RE: Remote Installation Services, DoOldStyleDomainJoin=Yes

Hi Rich,

Sorry for my delayed response due to the complexity of this issue. I hope
this has not caused you too much inconvenience.

I have created a test environment and performed a lot of research. Based
on my research, the security policy setting "Add workstations to domain"
may be the cause of this issue.

This security setting determines which groups or users can add workstations
to a domain. By default, any authenticated user has this right and can
create up to 10 computer accounts in the domain. After implementing the
Windows Server 2003 Security Guide: Enterprise Client: Domain
Controller.inf, this security setting is configured as Administrators,
that's to say, only the users which has the domain administrators privilege
can add workstations to the domain.

You may refer to the following steps to change this security setting to see
whether the issue can be resolved:

1. On one of the Domain Controllers, open Domain Controller Security Policy
in Administrative Tools.
2. Navigate to Security Settings\Local Policies\User Rights Assignment.
3. On the right pane, double click on the "Add workstations to domain"
setting.
4. Click Add User or Group button to add the Authenticated Users, and then
click OK.
5. Click Start, click Run, type "gpupdate /force", and then click OK, and
if you are prompted, restart the DC.

Regarding the difference between using "DomainAdmin=" and using "
DoOldStyleDomainJoin=Yes ", when we configure DoOldStyleDomainJoin=Yes, it
will force unattended setup to override the Windows security and join the
domain using the old Windows NT 4.0 style domain join. This means, if you
have a computer account pre-created in the domain, you do not need to
provide domain account credentials to join the computer account to the
domain.

Hope the above information helps. If the issue persists after performing
the above steps, please help me to collect the GP Results on one of the
Domain Controllers and send it to me at v-stwang@xxxxxxxxxxxxxx To collect
the GP Results, please refer to the following steps:

1. Type the following command in command prompt on one problematic
workstation, and then press ENTER:
"gpresult -Z > C:\gpresult_z.txt" (without the quotation marks)

2. This creates a list of the implemented policies on the computer in the
following text file: C:\gpresult_z.txt. Please send this file to me.

If you have any question or concern, please feel free to let me know. I am
glad to be of assistance.

Have a nice day!

