: status of creating account: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpGetComputerObjectDn: Unable to bind to DS on \\<DC name>.<domain>.<tld>: 0x6d9
-mm/dd/yyyy hh:mm:ss:ms NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x6d9
-mm/dd/yyyy hh:mm:ss:ms ldap_unbind status: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: status of setting DnsHostName and SPN: 0x6d9
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: initiaing a rollback due to earlier errors
-mm/dd/yyyy hh:mm:ss:ms NetpGetLsaPrimaryDomain: status: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpManageMachineAccountWithSid: status of disabling account <hostname>$ on \\<DC name>.<domain>.<tld>: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: rollback: status of deleting computer account: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpLsaOpenSecret: status: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: rollback: status of deleting secret: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: status of disconnecting from \\<DC name>.<domain>.<tld>: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpDoDomainJoin: status: 0x6d9
-```
-  
-Error 0x6D9 is logged when network connectivity is blocked between the joining client and the helper DC. The network connectivity services the domain join operation over port 135 or a port in the ephemeral range between 1025 to 5000 or 49152 to 65535. For more information, see [Service overview and network port requirements for Windows](../networking/service-overview-and-network-port-requirements.md).  
-
-To resolve this error, follow these steps:
-
-1. On the joining client, open the *%systemroot%\\debug\\NETSETUP.LOG* file and determine the name of the helper DC selected by the joining client to perform the join operation.
-2. Verify that the joining client has network connectivity to the DC over the required ports and protocols used by the applicable operating system (OS) versions. Domain join clients connect a helper DC over TCP port 135 by the dynamically assigned port in the range between 49152 and 65535.
-3. Ensure that the OS, software and hardware routers, firewalls, and switches allow connectivity over the required ports and protocols.
+See [Domain join error 0x6D9 "There are no more endpoints available from the endpoint mapper"](./domain-join-error-0x6d9-there-are-no-more-endpoints-available-from-the-endpoint-mapper.md) for troubleshooting guide. 
 
 ### Error code 0xa8b
 
diff --git a/support/windows-server/active-directory/domain-join-error-0x6d9-there-are-no-more-endpoints-available-from-the-endpoint-mapper.md b/support/windows-server/active-directory/domain-join-error-0x6d9-there-are-no-more-endpoints-available-from-the-endpoint-mapper.md
@@ -0,0 +1,79 @@
+---
+title: Error 0x6D9 There Are No More Endpoints Available from the Endpoint Mapper
+description: Addresses the error There are no more endpoints available from the endpoint mapper encountered during domain join operations.
+ms.date: 03/28/2025
+manager: dcscontentpm
+audience: itpro
+ms.topic: troubleshooting
+ms.reviewer: raviks, eriw, dennhu
+ms.custom:
+- sap:active directory\on-premises active directory domain join
+- pcy:WinComm Directory Services
+---
+# Domain join error 0x6D9 "There are no more endpoints available from the endpoint mapper"
+
+This article addresses the error code 0x6D9 encountered during domain join operations.
+
+## Symptoms
+
+When you try to join a computer to a domain, you receive the following error message:
+
+> There are no more endpoints available from the endpoint mapper.
+
+When you review the **netsetup.log** file, you find error messages that resemble the following entries:
+
+```output
+NetpGetDnsHostName: Read NV Hostname: <hostname>
+NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: <DNS domain>.<TLD>
+NetpLsaOpenSecret: status: 0xc0000034
+NetpGetLsaPrimaryDomain: status: 0x0
+NetpLsaOpenSecret: status: 0xc0000034
+NetpManageMachineAccountWithSid: NetUserAdd on \\<hostname>.<domain> for <computername>$ failed: 0x8b0
+NetpManageMachineAccountWithSid: status of attempting to set password on \\<DC_name>.<domain>.<tld> for <hostname>$: 0x0
+NetpJoinDomain: status of creating account: 0x0
+NetpGetComputerObjectDn: Unable to bind to DS on \\<DC_name>.<domain>.<tld>: 0x6d9
+NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x6d9
+ldap_unbind status: 0x0
+NetpJoinDomain: status of setting DnsHostName and SPN: 0x6d9
+NetpJoinDomain: initiaing a rollback due to earlier errors
+NetpGetLsaPrimaryDomain: status: 0x0
+NetpManageMachineAccountWithSid: status of disabling account <hostname>$ on \\<DC_name>.<domain>.<tld>: 0x0
+NetpJoinDomain: rollback: status of deleting computer account: 0x0
+NetpLsaOpenSecret: status: 0x0
+NetpJoinDomain: rollback: status of deleting secret: 0x0
+NetpJoinDomain: status of disconnecting from \\<DC_name>.<domain>.<tld>: 0x0
+NetpDoDomainJoin: status: 0x6d9
+```
+
+### Error detail
+
+| Hexadecimal error | Decimal error | Symbolic error string | Friendly error                                                  |
+| --------- | ------------- | --------------------- | --------------------------------------------------------------- |
+| 0x6d9     | 1753          | EPT_S_NOT_REGISTERED  | There are no more endpoints available from the endpoint mapper. |
+
+## Cause
+  
+Error 0x6D9 is logged when network connectivity is blocked between the joining client and the Domain Controller (DC). The network connectivity services the domain join operation initially over Transmission Control Protocol (TCP) port 135, and then an ephemeral port which is by default between 49152 to 65535. For more information, see [How to restrict Active Directory RPC traffic to a specific port](restrict-ad-rpc-traffic-to-specific-port.md).
