DonKwizote
asked on
Error adding Windows 7 Professional PC to Linux/Ubuntu domain
Hi Everyone,
I recently started work at a new company that has many Windows PC's and the servers are mostly Linux. I do not have much exposure to Linux, so the company are helping me learn about it.
I have been given the administrator username and password to add PC's to the domain and the last few times I tried it on XP PC's, it worked.
I am trying to add a Windows 7 Professional PC to our domain (Linux domain controller), but I keep getting an error message on the PC....
"The specified computer account could not be found. Contact an administrator to verify the account is in the specified domain. If the account has been deleted upon unjoin, reboot and rejoin the domain"
I'm sure the administrator username and password are accurate, because I can logon to other PC's and I have admin access.
I do have an IP address on the PC, can ping the domain controller and DNS servers.
Does anyone know why I would have difficulty adding a Windows 7 Professional PC to a domain controlled by a Linux server, when doing it on XP PC's is fine?
ASKER
Yes, we are using Samba but I do not know which version. I will have a look at the link and get back to you shortly. Thanks
ASKER
The content of that link looked promising, but I have made the change and it still doesn't work.
ASKER
I have found more links that maybe of help to anyone who has a similar problem
http://samba.2283325.n4.nabble.com/Windows-7-RC-td2452204.html#a2452204
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/dfd79bc1-cf36-42b7-9911-346912f4def6
http://www.tomshardware.com/forum/75-63-windows-samba-issue
I will check these and post back with my results.
http://samba.2283325.n4.nabble.com/Windows-7-RC-td2452204.html#a2452204
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/dfd79bc1-cf36-42b7-9911-346912f4def6
http://www.tomshardware.com/forum/75-63-windows-samba-issue
I will check these and post back with my results.
I have quite a bit of experience in doing this... there are basically just 2 things you need to do:
1) Make sure your Samba is version 3.5 or higher. Why? Read my article at https://www.experts-exchange.com/A_3545.html for complete details.
2) Make the following TWO registry changes in the Windows 7 client (NOTE: Windows 7 retains the XP & Vista regulation that HOME editions cannot join domains)
a) HKLM\System\CurrentControl Set\Servic es\LanmanW orkstation \Parameter s\DomainCo mpatibilit yMode = DWORD = 1
b) HKLM\System\CurrentControl Set\Servic es\LanmanW orkstation \Parameter s\DNSNameR esolutionR equired = DWORD = 0
You can make these changes "live", but to do so, you need to stop the following 3 services, apply the changes, then re-start them:
- "Computer Browser"
- Netlogon
- LanmanWorkstation
Finally, there will be a "warning"/"error" message after you join the domain -- that is normal & you can ignore it.
I hope this helps!
Dan
IT4SOHO
PS: I have a BATCH file that makes the appropriate changes on the client end... it is attached below
1) Make sure your Samba is version 3.5 or higher. Why? Read my article at https://www.experts-exchange.com/A_3545.html for complete details.
2) Make the following TWO registry changes in the Windows 7 client (NOTE: Windows 7 retains the XP & Vista regulation that HOME editions cannot join domains)
a) HKLM\System\CurrentControl
b) HKLM\System\CurrentControl
You can make these changes "live", but to do so, you need to stop the following 3 services, apply the changes, then re-start them:
- "Computer Browser"
- Netlogon
- LanmanWorkstation
Finally, there will be a "warning"/"error" message after you join the domain -- that is normal & you can ignore it.
I hope this helps!
Dan
IT4SOHO
PS: I have a BATCH file that makes the appropriate changes on the client end... it is attached below
REM :@ECHO OFF
C:
net stop "Computer Browser"
net stop Netlogon
net stop LanmanWorkstation
REM Force Vista/7 systems to allow joining a domain
REG ADD "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v
"DomainCompatibilityMode" /t REG_DWORD /d "1" /f
REG ADD "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v
"DNSNameResolutionRequired" /t REG_DWORD /d "0" /f
net start LanmanWorkstation
net start Netlogon
net start "Computer Browser"
ASKER
Dan,
Thanks for the info.
I decided to have a quick look at the services before running your batch file.
Computer Browser and Netlogon were set to MANUAL (that can't be right) and I can't even find a LanmaWorkstation service.
When i start the computer browser service, it starts, then stops after a few seconds.
This is a brand new Windows 7 Pro PC. I just unboxed it an hour ago.
Thanks for the info.
I decided to have a quick look at the services before running your batch file.
Computer Browser and Netlogon were set to MANUAL (that can't be right) and I can't even find a LanmaWorkstation service.
When i start the computer browser service, it starts, then stops after a few seconds.
This is a brand new Windows 7 Pro PC. I just unboxed it an hour ago.
