RE: Remote Installation Services, DoOldStyleDomainJoin=Yes

Steven Wang [MSFT]

Oct 7, 2005, 2:53:35 AM
Hello Rich,

Thank you for posting.

From your post, my understanding of this issue is: The client workstations
cannot be joined into the domain through the RIS installation. If this is
not correct, please feel free to let me know.

Based on my research, this issue may be caused by various factors;
therefore, we may need to perform some tests and collect more information to
narrow down the root cause of this issue. First, I suggest we refer to the
following KB article to make sure the permissions are set correctly for the
OU:

Rights Needed for Remote Installation Server to Create Machine Accounts
http://support.microsoft.com/?id=224294

In the meantime, please help me to collect some information so that I can
perform further research on this specific issue:

1. What is the DC Policy setting you implemented before this issue
occurred, and how is the policy setting configured?

2. Please send the %windir%\debug\Netsetup.log and Setuperr.log files on
the client workstation to me at v-st...@microsoft.com.

3. Please send the RIPREP.SIF you are using to me.

More Information:
-------------------------
Customizing RIS Installations
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prbc_cai_silp.asp

How to Modify the Default Group Policy for Remote Installation Services
http://support.microsoft.com/?id=316663

Should you have any question or concern, please feel free to let me know.
I am glad to be of assistance.

Have a nice day!

Steven Wang (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: <richo...@noemail.postalias>
>Subject: Remote Installation Services, DoOldStyleDomainJoin=Yes
>Date: Thu, 6 Oct 2005 05:25:06 -0700
>Newsgroups: microsoft.public.windows.group_policy
>
>Hello.
>After implementing DC Policy on all my 2003 DCs, my RIS installation doesn’t
>work correctly. The RIS installation cannot join the domain correctly. Fail on
>the client Setuperr.log Error: NetSetup: Join domain xxxxxxxx in full
>unattended mode failed. Setup will proceed to join the default workgroup.
>
>The problem is that the feature DoOldStyleDomainJoin=Yes doesn’t work after
>the policies.
>How can I enable this so I can install my clients without having to put the
>domain admin and password in the SIF files?
>DCs 2003 SP1, RIS 2003 SP1 Member Server, XP SP2 Eng clients.
>
>

richo...@noemail.postalias

Oct 7, 2005, 4:14:02 AM
If I use
[Identification]
JoinDomain=%MACHINEDOMAIN%
DomainAdmin=%USERNAME%
DomainAdminPassword=%DPASSWORD%

it works, so the permissions are OK.
-------------------------------------------
Domain policy is built on the template
Enterprise Client. Domain Controller.inf
-------------------------------------------
So I just want to know what I need to open in this policy to enable
DoOldStyleDomainJoin.
And what the difference is between the solution above and DoOldStyle.

Steven Wang [MSFT]

Oct 7, 2005, 8:43:05 AM
Hello Rich,

Thanks for your prompt reply and for letting me know the detailed information.

This is a quick note to let you know that I am researching your issue and
will get back to you as soon as possible. I appreciate your patience.

Have a great weekend!

Steven Wang


Microsoft CSS Online Newsgroup Support

Steven Wang [MSFT]

Oct 12, 2005, 5:19:32 AM
Hi Rich,

Sorry for my delayed response due to the complexity of this issue. I hope
this has not caused you too much inconvenience.

I have created a test environment and performed a lot of research. Based
on my research, the security policy setting "Add workstations to domain"
may be the cause of this issue.

This security setting determines which groups or users can add workstations
to a domain. By default, any authenticated user has this right and can
create up to 10 computer accounts in the domain. After implementing the
Windows Server 2003 Security Guide: Enterprise Client: Domain
Controller.inf, this security setting is configured as Administrators,
that is to say, only the users who have the domain administrators privilege
can add workstations to the domain.

You may refer to the following steps to change this security setting to see
whether the issue can be resolved:

1. On one of the Domain Controllers, open Domain Controller Security Policy
in Administrative Tools.
2. Navigate to Security Settings\Local Policies\User Rights Assignment.
3. On the right pane, double click on the "Add workstations to domain"
setting.
4. Click Add User or Group button to add the Authenticated Users, and then
click OK.
5. Click Start, click Run, type "gpupdate /force", and then click OK, and
if you are prompted, restart the DC.

Regarding the difference between using "DomainAdmin=" and using
"DoOldStyleDomainJoin=Yes", when we configure DoOldStyleDomainJoin=Yes, it
will force unattended setup to override the Windows security and join the
domain using the old Windows NT 4.0 style domain join. This means, if you
have a computer account pre-created in the domain, you do not need to
provide domain account credentials to join the computer account to the
domain.

Hope the above information helps. If the issue persists after performing
the above steps, please help me to collect the GP Results on one of the
Domain Controllers and send it to me at v-st...@microsoft.com. To collect
the GP Results, please refer to the following steps:

1. Type the following command in command prompt on one problematic
workstation, and then press ENTER:
"gpresult -Z > C:\gpresult_z.txt" (without the quotation marks)

2. This creates a list of the implemented policies on the computer in the
following text file: C:\gpresult_z.txt. Please send this file to me.

If you have any question or concern, please feel free to let me know. I am
glad to be of assistance.

Have a nice day!

Steven Wang


Microsoft CSS Online Newsgroup Support

gherkin

Nov 28, 2005, 6:16:07 AM
Did anyone find the solution?

Thanks


TIMM

Nov 29, 2005, 4:29:05 AM
SP1 introduced additional RPC and SAMR security, and during the upgrade SP1
adds new entries to NULL Session Pipes. However, if you set the "Network
access: Named Pipes that can be accessed anonymously" Group Policy, then the
updates from SP1 will be overwritten, and thus the workstation will not have
the ability to access SAMR in order to confirm a workstation account exists
in AD.

To fix this problem, set the following registry key
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\lanmanserver\parameters\NullSessionPipes" and/or Group Policy should include the following entries.

COMNAP
COMNODE
SQL\QUERY
SPOOLSS
LLSRPC
EPMAPPER
LOCATOR
TrkWks
TrkSvr
Browser
Netlogon
LSArpc
samr

Please let me know if this resolves your problem

Good luck!
Tim


gherkin

Nov 29, 2005, 9:03:04 AM
Bingo! It works now I have added the extra entries to that key.

It appears that the policy had been set previously, but when the policy was
removed the settings remained in the registry. I notice the registry key
HKLM\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess
is set to 1. Is this turned on by default by SP1, or is it that if the group
policy setting is set to not defined, any settings placed there by previous
policies are not specifically removed unless you select disabled?

Thanks.
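
Added example, not part of any post in this thread: a Python check that reads a security template (.inf, for instance one produced by "secedit /export") and reports the two settings the replies above point to, the "Add workstations to domain" right and the NullSessionPipes list, plus RestrictNullSessAccess. It assumes the standard template syntax, that the right is stored as SeMachineAccountPrivilege, and that Authenticated Users is SID S-1-5-11; the sample template text is constructed.

```python
import re

# Pipe names exactly as listed in the post above.
THREAD_PIPES = ["COMNAP", "COMNODE", r"SQL\QUERY", "SPOOLSS", "LLSRPC", "EPMAPPER",
                "LOCATOR", "TrkWks", "TrkSvr", "Browser", "Netlogon", "LSArpc", "samr"]
AUTH_USERS = "*S-1-5-11"  # well-known SID of Authenticated Users
LANMAN = r"machine\system\currentcontrolset\services\lanmanserver\parameters" + "\\"

# Constructed sample in security-template (.inf) syntax; not taken from a real template.
SAMPLE = r"""
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,BROWSER
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
"""

def parse_template(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Report only the settings the template actually defines."""
    tpl = parse_template(text)
    rights, reg = tpl.get("privilege rights", {}), tpl.get("registry values", {})
    report = {}
    # "Add workstations to domain" is stored as SeMachineAccountPrivilege.
    holders = rights.get("semachineaccountprivilege")
    if holders is not None:
        report["auth_users_can_add_workstations"] = AUTH_USERS in [h.strip() for h in holders.split(",")]
    pipes = reg.get(LANMAN + "nullsessionpipes")
    if pipes is not None:  # value is "<type>,<name>,<name>,..."; type 7 = REG_MULTI_SZ
        have = {n.strip().strip('"').lower() for n in pipes.split(",")[1:]}
        report["pipes_missing"] = [p for p in THREAD_PIPES if p.lower() not in have]
    restrict = reg.get(LANMAN + "restrictnullsessaccess")
    if restrict is not None:
        report["restrict_null_sess_access"] = int(restrict.split(",")[1])
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A setting the template leaves undefined is absent from the report, which matches the question above about values that stay in the registry after a policy is set back to "not defined".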

richo...@noemail.postalias

Dec 1, 2005, 7:07:02 AM
Oki.
Someone has the same problem as me :)
I use my solution with
[Identification]
JoinDomain=%MACHINEDOMAIN%
DomainAdmin=%USERNAME%
DomainAdminPassword=%DPASSWORD%

and it's working great, so I changed all my SIF files instead.