+
+The network connectivity issue can be caused by several factors, including advanced security solutions with host firewalls installed on the DC, port exhaustion, and other potential issues.
+
+## Resolution
+
+1. On the joining client, open the **%systemroot%\\debug\\NETSETUP.LOG** file and determine the name of the DC selected by the joining client to perform the join operation. For example, the following **NETSETUP.LOG** sample shows that the joining client "APP_SRV" is using the DC "DC1.CONTOSO.COM":
+
+   ```output
+   NetpManageMachineAccountWithSid: NetUserAdd on '\\DC1.CONTOSO.COM' for 'APP_SRV$' failed: 0x8b0
+   NetpManageMachineAccountWithSid: status of attempting to set password on '\\DC1.CONTOSO.COM' for '<APP_SRV>$': 0x0
+   NetpJoinDomain: status of creating account: 0x0
+   NetpGetComputerObjectDn: Unable to bind to DS on '\\DC1.CONTOSO.COM': 0x6d9
+   ```
+
+2. Verify that the joining client has network connectivity to the DC over the required ports and protocols used by the applicable operating system (OS) versions. Domain join clients initially connect to a DC over TCP port 135, and then a dynamically assigned port in the range between 49152 and 65535.
+3. Ensure that the OS, software and hardware routers, firewalls, and switches allow connectivity over the required ports and protocols.
+4. Ensure that there are enough ports available for the operation. You can use tools like netstat to check for port availability and usage.
+5. If advanced security solutions with host firewalls are installed on the DC, review their settings to ensure they aren't blocking the required ports.
+6. Consider other potential causes and troubleshoot accordingly. For example, check firewall rules, ensure proper Domain Name System (DNS) resolution, and verify the health of the DC.
+
+## Reference
+
+ For more information, see [Service overview and network port requirements for Windows](../networking/service-overview-and-network-port-requirements.md).
diff --git a/support/windows-server/active-directory/failure-when-you-use-an-existing-computer-account-to-join-a-domain.md b/support/windows-server/active-directory/failure-when-you-use-an-existing-computer-account-to-join-a-domain.md
@@ -0,0 +1,111 @@
+---
+title: Failure When You Use an Existing Computer Account to Join a Domain
+description: Addresses the issue of failing to join a computer to a domain when an existing computer account with the same name already exists.
+ms.date: 03/28/2025
+manager: dcscontentpm
+audience: itpro
+ms.topic: troubleshooting
+ms.reviewer: raviks, eriw, dennhu
+ms.custom:
+- sap:active directory\on-premises active directory domain join
+- pcy:WinComm Directory Services
+---
+# Failure when you use an existing computer account to join a domain
+
+This article addresses the issue of failing to join a computer to a domain when an existing computer account with the same name already exists.
+
+## Symptoms
+
+When you try to use an existing computer account name to join a computer to a domain, the operation fails and you receive the following error messages:
+
+In the **Access work or school** page:  
+> Can't join this domain. Contact your IT admin for more info.
+
+In **System Properties**:  
+> The following error occurred attempting to join the domain "\<domain_name\>":
+>
+> An account with the same name exists in Active Directory.  
+> Re-using the account was blocked by security policy.
+
+### Netsetup.log
+
+Review the following example of the **Netsetup.log** file on a fully updated system.
+
+```output
+NetpProvisionComputerAccount:
+    lpDomain: contoso.com
+    lpHostName: host1
+    lpMachineAccountOU: (NULL)
+    lpDcName: ContosoDC1.contoso.com
+    lpMachinePassword: (null)
+    lpAccount: contoso\nonadminuser2
+    lpPassword: (non-null)
+    dwJoinOptions: 0x403
+    dwOptions: 0x40000003
+NetpLdapBind: Verified minimum encryption strength on ContosoDC1.contoso.com: 0x0
+NetpLdapGetLsaPrimaryDomain: reading domain data
+NetpGetNCData: Reading NC data
+NetpGetDomainData: Lookup domain data for: DC=contoso,DC=com
+NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=contoso,DC=com
+NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
+NetpCheckForDomainSIDCollision: returning 0x0(0).
