GSS 2.0.2 - Joining computers to domain fails with odd error message
Hello,
I'm trying to image a number of WinXP SP2 to SP3 laptops with GSS 2.0.2 on a Windows Server 2008 (x64) domain server, and every step in the process is marked with Success except for the second Configuration which is marked with WARNING and the following error message "Failed to join domain [NEW_DOMAIN]: The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."
The server I'm running GSS on is a domain server on [NEW_DOMAIN] and should have no problem joining a computer to the domain, and the creation of the computer account goes through without a hitch.
I've tried adding the Ghost[SERVER] user to the Domain Admins group to see if the problem was insufficient rights on the domain but the error message remains.
Previous imagings on [OLD_DOMAIN] have been run without GhostWalker or sysprep (bad form, I know), but we've had no problems doing so. I thought that Windows Server 2008 might be more sensitive to SSID conflicts, so I've run a separate imaging with the GhostWalker SSID changer, but still no luck. Besides, if it were a matter of SSID conflicts I should be blocked from joining the computers manually, but that's not a problem.
Part of the imaging process is moving the laptops from [OLD_DOMAIN] to [NEW_DOMAIN], and at first I thought that somehow the credentials from [OLD_DOMAIN] were being retained after the Clone operation, so I tested adding a laptop to [NEW_DOMAIN] manually and reinstalling the client, but I'm still getting the same error.
Google and the GSS documentation are less than helpful, so I'm hoping someone here can shed some light on this, or at least point me in the right direction to resolve this.
Comments
Two supplementary comments to this problem:
Event ID: 5722 NETLOGON (The session setup from the computer [COMPUTER NAME] failed to authenticate. The name(s) of the account(s) referenced in the security database is [COMPUTER NAME]$. The following error occurred:
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you. )
Event ID: 5805 NETLOGON (The session setup from the computer [COMPUTER NAME] failed to authenticate. The following error occurred:
Access is denied.)
I was able to get around the problem you are describing with Server 2008 by changing the default domain controller policy to allow cryptography algorithms compatible with Windows NT 4.0. I believe the policy is located here:
Default Domain Controller Policy-->Computer Configuration-->Policies-->Administrative Templates-->System-->Net Logon
Hope this helps.
Windows Server 2008 RODC compatibility pack
I installed this patch from Microsoft and I can join Windows XP SP3 computers to a W2k8 domain controller without having to modify the default domain controller policy.
Install this patch http://support.microsoft.com/kb/944043/en-us on Windows XP only, not on Domain Controller.
Thanks for the information
Thanks for the heads-up on this patch; if this does resolve this particular message (which is innate to the internals of the NetJoinDomain API in Windows, rather than in our code) then that is great news. I'll pass this on to our QA team so they can have a look at this and see how it works in the test environments for GSS.
Hi
This works partly.
Now Ghost is giving another error for joining the domain: "You were not connected because a duplicate name exists on the network."
Edit: OK, now it works! It works with WinPE but not with PC-DOS.
I was wondering if anyone from Symantec would comment on this. We just recently upgraded our DCs to Server 2008 and at the same time are disallowing the NT 4.0 cryptography algorithms. Are there any plans to change the method that Ghost uses to join computers to the domain? I'm having limited success using netdom and would love to have the old way back.
gddickin: Thank you! That did the trick.
It didn't seem like an obvious solution considering the results I got from my own searches of the error message, how did you find this answer?
A follow-up question, that you or someone else here hopefully knows the answer to:
A post I read on this forum got me looking at the log file Windows creates when attempting to join a domain (%systemroot%\debug\netsetup.log). In the logs from machines that failed to join the domain I found this error in common:
NetpJoinDomain: w9x: status of validating account: 0x4f1
A quick search led me to this Microsoft KB article:
http://support.microsoft.com/kb/942564
As for your second question, unfortunately this behavior still exists in GSS 2.5
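The post above points at the NetpJoinDomain status line in %systemroot%\debug\netsetup.log as the place where the real failure code shows up. The status 0x4f1 is Win32 error 1265, ERROR_DOWNGRADE_DETECTED, whose message text is exactly the "possible attempt to compromise security" string from the original post, so a quick triage script over netsetup.log tells you whether a failed join is the NT 4.0 cryptography problem or something else (for example 0x5, access denied, as in the Event ID 5805 entry). The script below is an added example and is not code from the thread or from Symantec; the log excerpt in it is constructed (only the 0x4f1 line is the one quoted in the thread), and the timestamp format is assumed to be the "MM/DD HH:MM:SS" prefix netsetup.log writes.

```python
import re

# Constructed netsetup.log excerpt (not from the poster's machines). The
# "status of validating account: 0x4f1" line is the one quoted in the thread;
# the other lines are made up to show a successful join and an access-denied one.
SAMPLE_NETSETUP_LOG = """\
02/15 10:21:30 NetpDoDomainJoin
02/15 10:21:30 NetpMachineValidToJoin: 'LAPTOP01'
02/15 10:21:33 NetpJoinDomain: w9x: status of validating account: 0x4f1
02/15 10:21:33 NetpDoDomainJoin: status: 0x4f1
02/15 10:30:12 NetpJoinDomain: w9x: status of validating account: 0x0
02/15 10:30:12 NetpDoDomainJoin: status: 0x0
02/15 10:41:02 NetpJoinDomain: w9x: status of validating account: 0x5
"""

# Win32 error codes that appear in this thread, named as in winerror.h.
WIN32_ERRORS = {
    0x0: "ERROR_SUCCESS",
    0x5: "ERROR_ACCESS_DENIED",            # "Access is denied." (Event ID 5805)
    0x4F1: "ERROR_DOWNGRADE_DETECTED",     # 1265: "possible attempt to compromise security"
}

# Matches "<MM/DD HH:MM:SS> <Netp function>: [w9x: ]status[ of validating account]: 0x<hex>"
STATUS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) "
    r"(?P<func>Netp\w+): (?:w9x: )?status(?: of validating account)?: "
    r"(?P<code>0x[0-9a-fA-F]+)\s*$"
)


def parse_status_lines(log_text):
    """Return one record per status line: timestamp, function, numeric code, error name."""
    records = []
    for line in log_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # progress lines without a status code are ignored
        code = int(m.group("code"), 16)
        records.append({
            "timestamp": m.group("ts"),
            "function": m.group("func"),
            "code": code,
            "name": WIN32_ERRORS.get(code, "UNKNOWN_0x%X" % code),
        })
    return records


def downgrade_failures(log_text):
    """Timestamps of join attempts that failed with ERROR_DOWNGRADE_DETECTED (0x4f1)."""
    return sorted({r["timestamp"] for r in parse_status_lines(log_text)
                   if r["code"] == 0x4F1})


def count_by_code(log_text):
    """How many status lines were logged per error code, for a quick overview."""
    counts = {}
    for r in parse_status_lines(log_text):
        counts[r["code"]] = counts.get(r["code"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in parse_status_lines(SAMPLE_NETSETUP_LOG):
        print("%s %-20s 0x%-4X %s" % (r["timestamp"], r["function"], r["code"], r["name"]))
    print("Downgrade-detected join attempts at:", downgrade_failures(SAMPLE_NETSETUP_LOG))
```

Run it against a real netsetup.log by passing the file contents instead of SAMPLE_NETSETUP_LOG; a run of 0x4f1 records across several laptops is the signature of the NT 4.0-compatible cryptography policy (or a client missing the KB944043 update) rather than a rights or name-conflict problem, which would show up as other codes.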
Hello everybody
Question: Has this issue been fixed in the newest 2.5.1 GSS release ?
It really would be time.
Asking because our IT Department is going to upgrade our Windows domain to Windows 2008 R2 soon, and they will for sure not accept changing the "Default Domain Controller Policy" to allow cryptography algorithms compatible with Windows NT 4.0.
Can anybody confirm that the workaround proposed above (Windows 2008 RODC compatibility pack) fixes the issue for Windows XP SP3 100% ?
What about Windows 7 clients ? Do they suffer from the same problem or is it working flawlessly there ?
Kind regards,
Oliver