Wanted to share some things I learned while troubleshooting another domain join issue.
In my case, I upgraded my FAC HA LB cluster from 5.4.1 > 6.0.3 and afterwards the secondary/slave unit would not re-join 1 of my domains. The master re-joined all 4 properly, but the slave just would not rejoin a single domain for some reason.
TL;DR:
The quickest way to fix an issue like this probably just to delete the machine account from the domain, and re-join using a service account that has Domain Administrator privileges. Once the FAC has properly re-joined the domain, you can remove the Domain Administrator privileges from the account. The FAC will create the machine account for you, with all of the necessary settings it wants it to have. Letting the FAC create the machine account is definitely the best approach, imho.
Debugging Active Directory domain issues
[ol]
Obtain and apply the debug image from FortiNet TAC.This will enable you to drop to the shell from a console window by typing 'shell'[ol]> shell
bash-3.1#
[/ol]We will use the command /bin/smbop to debug the domain join issues.First determine what the ID value is for the domain in question by using the 'list' argument[ol]/bin/smbop list
------
2: mycorp.com
3: othercorp.com
1: yetanother.com
4: domain.icareabout.com
[/ol]In my case, the last domain 'domain.icareabout.com' is giving me trouble, which uses ID value of '4'Attempt a join using the debug flag against that domain:[ol]/bin/smbop -d join 4[/ol]You will get a ton of output likely. The error you care about should be at the very bottom[ol]Look for a line named 'error_string' - that should have the error you care about[/ol]In my case I ended up with two errors:[ol]"Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)"[ol]To resolve I deleted the machine account from the domain.Then attempted to join again, and got this error:[/ol]"Failed to set machine spn: Constraint violation Do you have sufficient permissions to create machine accounts?"[ol]To resolve this, the service account that I use had it's permissions adjusted as detailed in this post.[/ol][/ol]Once you have made the necessary changes, run the domain join command from Step 6 again.Profit.[/ol]