ASKER
Dan,
Actually, I found out why the Netlogon service will not start unless the PC is part of a domain. I don't know why the browser service won't start or why I have no LanmanWorkstation service.
Also, I think the syntax for the reg additions might be slightly wrong. However, I have already manually added those values into the registry.
I am sure we have a few Windows 7 PC's on the domain. I will have to find out from the IT Manager tomorrow about the version of Samba we have. I'm leaving work now.
Feel free everyone to chip in with suggestions. Thanks for your help.
Actually, I found out why the Netlogon service will not start unless the PC is part of a domain. I don't know why the browser service won't start or why I have no LanmanWorkstation service.
Also, I think the syntax for the reg additions might be slightly wrong. However, I have already manually added those values into the registry.
I am sure we have a few Windows 7 PC's on the domain. I will have to find out from the IT Manager tomorrow about the version of Samba we have. I'm leaving work now.
Feel free everyone to chip in with suggestions. Thanks for your help.
ASKER
it appears the computer browser service not starting had something to do with the firewall. I disabled the Windows firewall and the browser service starts and stays on. A rule in the firewall must have been blocking it. I still cannot join the Linux domain. Everyone else on the sites I'm reading seemed to have success after making the registry edits.
ASKER
I have finally got the bloody thing working!
There are quite a lot of things to check before Win 7 Pro PC's can connect to a Samba domain
1) The general consesus is that only Samba versions 3.3.4 or higher will work. My manager confirmed we had version 3.5
2) Editing the registry with the below entries....
HKLM\System\CCS\Services\L anmanWorks tation\Par ameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
HKLM\System\CCS\Services\N etlogon\Pa rameters
DWORD RequireSignOrSeal = 0
DWORD RequireStrongKey = 0
3) Editing the local security policy with the entries below....
Control Panel - Administrative Tools - Local Security Policy
Local Policies - Security Options
Network security: LAN Manager authentication level
Send LM & NTLM responses
Minimum session security for NTLM SSP
Disable Require 128-bit encryption
4) I even edited the LMHOSTS file by adding this entry...
IPADDRESS DC #PRE #DOM:DOMAIN
IPADDRESS "DOMAIN \0x1b" #PRE
After making the four changes above, I still could not join the Samba domain.
5) I spoke to my IT Manager and he added a machine account in Samba for the Win 7 PC.
I believe the command is "useradd -a -m HOSTNAME"
THEN IT WORKED.
It's possible some of the changes in 2-4 are not really necessary, but in order to find out, I would have to change them back to their defaults and see what happens. I reckon changes 1 and 5 are absolutely necessary in order for a Win 7 PC to join a Samba domain.
Here are the webpages I found and were of some help to me.
http://samba.2283325.n4.nabble.com/Windows-7-RC-td2452204.html#a2452204
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/dfd79bc1-cf36-42b7-9911-346912f4def6
http://www.tomshardware.com/forum/75-63-windows-samba-issue
http://www.enterprisenetworkingplanet.com/_featured/article.php/3849061/Use-Samba-With-Windows-7-Clients.htm
http://technet.microsoft.com/en-us/library/ee681622(WS.10).aspx
Thanks also to everyone who contributed with suggestions.
There are quite a lot of things to check before Win 7 Pro PC's can connect to a Samba domain
1) The general consesus is that only Samba versions 3.3.4 or higher will work. My manager confirmed we had version 3.5
2) Editing the registry with the below entries....
HKLM\System\CCS\Services\L
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
HKLM\System\CCS\Services\N
DWORD RequireSignOrSeal = 0
DWORD RequireStrongKey = 0
3) Editing the local security policy with the entries below....
Control Panel - Administrative Tools - Local Security Policy
Local Policies - Security Options
Network security: LAN Manager authentication level
Send LM & NTLM responses
Minimum session security for NTLM SSP
Disable Require 128-bit encryption
4) I even edited the LMHOSTS file by adding this entry...
IPADDRESS DC #PRE #DOM:DOMAIN
IPADDRESS "DOMAIN \0x1b" #PRE
After making the four changes above, I still could not join the Samba domain.
5) I spoke to my IT Manager and he added a machine account in Samba for the Win 7 PC.
I believe the command is "useradd -a -m HOSTNAME"
THEN IT WORKED.
It's possible some of the changes in 2-4 are not really necessary, but in order to find out, I would have to change them back to their defaults and see what happens. I reckon changes 1 and 5 are absolutely necessary in order for a Win 7 PC to join a Samba domain.
