Error Adding Vista to a Domain

  • Question

  • Hello,

    Before I go any further, this posting is a solution (or an article to give ideas) for those people that are having problems with Vista in a corporate or advanced home networking environment. Sometimes, I am so upset by the problems I encounter when using computers that I have to do my bit for world peace and share some knowledge in the vain hope that others may be spared the frustration.

    Problem: When adding a computer running Windows Vista to a domain, you receive the following error:

    Access Denied

    In fact, there's a lot more to the error message than this, but it ends with those two words. I've tried to recall the rest of the long message but the gist of it is that it's saying it could be caused by an existing computer account on the domain and to rename the machine or remove the account - which is all lies.

    Solution: Unsecure your Vista PC, because after all, there's no way of pinpointing which of the millions of restrictions are preventing you from getting on with your life.

    I admit that I have muddied the waters somewhat as another error I was receiving told me that the SRV record for my DC was not available in DNS*, but essentially I did the following:

    • Ensured that the problem was due to local rights by entering an intentionally incorrect domain administrator username and password - this gave a different error message
    • Opened MMC (mmc.exe) and added the Local Computer Policy snap-in (File menu).
    • Navigated to Computer Configuration\Windows Settings\Security Settings\Local Policies
    • Opened User Rights Assignments
    • Added the Administrators group to the right: Add workstations to domain
    • Opened Security Options
    • Disabled the option: Domain member: Digitally encrypt or sign secure channel data (always)
    • Disabled the option: Domain member: Disable machine account password changes
    • Disabled the option: User Account Control: Admin approval mode for the Built-in Administrator account
    • Set "Elevate without prompting" on: User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode
    • Disabled the option: User Account Control: Run all administrators in Admin Approval Mode
    • Opened Windows Firewall with Advanced Security
    • Switched off Windows Firewall for all three profiles
    • Ensured that my time settings and timezone were the same as the server's
    • Upgraded my newly installed Windows 2000 domain controller to SP3

    Note that once you've joined the domain, the local policy will become obsolete anyway.

    Now Reboot. Although apparently happening live (Vista doesn't hesitate in putting up a red shield in the system tray as soon as you tweak the settings), the solution needs a restart. I only did this after reading that with UAC switched on, your administrative account actually runs Explorer with two security tokens, and most activities are performed using the plebeian user token (so you're never really an admin) - this led me to think that the add to domain wizard was actually running in pleb mode. The restart worked and I was able to get myself on my domain. The end.

    I must admit that it is a shame that Windows cannot tell you what settings are affecting a security block. The solution becomes one of all or nothing; my new-build apartment has a legally required smoke-detector just above the door to the kitchen - you know, that place where you make heat and smoke - consequently I've had to cripple it with a rubber item usually associated with birth control. So I am unprotected from fire in the living room and I am unprotected by Microsoft's new security features.

    * The Access Denied and the DNS errors were appearing randomly on each try. The DNS one was caused by having my secondary DNS server set to my broadband router and my primary to the AD DC. Despite having the right entries in the local DNS cache (ipconfig /displaydns) the Windows add to domain wizard seems to have its own way of resolving names and doesn't seem to have any morals about using your secondary server first.

    Additional query words: AD member netdom 2003 2000 server unsuccessful cannot already exists

    Saturday, March 3, 2007 6:49 PM

All replies

  • thanks for a great article
    Tuesday, March 6, 2007 11:35 AM
  • Hi Skywalker,

    I did your tips in my company but it didn't work.

    My infra:

    DC = Windows 2000 SP4 PT-BR

    Vista Enterprise

    I looked into this problem and I found this solution http://blogs.technet.com/asiasupp/archive/2007/01/16/pay-attention-when-deploying-vista-client-in-windows-2000-domain.aspx but Windows 2000 doesn't have the local service account.

    Could you help me!!!!!!!!!!

    Tuesday, April 10, 2007 2:42 PM
  • Hi

    This is mainly a courtesy post, as it's a bit late on a Sunday night to get my head around the issue in any detail - let me know if you've gotten any further - your posting was a while ago (sorry to have missed it).

    Firstly, I think the article you read was more to do with the Firewall than adding a Vista box to AD. The Firewall is a pain as I've found that it can be switched off and actually still be on - a kind of "MS knows best" feature to keep clients secure, I guess. Incidentally, I've found the only sure way to switch it off, short of removing all the rights from its key files, is to define the policy in a GPO or the local GPO. Still, it's possible that the Firewall is blocking the comms with your DC - in my experience, it pays to have an open mind when troubleshooting.

    Second, can you post any errors you get and whether you get different ones in different situations?

    Else, have you tried NETDOM while running a command prompt with elevated privileges?

    - Locate NETDOM on the web or resource kit, I suggest using the version for Win2003 Server.
    - Type CMD into the search box on the Vista Start menu, right-click Cmd in the list and select Run as administrator...
    - This will run the command prompt in "real" admin mode.
    - Try using the NETDOM utility (command line) to add the machine - my theory is that the command prompt can now assure us that we have a "real" admin session going on, and the NETDOM tool is tried and tested.

    Something I didn't try was to look at either a NETMON or REGMON trace to see if some process or part of the registry "lit up" when it failed, or even trying a network trace using something like Ethereal.

    Good luck!

    Sunday, April 22, 2007 8:19 PM
  • For the record I've added numerous Vista boxes to a Windows Domain (Server 2003 R2 at a 2003 Forest Functional Level) without any issue whatsoever. Have you tried running NetDiag and DCdiag to check for any issues with your domain?
    Monday, April 23, 2007 2:25 PM
  • I agree Andy, there's certainly something awry as many thousands of Vista builds will have been happily added to domains in the past couple of years. Of course, I've achieved what I wanted and so the motive for further investigation has been removed.

    I obviously had that right combination of variables in which a bug or oversight showed up; I've another four non-Vista Windows clients that did join the domain without a struggle, so I'm more inclined to think that Vista and its extra layers of armour was the culprit, but still you never know, maybe it exposed a deeper problem.

    Thanks for the tips - not heard of those tools, and may take a look out of sheer curiosity.

    Monday, April 23, 2007 2:53 PM
  • Hi,

    I'll take a look at your tips ... and post the result here.

    Thanks a lot

    Fábio - Brazil

    Monday, April 23, 2007 2:54 PM
  • Hi,

    My Domain/Forest level is 2000 ... how can I raise this if all my DC servers are Windows 2000 SP4?

    I talked to my "boss" about upgrading our server to Windows 2003 R2 .... He says he will ask the directors for some money to upgrade them .... I hope the directors are in a good mood ...

    Thanks a lot

    Fábio - Brazil

    Monday, April 23, 2007 2:59 PM
  • Hello Mr. LukeSkywalker
    My Windows Vista Business workstation does not start some Windows services. After I placed it in the domain, it does not start the Firewall service, Telephony and other services. How can I solve this big problem?

    Thanks

    Thursday, July 26, 2007 5:23 PM
  • Hi, I have an AD2003 domain that was upgraded from an AD 2000 domain. When I add a Vista Ultimate SP1 workstation everything goes fine until another reboot after the domain is joined.

    Services then refuse to start! Some that do not want to start are DHCP Client, Network Location Awareness and Windows Firewall.
    The DHCP service says access denied when started manually.

    I have read the following article:

    http://blogs.technet.com/asiasupp/archive/2007/01/16/pay-attention-when-deploying-vista-client-in-windows-2000-domain.aspx

    The workstation now cannot get an IP from a DHCP server. I suspect that it has got to do with the Default Domain Policy. I have added Local Service and Network Service to the Adjust memory quotas for a process right in the Default Domain Policy under User Rights Assignment. Also added these accounts to the Log on as a service policy. Still to no avail. The Vista machine's networking basically self-destructs after joining the domain.

    I have tested this in a test environment that was installed with AD2003 (not upgraded from AD2000). Everything seems to be working fine. Surely it has something to do with the fact that my production domain was upgraded from AD2000.

    Any ideas of what I could try to rectify this?
    Wednesday, June 4, 2008 5:44 PM
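Two posts in this thread change local security settings without a way to review them afterwards: the original post switches off secure-channel signing, machine-account password changes and the UAC options and notes that "once you've joined the domain, the local policy will become obsolete anyway", and the last post grants Local Service and Network Service the "Log on as a service" and "Adjust memory quotas for a process" rights. The script below is an added example, not code from the thread or from Microsoft: it parses the INI-style template that `secedit /export /cfg <file>` writes (assumed here to record the effective settings of the local security database) and reports which of those settings are still in their weakened state and which service-account rights are missing. The mapping from policy names to registry values (RequireSignOrSeal, DisablePasswordChange, EnableLUA, FilterAdministratorToken, ConsentPromptBehaviorAdmin), to privilege constants (SeServiceLogonRight, SeIncreaseQuotaPrivilege) and to the well-known SIDs S-1-5-19 and S-1-5-20 is taken from the standard security template format; the export text itself is a constructed sample.

```python
from typing import Dict, List, Tuple

# Constructed sample of a "secedit /export /cfg <file>" template (a real export
# is UTF-16 and much longer, but uses this INI-style layout). It mirrors the
# thread: the Security Options from the first post are switched off, and the
# service accounts from the last post lack one of the two rights.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-32-544
SeServiceLogonRight = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireSignOrSeal=4,0
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\DisablePasswordChange=4,1
MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA=4,0
MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\FilterAdministratorToken=4,0
MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

NETLOGON = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
UAC = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Registry-backed Security Options: the REG_DWORD data that means "weakened",
# and the wording shown in the Local Security Policy snap-in.
WEAK_VALUES: Dict[str, Tuple[str, str]] = {
    NETLOGON + r"\RequireSignOrSeal":
        ("0", "Domain member: Digitally encrypt or sign secure channel data (always) is disabled"),
    NETLOGON + r"\DisablePasswordChange":
        ("1", "Domain member: Disable machine account password changes is enabled"),
    UAC + r"\EnableLUA":
        ("0", "UAC: Run all administrators in Admin Approval Mode is disabled"),
    UAC + r"\FilterAdministratorToken":
        ("0", "UAC: Admin Approval Mode for the Built-in Administrator account is disabled"),
    UAC + r"\ConsentPromptBehaviorAdmin":
        ("0", "UAC: elevation prompt for administrators is set to elevate without prompting"),
}

# User rights the service accounts need, by privilege constant, and the SIDs
# of LOCAL SERVICE and NETWORK SERVICE.
SERVICE_RIGHTS = {
    "SeServiceLogonRight": "Log on as a service",
    "SeIncreaseQuotaPrivilege": "Adjust memory quotas for a process",
}
SERVICE_SIDS = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}


def parse_secedit(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the template into {section: {key: value}}; ';' lines are comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def registry_dword(value: str) -> str:
    """secedit stores registry data as '<type>,<data>'; type 4 is REG_DWORD."""
    reg_type, _, data = value.partition(",")
    if reg_type.strip() != "4":
        raise ValueError(f"expected REG_DWORD (type 4), got type {reg_type!r}")
    return data.strip()


def weakened_settings(text: str) -> List[str]:
    """Describe every Security Option the template leaves in its weakened state."""
    values = parse_secedit(text).get("Registry Values", {})
    return [desc for key, (weak, desc) in WEAK_VALUES.items()
            if key in values and registry_dword(values[key]) == weak]


def privilege_holders(rights: Dict[str, str], name: str) -> List[str]:
    """SIDs holding a right; secedit writes them as '*SID,*SID' (absent = nobody)."""
    return [sid.lstrip("*") for sid in rights.get(name, "").split(",") if sid]


def missing_service_rights(text: str) -> List[str]:
    """Report each service account that lacks one of the rights in SERVICE_RIGHTS."""
    rights = parse_secedit(text).get("Privilege Rights", {})
    findings = []
    for right, label in SERVICE_RIGHTS.items():
        holders = privilege_holders(rights, right)
        for sid, account in SERVICE_SIDS.items():
            if sid not in holders:
                findings.append(f"{account} is missing '{label}' ({right})")
    return findings


if __name__ == "__main__":
    for finding in weakened_settings(SAMPLE_EXPORT) + missing_service_rights(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Run it against a real export by reading the file with `encoding="utf-16"` and passing the text to `weakened_settings` and `missing_service_rights`; an empty result from both means the hardening the original post removed is back in force and the service accounts hold the rights the last post describes. Absent rights are treated as held by nobody, which is how an unassigned privilege appears in an export.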