RE: Remote Installation Services, DoOldStyleDomainJoin=Yes



Bingo! It works now I have added the extra entries to that key.

It appears that the policy had been set previously but when the policy was
removed the settings remained in the registry. I notice the registry key
HKLM\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess
is set to 1. Is this turned on by default by SP1 or is it that if the group
policy setting is set to not defined any settings placed there by previous
policies are not specifically removed unless you select disabled?

Thanks.

"TIMM" wrote:

> SP1 introduced additional RPC and SAMR security and during the upgrade SP1
> adds new entries to NULL Session Pipes. However if you set the "Network
> access: Named Pipes that can be accessed anonymously" Group policy then the
> SP1 updates will be overwritten and thus the workstation will not have
> the ability to access SAMR in order to confirm a workstation account exists
> in AD.
>
> To fix this problem, set the following registry key
> "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\lanmanserver\parameters\NullSessionPipes" and/or Group Policy should include the following entries.
>
> COMNAP
> COMNODE
> SQL\QUERY
> SPOOLSS
> LLSRPC
> EPMAPPER
> LOCATOR
> TrkWks
> TrkSvr
> Browser
> Netlogon
> LSArpc
> samr
>
> Please let me know if this resolves your problem
>
> Good luck!
> Tim
>
>
> "Steven Wang [MSFT]" wrote:
>
> > Hi Rich,
> >
> > Sorry for my delayed response due to the complexity of this issue. I hope
> > this has not caused you too much inconvenience.
> >
> > I have created a test environment and performed a lot of research. Based
> > on my research, the security policy setting "Add workstations to domain"
> > may be the cause of this issue.
> >
> > This security setting determines which groups or users can add workstations
> > to a domain. By default, any authenticated user has this right and can
> > create up to 10 computer accounts in the domain. After implementing the
> > Windows Server 2003 Security Guide: Enterprise Client: Domain
> > Controller.inf, this security setting is configured as Administrators,
> > that is to say, only users who have the domain administrators privilege
> > can add workstations to the domain.
> >
> > You may refer to the following steps to change this security setting to see
> > whether the issue can be resolved:
> >
> > 1. On one of the Domain Controllers, open Domain Controller Security Policy
> > in Administrative Tools.
> > 2. Navigate to Security Settings\Local Policies\User Rights Assignment.
> > 3. On the right pane, double click on the "Add workstations to domain"
> > setting.
> > 4. Click Add User or Group button to add the Authenticated Users, and then
> > click OK.
> > 5. Click Start, click Run, type "gpupdate /force", and then click OK, and
> > if you are prompted, restart the DC.
> >
> > Regarding the difference between using "DomainAdmin=" and using "
> > DoOldStyleDomainJoin=Yes ", when we configure DoOldStyleDomainJoin=Yes, it
> > will force unattended setup to override the Windows security and join the
> > domain using the old Windows NT 4.0 style domain join. This means, if you
> > have a computer account pre-created in the domain, you do not need to
> > provide domain account credentials to join the computer account to the
> > domain.
> >
> > Hope the above information helps. If the issue persists after performing
> > the above steps, please help me to collect the GP Results on one of the
> > Domain Controllers and send it to me at v-stwang@xxxxxxxxxxxxxx To collect
> > the GP Results, please refer to the following steps:
> >
> > 1. Type the following command in command prompt on one problematic
> > workstation, and then press ENTER:
> > "gpresult -Z > C:\gpresult_z.txt" (without the quotation marks)
> >
> > 2. This creates a list of the implemented policies on the computer in the
> > following text file: C:\gpresult_z.txt. Please send this file to me.
> >
> > If you have any question or concern, please feel free to let me know. I am
> > glad to be of assistance.
> >
> > Have a nice day!
> >
> > Steven Wang
> > Microsoft CSS Online Newsgroup Support
> >
> > --------------------
> > >From: v-stwang@xxxxxxxxxxxxxxxxxxxx (Steven Wang [MSFT])
> > >Organization: Microsoft
> > >Date: Fri, 07 Oct 2005 12:43:05 GMT
> > >Subject: RE: Remote Installation Services, DoOldStyleDomainJoin=Yes
> > >
> > >Hello Rich,
> > >
> > >Thanks for your prompt reply and for letting me know the detailed information.
> > >
> > >This is a quick note to let you know that I am researching your issue and
> > >will get back to you as soon as possible. I appreciate your patience.
> > >
> > >Have a great weekend!
> > >
> > >Steven Wang
> > >Microsoft CSS Online Newsgroup Support
> > >
> > >--------------------
> > >>From: "=?Utf-8?B?cmljaG9vMjAwMEBub2VtYWlsLnBvc3RhbGlhcw==?="
> > ><richoo2000@xxxxxxxxxxxxxxxxx>
> > >>Subject: RE: Remote Installation Services, DoOldStyleDomainJoin=Yes
> > >>Date: Fri, 7 Oct 2005 01:14:02 -0700
> > >>
> > >>If I use
> > >>[Identification]
> > >> JoinDomain=%MACHINEDOMAIN%
> > >> DomainAdmin=%USERNAME%
> > >> DomainAdminPassword=%DPASSWORD%
> > >>
> > >>It works, so the permissions are OK.
> > >>-------------------------------------------
> > >>Domain policy is Built on the template
> > >>Enterprise Client. Domain Controller.inf
> > >>-------------------------------------------
> > >>So I just want to know what I need to open in this policy to enable
> > >>DoOldStyleDomainJoin.
> > >>And what the difference is between the solution above and DoOldStyle.
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>"Steven Wang [MSFT]" wrote:
> > >>
> > >>> Hello Rich,
> > >>>
> > >>> Thank you for posting.
> > >>>
> > >>> From your post, my understanding of this issue is: The client workstations
> > >>> cannot be joined into the domain through the RIS installation. If this is
> > >>> not correct, please feel free to let me know.
> > >>>
> > >>> Based on my research, this issue may be caused by various factors,
> > >>> therefore, we may need to perform some test and collect more information to
> > >>> narrow down the root cause of this issue. First, I suggest we refer to the
> > >>> following KB article to make sure the permissions are set correctly for the
> > >>> OU:
> > >>>
> > >>> Rights Needed for Remote Installation Server to Create Machine Accounts
> > >>> http://support.microsoft.com/?id=224294
> > >>>
> > >>> Meantime, please help me to collect some information so that I can perform
> > >>> further research on this specific issue:
> > >>>
> > >>> 1. What is the DC Policy setting you have implemented before this issue
> > >>> occurs, and how is the policy setting configured?
> > >>>
> > >>> 2. Please send the %windir%\debug\Netsetup.log and Setuperr.log files on
> > >>> the client workstation to me at v-stwang@xxxxxxxxxxxxxx
> > >>>
> > >>> 3. Please send the RIPREP.SIF you are using to me.
> > >>>
> > >>> More Information:
> > >>> -------------------------
> > >>> Customizing RIS Installations
> > >>>
> > >>> http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prbc_cai_silp.asp
> > >>>
> > >>> How to Modify the Default Group Policy for Remote Installation Services
> > >>> http://support.microsoft.com/?id=316663
> > >>>
> > >>> Should you have any question or concern, please feel free to let me know.
> > >>> I am glad to be of assistance.
> > >>>
> > >>> Have a nice day!
> > >>>
> > >>> Steven Wang (MSFT)
> > >>> Microsoft CSS Online Newsgroup Support
> > >>>
> > >>>
> > >>> --------------------
> > >>> >From: "=?Utf-8?B?cmljaG9vMjAwMEBub2VtYWlsLnBvc3RhbGlhcw==?="
> > >>> <richoo2000@xxxxxxxxxxxxxxxxx>
> > >>> >Subject: Remote Installation Services, DoOldStyleDomainJoin=Yes
> > >>> >Date: Thu, 6 Oct 2005 05:25:06 -0700
> > >>> >
> > >>> >Hello.
> > >>> >After implementing DC Policy on all my 2003 Dc, my Ris installation doesn't
> > >>> >work correctly. The Ris installation can not join the domain correctly. Fail on
> > >>> >the client Setuperr.log Error: NetSetup: Join domain xxxxxxxx in full
> > >>> >unattended mode failed. Setup will proceed to join the default workgroup.
> > >>> >
> > >>> >The problem is that the feature DoOldStyleDomainJoin=Yes doesn't work after
> > >>> >the policy's.
> > >>> >How can I enable this so I can install my clients, without to
.
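
To see which of the entries listed in TIMM's reply are present in NullSessionPipes, and which pipes are exposed to anonymous access beyond that list, the value can be compared in PowerShell. This is an added example, not part of any post in the thread; the function name `Compare-NullSessionPipes` and the sample value are constructed for illustration, and the registry path uses the `CurrentControlSet` form quoted in the top post.

```powershell
# Added example: audit NullSessionPipes against the list posted in this thread.
# $Expected is the list from TIMM's reply; the function name is hypothetical.
$Expected = 'COMNAP','COMNODE','SQL\QUERY','SPOOLSS','LLSRPC','EPMAPPER',
            'LOCATOR','TrkWks','TrkSvr','Browser','Netlogon','LSArpc','samr'

function Compare-NullSessionPipes {
    param(
        [string[]]$Configured,             # current REG_MULTI_SZ contents
        [string[]]$Reference = $Expected   # list to compare against
    )
    # Drop empty strings and stray whitespace from the multi-string value.
    $have = @($Configured | Where-Object { $_ } | ForEach-Object { $_.Trim() })
    # -notcontains is case-insensitive, so 'SAMR' and 'samr' compare equal.
    [pscustomobject]@{
        Missing    = @($Reference | Where-Object { $have -notcontains $_ })
        Unexpected = @($have | Where-Object { $Reference -notcontains $_ })
    }
}

# Constructed sample: a policy-written value that lacks the last four entries
# of the list (including samr) and carries one pipe that is not on the list.
$sample = 'COMNAP','COMNODE','SQL\QUERY','SPOOLSS','LLSRPC','EPMAPPER',
          'LOCATOR','TrkWks','TrkSvr','EXAMPLEPIPE'
$r = Compare-NullSessionPipes -Configured $sample
"Sample missing:    $($r.Missing -join ', ')"
"Sample unexpected: $($r.Unexpected -join ', ')"

# On a live server, read the real values instead of the sample.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Test-Path $key) {
    $p    = Get-ItemProperty -Path $key
    $live = Compare-NullSessionPipes -Configured $p.NullSessionPipes
    "RestrictNullSessAccess = $($p.RestrictNullSessAccess)"
    "Missing from registry:   $($live.Missing -join ', ')"
    "Not in reference list:   $($live.Unexpected -join ', ')"
}
```

An empty `Missing` list means every entry from the reply is present; anything under `Unexpected` is a pipe reachable over a null session that the list does not account for.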