Here are the webpages I found and were of some help to me.
http://samba.2283325.n4.nabble.com/Windows-7-RC-td2452204.html#a2452204
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/dfd79bc1-cf36-42b7-9911-346912f4def6
http://www.tomshardware.com/forum/75-63-windows-samba-issue
http://www.enterprisenetworkingplanet.com/_featured/article.php/3849061/Use-Samba-With-Windows-7-Clients.htm
http://technet.microsoft.com/en-us/library/ee681622(WS.10).aspx
Thanks also to everyone who contributed with suggestions.
ASKER
I need to amend my solution asap
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
First of all, I'm glad you got it working, although in our environment we have never had to manually add the system name to the UNIX system, Samba has always done that for us.
-- Check your smb.conf file for the add machine script. If it's old or broken, that could explain your reported behavior.
====
HOWEVER: The registry edits you noted included mine, but also included:
HKLM\System\CCS\Services\N etlogon\Pa rameters
DWORD RequireSignOrSeal = 0
DWORD RequireStrongKey = 0
NOTE that you will find recommendations at several sites suggesting this, but the Samba developers STRONGLY URGE you NOT to make these two changes. THEY ARE NOT NECESSARY for the RIGHT versions of SAMBA, and significantly reduce the security of your LAN! For more info, read here: http://wiki.samba.org/index.php/Windows7
Also, There should be no reason to modify LMHOSTS.
====
So again, to summarize the steps:
1) Make sure your Samba is version 3.5 or better
2) Make the following TWO registry edits:
HKLM\System\CCS\Services\L anmanWorks tation\Par ameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
3) If necessary, manually add the system name to the Samba server with:
NEWHOSTNAME=
useradd $NEWHOSTNAME\$
smbpasswd -a -m $NEWHOSTNAME
4) Ignore the DNS Domain Name Change Error that Windows 7 will show when you SUCCESSFULLY join the Samba Domain
NOTES on step 3:
1) The hostname in the local UNIX password database must end in a $ -- thus, the "\$" at the end of the useradd command
2) The smbpasswd command will automagically add the $ at the end of the name --- that's what the -m switch does!
Because this is such a common issue, I'm in the process of writing an article for it...
Dan
IT4SOHO
PS: I am not objecting to the closure of this question -- I don't really care about points, and if DonKwizote doesn't think our assistance was worth it, that's his call to make.
-- Check your smb.conf file for the add machine script. If it's old or broken, that could explain your reported behavior.
====
HOWEVER: The registry edits you noted included mine, but also included:
HKLM\System\CCS\Services\N
DWORD RequireSignOrSeal = 0
DWORD RequireStrongKey = 0
NOTE that you will find recommendations at several sites suggesting this, but the Samba developers STRONGLY URGE you NOT to make these two changes. THEY ARE NOT NECESSARY for the RIGHT versions of SAMBA, and significantly reduce the security of your LAN! For more info, read here: http://wiki.samba.org/index.php/Windows7
Also, There should be no reason to modify LMHOSTS.
====
So again, to summarize the steps:
1) Make sure your Samba is version 3.5 or better
2) Make the following TWO registry edits:
HKLM\System\CCS\Services\L
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
3) If necessary, manually add the system name to the Samba server with:
NEWHOSTNAME=
useradd $NEWHOSTNAME\$
smbpasswd -a -m $NEWHOSTNAME
4) Ignore the DNS Domain Name Change Error that Windows 7 will show when you SUCCESSFULLY join the Samba Domain
NOTES on step 3:
1) The hostname in the local UNIX password database must end in a $ -- thus, the "\$" at the end of the useradd command
2) The smbpasswd command will automagically add the $ at the end of the name --- that's what the -m switch does!
Because this is such a common issue, I'm in the process of writing an article for it...
Dan
IT4SOHO
PS: I am not objecting to the closure of this question -- I don't really care about points, and if DonKwizote doesn't think our assistance was worth it, that's his call to make.
ASKER
I've decided split the points to say thanks to all who contributed their time.
ASKER
Admin, Moderator,
I cannot seem to find an option to split the points..
Please split 500 points among it4soho's comment (ID 33789750 - as it does have some corrections to my post), My comment (ID 33787754), it4soho's comment (ID 33781461) and stpm11's comment (ID 33781137)
Also, close the ticket and add it to the knowledgebase.
Or, show me how to do all of the above.
Thanks,
I cannot seem to find an option to split the points..
Please split 500 points among it4soho's comment (ID 33789750 - as it does have some corrections to my post), My comment (ID 33787754), it4soho's comment (ID 33781461) and stpm11's comment (ID 33781137)
Also, close the ticket and add it to the knowledgebase.
Or, show me how to do all of the above.
Thanks,
http://www.msfn.org/board/topic/128488-solved-join-windows-7-machine-to-domain/