Bruce,
My Sif file has always been %machinedomain% however I will try hardcoding it
in the SIF file to see if it resolves the problem. However is seems to be a
communication issue with the domain controllers. I downgraded the Domain
controller running RIS. The build works fine when the workstation resolves
the Pre SP1 domain controller, but fails if it resolves to the SP1 server
when it attempts to join the domain. I suspect it is additional security for
anymous connections.

Tim
"Bruce Musgrove" wrote:

>
> [Identification]
> JoinDomain=%MACHINEDOMAIN%
>
> In your sif file possibly?
>
> Something similar happened to me after one of my updates (maybe after
> mofiying the SIF ile using the answer file wizard) and
> "JoinDomain=my.domain.org" had changed to "
> "JoinDomain=%MACHINEDOMAIN%"
>
>
> "TIMM" <TIMM@discussions.microsoft.com> wrote in message
> news:B23195B0-3C7C-48B7-82F1-1FFFD1BCD815@microsoft.com...
> > I forgot to mention that the Setuperr.log reports the following
> > Error:
> > Netsetup:Join domain XXXXXXXX in full unattended mode failed. Setup will
> > proceed to add the workstation to the default domain.
> >
> > However I am able to add the workstation to the damain if I login locally
> > and then add the workstation to the domain.
> >
> > Tim
> >
> > "TIMM" wrote:
> >
> > > After upgrading to W2k3 sp1, XP sp2 pc's built via RIS fail to join the
> the
> > > domain even though the workstation account are being created by RIS
> during
> > > the built process. Prior to the upgrade over 300 pc's had been deployed
> via
> > > RIS and this issue is occuring on multiple servers. Rolling back SP1
> does
> > > seem to resolve the issue. Also RIS is running on domain controllers.
> > >
> > > Any assistance or recommendations would be appreciated
>
>
>

Thanks for the advice TIMM. I have removed SP1 and RIS builds work fine. I
notice in the book of SP1 there is a section about modifications to the SAMR
and LSAR protocols.

When my builds run successfully without SP1 you get the following lines in
the netsetup.log: -

09/13 13:44:54 NetpJoinDomain: w9x: status of validating account: 0x0

The w9x is presumably a reference to old style domain joining. The book of
SP1 states that if the SAMR and LSAR modifications stop your code working you
will need to modify your code.

Could this mean that the Sysprep\RIS\Riprep needs patching, or is it a
problem that slipped under the testing radar?


"TIMM" wrote:

> Bruce,
> My Sif file has always been %machinedomain% however I will try hardcoding it
> in the SIF file to see if it resolves the problem. However is seems to be a
> communication issue with the domain controllers. I downgraded the Domain
> controller running RIS. The build works fine when the workstation resolves
> the Pre SP1 domain controller, but fails if it resolves to the SP1 server
> when it attempts to join the domain. I suspect it is additional security for
> anymous connections.
>
> Tim
> "Bruce Musgrove" wrote:
>
> >
> > [Identification]
> > JoinDomain=%MACHINEDOMAIN%
> >
> > In your sif file possibly?
> >
> > Something similar happened to me after one of my updates (maybe after
> > mofiying the SIF ile using the answer file wizard) and
> > "JoinDomain=my.domain.org" had changed to "
> > "JoinDomain=%MACHINEDOMAIN%"
> >
> >
> > "TIMM" <TIMM@discussions.microsoft.com> wrote in message
> > news:B23195B0-3C7C-48B7-82F1-1FFFD1BCD815@microsoft.com...
> > > I forgot to mention that the Setuperr.log reports the following
> > > Error:
> > > Netsetup:Join domain XXXXXXXX in full unattended mode failed. Setup will
> > > proceed to add the workstation to the default domain.
> > >
> > > However I am able to add the workstation to the damain if I login locally
> > > and then add the workstation to the domain.
> > >
> > > Tim
> > >
> > > "TIMM" wrote:
> > >
> > > > After upgrading to W2k3 sp1, XP sp2 pc's built via RIS fail to join the
> > the
> > > > domain even though the workstation account are being created by RIS
> > during
> > > > the built process. Prior to the upgrade over 300 pc's had been deployed
> > via
> > > > RIS and this issue is occuring on multiple servers. Rolling back SP1
> > does
> > > > seem to resolve the issue. Also RIS is running on domain controllers.
> > > >
> > > > Any assistance or recommendations would be appreciated
> >
> >
> >

