
TheScarfedOne

RIS on a Server 2008 Domain - GOTCHAs!!!

by , 22nd July 2009 at 11:16 AM (12342 Views)
Ok... picture the scene...

You have a nice existing RIS setup - which deals with all your machines quite nicely. Of course - it has to run on Server 03. You then go and update your DCs to Server 2008.

Problem - you notice that some of your image builds stop joining the domain. Cue pulling your hair out time! Have you changed anything in the images etc....

No... the problem, as I eventually found out, is your Server 2008 DCs. So long as they are the only DCs (i.e. no Server 03 DCs), the new security settings will screw it up!

The installation stops with the message:
Network Configuration
The user you have specified is not permitted to join the machine to the
domain. Would you like to proceed for now an try joining a domain later?

With a 2003 DC it worked perfectly.
Do I need to change something on the DC or in my SIF file?
My [Identification] section looks like:
JoinDomain = %MACHINEDOMAIN%
DoOldStyleDomainJoin = Yes

I also tried different options I found on the net, e.g.:
[Identification]
JoinDomain = %MACHINEDOMAIN%
DomainAdmin = %USERNAME%
DomainAdminPassword = %PASSWORD%
CreateComputerAccountInDomain = Yes

On the DC I get the error messages NETLOGON 5722 and 5805.

Solution... Enable the GP "Allow cryptography algorithms compatible with Windows NT 4.0" on Default DC Policy.

This is nicely described in http://technet.microsoft.com/en-us/l...54(WS.10).aspx

and on support in http://support.microsoft.com/kb/942564
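
An added example, not part of the original post: a small Python audit for RIS .sif answer files that reports which of the two [Identification] variants quoted above an image uses, and whether a domain-join password is stored literally in the file. The sample file contents and the function name `audit_identification` are constructed for illustration.

```python
import configparser

# Constructed sample answer files reproducing the two [Identification]
# variants quoted in the post (not taken from a real deployment).
SIF_OLD_STYLE = """\
[Identification]
JoinDomain = %MACHINEDOMAIN%
DoOldStyleDomainJoin = Yes
"""

SIF_EXPLICIT_CREDS = """\
[Identification]
JoinDomain = %MACHINEDOMAIN%
DomainAdmin = %USERNAME%
DomainAdminPassword = %PASSWORD%
CreateComputerAccountInDomain = Yes
"""


def audit_identification(sif_text):
    """Return a list of findings for the [Identification] section of a SIF file."""
    # interpolation=None: values such as %MACHINEDOMAIN% are RIS variables,
    # not configparser interpolation. strict=False tolerates repeated keys.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    parser.read_string(sif_text)
    if not parser.has_section("Identification"):
        return ["no [Identification] section"]

    ident = parser["Identification"]  # option names match case-insensitively
    findings = []
    if "JoinDomain" not in ident:
        findings.append("JoinDomain missing")
    if (ident.get("DoOldStyleDomainJoin") or "").strip().lower() == "yes":
        findings.append("DoOldStyleDomainJoin = Yes")
    password = (ident.get("DomainAdminPassword") or "").strip().strip('"')
    if password:
        # A %VARIABLE% is filled in at install time; anything else is a
        # credential stored in clear text in the answer file.
        if password.startswith("%") and password.endswith("%"):
            findings.append("DomainAdminPassword supplied via variable " + password)
        else:
            findings.append("DomainAdminPassword is a literal value in the file")
    return findings
```

Running it over every .sif in the RIS share gives an inventory of join methods per image, which is useful when deciding whether the NT 4.0 compatibility policy can be switched off again later.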

Comments

  1. ZeroHour
    Thanks for this, very useful to know.
  2. cookie_monster
    Hahaha I've just spent ages trying to fix this and found the same KB to sort it. I thought I'd post my findings here but had a quick search and bang, someone has already come across the issue.

    It's odd as we don't have any clients or servers running less than XP SP2/2003 SP2. Can anyone tell me why we need to allow a policy that puts back the encryption to NT4 levels?

    I think it must be something to do with the "DoOldStyleDomainJoin = yes" setting.
  3. TheScarfedOne
    @cookie_monster... think you are right, but even with the specify the username/password route - the same thing happens.

    Real pain, and took a while to find out what caused it.
  4. swordfish215
    So RIS will still work if you Upgrade to Server 2008????
    Updated 13th April 2010 at 09:24 AM by swordfish215
  5. cookie_monster
    We're using WDS legacy mode on 2003 SP2 in a 2008 domain.
