Domain Join Error 0x6ba

While joining a machine to a domain, several errors can occur. Domain Join Error 0x6ba is one of the most frequent, but it has several different causes: 0x6ba is 1722 in decimal, RPC_S_SERVER_UNAVAILABLE ("The RPC server is unavailable"), so by itself it only tells you that an RPC call to the domain controller did not get through, not why.

Let’s recap the needed things to properly join the domain:

  1. The machine must be able to resolve the domain name
  2. The machine must be able to retrieve a domain controller name for that domain
  3. The machine must be able to contact that domain controller
  4. The user performing the action must have enough rights to create or update the computer account in that domain
  5. The domain controller must also be able to contact that machine
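The first three steps of this checklist can be walked mechanically from the machine being joined. The following PowerShell is an added example, not part of the original post: `$Domain` is an assumed name to replace with your own, and `Resolve-DnsName`, `Test-NetConnection` and `nltest.exe` are the standard Windows tools. Steps 4 and 5 cannot be verified from this side; step 5 needs a `Test-NetConnection` run from the domain controller back to this host.

```powershell
# Added example (not from the original post): steps 1-3 of the checklist, run from the machine
# being joined. $Domain is an assumption; substitute the domain you are joining.
$Domain = 'corp.example'

function Test-DomainJoinPrerequisites {
    param([Parameter(Mandatory)] [string] $Domain)
    $report = [ordered]@{}

    # Step 1: the domain name must resolve. Domain controllers register A records at the zone apex.
    $apex = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue
    $report['1. domain resolves'] = [bool]$apex

    # Step 2: the DC locator finds a domain controller through the _ldap._tcp.dc._msdcs SRV records.
    # Resolve-DnsName also returns the A records of the targets, so keep only the SRV entries.
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })
    $report['2. DC SRV records'] = $srv.Count
    $dc = $srv | Sort-Object Priority, Weight | Select-Object -First 1 -ExpandProperty NameTarget

    # Step 3: that DC must be reachable; LDAP (TCP/389) is the first thing the join talks to.
    $report['3. DC reachable'] = if ($dc) {
        "$dc TCP/389: " + (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    } else { 'no DC found' }

    # Cross-check step 2 with the locator the join code itself uses (nltest prints "DC: \\<name>").
    $located = & nltest.exe "/dsgetdc:$Domain" 2>&1 | Select-String -Pattern 'DC:\s+\\\\(\S+)' | Select-Object -First 1
    $report['nltest /dsgetdc'] = if ($located) { $located.Matches[0].Groups[1].Value } else { 'locator failed' }

    [pscustomobject]$report
}

Test-DomainJoinPrerequisites -Domain $Domain | Format-List
```

If step 2 returns zero SRV records while step 1 succeeds, the machine is pointing at a DNS server that does not host (or forward to) the `_msdcs` zone, which is a far more common cause than a broken domain controller.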

Sometimes this checklist is not enough and you are left wondering why the join operation fails, because most of the time the error is very generic.

Remember that C:\Windows\Debug\NetSetup.log records every attempt to join or unjoin a domain, so it is the first place to look.

Let's look at a somewhat advanced example: the join starts correctly, but after the reboot the domain administrators cannot log in.

When analyzing netsetup.log, there are two key principles:

  • Start from the end: the final status of the last attempted action is written on the last lines
  • Notice that each subpart of the attempt is separated by dashed lines.

In this example the last line carries a 0x6ba error. Moving backwards to its first appearance, we find that the error first shows up four lines before the end, with the message ‘Unable to bind the DS’ followed by the name of a domain controller.
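The two reading rules above can be applied mechanically. The PowerShell below is an added example, not the post's own code: it walks the log backwards, treats each dashed line as a section boundary, and reports the earliest line of the last attempt that carries the error code. `$SampleLog` is constructed for this example and is not a real NetSetup.log excerpt (the function names only mimic the real log's style); on a real machine, feed it `Get-Content C:\Windows\Debug\NetSetup.log`.

```powershell
# Added example (not from the original post): apply the two NetSetup.log reading rules -
# start from the end, treat each dashed line as a section boundary - and report where the
# error code first appears in the last attempt.
function Find-FirstErrorInLastAttempt {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string] $ErrorCode = '0x6ba'
    )
    $separator       = '^-{5,}\s*$'   # NetSetup.log separates each step with a line of dashes
    $found           = $null
    $sectionHadMatch = $false
    $seenContent     = $false

    for ($i = $Lines.Count - 1; $i -ge 0; $i--) {
        $line = $Lines[$i]
        if ($line -match $separator) {
            if ($found) {
                # Crossed into an earlier section: stop as soon as a whole section had no occurrence.
                if (-not $sectionHadMatch) { break }
                $sectionHadMatch = $false
            } elseif ($seenContent) {
                return $null               # the last attempt does not mention this code at all
            }
            continue                       # trailing separator before any content
        }
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $seenContent = $true
        if ($line -like "*$ErrorCode*") {
            $sectionHadMatch = $true
            # Keep overwriting while walking backwards: the last assignment is the earliest hit.
            $found = [pscustomobject]@{
                LineNumber   = $i + 1
                LinesFromEnd = $Lines.Count - $i
                Text         = $line.Trim()
            }
        }
    }
    return $found
}

# Constructed sample in the style of NetSetup.log; not a real excerpt.
$SampleLog = @'
-----------------------------------------------------------------
01/01/2024 10:00:01:000 NetpDoDomainJoin
01/01/2024 10:00:01:000 NetpDsGetDcName: trying to find DC in domain 'corp.example', flags: 0x40001010
01/01/2024 10:00:01:010 NetpDsGetDcName: found DC '\\DC01.corp.example' in the specified domain
-----------------------------------------------------------------
01/01/2024 10:00:01:020 NetpJoinDomain: Unable to bind the DS on 'DC01.corp.example': 0x6ba
01/01/2024 10:00:01:021 NetpJoinDomainOnDs: Function exits with status of: 0x6ba
01/01/2024 10:00:01:021 NetpDoDomainJoin: status of disconnecting from '\\DC01.corp.example': 0x0
01/01/2024 10:00:01:022 NetpDoDomainJoin: status: 0x6ba
'@

$result = Find-FirstErrorInLastAttempt -Lines ($SampleLog -split "`r?`n") -ErrorCode '0x6ba'
$result | Format-List          # LinesFromEnd is 4 for the sample, as in the post's case

# Best-effort: pull the domain controller named on that line, so you know which DC to test next.
if ($result -and $result.Text -match '(?i)\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b') {
    "Domain controller to check: $($Matches[1])"
}
# On a real machine:  Find-FirstErrorInLastAttempt -Lines (Get-Content C:\Windows\Debug\NetSetup.log)
```

The function deliberately returns nothing when the last section does not mention the code at all: a 0x6ba found further up belongs to an older attempt and would send you chasing a problem that may already be fixed.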

An ‘unable to bind’ message means that, at some point in the exchange, the machine could not reach the AD DS service on the named domain controller. You may want to check:

  • that the AD DS related services are running on that domain controller
  • that the firewall is properly configured on the domain controller
  • that the firewall is properly configured on the member server (Windows Firewall allows outbound traffic by default, so there should be no blocking outbound rules, but check anyway)
  • that no other firewall has been put in place by another team, and that the ports are open. PortQry will help you check that. In particular you will need:
    • TCP-UDP/53 for DNS (steps 1 and 2 of the checklist)
    • UDP/123 for time synchronisation (Kerberos tolerates only a small clock skew)
    • TCP-UDP/389 for LDAP and TCP/3268 for the Global Catalog
    • TCP/636 and TCP/3269 if doing LDAPS
    • TCP-UDP/88 for Kerberos
    • TCP-UDP/464 for Kerberos password changes
    • TCP/135 for the RPC endpoint mapper
    • TCP/445 for SMB
    • TCP/49152-65535, the default RPC dynamic port range, unless you have restricted it on the domain controller; check the range actually configured there. The endpoint mapper on TCP/135 only tells the client which port in that range to connect to; the directory call itself goes to that dynamic port.

In our case the first steps succeed because TCP/135 is open, but the dynamic range is not: the endpoint mapper answers, and the subsequent connection to the dynamic port it hands out is dropped, which is why the log reports ‘Unable to bind the DS’ with 0x6ba (RPC server unavailable) even though the domain controller was found.
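The checklist above can be run from the member server with plain TCP connects, and the post's exact failure mode (TCP/135 open, dynamic range blocked) can be proven rather than guessed. The PowerShell below is an added example, not the post's own code. `$DomainController` and the PortQry path are assumptions; `$SampleEpmOutput` is constructed text in the shape of `portqry -n <dc> -e 135` output, so the script runs without a domain controller. The trick is to test the dynamic ports the endpoint mapper actually registered, and to tell a timeout (something dropping packets) from a connection refused (path open, port not listening).

```powershell
# Added example (not from the original post): run the post's port checklist from the member
# server. $DomainController and the PortQry path are assumptions; $SampleEpmOutput is
# constructed in the shape of 'portqry -n <dc> -e 135' output so the script runs offline.
$DomainController = 'DC01.corp.example'

function Test-TcpPath {
    param(
        [Parameter(Mandatory)] [string] $Computer,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'Filtered'            # neither SYN-ACK nor RST came back: packets are being dropped
        }
        $client.EndConnect($handle)      # throws if the connect finished with an error
        return 'Open'
    } catch {
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap PowerShell's MethodInvocationException
        if ($ex -is [System.Net.Sockets.SocketException] -and
            $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            return 'Closed'              # RST came back: the path is open, nothing listens on that port
        }
        return "Error: $($ex.Message)"
    } finally {
        $client.Close()
    }
}

# Ports the endpoint mapper reports for TCP (ncacn_ip_tcp) endpoints: the dynamic ports the
# join actually connects to once TCP/135 has answered.
function Get-EpmTcpPorts {
    param([Parameter(Mandatory)] [string] $PortQryOutput)
    [regex]::Matches($PortQryOutput, 'ncacn_ip_tcp:[^\[\r\n]+\[(\d+)\]') |
        ForEach-Object { [int] $_.Groups[1].Value } | Sort-Object -Unique
}

# Constructed sample of PortQry's endpoint-mapper listing; not captured from a real DC.
$SampleEpmOutput = @'
Querying Endpoint Mapper Database...
Server's response:

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:DC01.corp.example[49667]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:\\\\DC01.corp.example[\\PIPE\\lsass]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_ip_tcp:DC01.corp.example[49670]
'@
# Live equivalent (assumed install path):
#   $SampleEpmOutput = (& 'C:\PortQryV2\PortQry.exe' -n $DomainController -e 135 -p tcp) -join "`n"
$epmPorts = Get-EpmTcpPorts -PortQryOutput $SampleEpmOutput

# Fixed TCP ports from the checklist. UDP/53, 88, 123, 389 and 464 cannot be tested with a TCP
# connect; use  portqry -n <dc> -p udp -e <port>  for those.
$StaticPorts = [ordered]@{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB'
    464 = 'Kerberos kpasswd'; 636 = 'LDAPS'; 3268 = 'Global Catalog'; 3269 = 'Global Catalog SSL'
}
$checks = foreach ($port in $StaticPorts.Keys) {
    [pscustomobject]@{ Port = $port; Service = $StaticPorts[$port]; Result = Test-TcpPath $DomainController $port }
}
$checks += @(foreach ($port in $epmPorts) {
    [pscustomobject]@{ Port = $port; Service = 'RPC endpoint from EPM'; Result = Test-TcpPath $DomainController $port }
})
$checks | Format-Table -AutoSize

# The post's case: 135 answers but the dynamic range it points to is blocked. A 'Filtered' result
# on an EPM-registered port is a real drop (the DC is listening there). Probing arbitrary ports in
# 49152-65535 would prove little: Windows Firewall drops SYNs to closed ports silently, so those
# look 'Filtered' even on a healthy path.
$epm135  = ($checks | Where-Object Port -eq 135).Result
$dynamic = $checks | Where-Object Service -eq 'RPC endpoint from EPM'
if ($epm135 -eq 'Open' -and $dynamic -and -not ($dynamic.Result -contains 'Open')) {
    Write-Warning "TCP/135 is open but none of the EPM-registered ports ($($epmPorts -join ', ')) on $DomainController are reachable: expect 'Unable to bind the DS' / 0x6ba."
}
```

Run it from the member server that fails to join; a `Closed` on TCP/135 or TCP/389 means you reached a host that is not a domain controller (wrong name or DNS record), while `Filtered` on the EPM-registered ports with `Open` on 135 is exactly the case described in the post.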
