Ghost Solution Suite


Failed to join the domain

  • 1.  Failed to join the domain

    Posted Jan 05, 2009 09:28 PM

    Hi all, we recently upgraded our 2k03 domain to 2k08. Now this problem occurs... 

     

    Cannot join the domain warning is:

     

    "Failed to join the domain XXXX: This operation is only allowed for the Primary Domain Controller of the domain"  

     

    I'm thinking it's something simple that I am missing...

     

    cheers,

     

    aaron

     



  • 2.  RE: Failed to join the domain

    Posted Jan 06, 2009 01:46 AM

    Hi Aaron,

     

    Default security settings in 2k8 prevent the way Ghost Console joins machines to the domain. But I would expect to see an 'Access denied' error rather than this one if that is the case. However, could you have a look at the following thread?

     

    https://forums.symantec.com/syment/board/message?board.id=109&message.id=15624

     

    Krish

     



  • 3.  RE: Failed to join the domain

    Posted Jan 06, 2009 05:40 PM

    Hi Krish,

     

    Unfortunately this didn't work when I adjusted the default domain policy to allow NT4 cryptography (Default Domain Controller Policy-->Computer Configuration-->Policies-->Administrative Templates-->System-->Net Logon = 'enabled')

     

    any other suggestions?

     

    cheers,

     

    aaron

     

     

    Message Edited by Aaron8IT on 01-06-2009 02:40 PM


  • 4.  RE: Failed to join the domain

    Posted Jan 07, 2009 12:30 AM

    Hi Aaron,

     

    Do you have 2k3 domain controllers still in the domain? Could you check what DC the console uses to create the account? If you look at the task log, under 'create machine account', you should see the domain controller it uses if you use GSS 2.5. 

     

    If not, could you have a look at the netsetup.log on the client? It is in the \Windows\Debug folder. It also has information about what domain controller it tries to contact.

     

    Krish

     

     



  • 5.  RE: Failed to join the domain

    Posted Jan 07, 2009 12:43 AM

     

    Hi Krish,

     

    Nope, we are running W2K08 on both of our DCs in 2008 native.

     

    I have checked the task log and it tries to contact our primary domain controller, which does indeed have 2k08 installed on it.

     

    I had to recreate the Ghost Console service account after the 2k08 upgrade was completed on both DCs (as it did come up with 'access denied' when trying to create the machine account on the domain - which works fine now).

     

    does this help?

     

    cheers,

     

    aaron

     

     



  • 6.  RE: Failed to join the domain

    Posted Jan 07, 2009 01:40 AM

    Hi Aaron,

     

    Re-creating the account should not cause any issues. I was just looking at your previous post, and the policy is not exactly enabling Netlogon but 'Allow cryptography algorithms compatible with Windows NT 4.0'. Could you confirm that's what was done? There is an MS KB article http://support.microsoft.com/kb/942564 that explains the process. 

     

    How did you upgrade the DCs? Did you add them as additional domain controllers and decommission the 2k3 DCs, or do an in-place upgrade from 2k3 to 2k8?

     

    Krish

     

     



  • 7.  RE: Failed to join the domain

    Posted Jan 07, 2009 02:45 AM

    Hi Krish,

     

    Yes, I have confirmed that is the correct GPO setting that I have modified...

     

    We performed an in-place upgrade from a 2003 domain on both DCs.

     

    -aaron



  • 8.  RE: Failed to join the domain

    Posted Jan 08, 2009 02:03 AM

    Hi Aaron,

     

    Could you have a look at the \windows\debug\netsetup.log file in a failed client and see what it says?

     

    Krish

     



  • 9.  RE: Failed to join the domain

    Posted Jan 08, 2009 05:33 PM

    Krish,

     

    A part of the Debug\netsetup.log for a client follows (note: the domain and DC names have been changed for this post):

     

    ---------------------------------------------------------------------------------------


    01/08 15:41:30 -----------------------------------------------------------------
    01/08 15:41:30 NetpDoDomainJoin
    01/08 15:41:30 NetpMachineValidToJoin: 'MSTAFF-3'
    01/08 15:41:30 NetpGetLsaPrimaryDomain: status: 0x0
    01/08 15:41:30 NetpMachineValidToJoin: status: 0x0
    01/08 15:41:30 NetpJoinDomain
    01/08 15:41:30     Machine: MSTAFF-3
    01/08 15:41:30     Domain: mydomain.local\DC1.Mydomain.local
    01/08 15:41:30     MachineAccountOU: (NULL)
    01/08 15:41:30     Account: (NULL)
    01/08 15:41:30     Options: 0xc1
    01/08 15:41:30     OS Version: 5.1
    01/08 15:41:30     Build number: 2600
    01/08 15:41:30     ServicePack: Service Pack 3
    01/08 15:41:30 NetpValidateName: checking to see if 'mydomain.local' is valid as type 3 name
    01/08 15:41:30 NetpValidateName: 'mydomain.local' is not a valid NetBIOS domain name: 0x7b
    01/08 15:41:30 NetpCheckDomainNameIsValid [ Exists ] for 'mydomain.local' returned 0x0
    01/08 15:41:30 NetpValidateName: name 'mydomain.local' is valid for type 3
    01/08 15:41:30 NetpJoinDomain: status of connecting to dc '\\DC1.mydomain.local': 0x0
    01/08 15:41:30 NetpJoinDomain: DsGetDcName on passed DC '\\DC1.mydomain.local' failed: 0x5
    01/08 15:41:30 NetpJoinDomain: DsGetDcName on passed DC '\\DC1.mydomain.local' failed: 0x5
    01/08 15:41:30 NetpJoinDomain: Passed DC '\\DC1.mydomain.local' is not verified: 0x5
    01/08 15:41:30 NetpJoinDomain: status of disconnecting from '\\DC1.mydomain.local': 0x0
    01/08 15:41:30 NetpDoDomainJoin: status: 0x54a

    ---------------------------------------------------------------------------------

    thanks for the help,

     

    aaron

     

    Message Edited by Aaron8IT on 01-08-2009 02:33 PM
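The log above carries the whole diagnosis in its status codes, which the thread never spells out: the `0x5` returned by DsGetDcName is ERROR_ACCESS_DENIED, the `0x7b` on the NetBIOS check is ERROR_INVALID_NAME (expected, since a DNS-style name is tried as a NetBIOS name first), and the final `0x54a` is ERROR_INVALID_DOMAIN_ROLE, the code behind "This operation is only allowed for the Primary Domain Controller of the domain". The following script is an added example, not code from the thread or from Ghost Solution Suite: it parses the last join attempt in a netsetup.log, decodes the Win32 codes (names from winerror.h), drops the benign NetBIOS noise and maps the failure pattern to the first thing to check. The sample log embedded in it is the anonymised excerpt from the post above; the `diagnose` rules are my own summary of the cases in this thread.

```python
"""Decode a failed domain-join attempt from a Windows netsetup.log (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Win32 status codes that commonly appear in netsetup.log (winerror.h).
WIN32_ERRORS: Dict[int, str] = {
    0x000: "ERROR_SUCCESS",
    0x005: "ERROR_ACCESS_DENIED",
    0x035: "ERROR_BAD_NETPATH",
    0x07b: "ERROR_INVALID_NAME",
    0x52e: "ERROR_LOGON_FAILURE",
    0x54a: "ERROR_INVALID_DOMAIN_ROLE",  # "only allowed for the Primary Domain Controller"
    0x54b: "ERROR_NO_SUCH_DOMAIN",
    0x6ba: "RPC_S_SERVER_UNAVAILABLE",
}

LINE_RE = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d (.*)$")
KV_RE = re.compile(r"^(Machine|Domain|MachineAccountOU|Account|Options|OS Version|Build number|ServicePack): (.*)$")
CODE_RE = re.compile(r"(0x[0-9a-fA-F]+)\s*$")
# NetpValidateName tries the DNS name as a NetBIOS name first; that 0x7b is expected noise.
BENIGN = ("is not a valid NetBIOS domain name",)


def error_name(code: Optional[int]) -> str:
    if code is None:
        return "no status recorded"
    return WIN32_ERRORS.get(code, "unknown Win32 error 0x%x" % code)


def parse_join_attempt(log_text: str) -> Dict[str, object]:
    """Return the last join attempt in the log as a dict.

    netsetup.log is append-only and every attempt starts with a dashed
    separator line, so the collected state is reset whenever one is seen.
    """
    fields: Dict[str, str] = {}
    steps: List[Tuple[str, int]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1).strip()
        if msg and set(msg) == {"-"}:
            fields, steps = {}, []
            continue
        kv = KV_RE.match(msg)
        if kv:
            fields[kv.group(1)] = kv.group(2).strip()
            continue
        cm = CODE_RE.search(msg)
        if cm:  # "<step>: <code>" -> (step, code)
            steps.append((msg[:cm.start()].rstrip(" :"), int(cm.group(1), 16)))
    domain, _, dc = fields.get("Domain", "").partition("\\")  # "domain\DC"
    failures = [(step, code) for step, code in steps
                if code != 0 and not any(b in step for b in BENIGN)]
    final = steps[-1][1] if steps else None
    return {
        "machine": fields.get("Machine"),
        "domain": domain,
        "dc": dc,
        "os_version": fields.get("OS Version"),
        "failures": failures,
        "final_status": final,
        "final_name": error_name(final),
    }


def diagnose(rec: Dict[str, object]) -> str:
    """Map the failure pattern to the first thing to check (rules summarised from this thread)."""
    final = rec["final_status"]
    dc_denied = any(code == 0x5 and "DsGetDcName" in step for step, code in rec["failures"])
    if final == 0x54a and dc_denied:
        return ("DC %s answered DsGetDcName with ERROR_ACCESS_DENIED, so the client could not "
                "verify it is a domain controller and reported ERROR_INVALID_DOMAIN_ROLE; "
                "check anonymous access to the Netlogon and lsarpc named pipes on the DC" % rec["dc"])
    if final == 0x54b:
        return "domain not found: check DNS SRV records and name resolution on the client"
    if final == 0x52e:
        return "join credentials were rejected: check the account used for the join"
    if final == 0:
        return "join succeeded"
    return "join failed with %s" % rec["final_name"]


# Anonymised excerpt posted in this thread, used here as sample input.
SAMPLE_LOG = r"""
01/08 15:41:30 -----------------------------------------------------------------
01/08 15:41:30 NetpDoDomainJoin
01/08 15:41:30 NetpMachineValidToJoin: 'MSTAFF-3'
01/08 15:41:30 NetpGetLsaPrimaryDomain: status: 0x0
01/08 15:41:30 NetpMachineValidToJoin: status: 0x0
01/08 15:41:30 NetpJoinDomain
01/08 15:41:30     Machine: MSTAFF-3
01/08 15:41:30     Domain: mydomain.local\DC1.Mydomain.local
01/08 15:41:30     MachineAccountOU: (NULL)
01/08 15:41:30     Account: (NULL)
01/08 15:41:30     Options: 0xc1
01/08 15:41:30     OS Version: 5.1
01/08 15:41:30     Build number: 2600
01/08 15:41:30     ServicePack: Service Pack 3
01/08 15:41:30 NetpValidateName: checking to see if 'mydomain.local' is valid as type 3 name
01/08 15:41:30 NetpValidateName: 'mydomain.local' is not a valid NetBIOS domain name: 0x7b
01/08 15:41:30 NetpCheckDomainNameIsValid [ Exists ] for 'mydomain.local' returned 0x0
01/08 15:41:30 NetpValidateName: name 'mydomain.local' is valid for type 3
01/08 15:41:30 NetpJoinDomain: status of connecting to dc '\\DC1.mydomain.local': 0x0
01/08 15:41:30 NetpJoinDomain: DsGetDcName on passed DC '\\DC1.mydomain.local' failed: 0x5
01/08 15:41:30 NetpJoinDomain: DsGetDcName on passed DC '\\DC1.mydomain.local' failed: 0x5
01/08 15:41:30 NetpJoinDomain: Passed DC '\\DC1.mydomain.local' is not verified: 0x5
01/08 15:41:30 NetpJoinDomain: status of disconnecting from '\\DC1.mydomain.local': 0x0
01/08 15:41:30 NetpDoDomainJoin: status: 0x54a
"""

if __name__ == "__main__":
    rec = parse_join_attempt(SAMPLE_LOG)
    print("%s -> %s: %s" % (rec["machine"], rec["dc"], rec["final_name"]))
    for step, code in rec["failures"]:
        print("  %-75s %s" % (step, error_name(code)))
    print(diagnose(rec))
```

Run it against `C:\Windows\Debug\netsetup.log` copied off a failed client; because only the last attempt is reported, take the copy right after the Ghost task fails so the attempt of interest is the one at the end of the file.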


  • 10.  RE: Failed to join the domain

    Posted Jan 09, 2009 02:37 AM

    Hi Aaron,

     

     

    Thanks for the log. This is actually related to an earlier post in the forum too, but I thought it could not find the DC due to a DNS issue. This appears to be different.

     

    The client calls the NetJoinDomain API, and that seems to be calling DsGetDcName to get the details of the domain controller. It is difficult to think why it's failing. Could you check the event/audit logs on the DC to see if there are any other details? Is there a possibility of running a packet trace from the domain controller for the traffic from the workstation?

     

    I'm trying to see if I can get the same situation by upgrading a 2k3 DC to 2k8. But my feeling is it's not going to happen with default settings. Most likely, when converting some of the policies or permissions from 2k3, the mapping would have stopped this call from succeeding. 

     

    Krish

     

     



  • 11.  RE: Failed to join the domain

    Posted Jan 11, 2009 11:39 PM

    Hi Krish,

     

    I have checked the DC logs and nothing jumps out as being a problem...

     

    I have sent the packet trace log for one of our clients that is having problems, as per your request, via Private Message on these forums; the trace was taken on the domain controller that the GSS 'create machine' task references in the Ghost task log.

     

    cheers,

     

    aaron

     

    Message Edited by Aaron8IT on 01-12-2009 02:44 PM


  • 12.  RE: Failed to join the domain
    Best Answer

    Posted Jan 12, 2009 12:29 AM

    Hi Aaron,

    Thanks a lot for the update and the trace. In the meantime I think I found the problem (or at least a problem :-). I managed to get the same error message from an upgraded 2k3 domain. 

    In my case, when the NetJoinDomain API calls DSGETDC, the client tries to access the Netlogon service of the server and receives an access denied error. Then the API seems to interpret it as Netlogon not being available, probably thinks it is an NT BDC, and gives that particular message.  

    The reason for NETLOGON to fail seems to be the local security setting "Network Access: Named pipes that can be accessed anonymously" not containing Netlogon and lsarpc. In 2k3 as well as 2k8, domain fresh installs contain Browser, Netlogon, lsarpc and samr in this list. But when a 2k3 DC is upgraded, this list contains only Browser. I'm not sure if this is intended or a defect in the upgrade, since fresh installs behave differently, even when the 2008 security level is selected. 

    If you do not specifically need to remove them, could you try adding Netlogon and lsarpc to the "Network Access: Named pipes that can be accessed anonymously" setting in the domain local security settings? 


    Krish



  • 13.  RE: Failed to join the domain

    Posted Jan 12, 2009 01:21 AM

    Hi Krish,

     

    It works!!!

     

    Thanks very much for the time you have put into my problem :)

     

    I just had to manually add 'lsarpc' into the template (after enabling it), as Netlogon was already there...

     

    FYI for everyone else, the policy I modified is found in the Default Domain Controller Policy: 

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\"Network Access: Named pipes that can be accessed anonymously"

     

    Thanks for all your help,

     

    Aaron

    Message Edited by Aaron8IT on 01-12-2009 04:42 PM
    Message Edited by Aaron8IT on 01-12-2009 04:45 PM
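The fix in posts 12 and 13 comes down to one REG_MULTI_SZ value on the domain controllers: `HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes`, which is what the "Network access: Named pipes that can be accessed anonymously" security option writes. The script below is an added example, not code from the thread or from Ghost Solution Suite: it reads that value out of a security template exported on the DC with `secedit /export /cfg C:\dc.inf`, reports which of the entries this thread needed (Netlogon, lsarpc, from post 12) are missing, and emits the corrected `[Registry Values]` line. The INF excerpt is constructed to mirror the upgraded-DC state post 12 describes (only Browser left); the assumption that secedit writes multi-string values as type `7` with comma-separated entries is mine.

```python
"""Check the anonymous named-pipe list in a secedit security-template export (added example)."""
from typing import Dict, List, Optional

# Registry value behind "Network access: Named pipes that can be accessed anonymously".
NULL_PIPES_KEY = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes"
REQUIRED_FOR_JOIN = ("Netlogon", "lsarpc")                          # what the fix in this thread needed
FRESH_INSTALL_DEFAULT = ("Browser", "Netlogon", "lsarpc", "samr")   # what post 12 saw on a fresh DC


def parse_null_session_pipes(inf_text: str) -> Optional[List[str]]:
    """Return the NullSessionPipes entries from [Registry Values], or None if the key is absent."""
    in_section = False
    for line in inf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_section = s.lower() == "[registry values]"
            continue
        if not in_section or "=" not in s:
            continue
        key, _, value = s.partition("=")
        if key.strip().lower() != NULL_PIPES_KEY.lower():
            continue
        # Assumed secedit format: "<key>=<type>,<data>"; type 7 is REG_MULTI_SZ, entries comma-separated.
        reg_type, _, data = value.partition(",")
        if reg_type.strip() != "7":
            raise ValueError("unexpected registry type %r for NullSessionPipes" % reg_type)
        return [p.strip() for p in data.split(",") if p.strip()]
    return None


def missing_pipes(pipes: List[str], required=REQUIRED_FOR_JOIN) -> List[str]:
    """Pipe names are matched case-insensitively; returns required entries that are absent."""
    have = {p.lower() for p in pipes}
    return [p for p in required if p.lower() not in have]


def remediated_line(pipes: List[str], required=REQUIRED_FOR_JOIN) -> str:
    """The [Registry Values] line for a template that adds only what is missing."""
    return "%s=7,%s" % (NULL_PIPES_KEY, ",".join(list(pipes) + missing_pipes(pipes, required)))


def check_template(inf_text: str, required=REQUIRED_FOR_JOIN) -> Dict[str, object]:
    pipes = parse_null_session_pipes(inf_text)
    if pipes is None:  # value not exported at all: treat as empty list
        return {"present": False, "pipes": [], "missing": list(required),
                "fix": remediated_line([], required)}
    return {"present": True, "pipes": pipes, "missing": missing_pipes(pipes, required),
            "fix": remediated_line(pipes, required)}


# Constructed excerpt of a `secedit /export` template from an upgraded DC: only Browser survived.
UPGRADED_DC_INF = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,Browser
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
"""

if __name__ == "__main__":
    result = check_template(UPGRADED_DC_INF)
    print("anonymous pipes:", result["pipes"], "missing for join:", result["missing"])
    print("template line to apply:")
    print(result["fix"])
```

The emitted line can be put under `[Registry Values]` in a template and applied with `secedit /configure`, or the same entries added through the GPO path Aaron gives above; apply it to the Default Domain Controllers Policy only, since every name in this list becomes reachable over an unauthenticated IPC$ session, and lsarpc and samr are exactly the pipes classic null-session enumeration tools talk to. The thread needed only Netlogon and lsarpc; pass `FRESH_INSTALL_DEFAULT` as `required` only if you deliberately want the full fresh-install list back.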