Re: Unable to join client to domain
- From: "Ken F" <TechAdmin@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 6 Jan 2007 02:13:16 -0500
Hi Inn Jin,
If I may ask a question, as I just returned from a similar problem... (which
took us 4 hours to figure out)... client moved XP PCs from Srvr2003 domain
to SBS2003PremR2 domain... they did not properly disjoin the PCs, so the
only way I found to join them to SBS domain was to manually disjoin and
enter workgroup mode, restart, then rename computer, then run
ConnectComputer wizard... 5 of the 21 machines would report errors
joining domain with same SBSNetSetup.log entry as stated in this thread:
FinishNetworkingSetup() -- NetJoinDomain() failed [5], returning
FinishNetworkingSetup() failed -- hr == [-2147467259]
What I did was set the clients' registry Lanmanworkstation and Lanmanserver
Parameter keys of Enablesecuritysignature and
Requiresecuritysignature to be identical to the server keys without making
any changes to GPolicy of the server (i.e. not enabling the 4 digitally sign
settings - left them as default). This instantly resolved my issue, but am
curious as to whether I should expect any future problems if I do not set
the clients' local security policy as
Domain member: Digitally encrypt or sign secure channel data (always) set
to enabled
Domain member: Digitally encrypt secure channel data (when possible) set to
enabled
Domain member: Digitally sign secure channel data (when possible) set to
enabled
or did I unintentionally do that by changing the client registry to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
Enablesecuritysignature = 1
Requiresecuritysignature = 1
and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
Enablesecuritysignature = 1
Requiresecuritysignature = 0
Thanks for your time and helpful insight.
By the way...all the other registry settings matched up perfectly
"Inn Jin [MSFT]" <v-innjin@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:m9CErQAMHHA.3604@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Rob,
Thank you for updating.
I appreciate your effort on this issue, please notice that my email box is
v-innjin@xxxxxxxxxxxxx, which I have already said in my last post, not
v-innjin@xxxxxxxxxxxxxxxxxxxxx
From your error message we can see that:
FinishNetworkingSetup() -- NetJoinDomain() failed [5], returning
FinishNetworkingSetup() failed -- hr == [-2147467259]
Deleted sbsmig out of runonce key.
Sorry, I forgot to tell you to enable SMB signing after disabling it without
any luck. Let's try the following steps:
1. In the Domain Controller Security policy on the server, expand Local
Policies.
2. Click on Security Options and set Network Security: LAN Manager
Authentication to "Send LM and NTLM - use NTLMv2 session security if
negotiated." Click OK to make the change.
3. Run gpupdate /force at a command prompt.
4. In Start | Run, type "regedt32". Go to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
Make sure the following values are set :
Enablesecuritysignature = 1
requiresecuritysignature = 0
5. Still in Regedt go to the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. Set the following
value:
Incompatibility level = 2
6. On the client machines go to the following keys and make sure the
following values are set correctly:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
restrictanonymoussam [REG_DWORD] = 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
enablesecuritysignature [REG_DWORD] = 0x1
requiresecuritysignature [REG_DWORD] = 0x0
7. On the client go to Start | Programs | Administrative Tools | Local
Security Policy.
8. Expand Local Policies and click on Security Options. Check the setting
for the following three options:
Domain member: Digitally encrypt or sign secure channel data (always) set
to enabled
Domain member: Digitally encrypt secure channel data (when possible) set to
enabled
Domain member: Digitally sign secure channel data (when possible) set to
enabled
9. Reboot the workstation.
10. Join the domain.
If it didn't work, please try the following steps to delete the sbs_netsetup
user on the local machine:
1. In the XP client machine, Right click My Computer -> Manage -> Local
Users and Groups -> Users
2. Delete sbs_netsetup user
3. Log off and Log back on, try to join the domain.
If problem persists, please download and run the network MPS report tool on
the SBS 2003 server:
a. Visit
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE
to download the file.
b. Run the MPSRPT_NETWORK.EXE on the server box.
c. Wait for 10~15 minutes.
d. Open Windows explorer, navigate to
%systemroot%\MPSReports\Network\Reports\Cab
e. Send the .cab file directly to me at "v-innjin@xxxxxxxxxxxxx"
I appreciate your understanding. I am happy to be of assistance to you and
look forward to your reply.
Have a nice day!
Best regards,
Inn Jin (MSFT)
Microsoft CSS Online Newsgroup Support
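
The SMB signing values compared in this thread, worked through as an added example that is not part of the original posts: the script reads constructed `reg export`-style text for the client's lanmanworkstation key and the server's lanmanserver key and reports what the pair would negotiate. The outcome rules are an assumption (the commonly documented SMB1 behaviour for this Windows generation), absent values are treated as 0, and all function names are hypothetical.

```python
import re

# Constructed sample data in 'reg export' style, using the value names and
# settings quoted in the thread (client workstation key, server's server key).
CLIENT_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"""
SERVER_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"Enablesecuritysignature"=dword:00000001
"Requiresecuritysignature"=dword:00000001
"""

def signing_mode(reg_text, service):
    """Return 'required', 'enabled' or 'disabled' for one service's parameters key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower().endswith("\\services\\%s\\parameters]" % service)
        elif in_key:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                values[m.group(1).lower()] = int(m.group(2), 16)
    # Assumption: a value missing from the export counts as 0.
    if values.get("requiresecuritysignature", 0):
        return "required"
    return "enabled" if values.get("enablesecuritysignature", 0) else "disabled"

def smb1_outcome(client, server):
    """Assumed SMB1 rule: 'required' against 'disabled' fails; two willing sides sign."""
    modes = {client, server}
    if "required" in modes and "disabled" in modes:
        return "connection refused"
    if "disabled" in modes:
        return "unsigned"
    return "signed"

def audit(client_reg, server_reg):
    """Compare the client's SMB client key with the server's SMB server key."""
    c = signing_mode(client_reg, "lanmanworkstation")
    s = signing_mode(server_reg, "lanmanserver")
    return c, s, smb1_outcome(c, s)

if __name__ == "__main__":
    print(audit(CLIENT_REG, SERVER_REG))
```

The three "Domain member" secure channel options are separate Netlogon settings and are not read by this check.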