Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: RIS built Machines won't join the domain after upgrading to W2k3sp

2 views
Skip to first unread message

Bruce Musgrove

unread,
Sep 20, 2005, 2:37:38 PM9/20/05
to

[Identification]
JoinDomain=%MACHINEDOMAIN%

In your sif file possibly?

Something similar happened to me after one of my updates (maybe after
mofiying the SIF ile using the answer file wizard) and
"JoinDomain=my.domain.org" had changed to "
"JoinDomain=%MACHINEDOMAIN%"


"TIMM" <TI...@discussions.microsoft.com> wrote in message
news:B23195B0-3C7C-48B7...@microsoft.com...
> I forgot to mention that the Setuperr.log reports the following
> Error:
> Netsetup:Join domain XXXXXXXX in full unattended mode failed. Setup will
> proceed to add the workstation to the default domain.
>
> However I am able to add the workstation to the damain if I login locally
> and then add the workstation to the domain.
>
> Tim
>
> "TIMM" wrote:
>
> > After upgrading to W2k3 sp1, XP sp2 pc's built via RIS fail to join the
the
> > domain even though the workstation account are being created by RIS
during
> > the built process. Prior to the upgrade over 300 pc's had been deployed
via
> > RIS and this issue is occuring on multiple servers. Rolling back SP1
does
> > seem to resolve the issue. Also RIS is running on domain controllers.
> >
> > Any assistance or recommendations would be appreciated


TIMM

unread,
Nov 28, 2005, 6:47:02 AM11/28/05
to
Bruce,
My Sif file has always been %machinedomain% however I will try hardcoding it
in the SIF file to see if it resolves the problem. However is seems to be a
communication issue with the domain controllers. I downgraded the Domain
controller running RIS. The build works fine when the workstation resolves
the Pre SP1 domain controller, but fails if it resolves to the SP1 server
when it attempts to join the domain. I suspect it is additional security for
anymous connections.

Tim

gherkin

unread,
Nov 28, 2005, 10:40:07 AM11/28/05
to
Thanks for the advice TIMM. I have removed SP1 and RIS builds work fine. I
notice in the book of SP1 there is a section about modifications to the SAMR
and LSAR protocols.

When my builds run successfully without SP1 you get the following lines in
the netsetup.log: -

09/13 13:44:54 NetpJoinDomain: w9x: status of validating account: 0x0

The w9x is presumably a reference to old style domain joining. The book of
SP1 states that if the SAMR and LSAR modifications stop your code working you
will need to modify your code.

Could this mean that the Sysprep\RIS\Riprep needs patching, or is it a
problem that slipped under the testing radar?

TIMM

unread,
Nov 29, 2005, 8:06:03 AM11/29/05
to
SP1 introduced additonal RPC and SAMR security and during the upgrade SP1
adds new entries to NULL Session Pipes. However if you set the " Network
access: Named Pipes that can be accessed anonymously" Group policy then the
updates that SP1 will be over written and thus the workstation will not have
the ability to access SAMR in order to confirm a workstation account exists
in AD.

To fix this problem, set the following registry key
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\lanmanserver\parameters\NullSessionPipes" and or Group Policy should include the following entries.

COMNAP
COMNODE
SQL\QUERY
SPOOLSS
LLSRPC
EPMAPPER
LOCATOR
TrkWks
TrkSvr
Browser
Netlogon
LSArpc
samr

Please let me know if this resolves your problem

Good luck!
Tim

gherkin

unread,
Nov 29, 2005, 9:03:04 AM11/29/05
to
Bingo! It works now I have addedd the extra entries to that key.

It appears that the policy had been set previoulsy but when the policy was
removed the settings remained in the registry. I notice the registry key
HKLM\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess
is set to 1. Is this turned on by default by SP1 or is it that if the group
policy setting is set to not defined any settings placed there by previous
policies are not specifically removed unless you select diabled?

Thanks.

0 new messages