[Likewise-open-discuss] Error: Manual configuration required [code0x00080043]

Robert Auch rauch at likewisesoftware.com
Tue Apr 29 20:09:48 PDT 2008


According to the documentation at http://support.microsoft.com/kb/555381 these ports are required for proper operation of any Windows 2003 Domain controller, no matter which client is joining.  (137 UDP is included in the "file and printer sharing" group).

<quote>
In the following, only items specifically related to correct functioning of a Domain Controller are listed; unlisted items can be set to any value desired.  For example, it may be useful to have the Allow Remote Desktop exception set to Enabled so the Domain Controller can be administered remotely, which is common in large installations where Domain Controllers are remotely located.
 
    a. Windows Firewall: Protect all network connections - Enabled
    b. Windows Firewall: Allow remote administration exception - Enabled (enables port 135 and 445 which are both required for Domain Controllers)
    c. Windows Firewall: Allow file and printer sharing exception: - Enabled
    d. Windows Firewall: Define port exceptions: - Enabled (in the list of port exceptions below, the * indicates incoming requests from any IP address will be accepted.  Other values are possible - see the text on the Setting tab in Group Policy Editor for details.  For example, localsubnet may be applicable in some circumstances).  The strings below are exactly what needs to be in the list of port exceptions.
         123:udp:*:enabled:NTP
         3268:tcp:*:enabled:Global Catalog LDAP
         389:tcp:*:enabled:LDAP
         389:udp:*:enabled:LDAP
         53:tcp:*:enabled:DNS
         53:udp:*:enabled:DNS
         53211:tcp:*:enabled:AD Replication (Note: use the port number selected in 1.b.i above)
         53212:tcp:*:enabled:File Replication Service (Note: use the port number selected in 1.b.ii above)
         88:tcp:*:enabled:Kerberos
         88:udp:*:enabled:Kerberos
</quote>

Because Windows clients can do a "net time /set" rather than NTP to sync their time, they're likely getting around NTP being blocked.  You may want to check the event logs on your clients to make sure that they are working 100%.

Robert Auch

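A bare port scan cannot settle the question raised above, because a UDP port that is firewalled or has no listener is simply silent (a scanner reports it as open|filtered either way). The script below is an added example, not code from this thread or from Likewise: it sends a minimal, standards-conformant client request to the UDP ports domainjoin-cli listed that have a simple request/response protocol (NTP on 123, DNS on 53, NetBIOS name service on 137) and reports whether the DC answered, replied with ICMP port unreachable, or stayed silent. The DC hostname (defaulting to servaut.prefeitura from the error message), the transaction id and the request payloads are my own assumptions; Kerberos 88/464 are left to kinit, since a meaningful probe there needs a real AS-REQ.

```python
#!/usr/bin/env python3
"""Protocol-level probes for the UDP ports domainjoin-cli complained about.
Hostname, transaction ids and payloads are constructed for this example."""
import socket
import struct
import sys

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def build_ntp_request():
    """48-byte SNTP client packet: LI=0, VN=3, Mode=3 (client) -> first byte 0x1b."""
    return b"\x1b" + b"\x00" * 47


def parse_ntp_reply(data):
    """Return (stratum, unix_transmit_time) from a server reply (mode 4)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    if data[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return data[1], secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def build_dns_query(name, txid=0x1234):
    """Recursion-desired A query for `name` in RFC 1035 wire format (UDP 53)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode() for part in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_nbstat_query(txid=0x1234):
    """NetBIOS Node Status request for the wildcard name '*' (RFC 1002, UDP 137)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    # First-level encoding: '*' (0x2A) -> "CK", then 15 NUL pad bytes -> 30 'A's.
    qname = b"\x20" + b"CK" + b"A" * 30 + b"\x00"
    return header + qname + struct.pack("!HH", 0x0021, 1)  # NBSTAT, IN


def parse_dns_like_reply(data, txid=0x1234):
    """DNS and NBNS share the same header layout: return (rcode, answer_count)."""
    if len(data) < 12:
        raise ValueError("short packet")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    return flags & 0x000F, an


def probe_udp(host, port, payload, timeout=2.0):
    """One datagram, one reply. bytes = answered, b'' = ICMP port unreachable
    (nothing listening), None = silence (firewall drop, or ICMP suppressed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connect() so the kernel reports ICMP errors to us
        s.send(payload)
        try:
            return s.recv(1024)
        except socket.timeout:
            return None
        except ConnectionRefusedError:
            return b""


def probe_dc(host):
    """Probe the ports from the domainjoin-cli message that have a simple
    request/response protocol and return a label -> status mapping."""
    checks = {
        "123/udp NTP": (123, build_ntp_request(),
                        lambda d: "stratum %d" % parse_ntp_reply(d)[0]),
        "53/udp DNS": (53, build_dns_query(host),
                       lambda d: "rcode %d, %d answers" % parse_dns_like_reply(d)),
        "137/udp NBNS": (137, build_nbstat_query(),
                         lambda d: "rcode %d, %d answers" % parse_dns_like_reply(d)),
    }
    results = {}
    for label, (port, payload, describe) in checks.items():
        reply = probe_udp(host, port, payload)
        if reply is None:
            results[label] = "no reply (filtered or dropped)"
        elif reply == b"":
            results[label] = "port unreachable (nothing listening)"
        else:
            try:
                results[label] = "OK: " + describe(reply)
            except ValueError as e:
                results[label] = "replied but malformed: %s" % e
    return results


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "servaut.prefeitura"
    for label, status in sorted(probe_dc(dc).items()):
        print("%-14s %s" % (label, status))
```

Run it from the Linux box as `python3 probe_dc.py servaut.prefeitura`. A "no reply" on 123 with the other two answering is the firewall picture the error message describes; "port unreachable" means the packet got through but nothing is bound there, which is a different fix (enable the service, not the exception).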

From: likewise-open-discuss-bounces at lists.likewisesoftware.com [mailto:likewise-open-discuss-bounces at lists.likewisesoftware.com] On Behalf Of Lealcy Belegante Junior
Sent: Tuesday, April 29, 2008 9:34 AM
To: likewise-open-discuss at lists.likewisesoftware.com
Subject: [Likewise-open-discuss] Error: Manual configuration required [code0x00080043]

I received the error below when trying to put my PC on the domain:

--

root at cpd05:/home/lbjunior# domainjoin-cli join prefeitura lbjunior mypass
Joining to AD Domain:   prefeitura
With Computer DNS Name: cpd05.prefeitura


Error: Manual configuration required [code 0x00080043]

The configuration stage 'open ports to DC' cannot be completed automatically.
Please manually perform the following steps and rerun the domain join:

Some required ports on the domain controller could not be contacted. Please
update your firewall settings to ensure that the following ports are open to
'servaut.PREFEITURA':
    88  UDP
    137 UDP
    389 UDP
    464 UDP
    123 UDP

--

A port scan of servaut.prefeitura shows me that the only ports that appear to be closed are 137 and 123. My domain server is a Windows Server 2003.

My Windows XP machines connect to domain normally.

Are these ports REALLY necessary to be open for Linux to connect to the domain, when the other Windows XP clients do not require this?

Does a workaround exist for this issue?

Thank you all.

