RIS built Machines won't join the domain after upgrading to W2k3sp

Guest

After upgrading to W2k3 SP1, XP SP2 PCs built via RIS fail to join the
domain even though the workstation accounts are being created by RIS during
the build process. Prior to the upgrade over 300 PCs had been deployed via
RIS, and this issue is occurring on multiple servers. Rolling back SP1 does
seem to resolve the issue. Also, RIS is running on domain controllers.

Any assistance or recommendations would be appreciated.
 
Guest

I forgot to mention that the Setuperr.log reports the following
Error:
Netsetup:Join domain XXXXXXXX in full unattended mode failed. Setup will
proceed to add the workstation to the default domain.

However, I am able to add the workstation to the domain if I log in locally
and then add the workstation to the domain.

Tim
 
Bruce Musgrove

[Identification]
JoinDomain=%MACHINEDOMAIN%

In your sif file possibly?

Something similar happened to me after one of my updates (maybe after
modifying the SIF file using the answer file wizard) and
"JoinDomain=my.domain.org" had changed to
"JoinDomain=%MACHINEDOMAIN%"
 
Guest

Bruce,
My SIF file has always been %machinedomain%; however, I will try hardcoding it
in the SIF file to see if it resolves the problem. However, it seems to be a
communication issue with the domain controllers. I downgraded the domain
controller running RIS. The build works fine when the workstation resolves
the pre-SP1 domain controller, but fails if it resolves to the SP1 server
when it attempts to join the domain. I suspect it is additional security for
anonymous connections.

Tim

Guest

Thanks for the advice TIMM. I have removed SP1 and RIS builds work fine. I
notice in the book of SP1 there is a section about modifications to the SAMR
and LSAR protocols.

When my builds run successfully without SP1 you get the following lines in
the netsetup.log: -

09/13 13:44:54 NetpJoinDomain: w9x: status of validating account: 0x0

The w9x is presumably a reference to old style domain joining. The book of
SP1 states that if the SAMR and LSAR modifications stop your code working you
will need to modify your code.

Could this mean that the Sysprep\RIS\Riprep needs patching, or is it a
problem that slipped under the testing radar?



Guest

SP1 introduced additional RPC and SAMR security, and during the upgrade SP1
adds new entries to NULL Session Pipes. However, if you set the "Network
access: Named Pipes that can be accessed anonymously" Group Policy, then the
updates that SP1 makes will be overwritten and thus the workstation will not have
the ability to access SAMR in order to confirm a workstation account exists
in AD.

To fix this problem, the registry key
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\lanmanserver\parameters\NullSessionPipes" and/or the Group Policy should include the following entries.

COMNAP
COMNODE
SQL\QUERY
SPOOLSS
LLSRPC
EPMAPPER
LOCATOR
TrkWks
TrkSvr
Browser
Netlogon
LSArpc
samr

Please let me know if this resolves your problem

Good luck!
Tim



Guest

Bingo! It works now that I have added the extra entries to that key.

It appears that the policy had been set previously, but when the policy was
removed the settings remained in the registry. I notice the registry key
HKLM\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess
is set to 1. Is this turned on by default by SP1, or is it that if the Group
Policy setting is set to not defined, any settings placed there by previous
policies are not specifically removed unless you select disabled?

Thanks.

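
A read-only check of the value discussed in this thread, as an added example that is not part of any post: it compares a NullSessionPipes list with the entries given above and reports which are missing (the join breaks) and which are extra (each extra name is a pipe reachable without authentication). The function name, the sample list and the name HYPOTHETICALPIPE are constructed for illustration.

```powershell
# Added example, not from the thread. It only reads and compares values.
# Pipe names copied from the list posted in the thread.
$Required = 'COMNAP','COMNODE','SQL\QUERY','SPOOLSS','LLSRPC','EPMAPPER',
            'LOCATOR','TrkWks','TrkSvr','Browser','Netlogon','LSArpc','samr'

function Compare-NullSessionPipes {   # hypothetical helper name
    param(
        [string[]]$Current,              # contents of NullSessionPipes (REG_MULTI_SZ)
        [string[]]$Expected = $Required
    )
    # A multi-string value can carry empty or padded entries; normalise them.
    $cur = @($Current | Where-Object { $_ -and $_.Trim() } |
             ForEach-Object { $_.Trim() })
    # -notcontains compares case-insensitively, so 'LSARPC' matches 'LSArpc'.
    New-Object PSObject -Property @{
        Missing    = @($Expected | Where-Object { $cur -notcontains $_ })
        Unexpected = @($cur | Where-Object { $Expected -notcontains $_ })
    }
}

# Constructed sample: a list left behind by an old policy. It lacks the
# last three entries and carries one name that is not on the thread's list.
$sample = 'COMNAP','COMNODE','SQL\QUERY','SPOOLSS','LLSRPC','EPMAPPER',
          'LOCATOR','TrkWks','TrkSvr','Browser','HYPOTHETICALPIPE'

$result = Compare-NullSessionPipes -Current $sample
'Missing:    ' + ($result.Missing -join ', ')
'Unexpected: ' + ($result.Unexpected -join ', ')

# Against a live server, run locally on the domain controller:
# $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
# Compare-NullSessionPipes -Current $p.NullSessionPipes
# $p.RestrictNullSessAccess   # 1 = anonymous access limited to the listed pipes and shares
```

Running the same comparison before and after a Group Policy refresh shows whether the "Network access: Named Pipes that can be accessed anonymously" setting is rewriting the list.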
 
