Ghost Solution Suite

  • 1.  Ghost Console Join Domain Strange Problem

    Posted Mar 07, 2012 02:57 PM

    We have used symantec ghost console for years and absolutely love it. It has worked very well for us, but now we are seeing an issue with ghost joining machines to the domain.

    Our problem occurs when we reimage an existing Windows 7 machine. We have our configuration set to join to our domain and move machine accounts that already exist to a specified container.

    The reimage process completes successfully without warnings or errors; however, when we try to enable Windows Bitlocker, we receive an "access denied - unknown username or password" message for copying encryption content to active directory. Only after manually rejoining the machine to the domain will the Bitlocker encryption complete successfully.

    What is Ghost not successfully doing to machine accounts that would cause this?



  • 2.  RE: Ghost Console Join Domain Strange Problem

    Posted Mar 08, 2012 05:07 AM

    Are your images sysprepped or are you imaging a working machine without this?  If the latter, then your problem is caused by the fact that the computer's password on the server gets changed every seven days and so if you restore an image that is more than seven days old (it may be less depending on where in the cycle you reimage), the domain no longer recognises the old computer account password and so it cannot connect back to the domain.

    There is a registry key that turns off the computer account password change:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters\DisablePasswordChange

    Change this DWORD value from 0 to 1, and the password change stops - with whatever additional security risks this presents.

    Note also that if the server policies have been set to ignore this local setting, then the computer password change gets forced regardless. It all depends on how "clever" your security admins are...



  • 3.  RE: Ghost Console Join Domain Strange Problem

    Posted Mar 08, 2012 05:31 AM

    I knew about the password change key - we use it in our labs where we have drive protection software implemented, but that's another topic I think. Images are sysprepped along with sms certs removed and any other guid type objects for 3rd party apparently. The odd thing is that these machines still allow domain users to log in. I can execute a "rejoin domain" task, which essentially is just a configuration task, the workstation will enter pre-os and then return to Windows and join the domain successfully, but it will still appear to have some sort of account issue when I enable bitlocker. I looked at the netsetup log and nothing seems out of place to me. Any other ideas?


  • 4.  RE: Ghost Console Join Domain Strange Problem

    Posted Mar 08, 2012 06:16 AM

    Are you using an administrator account at the point of implementing bitlocker?  As I recall, bitlocker needs admin rights to run.



  • 5.  RE: Ghost Console Join Domain Strange Problem

    Posted Mar 08, 2012 09:14 AM

    Yes, I use the same account for bitlocker every time. The account will return an access denied message until I manually rejoin to the domain, and then that account will backup the recovery keys to AD just fine.



  • 6.  RE: Ghost Console Join Domain Strange Problem

    Posted Mar 08, 2012 09:58 AM

    Below is the NetSetup.LOG (domain name changed)
    Does anyone see anything that could be causing a problem?


    03/07/2012 16:29:56:518 -----------------------------------------------------------------
    03/07/2012 16:29:56:518 NetpDoDomainJoin
    03/07/2012 16:29:56:518 NetpMachineValidToJoin: 'IT-DEPLOY-12-LT'
    03/07/2012 16:29:56:518     OS Version: 6.1
    03/07/2012 16:29:56:518     Build number: 7601 (7601.win7sp1_gdr.110622-1506)
    03/07/2012 16:29:56:518     ServicePack: Service Pack 1
    03/07/2012 16:29:56:518     SKU: Windows 7 Enterprise
    03/07/2012 16:29:56:518 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
    03/07/2012 16:29:56:518 NetpGetLsaPrimaryDomain: status: 0x0
    03/07/2012 16:29:56:518 NetpMachineValidToJoin: status: 0x0
    03/07/2012 16:29:56:518 NetpJoinDomain
    03/07/2012 16:29:56:518     Machine: IT-DEPLOY-12-LT
    03/07/2012 16:29:56:518     Domain: domain.com\ICT-DC1.domain.com
    03/07/2012 16:29:56:518     MachineAccountOU: (NULL)
    03/07/2012 16:29:56:518     Account: (NULL)
    03/07/2012 16:29:56:518     Options: 0xc1
    03/07/2012 16:29:56:518 NetpLoadParameters: loading registry parameters...
    03/07/2012 16:29:56:518 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    03/07/2012 16:29:56:518 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    03/07/2012 16:29:56:518 NetpLoadParameters: status: 0x2
    03/07/2012 16:29:56:518 NetpJoinDomain: Unsecure join requested.
    03/07/2012 16:29:56:518 NetpJoinDomain: NETSETUP_MACHINE_PWD_PASSED passed, using lpPassword to authenticate as machine
    03/07/2012 16:29:56:518 NetpValidateName: checking to see if 'domain.com' is valid as type 3 name
    03/07/2012 16:29:56:627 NetpCheckDomainNameIsValid [ Exists ] for 'domain.com' returned 0x0
    03/07/2012 16:29:56:627 NetpValidateName: name 'domain.com' is valid for type 3
    03/07/2012 16:29:56:846 NetpJoinDomain: status of connecting to dc '\\ICT-DC1.domain.com': 0x0
    03/07/2012 16:29:56:861 NetpJoinDomainOnDs: Passed DC 'ICT-DC1.domain.com' verified as DNS name '\\ICT-DC1.domain.com'
    03/07/2012 16:29:56:861 NetpLoadParameters: loading registry parameters...
    03/07/2012 16:29:56:861 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    03/07/2012 16:29:56:861 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    03/07/2012 16:29:56:861 NetpLoadParameters: status: 0x2
    03/07/2012 16:29:56:861 NetpDsGetDcName: status of verifying DNS A record name resolution for 'ICT-DC1.domain.com': 0x0
    03/07/2012 16:29:56:861 NetpProvisionComputerAccount:
    03/07/2012 16:29:56:861     lpDomain: domain.com
    03/07/2012 16:29:56:861     lpMachineName: IT-DEPLOY-12-LT
    03/07/2012 16:29:56:861     lpMachineAccountOU: (NULL)
    03/07/2012 16:29:56:861     lpDcName: ICT-DC1.domain.com
    03/07/2012 16:29:56:861     lpDnsHostName: (NULL)
    03/07/2012 16:29:56:861     lpMachinePassword: (non-null)
    03/07/2012 16:29:56:861     lpAccount: domain.com\IT-DEPLOY-12-LT$
    03/07/2012 16:29:56:861     lpPassword: (non-null)
    03/07/2012 16:29:56:861     dwJoinOptions: 0xc1
    03/07/2012 16:29:56:861     dwOptions: 0xc0000003
    03/07/2012 16:29:56:892 NetpLdapBind: Verified minimum encryption strength on ICT-DC1.domain.com: 0x0
    03/07/2012 16:29:56:892 NetpLdapGetLsaPrimaryDomain: reading domain data
    03/07/2012 16:29:56:892 NetpGetNCData: Reading NC data
    03/07/2012 16:29:56:892 NetpGetDomainData: Lookup domain data for: DC=friends,DC=edu
    03/07/2012 16:29:57:126 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=friends,DC=edu
    03/07/2012 16:29:57:142 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
    03/07/2012 16:29:57:158 NetpProvisionComputerAccount: status of validating account: 0x0
    03/07/2012 16:29:57:158 NetpEncodeProvisioningBlob: Encoding provisioning data
    03/07/2012 16:29:57:158 NetpInitBlobWin7: Constructing blob...
    03/07/2012 16:29:57:158 Blob version: 1
    03/07/2012 16:29:57:158     lpDomain: domain.com
    03/07/2012 16:29:57:158     lpMachineName: IT-DEPLOY-12-LT
    03/07/2012 16:29:57:158     lpMachinePassword: <omitted from log>
    03/07/2012 16:29:57:158    DomainDnsPolicy:
    03/07/2012 16:29:57:158        Name: FRIENDS
    03/07/2012 16:29:57:158        DnsDomainName: domain.com
    03/07/2012 16:29:57:158        DnsForestName: domain.com
    03/07/2012 16:29:57:158        DomainGuid: 08aea239-e277-451c-bfeb-9bd50b3e4a21
    03/07/2012 16:29:57:158        Sid: S-1-5-21-2124552659-584541895-1489575960
    03/07/2012 16:29:57:158    DcInfo:
    03/07/2012 16:29:57:158        DomainControllerName: \\ICT-DC1.domain.com
    03/07/2012 16:29:57:158        DomainControllerAddress: \\10.1.10.111
    03/07/2012 16:29:57:158        DomainControllerAddressType: 1
    03/07/2012 16:29:57:158        DomainGuid: 08aea239-e277-451c-bfeb-9bd50b3e4a21
    03/07/2012 16:29:57:158        DomainName: domain.com
    03/07/2012 16:29:57:158        DnsForestName: domain.com
    03/07/2012 16:29:57:158        Flags: 0xe00001f8
    03/07/2012 16:29:57:158        DcSiteName: WICHITA
    03/07/2012 16:29:57:158        ClientSiteName: WICHITA
    03/07/2012 16:29:57:158     Options: 0xc0000003
    03/07/2012 16:29:57:158 NetpInitBlobWin7: Blob pickling result: 0
    03/07/2012 16:29:57:158 NetpEncodeProvisioningBlob: result: 0x0
    03/07/2012 16:29:57:158 ldap_unbind status: 0x0
    03/07/2012 16:29:57:158 NetpRequestOfflineDomainJoin:
    03/07/2012 16:29:57:158     dwProvisionBinDataSize: 664
    03/07/2012 16:29:57:158     JoinOptions: 0xc1
    03/07/2012 16:29:57:158     Options: 0xc0000003
    03/07/2012 16:29:57:158     lpWindowsPath: C:\Windows
    03/07/2012 16:29:57:158 NetpDecodeProvisioningBlob: Unpickling provisioning blob with size 664 bytes
    03/07/2012 16:29:57:158 NetpDecodeProvisioningBlob: Searching 1 blobs for supported ODJ blob, highest supported version: 1
    03/07/2012 16:29:57:158 NetpDecodeProvisioningBlob: Found ODJ blob version: 1
    03/07/2012 16:29:57:158 NetpDecodeProvisioningBlob: Selected ODJ blob version: 1
    03/07/2012 16:29:57:158 Blob version: 1
    03/07/2012 16:29:57:158     lpDomain: domain.com
    03/07/2012 16:29:57:158     lpMachineName: IT-DEPLOY-12-LT
    03/07/2012 16:29:57:158     lpMachinePassword: <omitted from log>
    03/07/2012 16:29:57:158    DomainDnsPolicy:
    03/07/2012 16:29:57:158        Name: FRIENDS
    03/07/2012 16:29:57:158        DnsDomainName: domain.com
    03/07/2012 16:29:57:158        DnsForestName: domain.com
    03/07/2012 16:29:57:158        DomainGuid: 08aea239-e277-451c-bfeb-9bd50b3e4a21
    03/07/2012 16:29:57:158        Sid: S-1-5-21-2124552659-584541895-1489575960
    03/07/2012 16:29:57:158    DcInfo:
    03/07/2012 16:29:57:158        DomainControllerName: \\ICT-DC1.domain.com
    03/07/2012 16:29:57:158        DomainControllerAddress: \\10.1.10.111
    03/07/2012 16:29:57:158        DomainControllerAddressType: 1
    03/07/2012 16:29:57:158        DomainGuid: 08aea239-e277-451c-bfeb-9bd50b3e4a21
    03/07/2012 16:29:57:158        DomainName: domain.com
    03/07/2012 16:29:57:158        DnsForestName: domain.com
    03/07/2012 16:29:57:158        Flags: 0xe00001f8
    03/07/2012 16:29:57:158        DcSiteName: WICHITA
    03/07/2012 16:29:57:158        ClientSiteName: WICHITA
    03/07/2012 16:29:57:158     Options: 0xc0000003
    03/07/2012 16:29:57:158 NetpDoInitiateOfflineDomainJoin
    03/07/2012 16:29:57:158 NetpDoInitiateOfflineDomainJoin: Setting backup/restore privileges
    03/07/2012 16:29:57:158 NetpInitiateOfflineJoin
    03/07/2012 16:29:57:158     lpLocalRegistryPath: C:\Windows\system32\config\SYSTEM
    03/07/2012 16:29:57:158     dwOptions: 0xc0000003
    03/07/2012 16:29:57:158 NetpConvertBlobToJoinState: Translating provisioning data to internal format
    03/07/2012 16:29:57:158 NetpConvertBlobToJoinState: Selecting version 1
    03/07/2012 16:29:57:158 NetpConvertBlobToJoinState: exiting: 0x0
    03/07/2012 16:29:57:158 NetpValidateFullJoinState: Validating provisioning data...
    03/07/2012 16:29:57:158 NetpValidateFullJoinState: exiting: 0x0
    03/07/2012 16:29:57:158 NetpClearFullJoinState:  Removing cached state from the registry...
    03/07/2012 16:29:57:158 NetpClearFullJoinState: Status of deleting join state key 0x2
    03/07/2012 16:29:57:158 NetpSaveFullJoinStateInternal: Injecting provisioning data into image...
    03/07/2012 16:29:57:173 NetpSaveFullJoinStateInternal: exiting: 0x0
    03/07/2012 16:29:57:173 NetpSetComputerNamesOffline: Checking for pending name changes...
    03/07/2012 16:29:57:173     SetHostName:    TRUE
    03/07/2012 16:29:57:173     SetDnsDomain:    TRUE
    03/07/2012 16:29:57:173     SetNetBiosName:    TRUE
    03/07/2012 16:29:57:173     SetCurrentValues:    TRUE
    03/07/2012 16:29:57:173 NetpSetComputerNamesOffline: Setting Hostname to IT-DEPLOY-12-LT
    03/07/2012 16:29:57:173 NetpSetComputerNamesOffline: Setting Domain name to domain.com
    03/07/2012 16:29:57:173 NetpSetComputerNamesOffline: Setting NetBios computer name to IT-DEPLOY-12-LT
    03/07/2012 16:29:57:173 NetpDoInitiateOfflineDomainJoin: status: 0x0
    03/07/2012 16:29:57:173 NetRequestOfflineDomainJoin: Successfully initiated the offline domain join
    03/07/2012 16:29:57:173 NetpJoinDomainOnDs: Setting netlogon cache.
    03/07/2012 16:29:57:236 NetpJoinDomainOnDs: status of setting netlogon cache: 0x0
    03/07/2012 16:29:57:236 NetpJoinDomainOnDs: Function exits with status of: 0x0
    03/07/2012 16:29:57:236 NetpJoinDomainOnDs: status of disconnecting from '\\ICT-DC1.domain.com': 0x0
    03/07/2012 16:29:57:236 NetpCompleteOfflineDomainJoin
    03/07/2012 16:29:57:236     fBootTimeCaller: FALSE
    03/07/2012 16:29:57:236     fSetLocalGroups: TRUE
    03/07/2012 16:29:57:236 NetpLsaOpenSecret: status: 0xc0000034
    03/07/2012 16:29:57:236 NetpGetLsaPrimaryDomain: status: 0x0
    03/07/2012 16:29:57:236 NetpJoinDomainLocal: NetpHandleJoinedStateInfo returned: 0x0
    03/07/2012 16:29:57:236 NetpLsaOpenSecret: status: 0xc0000034
    03/07/2012 16:29:57:360 NetpJoinDomainLocal: NetpManageMachineSecret returned: 0x0.
    03/07/2012 16:29:57:360 Calling NetpQueryService to get Netlogon service state.
    03/07/2012 16:29:57:360 NetpJoinDomainLocal: NetpQueryService returned: 0x0.
    03/07/2012 16:29:57:392 NetpSetLsaPrimaryDomain: for 'FRIENDS' status: 0x0
    03/07/2012 16:29:57:392 NetpJoinDomainLocal: status of setting LSA pri. domain: 0x0
    03/07/2012 16:29:57:392 NetpManageLocalGroupsForJoin: Adding groups for new domain, removing groups from old domain, if any.
    03/07/2012 16:29:57:392 NetpManageLocalGroups: Populating list of account SIDs.
    03/07/2012 16:29:57:563 NetpManageLocalGroupsForJoin: status of modifying groups related to domain 'FRIENDS' to local groups: 0x0
    03/07/2012 16:29:57:563 NetpManageLocalGroupsForJoin: INFO: No old domain groups to process.
    03/07/2012 16:29:57:563 NetpJoinDomainLocal: Status of managing local groups: 0x0
    03/07/2012 16:29:57:626 NetpJoinDomainLocal: status of setting ComputerNamePhysicalDnsDomain to 'domain.com': 0x0
    03/07/2012 16:29:57:626 NetpJoinDomainLocal: Controlling services and setting service start type.
    03/07/2012 16:29:57:626 NetpJoinDomainLocal: Updating W32TimeConfig
    03/07/2012 16:29:57:719 [0000068c] NetpGetLsaPrimaryDomain: status: 0x0
    03/07/2012 16:29:57:938 NetpUpdateW32timeConfig: 0x0
    03/07/2012 16:29:57:938 NetpClearFullJoinState:  Removing cached state from the registry...
    03/07/2012 16:29:57:938 NetpClearFullJoinState: Status of deleting join state key 0x0
    03/07/2012 16:29:57:938 NetpCompleteOfflineDomainJoin: status: 0x0
    03/07/2012 16:29:57:938 NetpJoinDomain: NetpCompleteOfflineDomainJoin SUCCESS: Requested a reboot :0x0
    03/07/2012 16:29:57:938 NetpDoDomainJoin: status: 0x0
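A small triage helper for a NetSetup.LOG like the one above. This is an added example, not code from the thread or from the Ghost product: it parses the log into records, lists every function status that is not 0x0 with a decoded meaning for the codes that occur in this log (0x2 is the Win32 ERROR_FILE_NOT_FOUND, 0xc0000034 is the NTSTATUS STATUS_OBJECT_NAME_NOT_FOUND), collects the indented parameters printed under NetpJoinDomain, and expands the dwJoinOptions bitmask with the NETSETUP_* constants from lmjoin.h. The embedded sample is an excerpt of the posted log (with the poster's already-changed domain name); the field names and the record layout are this example's own.

```python
import re
from typing import Dict, List

# Join option bits from lmjoin.h (Windows SDK); only the common ones are listed here.
NETSETUP_JOIN_FLAGS = {
    0x00000001: "NETSETUP_JOIN_DOMAIN",
    0x00000002: "NETSETUP_ACCT_CREATE",
    0x00000004: "NETSETUP_ACCT_DELETE",
    0x00000020: "NETSETUP_DOMAIN_JOIN_IF_JOINED",
    0x00000040: "NETSETUP_JOIN_UNSECURE",
    0x00000080: "NETSETUP_MACHINE_PWD_PASSED",
    0x00000100: "NETSETUP_DEFER_SPN_SET",
}

# Codes that occur in the posted log. NetSetup.LOG prints Win32 errors and NTSTATUS
# values the same way; NTSTATUS failures carry the 0xC0000000 severity bits.
KNOWN_STATUS = {
    0x0: "success",
    0x2: "ERROR_FILE_NOT_FOUND (Win32)",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND (NTSTATUS)",
}

# "MM/DD/YYYY HH:MM:SS:mmm [optional thread id] message". The message keeps its leading
# spaces: indented lines are parameters, flush-left lines are function/status lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3}) (?:\[[0-9a-fA-F]+\] )?(?P<msg>.*)$"
)
TRAILING_HEX_RE = re.compile(r"(0x[0-9a-fA-F]+)\.?\s*$")  # status code at end of line
FUNC_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)")


def parse_netsetup_log(text: str) -> List[Dict]:
    """Turn NetSetup.LOG text into records; lines without a timestamp are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        indented = msg.startswith(" ")
        body = msg.strip()
        func, status = None, None
        if not indented:
            f = FUNC_RE.match(body)
            func = f.group(1) if f else None
            h = TRAILING_HEX_RE.search(body)
            status = int(h.group(1), 16) if h else None
        records.append({"ts": m.group("ts"), "indented": indented,
                        "func": func, "msg": body, "status": status})
    return records


def non_success_statuses(records: List[Dict]) -> List[Dict]:
    """Every function line whose trailing status is not 0x0, with a decoded meaning if known."""
    return [{"ts": r["ts"], "func": r["func"], "code": r["status"],
             "meaning": KNOWN_STATUS.get(r["status"], "unknown code"), "msg": r["msg"]}
            for r in records if r["status"] not in (None, 0)]


def decode_join_options(value: int) -> List[str]:
    """Expand a dwJoinOptions bitmask into NETSETUP_* names; leftover bits are reported as hex."""
    names, remaining = [], value
    for bit, name in sorted(NETSETUP_JOIN_FLAGS.items()):
        if value & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"unknown bits 0x{remaining:x}")
    return names


def join_parameters(records: List[Dict], func: str = "NetpJoinDomain") -> Dict[str, str]:
    """Collect the indented 'Key: value' lines that directly follow the first bare `func` line."""
    params: Dict[str, str] = {}
    collecting = False
    for r in records:
        if not r["indented"]:
            if collecting:
                break
            collecting = r["msg"] == func
        elif collecting and ":" in r["msg"]:
            key, _, val = r["msg"].partition(":")
            params[key.strip()] = val.strip()
    return params


# Excerpt of the NetSetup.LOG posted in the thread (domain name changed by the poster).
SAMPLE_LOG = r"""
03/07/2012 16:29:56:518 -----------------------------------------------------------------
03/07/2012 16:29:56:518 NetpDoDomainJoin
03/07/2012 16:29:56:518 NetpGetLsaPrimaryDomain: status: 0x0
03/07/2012 16:29:56:518 NetpJoinDomain
03/07/2012 16:29:56:518     Machine: IT-DEPLOY-12-LT
03/07/2012 16:29:56:518     Domain: domain.com\ICT-DC1.domain.com
03/07/2012 16:29:56:518     MachineAccountOU: (NULL)
03/07/2012 16:29:56:518     Account: (NULL)
03/07/2012 16:29:56:518     Options: 0xc1
03/07/2012 16:29:56:518 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
03/07/2012 16:29:56:518 NetpLoadParameters: status: 0x2
03/07/2012 16:29:56:518 NetpJoinDomain: Unsecure join requested.
03/07/2012 16:29:56:846 NetpJoinDomain: status of connecting to dc '\\ICT-DC1.domain.com': 0x0
03/07/2012 16:29:57:236 NetpLsaOpenSecret: status: 0xc0000034
03/07/2012 16:29:57:360 NetpJoinDomainLocal: NetpManageMachineSecret returned: 0x0.
03/07/2012 16:29:57:719 [0000068c] NetpGetLsaPrimaryDomain: status: 0x0
03/07/2012 16:29:57:938 NetpDoDomainJoin: status: 0x0
"""

if __name__ == "__main__":
    recs = parse_netsetup_log(SAMPLE_LOG)
    for bad in non_success_statuses(recs):
        print(f"{bad['ts']} {bad['func']}: 0x{bad['code']:x} = {bad['meaning']}")
    params = join_parameters(recs)
    print("join parameters:", params)
    print("join options:", decode_join_options(int(params["Options"], 16)))
```

Run against the posted log, the flagged lines are the two NetpLoadParameters 0x2 results (the log itself says the optional registry values were simply not found and defaulted) and NetpLsaOpenSecret 0xc0000034. The option decoder shows 0xc1 = NETSETUP_JOIN_DOMAIN | NETSETUP_JOIN_UNSECURE | NETSETUP_MACHINE_PWD_PASSED with NETSETUP_ACCT_CREATE clear and Account (NULL): the join authenticated to the existing computer object with a supplied machine password rather than with administrative credentials, which is what the "Unsecure join requested" line states in words. That is the setting worth comparing against what the console's join task is configured to do.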