Hi Renato: Try stepping through the troubleshooting steps below: 


Solve Domain-Join Problems

To troubleshoot problems with joining a Linux computer to a domain,
perform the following series of diagnostic tests sequentially on the
Linux computer with a root account. The tests can also be used to
troubleshoot domain-join problems on a Unix or Mac OS X computer;
however, the syntax of the commands on Unix and Mac might be slightly

The procedures in this topic assume that you have already checked
whether the problem falls under the Top 10 Reasons Domain Join Fails. It
is also recommended that you generate a domain-join log.


Verify that the Name Server Can Find the Domain

Run the following command as root:

nslookup ADrootDomain.com


Make Sure the Client Can Reach the Domain Controller

You can verify that your computer can reach the domain controller by
pinging it:

ping domainName


Verify that Outbound Ports Are Open

Run the following command as root:

domainjoin-cli join --details firewall likewisedemo.com

The results of the command show whether you must open any ports.

For a list of ports that must be open on the client, see Make Sure
Outbound Ports Are Open.


Check DNS Connectivity

The computer might be using the wrong DNS server or none at all. Make
sure the nameserver entry in /etc/resolv.conf contains the IP address of
a DNS server that can resolve the name of the domain you are trying to
join. This is likely to be the IP address of one of your domain

Make Sure nsswitch.conf Is Configured to Check DNS for Host Names

The /etc/nsswitch.conf file must contain the following line. (On AIX,
the file is /etc/netsvc.conf.)

hosts: files dns

Computers running Solaris, in particular, may not contain this line in
nsswitch.conf until you add it.


Ensure that DNS Queries Are Not Using the Wrong Network Interface Card

If the computer is multi-homed, the DNS queries might be going out the
wrong network interface card. Temporarily disable all the NICs except
for the card on the same subnet as your domain controller or DNS server
and then test DNS lookups to the AD domain. If this works, re-enable all
the NICs and edit the local or network routing tables so that the AD
domain controllers are accessible from the host.


Determine Whether the DNS Server Is Configured to Return SRV Records

Your DNS server must be set to return SRV records so the domain
controller can be located. It is common for non-Windows (bind) DNS
servers to not be configured to return SRV records. 

Diagnose by executing the following command:

nslookup -q=srv _ldap._tcp.ADdomainToJoin.com


Make Sure that the Global Catalog Is Accessible

The global catalog for Active Directory must be accessible. A global
catalog in a different zone might not show up in DNS. Diagnose by
executing the following command:

nslookup -q=srv _ldap._tcp.gc._msdcs.ADrootDomain.com

From the list of IP addresses in the results, choose one or more
addresses and test whether they are accessible on Port 3268 by using

telnet 3268

Connected to sales-dc.likewisedemo.com (
Escape character is '^]'.

Press the Enter key to close the connection:

Connection closed by foreign host.

Verify that the Client Can Connect to the Domain on Port 123

The following test checks whether the client can connect to the domain
controller on Port 123 and whether the Network Time Protocol (NTP)
service is running on the domain controller. For the client to join the
domain, NTP -- the Windows time service -- must be running on the domain

On a Linux computer, run the following command as root:

ntpdate -d -u DC_hostname 

Example: ntpdate -d -u sales-dc

For more information, see Diagnose NTP on Port 123.

In addition, check the logs on the domain controller for errors from
source w32tm, the Windows time service.


(c) 2008 Likewise Software. All rights reserved. For more information,
contact [EMAIL PROTECTED] or visit www.LikewiseSoftware.com
<http://www.likewisesoftware.com/> .



Behalf Of Renato F. Fuyonan Jr.
Sent: Friday, August 29, 2008 4:36 AM
To: likewise-open-discuss@lists.likewisesoftware.com
Subject: [Likewise-open-discuss] Lsass Error


I have installed Likewise Open on my Fedora 9 box.... 

Doing domainjoin-cli join domain account would output:

Error: Lsass Error [code 0x00080047]
Error [code:-1]

Please help what does this mean? I cannot let my Fedora 9 join AD
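
The DNS and global catalog checks from the troubleshooting steps in the reply above, combined into one script that can be run as root before retrying the join. This is an added example, not part of the original messages or of Likewise's documentation; the function and script names are hypothetical, and nc (assumed to be a netcat that supports -z and -w) stands in for the interactive telnet test.

```shell
#!/bin/sh
# Added example (not Likewise code): local pre-checks for the DNS steps above.
# Usage: sh joincheck.sh ADdomainToJoin.com [ADrootDomain.com]  (hypothetical name)

# Print each nameserver address from a resolv.conf-style file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Succeed only if the "hosts:" line lists dns (text after '#' is ignored).
hosts_uses_dns() {
    awk '{ sub(/#.*/, "") }
         $1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "dns") found = 1 }
         END { exit !found }' "${1:-/etc/nsswitch.conf}"
}

# Read "nslookup -q=srv" output on stdin; print the target host of each answer.
srv_targets() {
    awk '/service = / { h = $NF; sub(/\.$/, "", h); print h }'
}

# Run the checks in the order the steps give them; return 1 if any check fails.
run_checks() {
    domain=$1; root=${2:-$1}; rc=0
    [ -n "$(nameservers)" ] || { echo "FAIL: no nameserver in /etc/resolv.conf"; rc=1; }
    hosts_uses_dns || { echo "FAIL: 'hosts:' in /etc/nsswitch.conf lacks dns"; rc=1; }
    dcs=$(nslookup -q=srv "_ldap._tcp.$domain" 2>/dev/null | srv_targets)
    [ -n "$dcs" ] || { echo "FAIL: no SRV records for _ldap._tcp.$domain"; rc=1; }
    gcs=$(nslookup -q=srv "_ldap._tcp.gc._msdcs.$root" 2>/dev/null | srv_targets)
    [ -n "$gcs" ] || { echo "FAIL: no global catalog SRV records for $root"; rc=1; }
    for gc in $gcs; do
        # Port 3268 is the global catalog port named in the steps above.
        if nc -z -w 5 "$gc" 3268; then
            echo "OK: $gc:3268 reachable"
        else
            echo "FAIL: $gc:3268 unreachable"; rc=1
        fi
    done
    return $rc
}

# Only touch the network when a domain name is given on the command line.
if [ "$#" -gt 0 ]; then run_checks "$@"; fi
```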