SP1 introduced additonal RPC and SAMR security and during the upgrade SP1
adds new entries to NULL Session Pipes. However if you set the " Network
access: Named Pipes that can be accessed anonymously" Group policy then the
updates that SP1 will be over written and thus the workstation will not have
the ability to access SAMR in order to confirm a workstation account exists
in AD.

To fix this problem, set the following registry key
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\lan manserver\parameters\NullSessionPipes" and or Group Policy should include the following entries.

COMNAP
COMNODE
SQL\QUERY
SPOOLSS
LLSRPC
EPMAPPER
LOCATOR
TrkWks
TrkSvr
Browser
Netlogon
LSArpc
samr

Please let me know if this resolves your problem

Good luck!
Tim


"gherkin" wrote:

> Thanks for the advice TIMM. I have removed SP1 and RIS builds work fine. I
> notice in the book of SP1 there is a section about modifications to the SAMR
> and LSAR protocols.
>
> When my builds run successfully without SP1 you get the following lines in
> the netsetup.log: -
>
> 09/13 13:44:54 NetpJoinDomain: w9x: status of validating account: 0x0
>
> The w9x is presumably a reference to old style domain joining. The book of
> SP1 states that if the SAMR and LSAR modifications stop your code working you
> will need to modify your code.
>
> Could this mean that the Sysprep\RIS\Riprep needs patching, or is it a
> problem that slipped under the testing radar?
>
>
> "TIMM" wrote:
>
> > Bruce,
> > My Sif file has always been %machinedomain% however I will try hardcoding it
> > in the SIF file to see if it resolves the problem. However is seems to be a
> > communication issue with the domain controllers. I downgraded the Domain
> > controller running RIS. The build works fine when the workstation resolves
> > the Pre SP1 domain controller, but fails if it resolves to the SP1 server
> > when it attempts to join the domain. I suspect it is additional security for
> > anymous connections.
> >
> > Tim
> > "Bruce Musgrove" wrote:
> >
> > >
> > > [Identification]
> > > JoinDomain=%MACHINEDOMAIN%
> > >
> > > In your sif file possibly?
> > >
> > > Something similar happened to me after one of my updates (maybe after
> > > mofiying the SIF ile using the answer file wizard) and
> > > "JoinDomain=my.domain.org" had changed to "
> > > "JoinDomain=%MACHINEDOMAIN%"
> > >
> > >
> > > "TIMM" <TIMM@discussions.microsoft.com> wrote in message
> > > news:B23195B0-3C7C-48B7-82F1-1FFFD1BCD815@microsoft.com...
> > > > I forgot to mention that the Setuperr.log reports the following
> > > > Error:
> > > > Netsetup:Join domain XXXXXXXX in full unattended mode failed. Setup will
> > > > proceed to add the workstation to the default domain.
> > > >
> > > > However I am able to add the workstation to the damain if I login locally
> > > > and then add the workstation to the domain.
> > > >
> > > > Tim
> > > >
> > > > "TIMM" wrote:
> > > >
> > > > > After upgrading to W2k3 sp1, XP sp2 pc's built via RIS fail to join the
> > > the
> > > > > domain even though the workstation account are being created by RIS
> > > during
> > > > > the built process. Prior to the upgrade over 300 pc's had been deployed
> > > via
> > > > > RIS and this issue is occuring on multiple servers. Rolling back SP1
> > > does
> > > > > seem to resolve the issue. Also RIS is running on domain controllers.
> > > > >
> > > > > Any assistance or recommendations would be appreciated
> > >
> > >
> > >

Bingo! It works now I have addedd the extra entries to that key.

