Ghost Solution Suite

  • 1.  Need help with GSS and joining a domain problem

    Posted May 17, 2011 02:53 PM

    I have seen a few issues regarding this but they either wind up with no posted answer or the solution is something I have already tried.


    I have a lab with an image ready. If I run the task to deploy the image with the configuration settings, all works fine EXCEPT when it tries to join the domain. I get the following message:


    " Details for :Configuration

    Failed to join the domain domain.local : The specified domain either doesnt exist or cannot be contacted"


    Now for the interesting part. If AFTER the image is deployed (the PCs are all ready except for being on the domain) I run another task that simply just reruns the configuration ...it works...


    A few notes:

    - It's a Win 2008 R2 DC that is also running the GSS

    - the configuration simply just sets up the domain join and moves the computer account into a specified OU ...all other settings are left to defaults

    - the account has been delegated full access rights for the domain AND is in the domain admin group

    - all clients are Windows XP SP3 and are up to date



  • 2.  RE: Need help with GSS and joining a domain problem

    Posted May 18, 2011 02:32 AM

    Hello,

    I have done an investigation related to the Windows 2008 Server R2 domain joining issue. In my testing I observed the following.

    1. Domain joining was successful for Windows 7 clients with the domain joining sysprep task and the configuration task.
    2. Domain joining fails on XP and Windows Server 2003 with the warning message "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you" when running the configuration task.
    3. Domain joining was successful on XP and Windows Server 2003 with the sysprep task.

    No changes were made on Windows 2008 R2 domain controller (default settings) to allow domain join in my DC setup.

    I went through the Microsoft link where Microsoft mentioned that the Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default. This problem occurs because of the default behavior of the "Allow cryptography algorithms compatible with Windows NT 4.0" policy on Windows Server 2008-based domain controllers. This policy is configured to prevent Windows operating systems and third-party clients from using weak cryptography algorithms to establish NETLOGON security channels to Windows Server 2008-based domain controllers. This means that the "compromise security" warning message will be observed and the domain join will fail when XP and Windows Server 2003 client computers (which are Windows NT 4.0 based operating systems) use the NetJoinDomain function together with the NETSETUP_JOIN_UNSECURE join option against a Windows Server 2008-based domain controller. The issue is not observed on Vista SP1 onwards operating systems since Microsoft has taken care of the issue in the later versions of operating systems (Vista SP2 and Windows 7). The same was observed in my testing as well.

    Microsoft has explained this issue in detail at <http://support.microsoft.com/kb/942564> when the Windows 2008 R2 Read Only Domain Controller (RODC) is added to a network that has Windows XP or Windows Server 2003.

    Microsoft has released the patch for XP (32 and 64-bit) and Windows Server 2003 (32 and 64-bit) and it can be downloaded from <http://support.microsoft.com/kb/944043>. Prerequisites to apply this patch are mentioned on this link.

    I have seen STN forum threads (<http://www.symantec.com/connect/forums/winxp-system-wont-join-domain-console-task> and <http://www.symantec.com/connect/forums/gss25-failed-join-domain-xxx-system-detected-possible-attempt-compromise-security>) which stated that the problem is resolved with this patch.

    I have tested the domain joining with the configuration task after applying the patch to the XP 64-bit operating system and found it to be working fine.

    So according to my test observations, Vista SP1 and above will not have the problem while joining a Windows 2008 Server R2 domain. XP and Windows Server 2003 operating systems need the 944043 patch applied to resolve the Windows 2008 Server R2 domain joining issue.

    Please let me know if you need any further information or clarification.




  • 3.  RE: Need help with GSS and joining a domain problem

    Posted May 18, 2011 11:23 AM

    Thanks for the prompt reply...

    1. I had already installed the hotfix 944043 onto the image. So I don't think that is the solution

    2. I also have told it to join the full domain name, not just the NETBIOS name....also the same result

    3. I have a second classroom of newer machines (dual core with 3 gigs of RAM) that I imaged with the same image and they executed the config file just fine. The older classroom that I have problems with is running single core with 256 RAM...(this also means it uses the MS-DOS client, not the WinPE)


    I know the older machines aren't in good condition but is there maybe a problem with them only having 256 RAM?


    Any other thoughts?



  • 4.  RE: Need help with GSS and joining a domain problem

    Posted May 18, 2011 04:57 PM

    I believe the problem lies in the DOS NIC driver / LAN redirector being too basic to be able to handle the level of security now required by Win 2008 R2. The amount of RAM in your old systems is immaterial in this respect, as DOS uses less than 1 MB, but it is clearly somewhat marginal for a WinPE boot.

    I believe you may need to revert to an older server platform for the old environment, or even a workstation running XP, if you wish to continue using PC-DOS as your boot environment.

    There may be some scope to test a cut-down version of WinPE which may just load into the 256 MB of memory you have available on the old machines, but this may not leave much spare RAM to buffer network transfers.



  • 5.  RE: Need help with GSS and joining a domain problem

    Posted May 19, 2011 12:59 AM

    It is also worth checking your DNS configuration. Most of the time DNS is the culprit when joining a machine to a domain. Please attach netsetup.log to diagnose the issue. Usually it is located at c:\windows\debug.
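Reply 5 points at netsetup.log as the place to diagnose a failed join. As an added example (not from this thread, GSS or Microsoft), here is a small Python triage script that pulls the final NetpDoDomainJoin status out of netsetup.log text and maps the two Win32 codes this thread revolves around (0x54b, the "domain either doesn't exist or cannot be contacted" error from post 1, and 0x4f1, the "possible attempt to compromise security" warning from reply 2) to the checks the replies suggest. The sample log lines are constructed in the style of netsetup.log; the wording of real entries may differ, but the "NetpDoDomainJoin: status: 0x..." line is what the parser keys on.

```python
import re

# Constructed sample in the style of %SystemRoot%\debug\netsetup.log (not a real capture).
SAMPLE_NETSETUP_LOG = """\
05/17/2011 14:53:01:234 NetpDoDomainJoin
05/17/2011 14:53:01:234 NetpMachineValidToJoin: 'LAB-PC01'
05/17/2011 14:53:01:250 NetpValidateName: checking to see if 'domain.local' is valid as type 3 name
05/17/2011 14:53:02:312 NetpCheckDomainNameIsValid [ Exists ] for 'domain.local' returned 0x54b
05/17/2011 14:53:02:312 NetpDoDomainJoin: status: 0x54b
05/18/2011 09:10:44:101 NetpDoDomainJoin
05/18/2011 09:10:45:700 NetpJoinDomain: status of setting LSA pri. domain: 0x0
05/18/2011 09:10:45:900 NetpJoinDomain: status of setting netlogon cache: 0x0
05/18/2011 09:10:46:002 NetpDoDomainJoin: status: 0x4f1
"""

# Win32 status codes netsetup.log reports in hex, with the condition each points at.
KNOWN_STATUS = {
    0x0:   ("ERROR_SUCCESS", "join completed"),
    0x5:   ("ERROR_ACCESS_DENIED", "join account lacks rights on the computer object / target OU"),
    0x54b: ("ERROR_NO_SUCH_DOMAIN", "DC locator failed: check the client's DNS server is the DC and _ldap._tcp.dc._msdcs.<domain> SRV records resolve"),
    0x4f1: ("ERROR_DOWNGRADE_DETECTED", "NETLOGON secure channel refused as weak crypto: apply KB944043 to the XP/2003 client (see KB942564)"),
}

STATUS_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:\d{3}) NetpDoDomainJoin: status: 0x([0-9a-fA-F]+)")

def parse_join_attempts(log_text):
    """Return one record per completed join attempt found in netsetup.log text."""
    attempts = []
    for line in log_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        code = int(m.group(2), 16)
        name, hint = KNOWN_STATUS.get(code, ("UNKNOWN", "look the code up with 'net helpmsg %d'" % code))
        attempts.append({"time": m.group(1), "status": code, "name": name, "hint": hint})
    return attempts

def summarize(log_text):
    """Count failures per named status so logs gathered from a whole classroom can be triaged at a glance."""
    counts = {}
    for a in parse_join_attempts(log_text):
        if a["status"] != 0:
            counts[a["name"]] = counts.get(a["name"], 0) + 1
    return counts

if __name__ == "__main__":
    for a in parse_join_attempts(SAMPLE_NETSETUP_LOG):
        print(a["time"], a["name"], "-", a["hint"])
```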