
Problem Joining Domain



Hi, I'm having a problem getting my machines joined to the domain during RIS install. I have set up an OSC screen to input the desired machine name before the installation kicks off, and all this works fine. The problem is that when I press Enter to move to the next screen, an account is created in AD, so when the computer tries to join the domain during install there is a duplicate computer account and it fails. Everything works fine if I remove the first computer account created when I choose the name on the OSC screen; however, I want to be able to just walk away after the OSC screens and not have to do any more.

I have an Installers security group set up that has permissions to create and reset computer accounts, and the correct user accounts are added to this group, but this still isn't getting me any further. Any help on this would be greatly appreciated, as this seemingly simple problem is soon going to start driving me nuts. Hope I have provided enough information; if not, let me know.

BTW, the RIS server and DC are both Windows 2003.

Thanks in advance for any help



Hi,

Couple of thoughts:

1. Are you relying on RIS joining the PC to the domain at the end of the build, or are you running a post-installation script?

2. When you pass the %MACHINENAME% variable through your RIS menu file, are you *just* passing the variable or are you also performing a server-side action? e.g.:

<META SERVER ACTION="CHECKGUID X8664 DUPCUST">

3. Are both computer accounts being (attempted to) created within the same location in the AD schema?

Cheers,

Andy

Edited by Fencer128

Thanks for your reply Andy,

1. Are you relying on RIS joining the PC to the domain at the end of the build, or are you running a post-installation script?
I'm relying on RIS joining the PC to the domain.
2. When you pass the %MACHINENAME% variable through your RIS menu file, are you *just* passing the variable or are you also performing a server-side action to create the machine account?

As far as I'm aware I'm just passing the variable and not performing a server-side action; I will post a copy of the OSC screen so you can see how I'm doing it.

3. Are both computer accounts being (attempted to) created within the same location in the AD schema?

Yes, both computer accounts by default go to the Computers container.

Code from pickname.osc:

<OSCML>
<META KEY=ESC ACTION="REBOOT">
<META KEY=F3 HREF="OSCHOICE">
<TITLE>Client Installation Wizard Choosing Names</TITLE>
<FOOTER> [ENTER] continue [ESC] Reboot [F3] Pick Install</FOOTER>
<BODY left=5 right=75>
<br>
<br>
Type the Machine name you require
<br>
<br>
<FORM ACTION="WARNING">
Machine Name <input NAME="MACHINENAME" VALUE="%MACHINENAME%" maxlength=20><br>
%OPTIONS%
</FORM>
</BODY>
</OSCML>

.sif file:

[data]
floppyless = "1"
msdosinitiated = "1"
OriSrc = "\\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%"
OriTyp = "4"
LocalSourceOnCD = 1


[SetupData]
OsLoadOptions = "/noguiboot /fastdetect"
SetupSourceDevice = "\Device\LanmanRedirector\%SERVERNAME%\RemInst\%INSTALLPATH%"

[Unattended]
OemPreinstall = yes
OemPnPDriversPath = \DR\NIC;\DR\NIC\DELL;\DR\obvideo;\DR\IntelInf
FileSystem = LeaveAlone
ExtendOEMPartition = 0
TargetPath = \WINDOWS
OemSkipEula = yes
InstallFilesPath = "\\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%"
LegacyNIC = 1
DriverSigningPolicy = Ignore

[UserData]
ProductKey =xxxx-xxxx-xxxx-xxxx-xxxx
FullName ="Admin"
OrgName ="The Norton School"
ComputerName = %MACHINENAME%

[GuiUnattended]
OemSkipWelcome = 1
OemSkipRegional = 1
TimeZone = %TIMEZONE%
AdminPassword = "xxxxx"
AutoLogon=Yes
AutoLogonCount=1
TimeZone=85

[Display]
BitsPerPel =16
XResolution =1024
YResolution =768
VRefresh =60

[RegionalSettings]
LanguageGroup=1
SystemLocale=00000809
UserLocale=00000809
InputLocale=0809:00000809

[Networking]

[NetServices]
MS_Server=params.MS_PSched

[Identification]
JoinDomain =norton.local
DomainAdmin=risman
DomainAdminPassword=xxxxxxxxxxxx

[RemoteInstall]
Repartition = Yes
UseWholeDisk = Yes


[OSChooser]
Description ="Windows XP Professional Flat Image"
Help ="Automatically installs Microsoft Windows XP Professional Flat Image without prompting the user for input."
LaunchFile = "%INSTALLPATH%\%MACHINETYPE%\templates\startrom.com"
ImageType =Flat
Version="5.1 (2600)"

Hope the extra info helps,

Cheers,

Rob


Are you doing the RIS from a Windows 2000 or 2003 server? The

DoOldStyleDomainJoin = Yes

setting works with 2000, NOT 2003, from reading other topics.

Seems that it has to be done slightly differently, not sure how though.

Hope it helps.


Hi,

Have you given the "Installers" security group the following specific permissions for the "Computers" container?

"Create computer objects"

"Delete computer objects"

Also, have you delegated the group control to join computers to the domain?

If so then comment out the following lines in your SIF file:

DomainAdmin=risman
DomainAdminPassword=xxxxxxxxxxxx

This would then match your setup with ours, which does not have your problem.

Sorry for all the questions, but I'm a bit lost with this one. Maybe the Sausage Eater or RogueSpear can shed a bit of light and clarity ;)

Cheers,

Andy

Edited by Fencer128

Hi,

Have you given the "Installers" security group the following specific permissions for the "Computers" container?

"Create computer objects"

"Delete computer objects"

Yeah, I applied these along with 'Change Password' and 'Reset Password'.

I have noticed that I am getting a different problem if I add DoOldStyleDomainJoin = Yes: it doesn't create the duplicate account but instead tells me the account I'm using doesn't have permission to join machines to the domain.

I'm currently trying without the DomainAdmin and DomainAdminPassword settings. Will update when I know more.

Thanks

Rob


...the account I'm using doesn't have permission to join machines to the domain
That's because you haven't yet delegated that permission to the Installers group (see below).
Also, have you delegated the group control to join computers to the domain?

To do this, open up AD users and computers, right-click the domain at the top of the tree, select "Delegate Control" and follow the wizard to assign the permission to the correct group.

Be warned to make sure you choose carefully as there isn't an un-delegate control wizard! ;)

Good luck,

Andy

Edited by Fencer128

I hadn't delegated control to the Installers group, so have done that now (sorry for missing it in your post, tired eyes :blink: ); however, for testing purposes I was using the admin account, and I have had it working previously using that account but with duplicates in AD. Am currently testing with the new settings and will update when done. Hope I get this finished by tomorrow as it's my last day :w00t: (had to tell someone as I'm bursting here :whistle: )

Thanks,

Rob


Still the same - user not permitted to join the machine to the domain. Here are my current .sif settings:

[data]
floppyless = "1"
msdosinitiated = "1"
OriSrc = "\\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%"
OriTyp = "4"
LocalSourceOnCD = 1


[SetupData]
OsLoadOptions = "/noguiboot /fastdetect"
SetupSourceDevice = "\Device\LanmanRedirector\%SERVERNAME%\RemInst\%INSTALLPATH%"

[Unattended]
OemPreinstall = yes
OemPnPDriversPath = \DR\NIC;\DR\NIC\DELL;\DR\obvideo;\DR\IntelInf
FileSystem = LeaveAlone
ExtendOEMPartition = 0
TargetPath = \WINDOWS
OemSkipEula = yes
InstallFilesPath = "\\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%"
LegacyNIC = 1
DriverSigningPolicy = Ignore

[UserData]
ProductKey =xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
FullName ="Admin"
OrgName ="The Norton School"
ComputerName = %MACHINENAME%

[GuiUnattended]
OemSkipWelcome = 1
OemSkipRegional = 1
TimeZone = %TIMEZONE%
AdminPassword = "xxxxxx"
AutoLogon=Yes
AutoLogonCount=1
TimeZone=85

[Display]
BitsPerPel =16
XResolution =1024
YResolution =768
VRefresh =60

[RegionalSettings]
LanguageGroup=1
SystemLocale=00000809
UserLocale=00000809
InputLocale=0809:00000809

[Networking]

[NetServices]
MS_Server=params.MS_PSched

[Identification]
DoOldStyleDomainJoin = Yes
JoinDomain =%MACHINEDOMAIN%



[RemoteInstall]
Repartition = Yes
UseWholeDisk = Yes


[OSChooser]
Description ="Windows XP Professional Flat Image"
Help ="Automatically installs Microsoft Windows XP Professional Flat Image without prompting the user for input."
LaunchFile = "%INSTALLPATH%\%MACHINETYPE%\templates\startrom.com"
ImageType =Flat
Version="5.1 (2600)"

The Installers group has delegated control to add computers to the domain, and permissions to Reset/Change Passwords and Create/Delete computer objects.

It's the end of the day here for me, so I will have to pick it back up tomorrow. I'm leaving for pastures new on Friday, a nice new contract to get my teeth into. :thumbup

Thanks for all the help,

Rob


Hi,

I would manually delete the existing AD account for the machine and then try again. You can have problems with the existing account having been created by a user that has different privileges from the one currently trying to add the account.

As long as inheritance is enabled, joining a PC to the domain should simply require the permissions you have currently set up.

Good luck,

Andy

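The pre-build check that Andy's two pieces of advice imply (the "Create/Delete computer objects" and join rights on the Computers container, and a look at who owns any leftover account for the name about to be built), as an added PowerShell example that is not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module and its AD: drive are available; norton.local and the Installers group come from the thread, while the NetBIOS name NORTON and the machine name LAB-PC01 are placeholders. The schema GUIDs are the well-known ones the Delegation of Control wizard's "Join a computer to the domain" task grants.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# (with its AD: drive). NORTON and LAB-PC01 are placeholder values.
Import-Module ActiveDirectory

$Domain      = 'norton.local'
$JoinGroup   = 'NORTON\Installers'                      # NetBIOS name is assumed
$ContainerDN = 'CN=Computers,DC=norton,DC=local'
$MachineName = 'LAB-PC01'                               # constructed sample name

# Well-known schema GUIDs behind the "Join a computer to the domain" delegation.
$ComputerClass    = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$ResetPassword    = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$AccountRestrict  = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set
$ValidatedDnsName = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$ValidatedSpn     = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to SPN

# --- 1. Is there already an object with this name, and who owns it? ---
# A leftover object owned by a different principal than the one doing the
# unattended join is what turns a clean build into the "duplicate account" failure.
$existing = Get-ADComputer -Filter "Name -eq '$MachineName'" -Server $Domain
if ($existing) {
    $owner = (Get-Acl -Path "AD:\$($existing.DistinguishedName)").Owner
    Write-Warning "'$MachineName' already exists at $($existing.DistinguishedName), owner: $owner"
    Write-Warning "Delete it, or confirm '$JoinGroup' can reset it, before starting the build."
} else {
    Write-Host "No existing account for '$MachineName'; the join will create a fresh object."
}

# --- 2. Which of the delegated rights does the join group actually hold? ---
$acl  = Get-Acl -Path "AD:\$ContainerDN"
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $JoinGroup
}

# An ACE satisfies a requirement if it carries the right for the specific object
# type, or carries it with no object-type restriction (e.g. full control).
function Test-Right {
    param([string]$Right, [guid]$ObjectType, [guid]$InheritedType = [guid]::Empty)
    $needed  = [System.DirectoryServices.ActiveDirectoryRights]$Right
    $allAccs = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($ace in $aces) {
        $hasRight  = $ace.ActiveDirectoryRights.HasFlag($needed) -or
                     $ace.ActiveDirectoryRights.HasFlag($allAccs)
        $typeOk    = $ace.ObjectType -eq $ObjectType -or $ace.ObjectType -eq [guid]::Empty
        $inheritOk = $InheritedType -eq [guid]::Empty -or
                     $ace.InheritedObjectType -eq $InheritedType -or
                     $ace.InheritedObjectType -eq [guid]::Empty
        if ($hasRight -and $typeOk -and $inheritOk) { return $true }
    }
    return $false
}

$results = [ordered]@{
    'Create computer objects'                 = Test-Right 'CreateChild'   $ComputerClass
    'Delete computer objects'                 = Test-Right 'DeleteChild'   $ComputerClass
    'Reset Password on computer objects'      = Test-Right 'ExtendedRight' $ResetPassword    $ComputerClass
    'Write Account Restrictions on computers' = Test-Right 'WriteProperty' $AccountRestrict  $ComputerClass
    'Validated write to DNS host name'        = Test-Right 'Self'          $ValidatedDnsName $ComputerClass
    'Validated write to SPN'                  = Test-Right 'Self'          $ValidatedSpn     $ComputerClass
}

$results.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK     ' } else { 'MISSING' }
    Write-Host ("{0}  {1}" -f $state, $_.Key)
}
if ($results.Values -contains $false) {
    Write-Warning "Delegate the missing rights to '$JoinGroup' on $ContainerDN (ADUC > Delegate Control)."
}
```

Run it from a workstation or server with the AD module before kicking off a RIS build for a given name. The owner shown in step 1 is the object's security descriptor owner, which is normally the principal that created it, so it tells you directly whether the OSC-stage account and the GUI-stage join are running as different identities; step 2 reports each delegated right separately, so a missing "Reset Password" or validated-write entry stands out even when create/delete is already in place.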

  • 1 month later...

I'm going to tag onto this issue since it is the same as mine.

Windows 2003 with SP1, trying to RIS XP with SP2. Flat file install.

The OSC file has the user and pass that allow the machine to join the domain during the initial RIS OSC setup. The ristndrd.sif file uses the same account for the join domain function. The account can create and delete machine accounts (Domain Admin).

When I go to the Event Viewer I see the account adding the machine to the domain right after the OSC portion.

During the GUI-mode setup I see the error message about the account not being able to create the machine in the domain, "do you want to continue yes/no". If I look in the Event Viewer for the domain I see the system account trying to add the machine to the domain and not a specific user.

If I enter a user and password at the error prompt, the machine gets joined to the domain using the new machine name from the .sif file. I then see in the Event Viewer that the account I entered created the machine account.

Any ideas folks?

