
This operation is only allowed for the Primary Domain Controller of the domain.

Created: 15 Aug 2008 • Updated: 22 May 2010 | 21 comments

Using GSS 2.5, all goes well until the GSS tries to join a PC to our domain. I have admin rights and can create, add and delete computers manually with no problem, but GSS gives this information inside the Event Details:

Details for : Configuraton 

Failed to join domain XXX.XX.asu.edu: This operation is only allowed for the Primary Domain Controller of the domain.

My config setup is no name, apply member of domain, add to AD, no move, TCP/IP is DHCP.


Ben1410's picture

Hi, I am having the exact same issue and am eagerly awaiting a solution too :)

Meckron's picture

Make sure your Ghost Console account (in the Console, Tools/Supported Domain List, it's at the bottom) has the Local Policy "Add workstations to the domain" User Right in the Default Domain Controllers Policy of Group Policies.

Ben1410's picture

Hi, I have put a domain admin level user into the console to make sure it wasn't that.

Also I have used the ghost(Computername) user that the console creates to join a computer manually.

I have found that the whole operation goes without a hitch if the logon server that the Ghost console picks up is also the PDC Emulator of the domain.

If the LDAP server that it uses to create the accounts is the one that is the PDC Emulator (which is the same as the logon server) it will work great.

As soon as it uses the LDAP from one of the other DCs it fails (hence the error message).

Thanks

Ben

Lesley's picture

I have followed your steps.  I deleted the computer object prior to running the Configuration and I still get the error.  I am running only one domain.

 

Meckron's picture

What is your domain structure?  Running Mixed or Native and what servers?

Lesley's picture

I just took over this site and did notice that the server is running in Native Windows 2000.

MPSC's picture

Did anyone solve this issue? I have been using Ghost with no problems. I just upgraded our 4 domain controllers to Windows 2008 and now my Windows 2003 Ghost server is getting the "operation is only allowed from the Primary Domain". What I found was if I keep running the configuration task it will add the PCs to the domain. (Takes about 6 goes.) I even tried installing AD on the Ghost server but it still fails. Any help would be great. Has anyone taken this error up with Symantec?

 

Thanks,

Toug's picture

I have the same problem here with two 2008 domain controllers. I hope the solution will come soon.

 

Toug's picture

I have opened a case with Symantec Tech Support to solve this issue.

I don't have a solution yet... If anyone finds it before, please let me know.

 

Aaron8IT's picture

Hi,

I am having the exact same problem and have followed the instructions on modifying the default domain controller policy; this doesn't work.

Here is my previous post: https://forums.symantec.com/syment/board/message?board.id=109&thread.id=19146

Any suggestions or help regarding this problem would be very appreciated...

 

cheers,

 

aaron

 

Krish Jayaratne's picture

Hi,

 

Could you have a look at Aaron's post (https://forums.symantec.com/syment/board/message?board.id=109&thread.id=19146) and see if the solution works for you? Looks like it is the same issue, can't say for sure without looking at log files.

 

Krish

 

 

MPSC's picture

I modified what is found in the default domain controller policy: "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Access: Named pipes that can be accessed anonymously"

 

Now I get "Access Denied" in the log file.

Aaron8IT's picture

Did you manually add 'lsarpc' into the template, and verify that 'netlogon' is a part of the services?

 

Did you try restarting your DC?

 

cheers,

 

aaron

 

 

MPSC's picture

Netlogon was already there. I manually added Lsarpc to the template. Which service are you talking about?

Aaron8IT's picture

My apologies, I did mean 'named pipes'.

Might want to check that the named pipes specified in the domain controller policy template are as follows:

- COMNAP
- COMNODE
- SQL\QUERY
- LLSRPC
- BROWSER
- netlogon
- samr
- lsarpc

I also deleted and recreated my Ghost account (tools -> supported domain).

Does that help?

 

cheers,

 

aaron
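
An added example, not part of any post in this thread: a PowerShell check, run on a domain controller, that compares the effective `NullSessionPipes` registry value (where the "Named pipes that can be accessed anonymously" setting is stored) against the pipe list from the post above. Variable and property names are illustrative.

```powershell
# Pipe names copied from the list in the post above.
$expected = 'COMNAP','COMNODE','SQL\QUERY','LLSRPC','BROWSER','netlogon','samr','lsarpc'

# The policy setting is stored in this REG_MULTI_SZ value on the domain controller.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$raw = (Get-ItemProperty -Path $key -ErrorAction Stop).NullSessionPipes

# Normalise: drop empty entries and surrounding whitespace; $null becomes an empty array.
$actual = @($raw | Where-Object { $_ -and $_.Trim() } | ForEach-Object { $_.Trim() })

# -notcontains is case-insensitive, so 'NETLOGON' and 'netlogon' count as the same pipe.
$missing = @($expected | Where-Object { $actual -notcontains $_ })
$extra   = @($actual   | Where-Object { $expected -notcontains $_ })

# One summary object per domain controller, suitable for piping to Format-List or Export-Csv.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Effective       = $actual -join ', '
    MissingFromList = $missing -join ', '
    NotInList       = $extra -join ', '
}
```

Run it after the policy has refreshed on each domain controller; `NotInList` shows any anonymously accessible pipes beyond those named in the thread.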


 

MPSC's picture

I recreated the account and now it works.

 

Thanks for everyone's help. Much appreciated.

tamcac's picture

What did you do to resolve this issue? Was recreating the account the fix?

Krish Jayaratne's picture

Hi,

I think this issue is related to domain controllers that are upgraded from 2k3 to 2k8. Do you have upgraded domain controllers?

Krish 

tamcac's picture

No, I'm having trouble with connecting a 2003 domain. Ghost creates the account in the right OU, but when it tries to join the domain it gets the "cannot connect, this function is only allowed by the Primary Domain Controller".