RE: 2 users 1 workstation

From: Ryan H (RyanH_at_discussions.microsoft.com)
Date: 03/10/05 

Date: Thu, 10 Mar 2005 11:39:06 -0800

Thanks for you multiple solutions!

however, none of them seemed to work...

I first checked the DNS forward look up, which was there. Checked active
directory users but the user accounts were not restricted to any machine in
particular. Updated the registry keys for the clients and security policies,
but still the same error prevailed. I did check the logs for the client
migration, and the 'moveuser.log' has this error in it:

MigrateProfiles() - ran ["C:\Program Files\Microsoft Windows Small Business
Server\Clients\moveuser.exe" "yoosh" "chiralquestinc.local\YKao" /y /k >
C:\PROGRA~1\MI6234~1\Clients\mutemp.log]. output:
 Moving profile from AVSERVER\yoosh to chiralquestinc.local\YKao...

Move failed.

Error 1317

The specified user does not exist.

and the sbsmig.log has this in it:

-- Starting sbsmig.exe --
AddUsersToLocalAdmin() -- calling NetLocalGroupAddMembers( Administrators,
chiralquestinc.local\YKao )
AddUsersToLocalAdmin() - NetLocalGroupAddMembers() failed -- nas == [1387]
AddUsersToLocalAdmin() - NetLocalGroupAddMembers() failed -- nas == [1387]
AddUsersToLocalAdmin() - NetLocalGroupAddMembers() failed -- nas == [1387]
AddUsersToLocalAdmin() - NetLocalGroupAddMembers() failed -- nas == [1387]
AddUsersToLocalAdmin() - NetLocalGroupAddMembers() failed -- nas == [1387]
AddUsersToLocalAdmin() - NetLocalGroupAddMembers() failed -- nas == [1387]
AddUsersToLocalAdmin() - NetLocalGroupAddMembers() failed -- nas == [1387]
AddUsersToLocalAdmin() - NetLocalGroupAddMembers() failed -- nas == [1387]
AddUsersToLocalAdmin() - NetLocalGroupAddMembers() failed -- nas == [1387]
AddUsersToLocalAdmin() - NetLocalGroupAddMembers() failed -- nas == [1387]
AddUsersToLocalAdmin() - NetLocalGroupAddMembers() failed -- nas == [1387]
AddDomainUserToRemoteDesktopGroup() -- we're not a server, not adding domain
users group to remote desktop group
ChangeComputerName() -- no need to change
ChangeIPAddress() -- we're not a server, not changing the IP config
FAILED to generate the Security Descriptor [1337]
Migrate() -- command - ["C:\Program Files\Microsoft Windows Small Business
Server\Clients\moveuser.exe" "yoosh" "chiralquestinc.local\YKao" /y /k >
C:\PROGRA~1\MI6234~1\Clients\mutemp.log]
Migrate() -- strBat - [C:\Program Files\Microsoft Windows Small Business
Server\Clients\run.bat]
Migrate() -- calling BCreateProcess(), strCommand - [cmd.exe /c "C:\Program
Files\Microsoft Windows Small Business Server\Clients\run.bat"]
DeleteSBSFile() -- DeleteFile( C:\Program Files\Microsoft Windows Small
Business Server\Clients\sbsmig.exe ) failed -- GLE = [5]
running logoff command [C:\Program Files\Microsoft Windows Small Business
Server\Clients\sbsmig.exe] [C:\Program Files\Microsoft Windows Small Business
Server\Clients\sbsmig.exe /l]
-- Exiting sbsmig.exe --

it looks like something is wrong with the user object, but i cannot tell
what it is (i created most of the user accounts of the same way, same
template). I suppose i could try to recreate the user accounts, but i'm not
too big on that.

also, i have tried to join the users manually without the connect computer
wizard, and it did work but it was not as 'neat'; the my documents
redirection would not work...

Thanks for any further input into this matter,

Ryan

""Brandy Nee [MSFT]"" wrote:

> Hello Ryan,
>
> Thank you for your reply and information.
>
> To my understanding, when you use ConnecComputer website to join a W2k or
> XP workstation to the SBS2003 domain, after you click Finish, you receive
> error: <"An error occurred when configuring networking settings">
>
> Based on my experience, this issue can occur if the DNS forward lookup zone
> is missing _msdcs.domain.local.
>
> By default, SBS DNS Forward Lookup zone contains _msdcs.domain.local and
> domain.local. Recreate the _msdcs.domain.local zone if it is missing:
>
> 1. Go to Start ' All Programs ' Administrative Tools ' DNS
>
> 2. Double Click SBS2003PREWFP, Right-click Forward Lookup Zones in DNS and
> select New Zone.
>
> 3. Specify Primary Zone, and use _msdcs.domain.local as the Zone name.
>
> 4. Go to Start ' Service, Stop Netlogon and DNS service (DHCP Server).
>
> 5. Run %windir%\system32\config\, rename netlogon.dns and netlogon.dnb
> extension
>
> 6. Start Netlogon and DNS service
>
> 7. Run ipconfig/flushdns and ipconfig/registerdns see their status.
>
> 8. Close and reopen the DNS snapin.
>
> 9. Verify _msdcs.domain.local contains dc, domains, gc, and pdc these files.
>
> This issue can also occur if the user account is restricted to logon to
> only selected workstations. To resolve this issue remove the logon
> restriction while joining the domain, please follow the steps:
>
> 1. Start Active Directory Users and Computers.
>
> 2. Expland the "My Business" OU, expand the "Users" OU, then expand the
> "SBSUsers" OU
>
> 3. Display the properties of the user account you're using to join the
> domain.
>
> 4. Click on the "Account" tab
>
> 5. Click the "log on to..." button and select the radio button "All
> computers", Click OK twice to exit the dialog box.
>
> 6. From the client machine, open Internet Explorer and browse to the
> followoing url: http:// server name>/connectcomputer
>
> 7. Click the "Connect tot he network now" link to start the Network setup
> wizard.
>
> If the issue still occurs, perform the following steps:
>
> 1. In the Domain Controller Security policy on the server, expand Local
> Policies.
>
> 2. Click on Security Options and set Network Security: LAN Manager
> Authentication to "Send LM and NTLM - use NTLMv2 session security if
> negotiated." Click OK to make the change.
>
> 3. Run gpudate /force at a command prompt.
>
> 4. In Start -> Run, type "regedt32". Go to the following key:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
>
> Make sure the following values are set :
>
> Enablesecuritysignature = 1
> requiresecuritysignature = 0
>
> 5. Still in Regedt go to the following key:
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. Set the following
> value:
>
> Incompatibility level = 2
>
> 6. On the client machines go to the following keys and make sure the
> following values are set correctly:
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsarestrictanonymoussam
> [REG_DWORD] = 0x1
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\param
> eters
> enablesecuritysignature [REG_DWORD] = 0x1
> requiresecuritysignature [REG_DWORD] = 0x0
>
> 7. On the client go to Start | Programs | Administrative Tools | Local
> Security Policy.
>
> 8. Expand Local Policies and click on Security Options. Check the setting
> for the following three options:
>
> Domain member: Digitally encrypt or sign secure channel data (always) set
> to enabled
> Domain member: Digitally encrypt secure channel data (when possible set to
> enabled
> Domain member: Digitally sign secure channel data (when possible set to
> enabled
>
> 9. Reboot the workstation.
>
> 10. Join the domain.
>
> If anything is unclear, please let me know. I appreciate your time!
>
> Best regards,
>
> Brandy Nee
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>