steveurich asked:

Unable to join the domain - Access Denied

I am an admin on the domain, Sytek.local. I try and get my notebook to join the domain and I get an access denied.

This notebook has been a member of other domains before, but I always exited it.

I have a utility (I can't remember the name of it) that at startup shows the IP address and the domain on the desktop.
Two problems:

  I can't find where this utility is starting up. Where in the registry are the startup options?

  The utility shows that the domain is still CPQ, my old domain.

Any suggestions?

Thanks in advance,

Steve
 
steveurich (ASKER)

The error message is

The following error occurred attempting to join the domain "sytek"
Access is denied.

Is there an issue with appending domain prefixes?

Thanks,

Steve
valicon
Is this laptop still a member of a nonexistent domain or have you moved it into a workgroup?
I would use the following utility to find the exact startup location of your utility:

http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
overflow34

You can use msconfig, which is built into Windows XP, to see what services are starting up.

Join your computer to a workgroup first, restart, and then try and join the computer to the domain. I have had many problems trying to join a computer to a domain when it is already in another domain.
http://support.microsoft.com/kb/321708
http://support.microsoft.com/kb/257623/en-us

Use the netdiag.exe tool to recover and fix domain connectivity issues.  
The autorun utility is much more comprehensive than msconfig. The reason that I had asked if you moved the laptop into a workgroup or not is, if you have not, and you are trying to go from one domain to another, this will fail. Make it a member of a workgroup and then attempt to join the domain. HTH :)
Disjoin this computer from any domains, join it to a workgroup and reboot.

Reboot again, and then try again to join your domain. Of course, you have to have admin credentials in the domain to join it, but only laptop admin credentials to disjoin from a domain.

Good Luck,

As mentioned, remove the computer from the old domain by making it a member of a 'workgroup'.
Click OK and re-boot.
Log back in and add it to the new domain - by adding the Fully Qualified Domain Name (FQDN) - this will probably be an extended name such as sytek.local.doo.dah.com

I have this same problem about once in a blue moon and using the FQDN seems to fix it.

Good Luck,
Vic

Set it back to workgroup.  Using the LOCAL administrator/password.  Then join it to the new domain.
As far as the 'utility' goes, if you just type "ipconfig /all" from a command prompt, it will display all of that information for you.
As mentioned, remove the computer from the old domain by making it a member of a 'workgroup'.
Click OK and re-boot. Before doing that, first create a user account for the local machine which has administrator rights so that you can log in after you change it to workgroup.

Then add it to the new domain by adding the proper Domain Name along with the proper credentials, and this will help you to resolve this issue.

Regards
Krishna
Before removing the computer from the domain make sure you have a local administrator account. Otherwise you have to crack the password, which is easy but still a pain.
All necessary services (such as cryptographic service and some other similar) are started? (Automatic mode, not manual or disabled)?

Your DNS (on XP) settings map the DNS server on the join-to domain?

Jasper
Also just check if the domain you're attempting to log onto is set as default connection in local area connection.
Create a temp domain admin account and use that to join the domain AFTER you move it to workgroup mode (ensure to reset the password for local admin if you are unsure as advised earlier)!
Disjoin from old domain. Restart. Join new domain with proper credentials and restart. Check DNS entry too.

It is currently set to be a member of the workgroup when I try and join the domain. However it still shows up in that utility as in CPQ domain.

Is the domain setting hidden in the registry? I will try and search for CPQ.

Thanks for your input.

Steve
Steve,
It will help those of us who are posting if you identify which suggestion (user name) you are responding to.

1. When you do the ipconfig /all command, are you getting the basics of an IP address, Host Name, DNS suffix, etc.?
2. Are you running DHCP?

Vic
Though this sounds stupid, try changing the computer name, rebooting and then joining the domain, as I have run into that before and it was the only way I could get it to join the domain.
jrmedia,
Actually, not stupid at all - good suggestion.

Vic
Format reinstall.  This seems to solve everything for some reason.
I have had similar problems with stale DNS records. Do an ipconfig /dnsflush. See if that helps.
Do you by any chance have Norton installed? It may be blocking the port.
Edited the TCP/IP properties Advanced - WINS tab to enable NetBIOS over TCP/IP. Try again to log in the XP machine to the domain. Once joined, then go back and disable NetBIOS over TCP/IP.
Just an idea from other database here at EE.
Make sure you have client for MS networks installed in the network properties for your NIC. That is in essence, the "workstation" service.
I finally had to call Microsoft and managed to fix the problem.

He checked many of the same issues that were mentioned by the above experts. It turned out to be a setting on the Small Business Server.

Hello Steve,

It was my pleasure to serve you during your "Unable to join an XP Laptop to the domain" issue. I hope that you were delighted with the service provided to you. I am providing you with a summary of the key points of the case for your records. If you ever have any questions please feel free to call me. My contact information is listed below.

 
PROBLEM:  Unable to join an XP Laptop to the domain

RESOLUTION:

Steps taken to resolve this issue:

-Went into event vwr and found the following error:

 

Event Type:       Warning
Event Source:     NTDS Replication
Event Category:   Backup
Event ID:         2089
Date:             12/19/2006
Time:             3:46:34 PM
User:             NT AUTHORITY\ANONYMOUS LOGON
Computer:         NOFEAR
Description:
This directory partition has not been backed up since at least the following number of days.

Directory partition:
DC=ForestDnsZones,DC=Sytek,DC=local

'Backup latency interval' (days):
30

It is recommended that you take a backup as often as possible to recover from accidental loss of data. However if you haven't taken a backup since at least the 'backup latency interval' number of days, this message will be logged every day until a backup is taken. You can take a backup of any replica that holds this partition.

By default the 'Backup latency interval' is set to half the 'Tombstone Lifetime Interval'. If you want to change the default 'Backup latency interval', you could do so by adding the following registry key.

'Backup latency interval' (days) registry key:
System\CurrentControlSet\Services\NTDS\Parameters\Backup Latency Threshold (days)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

 

-Checked the NIC setting on the SBS 2003 server and found that the Default Gateway address was added in place of Alternate DNS.

-Removed the alternate DNS and added the server's IP address in place of alternate DNS.

-Also there was an additional NIC card which had an APIPA address.

-We disabled the other NIC which was not in use.

-Corrected the NIC Bindings.

-Ran ipconfig/flushdns.

-Ran ipconfig/registerdns.

-Checked the NIC settings on the XP Client and the NIC settings on the XP client were fine.

-We enabled NetBIOS over TCP/IP on the XP machine.

-Corrected the NIC Bindings.

-Did ipconfig/flushdns

-Did ipconfig/registerdns.

-Added a computer account named HEALTH from the server management console.

-Tried to ping the XP client from the server and the other way round and it worked fine.

-We stopped and disabled the windows firewall on the XP client.

-From IE we browsed to http://servername/connectcomputer.

-Tried to join the XP client to the domain and it gave us an error.

-Made the user a member of enterprise and schema admins.

-Tried to join the XP client to the domain from My Computer properties\ Computer Name Tab\ Change Button.

-We entered the administrator's credentials and it gave us an "Access Denied" error.

-Also analyzed the netsetup.txt log from the XP client and found the error "failed with 0xc0000022".

-Checked the SMB Signing on the SBS server.

-Went into Group policy Management console and browsed to the following path:

 

Selected Default Domain Controllers Policy \ Edit \ Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options

 

We verified the server's settings with the following and made the necessary changes:

 

Microsoft network client: Digitally sign communications (always) DISABLED
Microsoft network client: Digitally sign communications (if server agrees) ENABLED
Microsoft network server: Digitally sign communications (always) DISABLED
Microsoft network server: Digitally sign communications (if client agrees) ENABLED
Domain member: Digitally encrypt or sign secure channel data (always) DISABLED
Domain member: Digitally encrypt secure channel data (when it is possible) ENABLED
Domain member: Digitally sign secure channel data (when it is possible) ENABLED
Domain member: Require strong (Windows 2000 or later) session key DISABLED

 

-Ran Gpupdate /force and it was applied successfully.

-Tried to join the XP client to the domain again from My Computer properties\ Computer Name Tab\ Change Button.

-Entered the administrator's credentials.

-This time the XP Client got joined to the domain successfully.

-The XP Client Rebooted and came up fine but it took a while to come up.

-We logged the XP client to the network.

-After logging in we got the following error:

---------------------------

Client Setup Wizard

---------------------------

Client Setup could not remove a special account created to migrate user settings from the previous user of this computer. Contact the person responsible for your network.

---------------------------

OK  

---------------------------

-We got the above error every time we logged on to the XP client.

-Followed the following steps:

Deleted the sbs_netsetup user on the local machine, by going to on the Windows XP client machine -> Right click My Computer -> Manage -> Local Users and Groups -> Users -> Delete sbs_netsetup user

-We logged off and then Logged back on to the XP client and this time it didn't give us the above error at the startup.

ADDITIONAL LINKS:

Troubleshooting Active Directory-Related DNS Problems

http://www.microsoft.com/resources/documentation/windowsServ/2003/all/techref/en-us/W2K3TR_addns_intro.asp

 

Windows 2000 Active Directory Architecture

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd10.mspx

 

Integrating Your Active Directory Namespace Into an Existing DNS Infrastructure With Name Overlap

http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/w2kadarch.asp

 

Changes to DNS in Windows Server 2003

http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/dns04_integ_adnspace_with_nameoverlap.asp

 

Optimizing DNS

http://www.microsoft.com/windows2000/technologies/communications/dns/dns2003.asp

 

Managing DNS Records

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/optimize/c19w2kad.mspx

 

Managing DNS Server Configuration and Security

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/operate/19w2kadb.mspx

 

Based on our last conversation, I am closing this case-. If you face any further problem with the same issue please feel free to get in touch with us, with the same case number: and we will be glad to assist you.

Thank you for choosing Microsoft Small Business Server

Thank you for your time and patience in this matter.

Best regards,

Microsoft Enterprise Support
Small Business Server Team

My working hours are 9:00 A.M
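
The eight Security Options in the case notes above are backed by registry values under the LanmanWorkstation, LanmanServer and Netlogon services. The following is an added example, not part of the thread or of Microsoft's case notes: it reads those values on the local machine and, going slightly beyond the notes, checks two exported result sets for the SMB signing combination that cannot negotiate (one side requires signing while the other has it switched off). It assumes PowerShell 3.0 or later in an elevated session; the function names and CSV file names are hypothetical.

```powershell
# Added example, not from the thread. Function names are hypothetical; the
# registry value names are the ones that back the Security Options listed above.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$policyMap = @(
    @{ Key = 'LanmanWorkstation'; Name = 'RequireSecuritySignature'; Policy = 'Microsoft network client: Digitally sign communications (always)' }
    @{ Key = 'LanmanWorkstation'; Name = 'EnableSecuritySignature';  Policy = 'Microsoft network client: Digitally sign communications (if server agrees)' }
    @{ Key = 'LanmanServer'; Name = 'RequireSecuritySignature'; Policy = 'Microsoft network server: Digitally sign communications (always)' }
    @{ Key = 'LanmanServer'; Name = 'EnableSecuritySignature';  Policy = 'Microsoft network server: Digitally sign communications (if client agrees)' }
    @{ Key = 'Netlogon'; Name = 'RequireSignOrSeal'; Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)' }
    @{ Key = 'Netlogon'; Name = 'SealSecureChannel'; Policy = 'Domain member: Digitally encrypt secure channel data (when it is possible)' }
    @{ Key = 'Netlogon'; Name = 'SignSecureChannel'; Policy = 'Domain member: Digitally sign secure channel data (when it is possible)' }
    @{ Key = 'Netlogon'; Name = 'RequireStrongKey';  Policy = 'Domain member: Require strong (Windows 2000 or later) session key' }
)

function Get-SigningPolicyState {
    foreach ($p in $policyMap) {
        $item = Get-ItemProperty -Path "$svc\$($p.Key)\Parameters" -Name $p.Name -ErrorAction SilentlyContinue
        $data = if ($item) { $item.($p.Name) } else { $null }
        [pscustomobject]@{
            Service = $p.Key
            Name    = $p.Name
            State   = if ($null -eq $data) { 'NOT SET' } elseif ($data -eq 1) { 'ENABLED' } else { 'DISABLED' }
            Policy  = $p.Policy
        }
    }
}

function Test-SmbSigningMismatch {
    param($ClientState, $ServerState)   # Get-SigningPolicyState output from each machine
    $c = @{}; $s = @{}
    $ClientState | Where-Object Service -eq 'LanmanWorkstation' | ForEach-Object { $c[$_.Name] = $_.State }
    $ServerState | Where-Object Service -eq 'LanmanServer'      | ForEach-Object { $s[$_.Name] = $_.State }
    $clientSigns = ($c.RequireSecuritySignature -eq 'ENABLED') -or ($c.EnableSecuritySignature -eq 'ENABLED')
    $serverSigns = ($s.RequireSecuritySignature -eq 'ENABLED') -or ($s.EnableSecuritySignature -eq 'ENABLED')
    if ($s.RequireSecuritySignature -eq 'ENABLED' -and -not $clientSigns) { 'MISMATCH: server requires SMB signing, client has signing off' }
    elseif ($c.RequireSecuritySignature -eq 'ENABLED' -and -not $serverSigns) { 'MISMATCH: client requires SMB signing, server has signing off' }
    else { 'No SMB signing mismatch between these two machines' }
}

# On each machine: show the current state and save it for comparison.
Get-SigningPolicyState | Format-Table State, Name, Policy -AutoSize
Get-SigningPolicyState | Export-Csv "$env:COMPUTERNAME-signing.csv" -NoTypeInformation
# Then, with both files in one place (file names below are placeholders):
# Test-SmbSigningMismatch (Import-Csv 'client-signing.csv') (Import-Csv 'server-signing.csv')
```

A State of NOT SET means the value is absent and the operating system default applies. On a domain controller the effective values come from the Default Domain Controllers Policy after Gpupdate, so read them after policy has refreshed.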