Users unable to join PCs to domain

Allen Undercover

Hello,

I have a WIN2K domain, which was set up to allow normal users to add
computers to the domain. Everything was working OK for years, until an
Active Directory restore was performed; now only Administrators can add
computers to the Domain. Normal users get the error "Access is Denied".

Things I have checked:

* Default Domain Policy - "Authenticated Users" have the "Add workstation to
domain" right
* Active Directory Users and Computers - Computers container has "Create
Computer Objects" and "Delete Computer Objects" checked for "Authenticated
Users"
* Active Directory ms-DS-MachineAccountQuota is set to a big number (10000)

The NetSetup.log for a failed attempt from a WIN2K workstation is pasted
below. I am baffled, and welcome advice.

Regards,
Allen

8 12:52:22 -----------------------------------------------------------------
08/28 12:52:22 NetpDoDomainJoin
08/28 12:52:22 NetpMachineValidToJoin: 'LCACER'
08/28 12:52:22 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:22 NetpMachineValidToJoin: status: 0x0
08/28 12:52:22 NetpJoinDomain
08/28 12:52:22 Machine: LCACER
08/28 12:52:22 Domain: dynalite.com.au
08/28 12:52:22 MachineAccountOU: (NULL)
08/28 12:52:22 Account: dynalite.com.au\terry
08/28 12:52:22 Options: 0x27
08/28 12:52:22 OS Version: 5.0
08/28 12:52:22 Build number: 2195
08/28 12:52:22 ServicePack: Service Pack 4
08/28 12:52:22 NetpValidateName: checking to see if 'dynalite.com.au' is
valid as type 3 name
08/28 12:52:22 NetpCheckDomainNameIsValid [ Exists ] for 'dynalite.com.au'
returned 0x0
08/28 12:52:22 NetpValidateName: name 'dynalite.com.au' is valid for type 3
08/28 12:52:22 NetpDsGetDcName: trying to find DC in domain
'dynalite.com.au', flags: 0x1020
08/28 12:52:25 NetpDsGetDcName: failed to find a DC having account
'LCACER$': 0x525
08/28 12:52:25 NetpDsGetDcName: found DC '\\nightmare.dynalite.com.au' in
the specified domain
08/28 12:52:25 NetpJoinDomain: status of connecting to dc
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:25 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:25 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:25 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:25 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:26 NetpManageMachineAccountWithSid: NetUserAdd on
'\\nightmare.dynalite.com.au' for 'LCACER$' failed: 0x5
08/28 12:52:26 NetpJoinDomain: status of creating account: 0x5
08/28 12:52:26 NetpJoinDomain: initiaing a rollback due to earlier errors
08/28 12:52:26 NetpLsaOpenSecret: status: 0x0
08/28 12:52:26 NetpJoinDomain: rollback: status of deleting secret: 0x0
08/28 12:52:26 NetpJoinDomain: status of disconnecting from
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:26 NetpDoDomainJoin: status: 0x5
08/28
12:52:26 -----------------------------------------------------------------
08/28 12:52:26 NetpDoDomainJoin
08/28 12:52:26 NetpMachineValidToJoin: 'LCACER'
08/28 12:52:26 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:26 NetpMachineValidToJoin: status: 0x0
08/28 12:52:26 NetpJoinDomain
08/28 12:52:26 Machine: LCACER
08/28 12:52:26 Domain: dynalite.com.au
08/28 12:52:26 MachineAccountOU: (NULL)
08/28 12:52:26 Account: dynalite.com.au\terry
08/28 12:52:26 Options: 0x25
08/28 12:52:26 OS Version: 5.0
08/28 12:52:26 Build number: 2195
08/28 12:52:26 ServicePack: Service Pack 4
08/28 12:52:26 NetpValidateName: checking to see if 'dynalite.com.au' is
valid as type 3 name
08/28 12:52:26 NetpCheckDomainNameIsValid [ Exists ] for 'dynalite.com.au'
returned 0x0
08/28 12:52:26 NetpValidateName: name 'dynalite.com.au' is valid for type 3
08/28 12:52:26 NetpDsGetDcName: trying to find DC in domain
'dynalite.com.au', flags: 0x1020
08/28 12:52:29 NetpDsGetDcName: failed to find a DC having account
'LCACER$': 0x525
08/28 12:52:29 NetpDsGetDcName: found DC '\\nightmare.dynalite.com.au' in
the specified domain
08/28 12:52:29 NetpJoinDomain: status of connecting to dc
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:29 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:29 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:29 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:29 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:30 SamOpenDomain on S-1-5-21-979185461-1960865544-1481510878
failed with 0xc0000022
08/28 12:52:30 NetpJoinDomain: status of setting machine password: 0x5
08/28 12:52:30 NetpJoinDomain: initiaing a rollback due to earlier errors
08/28 12:52:30 NetpLsaOpenSecret: status: 0x0
08/28 12:52:31 NetpJoinDomain: rollback: status of deleting secret: 0x0
08/28 12:52:31 NetpJoinDomain: status of disconnecting from
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:31 NetpDoDomainJoin: status: 0x5
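
Added example, not part of the original post: a short Python parser for the NetSetup.log excerpt above that rejoins the wrapped lines, decodes the Options bits and status codes, and reports the first step in each join attempt that returned the error the attempt finally failed with. The function and variable names are made up for this example; the option names are the NETSETUP_* flags from lmjoin.h.

```python
import re

# Codes seen in the log above (Win32 errors and NTSTATUS values).
STATUS = {0x0: "success", 0x5: "ERROR_ACCESS_DENIED", 0x525: "ERROR_NO_SUCH_USER",
          0xC0000022: "STATUS_ACCESS_DENIED", 0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}
SAME = {0xC0000022: 0x5}  # NTSTATUS access denied is reported as Win32 error 5
# NETSETUP_* option bits from lmjoin.h that make up 0x27 and 0x25.
OPTIONS = {0x01: "JOIN_DOMAIN", 0x02: "ACCT_CREATE", 0x04: "ACCT_DELETE", 0x20: "DOMAIN_JOIN_IF_JOINED"}
STAMP = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d (.*)$")
CODE = re.compile(r"(0x[0-9a-fA-F]+)$")

# Excerpt of the log posted above, wrapped lines included.
SAMPLE = r"""08/28 12:52:22 NetpDoDomainJoin
08/28 12:52:22 Options: 0x27
08/28 12:52:25 NetpDsGetDcName: failed to find a DC having account
'LCACER$': 0x525
08/28 12:52:26 NetpManageMachineAccountWithSid: NetUserAdd on
'\\nightmare.dynalite.com.au' for 'LCACER$' failed: 0x5
08/28 12:52:26 NetpDoDomainJoin: status: 0x5
08/28 12:52:26 NetpDoDomainJoin
08/28 12:52:26 Options: 0x25
08/28 12:52:30 SamOpenDomain on S-1-5-21-979185461-1960865544-1481510878
failed with 0xc0000022
08/28 12:52:31 NetpDoDomainJoin: status: 0x5
"""

def unwrap(text):
    """Rejoin records wrapped onto a second line, then drop the timestamps."""
    joined = re.sub(r"\n(?!\d\d/\d\d |$)", " ", text)
    return [m.group(1).strip() for m in map(STAMP.match, joined.splitlines()) if m]

def parse_attempts(text):
    """Per join attempt: decoded Options, final status, first step that caused it."""
    attempts, steps, opts = [], [], []
    for msg in unwrap(text):
        m = CODE.search(msg)
        val = int(m.group(1), 16) if m else None
        if msg == "NetpDoDomainJoin":            # start of a new attempt
            steps, opts = [], []
        elif val is None:
            continue
        elif msg.startswith("Options:"):
            opts = [name for bit, name in OPTIONS.items() if val & bit]
        elif msg.startswith("NetpDoDomainJoin: status"):  # end of the attempt
            cause = next((s for c, s in steps if val and SAME.get(c, c) == val), None)
            attempts.append({"options": opts, "final": STATUS.get(val, hex(val)), "cause": cause})
        elif "status" in msg or "failed" in msg:
            steps.append((val, msg))
    return attempts
```

On this log the first attempt (Options 0x27, which includes ACCT_CREATE) is denied at NetUserAdd, and the retry (Options 0x25, without ACCT_CREATE) is denied at SamOpenDomain while setting the machine password.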
 
Jorge de Almeida Pinto [MVP - DS]

What was done during that restore?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
Allen Undercover

Hi Jorge,

It was a full Active Directory restore from Backup Exec. Everything else
worked fine, and it is possible that this has nothing to do with my problem,
although the problem started cropping up around the same time.

Regards,
Allen