+NetpGetComputerObjectDn: Cracking DNS domain name contoso.com/ into Netbios on \\ContosoDC1.contoso.com
+NetpGetComputerObjectDn: Crack results:     name = CONTOSO\
+NetpGetComputerObjectDn: Cracking account name CONTOSO\HOST1$ on \\ContosoDC1.contoso.com
+NetpGetComputerObjectDn: Crack results:     (Account already exists) DN = CN=HOST1,CN=Computers,DC=contoso,DC=com 
+NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=HOST1,CN=Computers,DC=contoso,DC=com
+NetpGetNCData: Reading NC data
+NetpReadAccountReuseModeFromAD: Searching '<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD,DC=contoso,DC=com>' for '(&(ObjectClass=ServiceConnectionPoint)(KeyWords=NetJoin*))'.
+NetpReadAccountReuseModeFromAD: Got 0 Entries.
+Returning NetStatus: 0, ADReuseMode: 0
+IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2. 
+IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
+NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: 0, NetStatus: 0
+NetpDsValidateComputerAccountReuseAttempt: returning Result: FALSE
+NetpCheckIfAccountShouldBeReused: Active Directory Policy check with SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:0x0.
+NetpCheckIfAccountShouldBeReused: Account re-use attempt was Denied by Active Directory Policy. 
+NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
+NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac 
+NetpProvisionComputerAccount: LDAP creation failed: 0xaac 
+NetpProvisionComputerAccount: Retrying downlevel per options
+NetpManageMachineAccountWithSid: NetUserAdd on 'ContosoDC1.contoso.com' for 'HOST1$' failed: 0x8b0 
+IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2. 
+IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
+NetpManageMachineAccountWithSid: The computer account already exists in Active Directory.Re-using the account was blocked by security policy.
+NetpProvisionComputerAccount: retry status of creating account: 0xaac
+ldap_unbind status: 0x0
+NetpJoinCreatePackagePart: status:0xaac.
+NetpJoinDomainOnDs: Function exits with status of: 0xaac 
+NetpJoinDomainOnDs: status of disconnecting from '\\ContosoDC1.contoso.com': 0x0
+NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'contoso.com' returned 0x0
+NetpJoinDomainOnDs: NetpResetIDNEncoding on 'contoso.com': 0x0
+NetpDoDomainJoin: status: 0xaac
+```
+
+### Error detail
+
+|Hexadecimal error|Decimal error|Symbolic error string|Error description|Header|
+|---|---|---|---|---|
+|0x8b0|2224|NERR_UserExists|The account already exists.|lmerr.h|
+|0xaac|2732|NERR_AccountReuseBlockedByPolicy|An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.|lmerr.h|
+
+## Cause
+
+Windows introduced additional protections with updates released on and after October 11, 2022. These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain unless any of the following conditions is met:
+
+- The user attempting the operation is the creator of the existing account.
+- The computer is created by a member of domain administrators, enterprise administrators, or built-in administrators groups.
+- The owner of the computer account object that is being reused is a member of the **Domain controller: Allow computer account reuse during domain join** Group Policy setting. This setting requires the installation of Windows updates released on or after March 14, 2023, on all member computers and domain controllers.
+
+## Resolution
+
+To fix the issue, follow these steps:
+
+1. Perform the join operation by using the same account that created the computer account in the target domain.
+2. If the existing account is stale (unused), delete it before attempting to join the domain again.
+3. Rename the computer and join the domain using a different account that doesn't exist.
+4. If a trusted security principal owns the existing account, and an administrator wants to reuse the account, use the **Domain controller: Allow computer account re-use during domain join** Group Policy.
+
+## Reference
+
+For more information about domain join hardening changes, see [KB5020276—Netjoin: Domain join hardening changes](https://support.microsoft.com/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8).
diff --git a/support/windows-server/toc.yml b/support/windows-server/toc.yml
@@ -349,6 +349,10 @@ items:
       href: ./active-directory/cannot-connect-internet-domain.md
     - name: Default limit to workstation numbers
       href: ./active-directory/default-workstation-numbers-join-domain.md
+    - name: 'Error 0x6D9 "No more endpoints available from the endpoint mapper"'
+      href: ./active-directory/domain-join-error-0x6d9-there-are-no-more-endpoints-available-from-the-endpoint-mapper.md
+    - name: Failure when you use an existing computer account to join a domain
+      href: ./active-directory/failure-when-you-use-an-existing-computer-account-to-join-a-domain.md
     - name: Error 0x5 Access Denied when you rename a computer
       href: ./active-directory/error-0x5-access-denied-rename-computer.md
     - name: Error code 0x569
