We help IT Professionals succeed at work.

SBS 2003 rebuild - Access denied when joining new domain with same name as original domain

micror
micror asked
on
4,409 Views
Last Modified: 2009-07-27
We have just installed a new Windows SBS 2003 to take over from an existing server.
The new server is configured identically to the original server. That is same domain name, IP address config, etc.
All Windows XP Pro workstations can not join the domain with "Access Denied" errors.
I believe this has something to do with original SIDS on the workstations. There are quite a few workstations to rejoin to the domain.
Does anyone have any solutions to resolve this problem?

(Microsoft is really annoying. How can they expect a 500 to 1000 workstation network to not have the option of replacing a server with identical details??? very strange)
Comment
Watch Question

CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018

Commented:
You need to unjoin your current domain members (by "joining" them to a workgroup), then re-join them to your new domain.
By installing a new domain controller, even with the same name and same IP address, you still created a completely different domain. Neither the DC's name nor the domain's name is of importance. Each domain has a unique SID, created when the first DC is installed. Your new domain has a different SID than the old one, so for the obvious reasons, your DC won't trust the clients that are members of the old domain.
That means, of course, that all your users will receive new profiles, as their old accounts don't exist anymore, either.
You should be able to migrate them using moveuser.exe from the resource Kit Tools:
Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

And with networks of 500, 1000 or more clients, it's no problem at all replacing a server.
There just aren't any migration paths *to* SBS (only from SBS to a "real" server), as the usual direction is the other way when you outgrow SBS.

Author

Commented:
Many thanks for your ideas oBdA, they are much appreciated.
Please note that I am aware of the removing the workstations from the domain and joining a workgroup.
Unfortunately, this has already been done and the new server will still not accept workstations login.
I believe it may be SID related.

Author

Commented:
Also, please note that I removed the new SBS 2003 server from the site and took it back to my office.
I connected my own workstation to the same server (on it's own mini LAN) and my workstation joined the domain of the new server without issue.

I had thought the SBS 2003 server may have had some security policy preventing it but thought better of it as it is a brand new vanilla, straight out of the box installation without any modifications made.

Still in trouble. Bugger.

I am now planning on disjoining one of the client workstations from the original domain, joining it and then disjoining it from a completely different domain, then attempting to join it to the new server again.

I cannot help thinking that there has to be an easier way to clean out old SIDS. Ïs it Microsoft of me???
Jeffrey Kane - TechSoEasyPrincipal Consultant
CERTIFIED EXPERT
Most Valuable Expert 2016
Top Expert 2014

Commented:
The problem is that you can't use the same computer names... even with all the talk about the SID's above, you need to change the names of your computers.

Follow these exact steps and you'll be fine:

The following needs to be done with each client machine:
1.  Unjoin the domain into a WORKGROUP if it's not there already -- per your comments
2.  Change the name of the computer
3.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients

Then on the server, from the Server Management Console:
1.  Remove all client computers
2.  Add each client again with it's NEW name via the Add Client Computer Wizard

Then, go back to the client machine and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer
Full KB for adding computers (which unfortunately doesn't mention the fact that the names need to be changed): http://www.microsoft.com/smallbusiness/support/articles/win2k3sbnetwork.mspx 


And yes, there are PLENTY of migration paths to SBS... http://www.microsoft.com/windowsserver2003/sbs/upgrade/default.mspx

Jeff
TechSoEasy

Author

Commented:
TechSoEasy,

Many thanks for your suggestions. I am very eager to try them out and will post my results asap.
Jeffrey Kane - TechSoEasyPrincipal Consultant
CERTIFIED EXPERT
Most Valuable Expert 2016
Top Expert 2014

Commented:
No problem... in looking back over my answer, however, I realize that I gave you the wrong KB link for adding computers it should be:  http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/xp2sbs.mspx

Jeff
TechSoEasy

Author

Commented:
TechSoEasy, thanks for your suggestions but unfortunately we had no joy. We even took in another 2003 Server to join one of the workstations to a completely different domain, disjoin it and attempt to logon to new server.
Still had no success.

The same domain name and server details are really causing issues. I'm wondering of certificates may have something to with it.
Will keep trying and when we get the results we will post it.

thanks
Jeffrey Kane - TechSoEasyPrincipal Consultant
CERTIFIED EXPERT
Most Valuable Expert 2016
Top Expert 2014

Commented:
Well, you definitely should clear out any stored certificates on the workstation.  Also, run the Network Diagnostic tool from Help & Support and see if there are any leftover problems.  I just did the same kind of thing for a client and couldn't join the workstations to the new server ... kept getting an error in the middle of connectcomputer sequence...

Turned out that the old IP address of the server had gotten stuck in the WINS field of the NICs properties... once that was cleared up it connected just fine.

Jeff
TechSoEasy

Author

Commented:
Thank you all for you assistance.
We ended up speaking directly with Microsoft helpdesk, who stated that they had not seen our particular problem before.
I suppose it was just unlucky that we has to be the first. As the acutaul cause of the problem could not be determined,
Microsoft provided a fuill procedure to follow to fix the problem. it went like this.
1. Remove the workstation from the existing domain.
1a. Rename the computer to a short name and join it to a workgroup also with a short name. (Eg ABC).
2. Uninsgtall any virus applications.
3. Run "GPEDIT.MSC" and navigate to Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
4. Enable the two options reading "Microsoft Network Client: Digitally sign communications (if server agrees)" and "Microsoft Network Client: Send unencrypted password to third party SMB servers" if not already enabled.
5. Run "MSCONFIG" and select the "Services" tab. Check the box that reads "Hide All Microsoft Services" and disable what is left. Reboot the system.
6.Set the IP configuratioin to static (if using DHCP).
7. Successfully join the new domain ensuring to use the username format "Domain\administrator" (eg microsoft\administrator) for the authority permitting the joining of the domain.

A real pain but it worked. Be sure to reset your IP config to DHCP and re-enable the services when done.
Do not alter the security settings or you will find that login scripts etc will not run.
Jeffrey Kane - TechSoEasyPrincipal Consultant
CERTIFIED EXPERT
Most Valuable Expert 2016
Top Expert 2014

Commented:
Did Microsoft Support ACTUALLY advise you to join a workstation to an SBS domain manually?  If so, can you email me the case number (my email is in my profile) because I've just spent the past two days in Redmond at the SMBNation conference with about 500 SBS consultants and the topic of misinformation regarding using the wizards was continually brought up.


I'm also curious... were there any NON-Microsoft services that you disabled in MSCONFIG, and if so, what were they?


One other thing that I found out with changing workstations to a new domain is that there may be necessary operating system files that are owned by an inactive SID.  I've started claiming ownership for all files with the local Administrators group before rejoining the domain.

Glad you got it worked out though.

Jeff
TechSoEasy
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.