The notes below summarize a domain join failure caused by port blocking in an environment with a network firewall between the client and the domain controllers.
[Environment]
Windows Server 2003 EE SP2
[Symptom]
When joining the machine to the domain, the following message appears after the account/password is entered:
The following error occurred attempting to join the domain "laigo.kr":
There are no more endpoints available from the endpoint mapper.
(Win32 error 1753, EPT_S_NOT_REGISTERED; it appears as status 0x6d9 in the Netsetup.log excerpt below.)
[Cause]
The firewall blocks the client-side 1024-65535 port range. In the Netsetup.log below the SMB connection to the DC and the machine-password set succeed, but the subsequent bind to the directory service, an RPC call that is resolved through the endpoint mapper to a dynamically assigned high port, fails with 0x6d9. With a firewall in the path, that is the signature of the dynamic RPC range being dropped, even when TCP 135 itself answers.
[Remediation]
Open the ports required for domain membership and trusts on both the server and client sides (the list in KB 179442, referenced below, including RPC endpoint mapper TCP 135 and the dynamic RPC high ports), then retry the join.
[Analysis]
1. Checked with PortQry whether the ports required for DC join are in LISTENING state
- The following ports are not open (Client = source port range on the joining machine, Server = destination port on the DC):
Client (source)            | Server (destination) | Service
1024-65535/TCP/UDP         | 389/TCP/UDP          | LDAP
1024-65535/TCP             | 636/TCP              | LDAP SSL
1024-65535/TCP             | 3268/TCP             | LDAP GC
1024-65535/TCP             | 3269/TCP             | LDAP GC SSL
53, 1024-65535/TCP/UDP     | 53/TCP/UDP           | DNS
1024-65535/TCP/UDP         | 88/TCP/UDP           | Kerberos
1024-65535/TCP             | 445/TCP              | SMB
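The check in item 1 can be scripted from the joining client. The script below is an added example, not part of the original note: it attempts a TCP handshake to each destination port in the table and reports whether the port answered, was refused, or timed out (the usual sign of a firewall silently dropping the SYN). The DC name 'dc.laigo.kr' is an assumption taken from the Netsetup.log excerpt; TCP 135 is added to the table's list because the join error is an endpoint-mapper error. A TCP connect cannot test UDP 53/88/389 or the dynamic RPC port the endpoint mapper hands out, so those still need PortQry (for example `portqry -n dc.laigo.kr -p both -e 389`, and `portqry -n dc.laigo.kr -e 135` to list the registered RPC endpoints and their dynamic ports).

```powershell
# Added example (not from the original note): TCP connect probe of the DC
# destination ports in the table above, run from the client that fails to join.
$Dc = 'dc.laigo.kr'   # assumption: DC name taken from the Netsetup.log excerpt
$TimeoutMs = 3000

# Destination ports from the domain-join table. TCP 135 is not in that table;
# it is added here because the join fails with an RPC endpoint-mapper error.
$ports = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper (added)' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 636;  Service = 'LDAP SSL' },
    @{ Port = 3268; Service = 'LDAP GC' },
    @{ Port = 3269; Service = 'LDAP GC SSL' }
)

# Returns LISTENING (handshake completed), FILTERED (no SYN/ACK and no RST
# within the timeout, typical of a firewall drop) or NOT LISTENING (the
# connection was refused or the name did not resolve).
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'FILTERED'
        }
        $client.EndConnect($ar)   # throws if the DC answered with RST
        return 'LISTENING'
    } catch {
        return 'NOT LISTENING'
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $ports) {
    New-Object PSObject -Property @{
        Port    = $p.Port
        Service = $p.Service
        State   = Test-TcpPort -ComputerName $Dc -Port $p.Port -TimeoutMs $TimeoutMs
    }
}
$results | Sort-Object Port | Format-Table Port, Service, State -AutoSize

$blocked = @($results | Where-Object { $_.State -ne 'LISTENING' })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} of {1} ports not reachable on {2}" -f $blocked.Count, $ports.Count, $Dc)
}
```

A port reported FILTERED while the same port shows LISTENING when probed from a host on the DC's own segment is the firewall; a port reported NOT LISTENING from both sides is a service problem on the DC, not a firewall rule.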
2. %systemroot%\debug\Netsetup.log (excerpt; status codes seen: 0x6d9 = 1753 EPT_S_NOT_REGISTERED, 0x525 = 1317 ERROR_NO_SUCH_USER, 0x8b0 = 2224 NERR_UserExists, 0xc0000034 = STATUS_OBJECT_NAME_NOT_FOUND)
09/25 11:03:29 -----------------------------------------------------------------
09/25 11:03:29 NetpValidateName: checking to see if 'laigo.kr' is valid as type 3 name
09/25 11:03:29 NetpCheckDomainNameIsValid [ Exists ] for 'laigo.kr' returned 0x0
09/25 11:03:29 NetpValidateName: name 'laigo.kr' is valid for type 3
09/25 11:03:38 -----------------------------------------------------------------
09/25 11:03:38 NetpDoDomainJoin
09/25 11:03:38 NetpMachineValidToJoin: 'laigo01'
09/25 11:03:38 NetpGetLsaPrimaryDomain: status: 0x0
09/25 11:03:38 NetpMachineValidToJoin: status: 0x0
09/25 11:03:38 NetpJoinDomain
09/25 11:03:38 Machine: laigo01
09/25 11:03:38 Domain: laigo.kr
09/25 11:03:38 MachineAccountOU: (NULL)
09/25 11:03:38 Account: laigo.kr\user11
09/25 11:03:38 Options: 0x25
09/25 11:03:38 OS Version: 5.2
09/25 11:03:38 Build number: 3790
09/25 11:03:38 ServicePack: Service Pack 2
09/25 11:03:38 NetpValidateName: checking to see if 'laigo.kr' is valid as type 3 name
09/25 11:03:38 NetpCheckDomainNameIsValid [ Exists ] for 'laigo.kr' returned 0x0
09/25 11:03:38 NetpValidateName: name 'laigo.kr' is valid for type 3
09/25 11:03:38 NetpDsGetDcName: trying to find DC in domain 'laigo.kr', flags: 0x1020
09/25 11:03:53 NetpDsGetDcName: failed to find a DC having account 'laigo01$': 0x525
09/25 11:03:53 NetpDsGetDcName: found DC '\\dc.laigo.kr' in the specified domain
09/25 11:04:03 NetpJoinDomain: status of connecting to dc '\\dc.laigo.kr': 0x0
09/25 11:04:03 NetpGetLsaPrimaryDomain: status: 0x0
09/25 11:04:03 NetpGetDnsHostName: Read NV Hostname: laigo01
09/25 11:04:03 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: laigo.kr
09/25 11:04:03 NetpLsaOpenSecret: status: 0xc0000034
09/25 11:04:03 NetpGetLsaPrimaryDomain: status: 0x0
09/25 11:04:03 NetpLsaOpenSecret: status: 0xc0000034
09/25 11:04:03 NetpJoinDomain: status of setting machine password: 0x0
09/25 11:04:24 NetpGetComputerObjectDn: Unable to bind to DS on '\\dc.laigo.kr': 0x6d9
09/25 11:04:24 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x6d9
09/25 11:04:24 ldap_unbind status: 0x0
09/25 11:04:24 NetpJoinDomain: status of setting DnsHostName and SPN: 0x6d9
09/25 11:04:24 NetpJoinDomain: initiaing a rollback due to earlier errors
09/25 11:04:24 NetpLsaOpenSecret: status: 0x0
09/25 11:04:24 NetpJoinDomain: rollback: status of deleting secret: 0x0
09/25 11:04:24 NetpJoinDomain: status of disconnecting from '\\dc.laigo.kr': 0x0
09/25 11:04:24 NetpDoDomainJoin: status: 0x6d9
09/25 11:04:24 -----------------------------------------------------------------
09/25 11:04:24 NetpDoDomainJoin
09/25 11:04:24 NetpMachineValidToJoin: 'laigo01'
09/25 11:04:24 NetpGetLsaPrimaryDomain: status: 0x0
09/25 11:04:24 NetpMachineValidToJoin: status: 0x0
09/25 11:04:24 NetpJoinDomain
09/25 11:04:24 Machine: laigo01
09/25 11:04:24 Domain: laigo.kr
09/25 11:04:24 MachineAccountOU: (NULL)
09/25 11:04:24 Account: laigo.kr\user11
09/25 11:04:24 Options: 0x27
09/25 11:04:24 OS Version: 5.2
09/25 11:04:24 Build number: 3790
09/25 11:04:24 ServicePack: Service Pack 2
09/25 11:04:24 NetpValidateName: checking to see if 'laigo.kr' is valid as type 3 name
09/25 11:04:24 NetpCheckDomainNameIsValid [ Exists ] for 'laigo.kr' returned 0x0
09/25 11:04:24 NetpValidateName: name 'laigo.kr' is valid for type 3
09/25 11:04:24 NetpDsGetDcName: trying to find DC in domain 'laigo.kr', flags: 0x1020
09/25 11:04:25 NetpDsGetDcName: found DC '\\DC2.laigo.kr' in the specified domain
09/25 11:04:29 NetpJoinDomain: status of connecting to dc '\\DC2.laigo.kr': 0x0
09/25 11:04:29 NetpGetLsaPrimaryDomain: status: 0x0
09/25 11:04:29 NetpGetDnsHostName: Read NV Hostname: laigo01
09/25 11:04:29 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: laigo.kr
09/25 11:04:29 NetpLsaOpenSecret: status: 0xc0000034
09/25 11:04:29 NetpGetLsaPrimaryDomain: status: 0x0
09/25 11:04:29 NetpLsaOpenSecret: status: 0xc0000034
09/25 11:04:29 NetpManageMachineAccountWithSid: NetUserAdd on '\\DC2.laigo.kr' for 'laigo01$' failed: 0x8b0
09/25 11:04:29 NetpManageMachineAccountWithSid: status of attempting to set password on '\\DC2.laigo.kr' for 'laigo01$': 0x0
09/25 11:04:29 NetpJoinDomain: status of creating account: 0x0
09/25 11:04:51 NetpGetComputerObjectDn: Unable to bind to DS on '\\DC2.laigo.kr': 0x6d9
09/25 11:04:51 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x6d9
09/25 11:04:51 ldap_unbind status: 0x0
09/25 11:04:51 NetpJoinDomain: status of setting DnsHostName and SPN: 0x6d9
09/25 11:04:51 NetpJoinDomain: initiaing a rollback due to earlier errors
09/25 11:04:51 NetpGetLsaPrimaryDomain: status: 0x0
09/25 11:04:51 NetpManageMachineAccountWithSid: status of disabling account 'laigo01$' on '\\DC2.laigo.kr': 0x0
09/25 11:04:51 NetpJoinDomain: rollback: status of deleting computer account: 0x0
09/25 11:04:51 NetpLsaOpenSecret: status: 0x0
09/25 11:04:51 NetpJoinDomain: rollback: status of deleting secret: 0x0
09/25 11:04:51 NetpJoinDomain: status of disconnecting from '\\DC2.laigo.kr': 0x0
09/25 11:04:51 NetpDoDomainJoin: status: 0x6d9
09/25 11:09:06 -----------------------------------------------------------------
09/25 11:09:06 NetpValidateName: checking to see if 'laigo.kr' is valid as type 3 name
09/25 11:09:06 NetpCheckDomainNameIsValid [ Exists ] for 'laigo.kr' returned 0x0
09/25 11:09:06 NetpValidateName: name 'laigo.kr' is valid for type 3
09/25 11:09:24 -----------------------------------------------------------------
09/25 11:09:24 NetpDoDomainJoin
09/25 11:09:24 NetpMachineValidToJoin: 'laigo01'
09/25 11:09:24 NetpGetLsaPrimaryDomain: status: 0x0
09/25 11:09:24 NetpMachineValidToJoin: status: 0x0
09/25 11:09:24 NetpJoinDomain
09/25 11:09:24 Machine: laigo01
09/25 11:09:24 Domain: laigo.kr
09/25 11:09:24 MachineAccountOU: (NULL)
09/25 11:09:24 Account: laigo.kr\user11
09/25 11:09:24 Options: 0x25
09/25 11:09:24 OS Version: 5.2
09/25 11:09:24 Build number: 3790
09/25 11:09:24 ServicePack: Service Pack 2
09/25 11:09:24 NetpValidateName: checking to see if 'laigo.kr' is valid as type 3 name
09/25 11:09:24 NetpCheckDomainNameIsValid [ Exists ] for 'laigo.kr' returned 0x0
09/25 11:09:24 NetpValidateName: name 'laigo.kr' is valid for type 3
09/25 11:09:24 NetpDsGetDcName: trying to find DC in domain 'laigo.kr', flags: 0x1020
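Reading a Netsetup.log by hand means scanning for the non-zero status at the end of each line. The script below is an added example, not part of the original note: it extracts every status code from the log lines, skips successes (0x0) and the Options flag word, and decodes the four codes that occur in the attempts above; anything else is left for `net helpmsg`. The sample lines are copied from the excerpt above so the script runs offline; point it at the real file to use it on a failing client.

```powershell
# Added example (not from the original note): pull every non-zero status code
# out of Netsetup.log and decode the ones that appear in the join attempts above.

# Codes seen in the excerpt above. NTSTATUS values (0xC...) cannot be resolved
# with "net helpmsg", which only knows Win32 error numbers.
$knownCodes = @{
    '0x6d9'      = '1753 EPT_S_NOT_REGISTERED - no endpoint from the endpoint mapper; check TCP 135 and the dynamic RPC range'
    '0x525'      = '1317 ERROR_NO_SUCH_USER - no DC has the computer account yet; normal on a first join'
    '0x8b0'      = '2224 NERR_UserExists - computer account already exists; the join reuses it'
    '0xc0000034' = 'STATUS_OBJECT_NAME_NOT_FOUND - LSA machine-password secret not present before the join; normal'
}

function Get-NetsetupStatus {
    param([string[]]$Lines)
    # "<MM/dd HH:mm:ss> <function: message>: 0x<code>" with the code at end of line
    $pattern = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d)\s+(?<msg>.*?):\s*(?<code>0x[0-9A-Fa-f]+)\s*$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $code = $matches['code'].ToLower()
        # 0x0 is success; "Options: 0x25" is a join flag word, not a status
        if ($code -eq '0x0' -or $matches['msg'] -eq 'Options') { continue }
        $meaning = if ($knownCodes.ContainsKey($code)) {
            $knownCodes[$code]
        } else {
            'unknown; try: net helpmsg ' + [Convert]::ToInt64($code, 16)
        }
        New-Object PSObject -Property @{
            Time    = $matches['ts']
            Message = $matches['msg']
            Code    = $code
            Meaning = $meaning
        }
    }
}

# Constructed sample input: lines copied from the Netsetup.log excerpt above
$sample = @'
09/25 11:03:38 NetpDsGetDcName: failed to find a DC having account 'laigo01$': 0x525
09/25 11:03:38 Options: 0x25
09/25 11:04:03 NetpLsaOpenSecret: status: 0xc0000034
09/25 11:04:03 NetpJoinDomain: status of setting machine password: 0x0
09/25 11:04:24 NetpGetComputerObjectDn: Unable to bind to DS on '\\dc.laigo.kr': 0x6d9
09/25 11:04:29 NetpManageMachineAccountWithSid: NetUserAdd on '\\DC2.laigo.kr' for 'laigo01$' failed: 0x8b0
09/25 11:04:51 NetpDoDomainJoin: status: 0x6d9
'@ -split "`r?`n"

Get-NetsetupStatus -Lines $sample | Format-Table Time, Code, Meaning, Message -AutoSize

# On the failing client, read the real log instead of the sample:
# Get-NetsetupStatus -Lines (Get-Content "$env:SystemRoot\debug\Netsetup.log") | Format-Table -AutoSize
```

The first non-zero code that is not in the "normal" set is the one to chase; in the excerpt above that is the 0x6d9 on NetpGetComputerObjectDn, which comes right after a successful SMB connection and password set and therefore points at the RPC path rather than at SMB or credentials.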
[References]
Troubleshooting RPC Endpoint Mapper errors using the Windows Server 2003 Support Tools from the product CD
http://support.microsoft.com/kb/839880
How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442/ko
Join and Authentication issues
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbi_add_qqne.mspx?mfr=true
PortQry Command Line Port Scanner Version 2.0 (PortQry download)
http://www.microsoft.com/downloads/details.aspx?FamilyID=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en
Author: Lai Go / Date: 2008.09.25