OOM-9
Jan 07, 2012 | NETGEAR Expert
Domain Join Issue - Information
I have found some helpful information for people that have issues joining the domain. The points to check when configuring the ReadyNAS to join the domain, and an additional option with logs to see wh...
kejones
Jul 31, 2014 | Tutor
Hi,
I thought I'd add some more (hopefully useful!) information to the thread. Particularly for Ross's benefit, if he's still around :-)
"Unable to create user account"
If you get this error it actually generally means that the account you were using to join the domain was unable to create a computer account for your device. As all computer objects are effectively extended user objects, Samba is being accurate in its response but not very clear in its actual meaning :-)
Things to check here include;
a) Does the joining account have limited access to the destination OU?
- some people might have credentials with only "devolved" access to particular OU's.
- some organisations actively remove the rights to add a machine to the default "computer" OU to promote neatness (which means you have to specify an OU target when joining the NAS to a domain).
- if you have no rights to create an account with the joining credentials then you need to manually create a computer object with other credentials (or reset the password on an existing object).
b) Have you specified the OU correctly?
- The path you need to supply in the OU field shouldn't include the whole OU path. From undocumented struggles, it just needs the parts specifying the relative part of the OU path under the root domain.
(This one catches me very often but it appears that 6.x's dialogs join the OU field with the OU path that can be obtained from the AD controller to make the absolute path - Need more details here!)
c) It's important to have good DNS settings on many, many levels
- If you're re-using a computer object, bear in mind that Windows relies heavily on DNS entries for locating devices.
- If you're doing any work that involves joining or un-joining computer objects, it's worth noting that AD Dynamic DNS updates can get tied up with ACL issues because a computer object gets changed and the "new" computer object might not be able to register a DNS entry properly because it gets denied access. It takes time for the DNS entries to get "grave-stoned".
(I'll add a new topic about this because I've just run into a quirk that looks worth mentioning on this front considering some previous board requests)
I hope some of this is helpful. It needs more explaining though so I'll try and keep in touch!
Regards,
Keith
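
The OU check in point b), as an added example that is not part of the post above and is not NETGEAR or Samba code: it takes the full distinguished name of the target OU as copied from the AD tools, confirms it sits under the domain being joined, and strips the domain components to leave the relative part. The function names and sample DNs are constructed for illustration. Both common spellings of the relative path are returned because the post does not say which one the ReadyNAS field expects; the slash form is the one Samba documents for `net ads join createcomputer=`.

```python
def split_rdns(dn):
    """Split a distinguished name on unescaped commas into (ATTR, value) pairs."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def relative_ou(dn, domain):
    """Return (rdn_form, slash_form) of the OU path relative to the domain root.

    Hypothetical helper: rdn_form keeps LDAP order (deepest OU first),
    slash_form reads top-down without RDN prefixes.
    """
    rdns = split_rdns(dn)
    first_dc = next((i for i, (a, _) in enumerate(rdns) if a == "DC"), len(rdns))
    ou_part, dc_part = rdns[:first_dc], rdns[first_dc:]
    if any(a != "DC" for a, _ in dc_part):
        raise ValueError("unexpected component after the domain part")
    if ".".join(v for _, v in dc_part).lower() != domain.lower():
        raise ValueError(f"DN is not under domain {domain!r}")
    if not ou_part:
        raise ValueError("DN names the domain root, not an OU")
    not_ou = [f"{a}={v}" for a, v in ou_part if a != "OU"]
    if not_ou:  # e.g. CN=Computers is a container, not an OU
        raise ValueError(f"not an OU component: {not_ou}")
    rdn_form = ",".join(f"OU={v}" for _, v in ou_part)
    slash_form = "/".join(v for _, v in reversed(ou_part))
    return rdn_form, slash_form


if __name__ == "__main__":
    # Constructed sample DN and domain.
    print(relative_ou("OU=NAS,OU=Servers,DC=corp,DC=example,DC=com", "corp.example.com"))
```
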