How To Security Servers Technology

Astaro SG “Joining domain failed”

Astaro LogoI just spent the last 2 business days working on trying to get my Astaro SG 120 v7.507 to re-join the domain, after I deleted the “computer” entry from our Windows 2003 SBS AD. After deleting the computer entry, I rebooted the Astaro box and attempted to join it to the domain (with the same flawless effort I experienced during the initial setup). No luck.

I ran across several Astaro User Forum posts telling people the same things over and over about what to check, and none of it was helping.

I’ll try and give a run through of some error message appearances from the Fallback error log, and what you should do to fix them. If you have more, leave them in the comments below, and I’ll add them.

ads_get_dnshostname: No dNSHostName attribute!

You need to make sure you have a Host Name specified in the FQDN style in the Management > System Settings > Hostname tab

ads_keytab_add_entry: unable to determine machine account’s dns name in AD

  • You need to make sure your Astaro box doesn’t show up as a Computer listed in Active Directory anywhere there are computers listed, then you need to make sure there is a DNS Host (A) entry for your hostname, and also you need to reboot your Active Directory and/or DNS server. (For me, they were the same Windows SBS Box, but a reboot fixed this error message.)

»clock skew too great«

  • You need to make sure the Time & Date on both the Astaro box and the Active Directory server are no more than 5 minutes apart.

»pre-authentication failed«

Make sure the Username/Password you're using to join the domain are correct. They should look like the image above.

Below is the fix that finally worked for me, but I never saw anything in the User Forums (or anywhere else, for that matter) related to these error codes and the Astaro box (only to Samba and Linux Servers).




pipe \lsarpc fnum

  • This means that the Intrusion Prevention System is preventing the Active Directory server from approving the Active Directory join. You need to create an Exception like this:
Go to Network Security > Intrusion Prevention > Exceptions and create a new Exception that Skips "Intrusion Prevention" and list the Active Directory Server in the Source Network area.

I’m sure there are probably more items in the Fallback error logs that folks have encountered. Surprisingly, I didn’t even come across this PDF document detailing a lot of them during my searches until I was researching the error codes for this post. Check that document out and see if your answer is in there.


The main rebuttals from most of the “suggestions” you’ll find on the User Forums are:

  1. You don’t need to create a Pre-Win2000 Computer in Active Directory for this to work.
  2. You can’t have an existing computer entry in Active Directory for the hostname you’ve given your Astaro box.
  3. You should create a DNS Host (A) entry for the Astaro box, if you run a DNS server outside of the Astaro box
  4. The Time & Date on both the Server and Astaro Box need to be within 5 minutes of each other.
  5. You don’t have to be able to ping the Astaro box from the server for this to work.
  6. You do have to be able to ping the Active Directory server from the Astaro box’s Support > Tools area
  7. Domains ending in .local will work.
  8. You don’t have to use all CAPS when filling in the hostname  & domain name, but it’s suggested by the Astaro people. It won’t make a difference to DNS – CAPS or lowercase both resolve the same.

As I mentioned above, if you have any other error messages or tips or suggestions, etc., related to getting the Astaro box on the domain, please post them in the comments. Too many people have spent too long trying to get things to work simply because the information wasn’t out there when they were searching.

By [[Neo]]

I am a web programmer, system integrator, and photographer. I have been writing code since high school, when I had only a TI-83 calculator. I enjoy getting different systems to talk to each other, coming up with ways to mimic human processes using technology, and explaining how complicated things work.

Of my many blogs, this one is purely about the technology projects, ideas, and solutions that I have come across in my internet travels. It's also the place for technical updates related to my other sites that are part of The-Spot.Network.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.