LW_ERROR_DOMAIN_IS_OFFLINE

On Domain Join

Error

LW_ERROR_DOMAIN_IS_OFFLINE [code 0x00009cb9] The domain is offline.

Cause

This issue typically occurs because network ports required by Kerberos are blocked.

[root@host1 bin]$ ./domainjoin-cli --loglevel debug --logfile /tmp/join.log join --ou 'My OU' example.com Administrator
Joining to AD Domain: example.com
With Computer DNS Name: host1.example.com
Administrator@EXAMPLE.COM's password:
Error: LW_ERROR_DOMAIN_IS_OFFLINE [code 0x00009cb9] The domain is offline

Resolution

To correct this issue, verify that all ports required by Kerberos are open, or modify firewall rules to allow Kerberos traffic on the following ports:

  • Kerberos: 88 UDP/TCP
  • Machine password changes (typically after 30 days): 464 UDP/TCP

In the gpagent Logs

Error

LW_ERROR_DOMAIN_IS_OFFLINE error in gpagent while the primary domain is online.

Cause

The gpagent service consistently throws LW_ERROR_DOMAIN_IS_OFFLINE errors while the primary domain is online. Group policies may also correctly appear in the /var/lib/pbis/grouppolicy directory.

gpagent: [gpagent] Error processing group policies while processing list of group policy objects for computer, error: [0x 9CB9] (LW_ERROR_DOMAIN_IS_OFFLINE)

In this situation, there may be no discernible impact, but the above errors continue to appear in /var/log/messages (or equivalent).

You may see this error without any visible impact if one of the trusted domains in the environment is unreachable. To verify this, run /opt/pbis/bin/get-status and look in the list of trusted domains for:

Domain flags: [0x0002]
[0x0002 - Offline]

The gpagent service will attempt to download any group policies it has access to, even if they aren't intended to be applied to the target computer. To resolve the errors, investigate network or DNS issues that may be preventing communication with the trusted domain that is unavailable.
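The get-status check described above can be scripted so that each trusted domain carrying the Offline flag is listed by name. This is an added example, not part of the original article or the product: the function names are hypothetical, and the sample output is constructed and trimmed, with the "[Domain: ...]" and "DNS Domain:" labels assumed from typical get-status output.

```shell
#!/bin/sh
# Added example: list trusted domains that get-status reports as Offline.
# Live use on a joined host:
#   /opt/pbis/bin/get-status | offline_trusted_domains

# Constructed, trimmed sample of the trusted-domain part of get-status output.
# Only the "Domain flags" lines are taken from the article; the other field
# labels are assumptions about the surrounding layout.
sample_status() {
cat <<'EOF'
[Trusted Domains: 2]
[Domain: EXAMPLE]
    DNS Domain:       example.com
    Domain flags:     [0x0001]
                      [0x0001 - Primary]
[Domain: LEGACY]
    DNS Domain:       legacy.example.net
    Domain flags:     [0x0002]
                      [0x0002 - Offline]
EOF
}

# Reads get-status output on stdin and prints one domain name per line for
# every domain whose "Domain flags" breakdown contains the Offline flag.
offline_trusted_domains() {
    awk '
        # A new domain stanza starts: remember its short name, reset state.
        /^[ \t]*\[Domain:/ {
            name = $2; sub(/\]$/, "", name)
            dns = ""; in_flags = 0; next
        }
        # Prefer the DNS name when the stanza provides one.
        /DNS Domain:/   { dns = (NF >= 3) ? $3 : ""; next }
        # Only flag lines that follow "Domain flags:" are relevant; other
        # flag fields in the stanza use the same bracketed layout.
        /Domain flags:/ { in_flags = 1; next }
        in_flags && /^[ \t]*\[0x[0-9A-Fa-f]+ - / {
            if ($0 ~ /- Offline\]/) print (dns != "" ? dns : name)
            next
        }
        { in_flags = 0 }
    '
}

# Run against the constructed sample.
sample_status | offline_trusted_domains
```

Each name printed is a domain to investigate for network or DNS problems, or a candidate for the exclude list if it is unavailable by design.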

Resolution

If the domain is unavailable by design, you can exclude it from being enumerated by setting the Lsass:Domain trust enumeration exclude list group policy setting and specifying the domains you would like to exclude.