It appears that the policy had been set previoulsy but when the policy was
removed the settings remained in the registry. I notice the registry key
HKLM\system\currentcontrolset\services\lanmanserve r\parameters\restrictnullsessaccess
is set to 1. Is this turned on by default by SP1 or is it that if the group
policy setting is set to not defined any settings placed there by previous
policies are not specifically removed unless you select diabled?

Thanks.

"TIMM" wrote:

> SP1 introduced additonal RPC and SAMR security and during the upgrade SP1
> adds new entries to NULL Session Pipes. However if you set the " Network
> access: Named Pipes that can be accessed anonymously" Group policy then the
> updates that SP1 will be over written and thus the workstation will not have
> the ability to access SAMR in order to confirm a workstation account exists
> in AD.
>
> To fix this problem, set the following registry key
> "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\lan manserver\parameters\NullSessionPipes" and or Group Policy should include the following entries.
>
> COMNAP
> COMNODE
> SQL\QUERY
> SPOOLSS
> LLSRPC
> EPMAPPER
> LOCATOR
> TrkWks
> TrkSvr
> Browser
> Netlogon
> LSArpc
> samr
>
> Please let me know if this resolves your problem
>
> Good luck!
> Tim
>
>
> "gherkin" wrote:
>
> > Thanks for the advice TIMM. I have removed SP1 and RIS builds work fine. I
> > notice in the book of SP1 there is a section about modifications to the SAMR
> > and LSAR protocols.
> >
> > When my builds run successfully without SP1 you get the following lines in
> > the netsetup.log: -
> >
> > 09/13 13:44:54 NetpJoinDomain: w9x: status of validating account: 0x0
> >
> > The w9x is presumably a reference to old style domain joining. The book of
> > SP1 states that if the SAMR and LSAR modifications stop your code working you
> > will need to modify your code.
> >
> > Could this mean that the Sysprep\RIS\Riprep needs patching, or is it a
> > problem that slipped under the testing radar?
> >
> >
> > "TIMM" wrote:
> >
> > > Bruce,
> > > My Sif file has always been %machinedomain% however I will try hardcoding it
> > > in the SIF file to see if it resolves the problem. However is seems to be a
> > > communication issue with the domain controllers. I downgraded the Domain
> > > controller running RIS. The build works fine when the workstation resolves
> > > the Pre SP1 domain controller, but fails if it resolves to the SP1 server
> > > when it attempts to join the domain. I suspect it is additional security for
> > > anymous connections.
> > >
> > > Tim
> > > "Bruce Musgrove" wrote:
> > >
> > > >
> > > > [Identification]
> > > > JoinDomain=%MACHINEDOMAIN%
> > > >
> > > > In your sif file possibly?
> > > >
> > > > Something similar happened to me after one of my updates (maybe after
> > > > mofiying the SIF ile using the answer file wizard) and
> > > > "JoinDomain=my.domain.org" had changed to "
> > > > "JoinDomain=%MACHINEDOMAIN%"
> > > >
> > > >
> > > > "TIMM" <TIMM@discussions.microsoft.com> wrote in message
> > > > news:B23195B0-3C7C-48B7-82F1-1FFFD1BCD815@microsoft.com...
> > > > > I forgot to mention that the Setuperr.log reports the following
> > > > > Error:
> > > > > Netsetup:Join domain XXXXXXXX in full unattended mode failed. Setup will
> > > > > proceed to add the workstation to the default domain.
> > > > >
> > > > > However I am able to add the workstation to the damain if I login locally
> > > > > and then add the workstation to the domain.
> > > > >
> > > > > Tim
> > > > >
> > > > > "TIMM" wrote:
> > > > >
> > > > > > After upgrading to W2k3 sp1, XP sp2 pc's built via RIS fail to join the
> > > > the
> > > > > > domain even though the workstation account are being created by RIS
> > > > during
> > > > > > the built process. Prior to the upgrade over 300 pc's had been deployed
> > > > via
> > > > > > RIS and this issue is occuring on multiple servers. Rolling back SP1
> > > > does
> > > > > > seem to resolve the issue. Also RIS is running on domain controllers.
> > > > > >
> > > > > > Any assistance or recommendations would be appreciated
> > > >
> > > >
> > > >