Ghost Solution Suite

Joining Domain

  • 1.  Joining Domain

    Posted Dec 23, 2007 09:34 PM
    hi there,
    Having some trouble with GSS2.0.1 joining the domain. The computer is added to the AD Computers ok but
    I get a warning on Configuration "Failed to join Domain "X" : Login Failure Unknown user name and password.
     
    I have added the Domain Admins group to the "GhostUSEr" that it uses to join the domain. I have even tried re-creating the user.  
    I'll get the log from the client and post it soon.


  • 2.  RE: Joining Domain

    Posted Dec 25, 2007 10:04 PM
    Hi there, here is the error log!
     
    Domain is MYDOMAIN
    SERVER NAME is GHOST  (not real names)
    Machine name L5L-01
    NIC in server Intel 1000
    NIC in PC Attansic Gigabit
     
    Appreciate your assistance
     
     
    12/24 12:40:48 NetpDoDomainJoin
    12/24 12:40:48 NetpMachineValidToJoin: 'L5L-01'
    12/24 12:40:48 NetpGetLsaPrimaryDomain: status: 0x0
    12/24 12:40:48 NetpMachineValidToJoin: status: 0x0
    12/24 12:40:48 NetpJoinDomain
    12/24 12:40:48  Machine: L5L-01
    12/24 12:40:48  Domain: MYDOMAIN
    12/24 12:40:48  MachineAccountOU: (NULL)
    12/24 12:40:48  Account: (NULL)
    12/24 12:40:48  Options: 0xc1
    12/24 12:40:48  OS Version: 5.1
    12/24 12:40:48  Build number: 2600
    12/24 12:40:48  ServicePack: Service Pack 2
    12/24 12:40:48 NetpValidateName: checking to see if 'MYDOMAIN' is valid as type 3 name
    12/24 12:40:48 NetpCheckDomainNameIsValid [ Exists ] for 'MYDOMAIN' returned 0x0
    12/24 12:40:48 NetpValidateName: name 'MYDOMAIN' is valid for type 3
    12/24 12:40:48 NetpDsGetDcName: trying to find DC in domain 'MYDOMAIN', flags: 0x1020
    12/24 12:40:48 NetpDsGetDcName: found DC '\\GHOST' in the specified domain
    12/24 12:40:48 NetUseAdd to \\GHOST\IPC$ returned 1326
    12/24 12:40:48 Trying add to  \\GHOST\IPC$ using NULL Session
    12/24 12:40:48 NetpJoinDomain: status of connecting to dc '\\GHOST': 0x0
    12/24 12:40:48 NetpGetLsaPrimaryDomain: status: 0x0
    12/24 12:40:48 NetpGetDnsHostName: Read NV Hostname: L5L-01
    12/24 12:40:48 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: MYDOMAIN.qld.edu.au
    12/24 12:40:48 NetpLsaOpenSecret: status: 0xc0000034
    12/24 12:40:49 Failed to validate machine account for L5L-01 against \\GHOST: 0xc000006d
    12/24 12:40:49 NetpJoinDomain: w9x: status of validating account: 0x52e
    12/24 12:40:49 NetpJoinDomain: initiaing a rollback due to earlier errors
    12/24 12:40:49 NetpLsaOpenSecret: status: 0x0
    12/24 12:40:49 NetpJoinDomain: rollback: status of deleting secret: 0x0
    12/24 12:40:49 NetpJoinDomain: status of disconnecting from '\\GHOST': 0x0
    12/24 12:40:49 NetpDoDomainJoin: status: 0x52e
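
A decoder for the status values in a netsetup.log like the one posted above, added here as an example and not part of the original thread or of Ghost. The function name `failures` and the small status table are this example's own; the sample lines are copied from the post.

```python
import re

# Meanings of the Windows status values seen in the log above. 0x52e is Win32
# error 1326 written in hex; 0xc000006d is the NTSTATUS for the same failure.
STATUS = {
    0x52E: "ERROR_LOGON_FAILURE: unknown user name or bad password",
    0xC000006D: "STATUS_LOGON_FAILURE: unknown user name or bad password",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND: named object does not exist",
}

# A status is the trailing number after "status...:", "returned" or "against <dc>:".
# Lines such as "Options: 0xc1" or "flags: 0x1020" are parameters, not statuses.
CODE = re.compile(r"(?:status(?: of [^:]*)?:|returned|against \S+:)\s*(0x[0-9a-fA-F]+|\d+)\s*$")
STAMP = re.compile(r"^\s*(\d\d/\d\d \d\d:\d\d:\d\d)\s+(.*)$")

def failures(log_text):
    """Return (timestamp, code, meaning, message) for every non-zero status."""
    out = []
    for raw in log_text.splitlines():
        m = STAMP.match(raw)
        if not m:
            continue
        stamp, msg = m.groups()
        c = CODE.search(msg)
        if not c:
            continue
        tok = c.group(1)
        code = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
        if code:
            out.append((stamp, code, STATUS.get(code, "unknown, look it up"), msg.strip()))
    return out

# Lines copied from the netsetup.log posted above (names are the poster's placeholders).
SAMPLE = r"""
12/24 12:40:48  Options: 0xc1
12/24 12:40:48 NetpDsGetDcName: trying to find DC in domain 'MYDOMAIN', flags: 0x1020
12/24 12:40:48 NetUseAdd to \\GHOST\IPC$ returned 1326
12/24 12:40:48 NetpJoinDomain: status of connecting to dc '\\GHOST': 0x0
12/24 12:40:48 NetpLsaOpenSecret: status: 0xc0000034
12/24 12:40:49 Failed to validate machine account for L5L-01 against \\GHOST: 0xc000006d
12/24 12:40:49 NetpJoinDomain: w9x: status of validating account: 0x52e
12/24 12:40:49 NetpDoDomainJoin: status: 0x52e
"""

if __name__ == "__main__":
    for stamp, code, meaning, msg in failures(SAMPLE):
        print(f"{stamp}  0x{code:x}  {meaning}\n    {msg}")
```

On the sample, the first non-zero status is the 1326 returned by the connection to `\\GHOST\IPC$`, which comes before the machine-account validation failure in the same log.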


  • 3.  RE: Joining Domain

    Posted Dec 27, 2007 07:26 PM
    Hi,

    Since you say adding the machine to the domain is OK, I presume that there are no warnings in the step 'Creating machine account'. This means that the first warning in the task is for the last Configuration step.

    If there is a machine account for the same machine, which was owned by administrator, any other account may not be able to change it even if it has full rights. Could you change the machine name in the configuration to one that had not been used before and see if it is working?

    Krish


  • 4.  RE: Joining Domain

    Posted Jan 02, 2008 09:00 PM
    Is the default configuration of the target client a member of the domain?  I've occasionally had difficulty adding a client to a domain.  It was in a domain, I remotely installed the client.  So the Console knows that client is a member of a domain by default.  I then took an image of it (with the Remove From Domain checkbox.)  I push it back telling it to use the default config, and it won't work.  If I make a Configuration (in Configuration Resources -> Configurations), and set that all to be normal/default except manually specify the domain (Configuration Set -> Workgroup/Domain Membership) and use that Configuration when pushing the image, it joins ok.

    I've not quite figured out why/when to use the Configuration and why/when the default last known configuration works.

    So if you're having trouble getting a client to join a domain, try just making a Configuration and applying that configuration when pushing.  It's not ideal, and I prefer the client's own default configuration than specifying a specific configuration file.  But it seems to work.

    Good luck,
    PH


  • 5.  RE: Joining Domain

    Posted Jan 06, 2008 07:38 PM
    You may be on to something.  These machines had the client installed on them and were existing machines in the Ghost Console Database.  And the machine was renamed to the previous name ok but I did receive a warning about permissions.  The thing is I want to keep the same machine name, I even tried deleting it from Active Directory Computers.
     
    I'll try a machine with a new "configuration" and see if that works.


  • 6.  RE: Joining Domain

    Posted Jan 09, 2008 12:54 PM
    Yah, give the Configuration file/definition thing a try.  I dunno why that works better than simply relying on a machine's Default configuration, but it seems to.  Maybe Ghost tries harder :)

    As for the system having originally been in the Console already, you can always Refresh Configuration/Inventory at any time.  It'll then update itself.  So if a machine is currently in the Console as Name-A in Domain-B, and you actually want it named Name-C in Domain-D, you'll have to do it once manually.  Once the machine is that way, then just Refresh Config (or delete the machine from the Machines list).  When the Refresh task is done, or the machine is rebooted again and (re)contacts the Console, the console will update its database and from then on, that machine will be known as Machine-C in Domain-D.  At that point, hopefully, its "Default" configuration will be C/D and a Push of an image to that system using the Default config should still make it C/D.

    Having said that, given my situation is the same, I still occasionally have to rely on a Configuration combined with the Push.  Again, I dunno why :)

    I've never tried using *just* a Configuration task.  I've always used the Configuration tab in combination with the Clone tab.  I suppose a Config-only task should work, but somehow I've never really trusted it :)

    Good luck,
    PH



  • 7.  RE: Joining Domain

    Posted Jan 09, 2008 05:55 PM
    Another strange thing is that I was trying to add the computer to an OU Container other than Computers, i.e. Computers/workstations. This seemed to hinder joining the domain as well!!
     
    Strange but true.  I just did 20 computers and half worked, the other half didn't. All same config! I started getting errors like "Ghost failed to reboot to Virt partition". I wonder if the timeout is just too short before it says it's too hard?


  • 8.  RE: Joining Domain

    Posted Jan 10, 2008 12:14 AM
    Hi,

    When you try to join the machines to a different OU, what is the error message you get? Have you given the Console account full permissions for the new OU?

    'Failed to reboot to virtual partition' is unlikely to be due to domain joining problems. It basically says that the client did not contact the server while in DOS. Do you use the same network template for all of them?

    Krish


  • 9.  RE: Joining Domain

    Posted Jan 10, 2008 05:18 PM
    Agreed.  Make sure you check perms for the Ghost account on the domain controller.  The cheap-easy way is to just add the Ghost account to Domain Admins.   A better way would be to Delegate Control and allow the Ghost account to fully manipulate objects inside the whatever-container you're putting the Computer Object in.

    I dunno about not booting into a Virtual Boot Partition.  That part really never fails for me.  Once booted into a VP it should just go.  If you see a failed to boot into the VP error entry in your Console logs, go to that machine and see what's on the screen.  It's possible the computer never rebooted (it never received the command to reboot into the VP) so I'd check that.  If it did indeed get the command and start rebooting but failed, I'd first just try again with only that one client in the push/configure task (remove all other issues and focus on one client only.)

    Good luck,
    PH



  • 10.  RE: Joining Domain

    Posted Jan 14, 2008 12:05 PM
    I've been having the same problem here.  From the advice here, I deleted the machine account off the domain server.  That eliminated the first error saying the account already existed.  But I can't figure out how to solve the second error:
    Failed to join domain XXXXX:  Logon failure:  unknown user name or bad password.
     
    What user name and password is it trying to use, and what is it trying to use it to do?  If it is using the Console Service Account, it should be working, as I know that is a valid account on the domain server with full permissions.  The account is in the Domain Administers Group.  It is actually my own login and I am the system admin.  The error happens during the configuration task near the end of the whole clone/deploy task.  It obviously is when the Ghost Console is trying to add the machine to the domain.
     
    What am I doing wrong?


  • 11.  RE: Joining Domain

    Posted Jan 14, 2008 06:04 PM
    >>>When you try to join the machines to a different OU, what is the error message you get?
    WARNING: Bad user name and password is the error.  I have added the Console Ghost Account to Domain Admin.
    Half of the computers work successfully.  I have a feeling the switch is not doing its job as the lab beside it worked 100% and the switch is the only thing that is different.
     
    So I'll replace the switch when I can to test it.  Thanks for all your assistance.
     
    For the other user with issues:
     
    I created a new Ghost User with a complex password as directed by Sym helpdesk and then added Domain Admin to the account. Then made the OU Computers as the default. This requires you to re-add the supported domains. You only use your account to join the Ghost account to the domain. (This is not clear at all)
    They suggested trying to log on with the Ghost account you create to see if it will let you add to domain as well. Just to be sure.


  • 12.  RE: Joining Domain

    Posted Jan 16, 2008 01:12 AM
    Hi,

    Rather than the switch, it could be something to do with the DNS entries. For some reason, when the DNS entries are not accurate, AD seems to be going through a different path to validate the credentials. This usually does not affect when the credentials are entered from the client directly.

    Could you (and Joe) try running Dcdiag to see if it complains about anything?

    Krish


  • 13.  RE: Joining Domain

    Posted Jan 17, 2008 11:00 AM
    Hello all,
     
    It seems that I too am having the same problem.  Although, everything was working fine 3 days ago.
     
    We have an account in AD that allows Ghost to do tasks (such as Join Domain).  When I use it, I get the error complaining about the username or a bad password.  But, when I use my own account (1 machine at a time), the machine goes in fine.  If I try to use my account in the "Join Domain Template" it craps out.  It seems that the only way I can join machines is 1 at a time, with my own account.
     
    Now, the Ghost account is a member of domain users.  I know this could potentially be a stupid question, but....should it be a member of Authenticated Users as well.  Keep in mind I'm a newbie when it comes to doing things the Microsoft way.  I'm a Netware Person who's not using it anymore (not by choice!!).
     
    I have tried blowing away the task & template and recreating it from scratch, with no luck. Another tech thinks it's the way I prepped the image before I set it up as a console image.  It started as a screwed up sysprepped image.
     
    I pulled it down on a machine, tweaked it (fixed the issue, then set permissions, copied profiles, etc), copied it to the server with a copy of it going to an external drive for other locations.  Then I set up the console image and ran the Join Domain task at the end with no problem. I did not re-sysprep the image after tweaking it.
     
    Now the task won't work, with the same errors that others in this thread are getting.....
     
    What am I missing??
     
    Any help from anyone would be greatly appreciated.....


    Message Edited by Combat on 01-17-2008 08:02 AM


  • 14.  RE: Joining Domain

    Posted Jan 22, 2008 05:01 PM
    Either Delegate Control so that the ghost account user can actually manipulate objects in the right OU/Container.  I don't know what the default is for Ghost - if it can only manipulate objects in the Computer container or any container/OU.  It doesn't need to be a member of Authenticated Users (although it won't hurt.)  The easy way is to add it to Domain Admin group (you mentioned domain users which isn't enough.) 

    I prefer Delegate Control method, so I know I specifically did it for this specific container/OU (and everything subcontained in it.) 

    Good luck,
    PH



  • 15.  RE: Joining Domain

    Posted Jan 25, 2008 08:33 AM
    Hi Paul,
     
    I believe that the account is set up like that....I just don't know if its AD muffing up or if it's Ghost Console....
     
    I have tried most of the suggestions here with no luck...and now some other schools are reporting issues too...


  • 16.  RE: Joining Domain

    Posted Jan 26, 2008 01:37 AM
    Hi,

    To answer Paul's question about the default permissions, when creating the console account it gives full rights to the computers folder, but no permissions to any other container. If you use OUs, you need to manually give full permissions for Console user to those OUs and the child objects. (This object and all child objects).

    "Combat", do you get the same error in netsetup.log as in the previous posts? Do you have this issue only when adding machines to the OUs?

    Krish


  • 17.  RE: Joining Domain

    Posted Jan 26, 2008 03:43 AM
    Yep, that'll do it - thank you :)  I just have all my computer objects in the Computer container, so it works for me.  But for folks who are not using the Computer container (and I might start putting my computer objects into OUs since I see that coming in the horizon), I'll make sure to double-check permissions.  I believe my having the Ghost service account in the Domain Administrators group is sufficient, but it never hurts to explicitly do a Delegate Control anyway.

    For those of you having difficulty w/adding a machine to the domain, I guess it's go back to square one.  Push an image to a client, and don't tell it to configure to join a domain.  Then go to that machine, and first rename it, then reboot, then join to the domain.  When it asks for credentials, give it the ghost console account user/pass rather than your usual domain admin account/password.  See if that works.

    Next, push it again w/out any configuration.  When done pushing, join the client to the domain without renaming it first, and use the ghost console account/password.  After it's joined, then try to rename it, and again do so using the ghost console account.

    Do the above two steps with and without the same object name already existing in the Computer container (so total four times.)  I've often found it works one way, but not the other.  It's a lot of step-by-step work, but it goes by fairly fast (I push a bare image w/just XP & Ghost agent.)   You'll probably find at one point, an error occurs and once you see it happen at a particular step manually, you can track down what's going on.

    Someone also mentioned DNS as a potential problem.  I've definitely had DNS related problems as well.  Whether they caused problems for Ghost, I'm not sure.  But certainly from the computer your Ghost console is installed on, do a few nslookup's, pings, etc to check your IP address/name space.  Then do similar commands that prefer netbios like "net use".  I've found sometimes one works and the other doesn't cause my DNS says machine name "BLAH-001" is 1.1.1.1.  But I've got a Windows computer named BLAH-001 as 2.2.2.2.  So ping and nslookup fail cause they use DNS, but my "net use" works cause it uses NetBIOS/NetBEUI thing and it still manages to find the "windows computer with the name BLAH-001".  So make sure DNS name preferably matches the NetBIOS name which in turn matches the IP address all correctly.  In this day and age of DNS-dependent AD, it should all be automatic, but sometimes things get screwed up, especially if you're using static IP addressing, or DNS servers not capable of DDNS.

    This does work, as quirky and temperamental as it may seem.  And yes, I've often resorted to the standard "Microsoft solution" of uninstall/reinstall.  It sucks, and the argument about whether we should ever have to do such or not aside, it does tend to work :)


    Good luck,
    PH