Remote domain join using NetDom & PSexec

Asked by Fadal:

I am trying to remotely join a Windows Vista system to my domain, but no success so far. Here's the scenario:

The Vista machine is up to date with all patches as of today. I use Check Point SecureClient to connect to my network, which is successful. I can ping all the servers in my domain; I have also made entries in the 'hosts' file for all required servers. I can also access the domain controller through Windows Explorer on the local Vista system.

After some searching on Google I have found that NetDom & PSExec should be able to do it. Please find the details below:

local vista machine name: abc
local vista username: first
domain controller machine name: maindc
domain name is: mycompany
domain admin username: administrator
domain admin password: xyz

I have the 'Support Tools' from Windows 2003 & the PSTools on my local system. When I run PSExec with NetDom as below:

psexec \\maindc netdom join /Domain:mycompany /UserD:mycompany\administrator /PasswordD:xyz

it comes up with 'Couldn't access maindc: Login failure: unknown user name or bad password'.

Can someone give me the right syntax for the above? Also, I am not clear about NetDom: if NetDom is supposed to remotely join a machine, then why use it in conjunction with PSExec?

The server OS is Windows 2003.

Obviously I have tried adding it the usual way through 'System Properties' -> 'Computer Name' -> 'Change...', but that fails as well.

Please help.


Regards,
Pete
Nitin Gupta wrote:

Hi,
Let me ask you these questions:
  • Are you able to ping your DC by IP & name from your PC?
  • Do you have Domain Admin rights on the domain?
  • If you do not have DA rights, has the machine account been created by your Domain Admin and your ID given the rights to join the PC to the domain?
Please confirm
Thanks
Nitin
Fadal (asker) wrote:

Yes, I can ping the DC by name & IP from the remote system.
Yes, I have domain admin rights.
No, the machine account has not been created before.

Strange: I ran NetDom on the DC itself & it came up with the error 'The network path was not found'. On the DC itself? I'm curious about this as well.

I will wait for further input.

regards,
Pete
Nitin Gupta wrote:

Hi Pete,
Please confirm what output you get for this command on the DC:
netdom query fsmo
Thanks
Nitin
Fadal (asker) wrote:

Well, the command ran successfully on the DC; all 5 FSMO roles were found.

Hope that helps.

Regards,
Pete
Nitin Gupta wrote:

Hi,
NetDom uses NetBIOS name resolution, hence use a WINS server or configure an lmhosts file.
Try the command:
netdom join abc /domain:mycompany /OU:Computers /userd:mycompany\administrator /Passwordd:*  
 
Nitin Gupta wrote:

Hey,
I just realised: are you running CMD as Administrator?
Go to the Start menu, click Command Prompt, right-click, select 'Run as Administrator', and then run netdom in that command window.
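
Editor's added example (not code from the thread) of what the join looks like when netdom runs on the machine being joined, over the VPN, after a DC-locator check. Two points it illustrates. First, netdom join takes the name of the computer to join as its first argument and does its own work over RPC from wherever it runs, so pushing it to the DC through psexec is not needed; the 'Couldn't access maindc' message in the question is psexec itself failing to authenticate to maindc (without -u it uses the caller's own logon, here the local account 'first', which the domain does not know), so netdom's /UserD credentials were never reached. Second, /PasswordD:xyz puts the domain admin password on the command line, where process listings and shell history can capture it; '*' makes netdom prompt instead, and a delegated join account limited to one OU is preferable to the built-in Administrator. The domain name mycompany.com, the OU path and the account name below are assumptions; the /OU value must be a full distinguished name. netdom.exe on client Windows comes with RSAT; Add-Computer is the PowerShell 2.0+ equivalent shown at the end.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt ON the
# machine being joined, with the VPN up. Assumed values: domain mycompany.com, an
# OU 'OU=Workstations,DC=mycompany,DC=com' and a delegated join account
# mycompany\svc-domainjoin (none of these come from the thread).
param(
    [string]$Domain   = 'mycompany.com',
    [string]$OUPath   = 'OU=Workstations,DC=mycompany,DC=com',  # must be a full DN
    [string]$JoinUser = 'mycompany\svc-domainjoin'
)
$Srv = "_ldap._tcp.dc._msdcs.$Domain"

# 1. DC locator check. The join code finds a DC through the SRV record above, which only
#    the domain's own DNS can answer; hosts/lmhosts entries cannot stand in for it.
$locator = & nltest /dsgetdc:$Domain 2>&1
if ($LASTEXITCODE -ne 0) {
    $msg = "Cannot locate a DC for $Domain. Point the primary DNS server at a domain DNS server that answers $Srv."
    Write-Error ($msg + "`n" + ($locator -join "`n"))
    return
}
Write-Host ("DC locator:`n" + ($locator -join "`n"))

# 2. The join. The computer to join is the FIRST argument (here, this machine).
#    /PasswordD:* makes netdom prompt, so the password never sits in the command line
#    or the shell history. /Reboot:10 restarts 10 seconds after a successful join.
& netdom join $env:COMPUTERNAME /Domain:$Domain /OU:$OUPath /UserD:$JoinUser /PasswordD:* /Reboot:10
if ($LASTEXITCODE -ne 0) {
    Write-Error "netdom join failed with exit code $LASTEXITCODE"
}

# PowerShell 2.0+ alternative to netdom, same prompt for the password, same OU:
#   Add-Computer -DomainName $Domain -OUPath $OUPath -Credential (Get-Credential $JoinUser)
#   Restart-Computer
```

If step 1 fails, no amount of hosts or lmhosts editing will make step 2 succeed: fix the DNS server the VPN adapter uses first.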
Fadal (asker) wrote:

Gupnit,

I tried both of the above recommendations, adding to the lmhosts file & also running CMD as administrator. The error I get this time was "The specified domain either does not exist or could not be contacted".

Hope that helps.

Regards,
Pete
Fadal (asker) wrote:

Well, I removed the mappings from the 'hosts' file and added the entry for my DC in the lmhosts file as below:

192.168.1.1     maindc    #PRE  #DOM:mycompany

After that I cannot ping the DC by name, but can ping by IP.
How do I resolve this NetBIOS mapping?

regards,
Pete
Nitin Gupta wrote:

Oh, I see: it means your DNS was not working fine. See, I had asked if your DNS is working fine. To work properly in an AD environment, DNS plays a very important role.
Keep the hosts entry also!
Let me know!
Fadal (asker) wrote:

It still fails after adding entries in the 'hosts' file. A bit of confusion here:

The DC machine name is 'maindc'; the domain name is 'mycompany.com'. The mappings I have done so far are as below:

In 'hosts' file: 192.168.1.1    maindc
In lmhosts file: 192.168.1.1    maindc     #PRE  #DOM:mycompany.com

Is that right?

Or should I do as below?
In 'hosts' file: 192.168.1.1     mycompany.com
In lmhosts file: 192.168.1.1   mycompany.com

Please advise.

But honestly, I have tried both of the above, and I can't ping my machine name or domain.

Regards,
Pete
Nitin Gupta wrote:

Can you please give me the output of ipconfig /all on your PC?
Thanks
Fadal (asker) wrote:

This is the output of ipconfig /all from the remote PC:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : fadal
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.invalid

Ethernet adapter Local Area Connection* 14:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Check Point Virtual Network Adapter For SecureClient
   Physical Address. . . . . . . . . : 54-27-B6-AB-17-10
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2527:e614:8c06:e555%17(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.33.23.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, August 01, 2008 12:17:43 PM
   Lease Expires . . . . . . . . . . : Tuesday, September 16, 2008 7:24:22 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.33.23.1
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 00-1E-37-99-D7-BC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : domain.invalid
   Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
   Physical Address. . . . . . . . . : 00-1C-BF-D4-4C-9C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::adce:e84c:e53d:ea24%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.254.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, August 01, 2008 9:19:14 AM
   Lease Expires . . . . . . . . . . : Monday, September 07, 2144 10:05:06 PM
   Default Gateway . . . . . . . . . : 192.168.254.254
   DHCP Server . . . . . . . . . . . : 192.168.254.254
   DNS Servers . . . . . . . . . . . : 192.168.254.254
                                       192.168.254.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address. . . . . . . . . : 00-1C-23-30-4C-A1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:d5c7:a2ca:66:1957:3f57:1fd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::66:1957:3f57:1fd%8(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : domain.invalid
   Description . . . . . . . . . . . : isatap.domain.invalid
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{1BC38F8E-FCBA-44C0-B29D-8F85817DBB11}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


Regards,
Pete
Nitin Gupta wrote:

Do this also: in cmd, run nslookup and type maindc.mycompany.com. Is it resolving to the IP 192.168.1.1?

In the hosts file also add:
192.168.1.1     maindc.mycompany.com
Thanks
Fadal (asker) wrote:

Having added the entry in the hosts file as 'maindc.mycompany.com', nslookup gives the error '*** unknown can't find maindc.mycompany.com: Server failed'.

Regards,
Pete
Nitin Gupta wrote:

Yes, yes; see, the problem is that your DNS is not able to resolve your DC. Well, since you have added the entry in hosts, at least you should be able to ping the server. Check and let me know.
Also, try adding the PC using My Computer and let me know now!
Fadal (asker) wrote:

Well, if the entry in hosts is "192.168.1.1    maindc" & lmhosts is "192.168.1.1    maindc   #PRE  #DOM:mycompany.com", I can ping the server by its name, but adding to the domain fails from 'My Computer'.

If the entry in hosts is "192.168.1.1    maindc.mycompany.com" & lmhosts is "192.168.1.1    maindc   #PRE  #DOM:mycompany.com", I cannot ping the server by its name, and adding to the domain fails from 'My Computer'.

How do I resolve this DNS error? What is required?

Regards,
Pete
Fadal (asker) wrote:

Gupnit, finally I managed to add this machine to the domain. All that was required was to change the primary DNS server to the DNS of my office server; after that I managed to join this machine. BUT NOW I cannot manage to log in using my domain account. I have restarted the machine, logged in using the VPN, then I log off and try to log in using my domain account, but it fails. Any help please?

Regards,
Pete
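
The primary DNS server turned out to be the fix, and the ipconfig /all output above shows why. The SecureClient adapter lists only fec0:0:0:ffff::1 to ::3 as DNS servers; those are the site-local placeholder addresses Windows Vista displays when an adapter has no real DNS server configured, so every query went to the home router at 192.168.254.254, which knows nothing about mycompany.com (hence nslookup's 'Server failed'). hosts and lmhosts entries make 'ping maindc' work but cannot supply the SRV records the domain-join code looks up. The script below is an added example, not from the thread: it reports, for each adapter, which DNS servers it uses and whether each one can answer the DC-locator SRV query. It needs the DnsClient module (Windows 8 / Server 2012 or later); the domain name and DC address are the thread's placeholder values.

```powershell
# Added example, not from the thread. Shows which DNS server each adapter uses and
# whether that server can answer the AD DC-locator query that a domain join needs.
# Needs the DnsClient module (Windows 8 / Server 2012 or later).
# Assumed values from the thread: domain mycompany.com, DC maindc at 192.168.1.1.
$Domain     = 'mycompany.com'
$ExpectedDc = '192.168.1.1'
$Srv        = "_ldap._tcp.dc._msdcs.$Domain"

# -DnsOnly bypasses the hosts file and the resolver cache, so an entry such as
# '192.168.1.1 maindc' in hosts cannot mask a DNS server that cannot resolve the domain.
function Test-DcLocatorDns([string]$Server) {
    $srvRecords = Resolve-DnsName -Name $Srv -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'SRV' }
    if (-not $srvRecords) { throw "no SRV answer for $Srv" }
    foreach ($r in $srvRecords) {
        # Each SRV target must itself resolve through the same server.
        $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $Server -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        foreach ($ip in $a.IPAddress) {
            $flag = if ($ip -eq $ExpectedDc) { '' } else { ' (unexpected address)' }
            "{0}:{1} -> {2}{3}" -f $r.NameTarget, $r.Port, $ip, $flag
        }
    }
}

Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        foreach ($server in $_.ServerAddresses) {
            # fec0:0:0:ffff::1-3 are placeholders Windows shows when no DNS server is set.
            if ($server -like 'fec0:0:0:ffff::*') {
                Write-Host ("[SKIP] {0,-40} {1,-20} placeholder, no DNS server configured" -f $alias, $server)
                continue
            }
            try {
                $result = Test-DcLocatorDns -Server $server
                Write-Host ("[OK]   {0,-40} {1,-20} {2}" -f $alias, $server, ($result -join '; '))
            } catch {
                Write-Host ("[FAIL] {0,-40} {1,-20} {2}" -f $alias, $server, $_.Exception.Message)
            }
        }
    }
```

An adapter whose only servers are [SKIP] or [FAIL] lines is the one to fix; on a VPN client the right fix is to have the VPN push the office DNS servers to its adapter rather than to hand-edit hosts or lmhosts.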
Nitin Gupta wrote:

Great!
Log in with your local account and see if your TCP entries are OK or they have got changed. Since you had changed your DNS and things were fine, remove the hosts & lmhosts entries and then try logging in with the domain ID.
I am here for some time, so please check and let me know.
Thanks
Nitin
Fadal (asker) wrote:

Nitin,

The problem seems to be that if I log off, the VPN connection drops. Is there a way to log in and keep the VPN connection active? That's the only thing left to resolve now, I guess.

Regards,
Pete
HSChronic wrote:

A couple of things you can try:

Load up the VPN, then do a runas using your domain credentials; this might work and create a profile on the machine and cache the domain credentials. No promises, though.

Try to find a way to run the VPN as a service (using srvany or FireDaemon) and have it auto-login the VPN, so that it is running as a service and you are able to log in and off while keeping the domain connection active. I doubt this will work, though, but it is worth a try.

It comes down to the fact that you have to be able to authenticate with the DC in order for the machine to know that the user account exists, since it is not a local machine login. Once you log in once, your credentials will be cached, allowing you to log in without authenticating to the DC.
Nitin Gupta wrote:

Hi Pete,
Actually, the problem is that the domain (AD) ID has not been cached on your system, hence for the first time it needs the connection to be on. We will have to try to cache the ID.
OK, follow this:
  • Log in with a local ID.
  • Make sure the connection to the Domain Controller is perfect.
  • Now, add your AD ID to the local Administrators group on your PC.
  • Enable the screen saver (keep 1 min) and enable password on resume.
  • Let it get locked and then try to use the AD ID to resume there; it will ask you to log off the other user, but I think we might be successful in caching the AD ID.
Let me know if this works; meantime I will think of other ways :-)
Thanks
Nitin

Great, HSChronic has also hit the right button :-)!
Fadal (asker) wrote:

I did as above; it doesn't help. The screen saver comes up but doesn't allow changing the user :( and runas comes up with a logon failure.

Any other ideas?

Guys, I'm off for the day; I will have a look at this tomorrow morning, but I really need this thing working. Thanks so far for your help.

Regards,
Pete
Nitin Gupta wrote:

Ohhh, wait, I gave you the wrong option.
See, use Ctrl+L (lock) and then use the domain\user and password there.

I mean Windows+L.
See, all confused: lock and then use the domain ID.
Fadal (asker) wrote:

Just tried Windows+L, but it doesn't allow changing the user :((((

I will have a look tomorrow morning.

Regards,
Pete
ASKER CERTIFIED SOLUTION by Nitin Gupta (solution text only available to Experts Exchange members)
Fadal (asker) wrote:

I solved it by configuring the VPN client to pop up before logging in to Vista. That solved the problem.

Regards,
Pete
Another member wrote:

Fadal: please could you tell me how you got the VPN to pop up BEFORE you logged in?

Many thanks!
Fadal (asker) wrote:

After a lot of headache I found it to be very simple:
-> Right-click on Check Point VPN
-> Settings
-> 'Options' tab
-> Tick the option 'Enable Secure Domain Logon'

That will let you connect to the VPN before you log in to Windows. But if it's Vista, I hope you know how to do that: click on the red mark in the screen corner during logon, and from then on you should find the way. If you need further info, let me know.

Regards,
Pete
Another member wrote:

Thanks for the reply Pete.
I am using Vista, and our goal is to join a laptop in Spain to a domain in the UK.

So I will connect to their machine in Spain with LogMeIn; I will then create a VPN to connect to the domain in the UK, and while connected I will add it to the domain.

When I reboot the PC I will need to use a method to dial in to the domain, as there is no user profile for the domain created yet. This is where my problem is.

I can, on XP, tick the "Log on using Dial-up Connection" tick box and then connect to the domain over VPN again before logging in as a domain user.
However, on Vista there is no tick box. This is what I am ultimately trying to find out.

Found it:

You need to create the VPN connection with your local account (the one you created during setup). Dial the connection, and then switch user (the little flyout right next to the padlock on the Start menu). From there, you can type in your domain/username/password combination and it will log you in using that connection.

Once this is done, the credentials are cached, and you can log in to the machine using your domain information without actually being connected.
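
Why every working answer in this thread revolves around one logon with the VPN already up: Windows keeps a cached logon verifier (a salted hash derived from the password, not the password itself) only for domain users who have logged on while a DC was reachable, and only those users can log on when no DC is. Secure Domain Logon and the dial-then-switch-user trick both make that first logon happen with the tunnel established. The script below is an added example, not from the thread, that checks the two things that have to be true afterwards: the machine's secure channel to the domain is healthy, and the cached-logon limit actually permits offline logons. It needs PowerShell 2.0 or later (Test-ComputerSecureChannel is available from Windows 7) and an elevated prompt. The security caveat it prints is real: anyone who gains SYSTEM on the laptop can dump those verifiers and crack them offline, so keep the count as low as the use case allows and encrypt the disk.

```powershell
# Added example, not from the thread. Checks whether this machine is in a state where a
# domain user can log on with no DC reachable, and shows the setting that limits it.
# Needs PowerShell 2.0+, an elevated prompt, and (for the secure-channel test) the VPN up.

function Get-DomainJoinState {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $channel = $null
    if ($cs.PartOfDomain) {
        # Only meaningful while a DC is reachable; add -Repair to re-establish a broken channel.
        $channel = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    }
    New-Object PSObject -Property @{
        Computer        = $cs.Name
        PartOfDomain    = [bool]$cs.PartOfDomain
        Domain          = $cs.Domain
        SecureChannelOK = $channel
    }
}

function Get-CachedLogonPolicy {
    # CachedLogonsCount (REG_SZ) is the number of distinct domain users whose logon
    # verifier is kept locally; absent means the Windows default of 10.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { $value = 10 }
    $count = [int]$value
    $meaning = if ($count -eq 0) {
        'No cached logons: every domain logon needs a reachable DC (connect the VPN before logon).'
    } else {
        "Up to $count domain users keep an offline logon verifier on this machine."
    }
    New-Object PSObject -Property @{ CachedLogonsCount = $count; Meaning = $meaning }
}

Get-DomainJoinState   | Format-List
Get-CachedLogonPolicy | Format-List

# Hardening note: the verifiers live under HKLM\SECURITY\Cache and can be dumped by anyone
# who gets SYSTEM on the laptop, then cracked offline. For a single-user roaming laptop,
# 1 or 2 is usually enough instead of the default 10 (and use full-disk encryption):
#   Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
#                    -Name CachedLogonsCount -Value '2'
```

If PartOfDomain is true but SecureChannelOK is false while the VPN is up, the join itself is the problem (stale or reset computer account), and no amount of logon tricks will help until the channel is repaired.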

Fadal (asker) wrote:

OK, good to hear it solved your problem.