Steven Wang
Microsoft CSS Online Newsgroup Support

--------------------
>X-Tomcat-ID: 265180798
>References: <80690FAF-6C3A-4CD7-9F1D-3B42C480D121@xxxxxxxxxxxxx>
<H46YZvwyFHA.3772@xxxxxxxxxxxxxxxxxxxxx>
<3B4884E5-A29C-4717-BB1B-036276FC56CA@xxxxxxxxxxxxx>
>MIME-Version: 1.0
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>From: v-stwang@xxxxxxxxxxxxxxxxxxxx (Steven Wang [MSFT])
>Organization: Microsoft
>Date: Fri, 07 Oct 2005 12:43:05 GMT
>Subject: RE: Remote Installation Services, DoOldStyleDomainJoin=Yes
>X-Tomcat-NG: microsoft.public.windows.group_policy
>Message-ID: <cQwdsyzyFHA.780@xxxxxxxxxxxxxxxxxxxxx>
>Newsgroups: microsoft.public.windows.group_policy
>Lines: 178
>Path: TK2MSFTNGXA01.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.group_policy:10947
>NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122
>
>Hello Rich,
>
>Thanks for your prompt reply and let me know the detailed information.
>
>This is a quick note to let you know that I am researching your issue and
>will get back to you as soon as possible. I appreciate your patience.
>
>Have a great weekend!
>
>Steven Wang
>Microsoft CSS Online Newsgroup Support
>
>--------------------
>>Thread-Topic: Remote Installation Services, DoOldStyleDomainJoin=Yes
>>thread-index: AcXLFxPE0slvZMnAT0Kf7ifHNGNYEA==
>>X-WBNR-Posting-Host: 195.67.90.253
>>From: "=?Utf-8?B?cmljaG9vMjAwMEBub2VtYWlsLnBvc3RhbGlhcw==?="
><richoo2000@xxxxxxxxxxxxxxxxx>
>>References: <80690FAF-6C3A-4CD7-9F1D-3B42C480D121@xxxxxxxxxxxxx>
><H46YZvwyFHA.3772@xxxxxxxxxxxxxxxxxxxxx>
>>Subject: RE: Remote Installation Services, DoOldStyleDomainJoin=Yes
>>Date: Fri, 7 Oct 2005 01:14:02 -0700
>>Lines: 136
>>Message-ID: <3B4884E5-A29C-4717-BB1B-036276FC56CA@xxxxxxxxxxxxx>
>>MIME-Version: 1.0
>>Content-Type: text/plain;
>> charset="Utf-8"
>>Content-Transfer-Encoding: 8bit
>>X-Newsreader: Microsoft CDO for Windows 2000
>>Content-Class: urn:content-classes:message
>>Importance: normal
>>Priority: normal
>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>>Newsgroups: microsoft.public.windows.group_policy
>>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
>>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.group_policy:10943
>>X-Tomcat-NG: microsoft.public.windows.group_policy
>>
>>If i use
>>[Identification]
>> JoinDomain=%MACHINEDOMAIN%
>> DomainAdmin=%USERNAME%
>> DomainAdminPassword=%DPASSWORD%
>>
>>Is works, so the permissions is OK.
>>-------------------------------------------
>>Domain policy is Built on the template
>>Enterprise Client. Domain Controller.inf
>>-------------------------------------------
>>So i just want to know what i need to open in this policy to enable
>>DoOldStyleDomainJoin.
>>And what the diffrens is between the solution above and DoOldStyle is.
>>
>>
>>
>>
>>
>>"Steven Wang [MSFT]" skrev:
>>
>>> Hello Rich,
>>>
>>> Thank you for posting.
>>>
>>> From your post, my understanding of this issue is: The client
>workstations
>>> cannot be joined into the domain through the RIS installation. If this
>is
>>> not correct, please feel free to let me know.
>>>
>>> Based on my research, this issue may be caused by various factors,
>>> therefore, we may need to perform some test and collect more
information
>to
>>> narrow down the root cause of this issue. First, I suggest we refer to
>the
>>> following KB article to make sure the permissions are set correctly for
>the
>>> OU:
>>>
>>> Rights Needed for Remote Installation Server to Create Machine Accounts
>>> http://support.microsoft.com/?id=224294
>>>
>>> Meantime, please help me to collect some information so that I can
>perform
>>> further research on this specific issue:
>>>
>>> 1. What is the DC Policy setting you have implemented before this issue
>>> occurs, and how the policy setting be configured?
>>>
>>> 2. Please send the %windir%\debug\Netsetup.log and Setuperr.log files
on
>>> the client workstation to me at v-stwang@xxxxxxxxxxxxxx
>>>
>>> 3. Please send the RIPREP.SIF you are using to me.
>>>
>>> More Information:
>>> -------------------------
>>> Customizing RIS Installations
>>>
>http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-u
s
>>> /prbc_cai_silp.asp
>>>
>>> How to Modify the Default Group Policy for Remote Installation Services
>>> http://support.microsoft.com/?id=316663
>>>
>>> Should you have any question or concern, please feel free to let me
>know.
>>> I am glad to be of assistance.
>>>
>>> Have a nice day!
>>>
>>> Steven Wang (MSFT)
>>> Microsoft CSS Online Newsgroup Support
>>>
>>> Get Secure! - www.microsoft.com/security
>>> =====================================================
>>> This newsgroup only focuses on SBS technical issues. If you have issues
>>> regarding other Microsoft products, you'd better post in the
>corresponding
>>> newsgroups so that they can be resolved in an efficient and timely
>manner.
>>> You can locate the newsgroup here:
>>> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>>>
>>> When opening a new thread via the web interface, we recommend you check
>the
>>> "Notify me of replies" box to receive e-mail notifications when there
>are
>>> any updates in your thread. When responding to posts via your
>newsreader,
>>> please "Reply to Group" so that others may learn and benefit from your
>>> issue.
>>>
>>> Microsoft engineers can only focus on one issue per thread. Although we
>>> provide other information for your reference, we recommend you post
>>> different incidents in different threads to keep the thread clean. In
>doing
>>> so, it will ensure your issues are resolved in a timely manner.
>>>
>>> For urgent issues, you may want to contact Microsoft CSS directly.
>Please
>>> check http://support.microsoft.com for regional support phone numbers.
>>>
>>> Any input or comments in this thread are highly appreciated.
>>> =====================================================
>>> This posting is provided "AS IS" with no warranties, and confers no
>rights.
>>>
>>> --------------------
>>> >Thread-Topic: Remote Installation Services, DoOldStyleDomainJoin=Yes
>>> >thread-index: AcXKcPvySIP8YiZdSiuAPwhWrGwG7Q==
>>> >X-WBNR-Posting-Host: 195.67.90.253
>>> >From: "=?Utf-8?B?cmljaG9vMjAwMEBub2VtYWlsLnBvc3RhbGlhcw==?="
>>> <richoo2000@xxxxxxxxxxxxxxxxx>
>>> >Subject: Remote Installation Services, DoOldStyleDomainJoin=Yes
>>> >Date: Thu, 6 Oct 2005 05:25:06 -0700
>>> >Lines: 12
>>> >Message-ID: <80690FAF-6C3A-4CD7-9F1D-3B42C480D121@xxxxxxxxxxxxx>
>>> >MIME-Version: 1.0
>>> >Content-Type: text/plain;
>>> > charset="Utf-8"
>>> >Content-Transfer-Encoding: 8bit
>>> >X-Newsreader: Microsoft CDO for Windows 2000
>>> >Content-Class: urn:content-classes:message
>>> >Importance: normal
>>> >Priority: normal
>>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>>> >Newsgroups: microsoft.public.windows.group_policy
>>> >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>>> >Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA03.phx.gbl
>>> >Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.group_policy:10921
>>> >X-Tomcat-NG: microsoft.public.windows.group_policy
>>> >
>>> >Hello.
>>> >After implementing DC Policy on all my 2003 Dc, my Ris installation
>>> doesn�t
>>> >work correct. The Ris installation can not join the domin correctly.
>Fail
>>> on
>>> >the client Setuperr.log Error: NetSetup: Join domain xxxxxxxx in full
>>> >unattended mode failed. Setup will proceed to join the default
>workgroup.
>>> >
>>> >The problem is that the feature DoOldStyleDomainJoin=Yes
doesn�t
>work
>>> after
>>> >the policy�s.
>>> >How can I enable this so I can install my clients, without to
implement
>>> the
>>> >domain admin and password in the SIF files?
>>> >DC�s 2003 Sp1, Ris 2003 Sp1 Member Server, XP SP2 Eng clients.
>>> >
>>> >
>>>
>>>
>>
>
>

.