Have you checked that the user account that you use to add machines to the domain still has those rights since the upgrade?
We have been running RIS since I started here a good number of years ago, but after upgrading my domain controllers to windows server 2008 ent, we have been receiving the following error on RIS down;
"The user you have specified is not permitted to join the machine to the domain. Would you like to proceed for now and try and join the domain later"
If you click no, and then re-enter the same username and password that you used to start the RIS session it will join fine.
I have tried the following:
Blank Windows Image
Different Accounts e.g. domain Administrator
New RIS server
All to no help, the RIS server is still running 2003 server as we are still using RIS image and donít want to use the new style images.
Any help would be great,
Have you changed you password policy recently?
Yeh i have checked all the security permissions, it is strange as when you click no and re-enter the domain users accunt details it joins fine.
We have also not change our password policy.
does the account work? have you tried logging into a computer with that account?
i have tried 4 account all on the domain Administators and domain admins and enterprise admins. none have worked i am currently using the domain administrator account and all can login to workstations and server etc.
Do you have the username and password specified in the ristndrd.sif file?
I have just put that in this morning, to see if that has made any differeance but it doesnt seem to have fixed it.
I was thinking that it might of had an old password in.
At what point is it failing is it right at the start of the build process when you give the client a name and enter the username and password?
A long shot but it might be worth a read, i is possible that the users token has increased in size due to membership changes in the upgrade.
Last edited by cookie_monster; 27th August 2008 at 10:44 AM.
It is very strange it lets me start the install, finished copying files reboots then when it is trying to create the new computer account in the domain that when it fails with the error box, but if you goto AD the account is there! if you click continue and finish the install it will not allow login due to not been able to find the computer account. and as i said previously if i click no i want to try join to the domain during the steup and enter the same cridentials as i started with it works!
Oh that's odd on my setup the computer account is created right at the start of the file copy straight after i've entered the username and password.
I wonder if it's some kind of DNS issue so it's failing to use kerberos and using NTLM the second time, i'm reaching a bit there as i'm not sure 2008 allows that but it might be worth double checking your DNS settings.
Yeh i hav checked that now and mine creates the account at the start as well. I have check dns and it seems to be fine, the problem started after i promoted my intersite toplogy generator to win 2008, once the new generator was 2008 it stopped. I have been looking into how 2008 handles requests differently to 2003 but to no joy.
fix for the windows 2008 ris problem
Edit the default domain controllers policy
Polices\Admin Templates\System\Net Logon
Enable the Allow cryptography algorithms compatible with windows nt 4.0
Also changed in AD the delegation properties of the RIS server (right click server, properties, delegation) and set that to trust (kerboros)
this seems to work for us.
maf_001 (5th September 2008)
Thanks that seems to have rersolved our RIS issue.
There are currently 1 users browsing this thread. (0 members and 1 guests)