LW_ERROR_DOMAIN_IS_OFFLINE
On Domain Join
Error
LW_ERROR_DOMAIN_IS_OFFLINE [code 0x00009cb9] the domain is offline.
Cause
This issue typically occurs because network ports required by Kerberos are blocked.
[root@host1 bin]$ ./domainjoin-cli --loglevel debug --logfile /tmp/join.log join --ou 'My OU' example.com Administrator
Joining to AD Domain: example.com
With Computer DNS Name: host1.example.com
Administrator@EXAMPLE.COM's password:
Error: LW_ERROR_DOMAIN_IS_OFFLINE [code 0x00009cb9]
The domain is offline
Resolution
To correct this issue, verify that all ports required by Kerberos are open, or modify firewall rules to allow Kerberos traffic on the following ports:
- Kerberos: 88 UDP/TCP
- Machine password changes (typically after 30 days): 464 UDP/TCP
In the gpagent Logs
Error
LW_ERROR_DOMAIN_IS_OFFLINE error in gpagent while the primary domain is online.
Cause
The gpagent service consistently throws LW_ERROR_DOMAIN_IS_OFFLINE errors while the primary domain is online. Group policies may also correctly appear in the /var/lib/pbis/grouppolicy directory.
gpagent: [gpagent] Error processing group policies while processing list of group policy objects for computer, error: [0x 9CB9] (LW_ERROR_DOMAIN_IS_OFFLINE)
In this situation, there may be no discernible impact, but the above errors continue to appear in /var/log/messages (or equivalent).
You may see this error without any visible impact if one of the trusted domains in the customer's environment is unreachable. To verify this, run /opt/pbis/bin/get-status and look in the list of trusted domains for:
Domain flags: [0x0002] [0x0002 - Offline]
The gpagent service will attempt to download any group policies it has access to, even if they aren't intended to be applied to the target computer. To resolve the errors, investigate network or DNS issues that may be preventing communication with the trusted domain that is unavailable.
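The get-status check described above can be scripted. This is an added example, not part of PBIS: it assumes each trusted-domain block prints a "DNS Domain:" line before its "Domain flags:" line, and the sample output embedded in it is constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of PBIS: list the trusted domains that
# get-status reports with the Offline domain flag.
# Assumption: every trusted-domain block has a "DNS Domain:" line ahead
# of its "Domain flags:" line.

offline_domains() {
    awk '
        /DNS Domain:/ { domain = $NF; in_flags = 0; next }
        /Domain flags:/ { in_flags = 1 }
        # Any other "key: value" line ends the flags section; continuation
        # lines begin with "[" and keep it open.
        /^[ \t]*[A-Za-z]/ && !/Domain flags:/ { in_flags = 0 }
        in_flags && /- Offline\]/ && domain != "" { print domain; domain = "" }
    '
}

# Constructed sample: one online primary domain and one offline trust,
# with the flag description on the same line and on a continuation line.
sample_status() {
    cat <<'EOF'
[Trusted Domains: 2]
[Domain: EXAMPLE]
    DNS Domain:       example.com
    Trust Direction:  Primary Domain
    Domain flags:     [0x0001] [0x0001 - Primary]
[Domain: PARTNER]
    DNS Domain:       partner.example.net
    Trust Direction:  Two Way Trust
    Domain flags:     [0x0002]
                      [0x0002 - Offline]
EOF
}

# Use the real tool when it is installed, otherwise the constructed sample.
GET_STATUS=/opt/pbis/bin/get-status
if [ -x "$GET_STATUS" ]; then
    "$GET_STATUS" | offline_domains
else
    sample_status | offline_domains
fi
```

Each domain it prints is a candidate for the network or DNS investigation above, or for the exclude list if it is unavailable by design.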
Resolution
If the domain is unavailable by design, you can exclude it from being enumerated by setting the Lsass:Domain trust enumeration exclude list group policy setting and specifying the domains you would like to exclude.