Unable to join domain

[NoDoze]

I'm running build 7201 and am unable to join a domain.

I'm able to join the domain ok with WinXP.

Anyone have a solution or seen anything about this issue?

 

[pparks1]

I'm running build 7201 and am unable to join a domain.

I'm able to join the domain ok with WinXP.

Anyone have a solution or seen anything about this issue?

What version of Window 7 are you using and are you getting an error message when you try to join the domain?

 

[NoDoze]

I'm running build 7201 and am unable to join a domain.

The credentials popup, enter my username and password, then I get:

The specified domain either does not exist or could not be contacted

Trying to connect to a samba domain controller.

domain is 12 characters...domain, not domain.com

 

[NoDoze]

Anyone have any ideas?

 

[pparks1]

Try giving this a shot;

Control Panel - Administrative Tools - Local Security Policy

Local Policies - Security Options



Network security: LAN Manager authentication level
Send LM & NTLM responses

Minimum session security for NTLM SSP
Disable Require 128-bit encryption

 

[NoDoze]

No go....didn't work, same error message

 

[SquonkSC]

No go....didn't work, same error message

This is very hard to troubleshoot, there are to many variables.
It's probably an active directory setting on the domainserver.

The best thing you can do is to contact the domain administrator for help.

Good luck.

 

[NoDoze]

LOL I AM THE DOMAIN ADMINISTRATOR! ROFLOL

It would help to explain what "all the variables" means...

XP and linux PCs all connect fine....it's something different in Windows 7...but what could it be???

 

[SquonkSC]

LOL I AM THE DOMAIN ADMINISTRATOR! ROFLOL

It would help to explain what "all the variables" means...

XP and linux PCs all connect fine....it's something different in Windows 7...but what could it be???

Ok,

What OS does the domain server have?

Have you disabled Home networking in win7?
Also checked the properties "Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing"
settings like "network discovery", "allow windows...." instead of "use useraccount to connect....."

Is the computer wired or wireless?
Have you done any tweaks or hacks to services, any services disabled?
(particularly TCP/IP net bios ... service)
What policies have you set on your domainserver regarding login security, password encryption?

Any of these things can be the reason why it won't work, that's why I said, to many variables.

But I'm willing to take the challenge and see if we can fix it.

So provide us with as much info as possible.
Also the system specs of the machines, type networkcard etc..

greetz

 

[fredjonze]

I'm also having problems joining a domain with Win7 RTM...

I previously used an XP computer on the domain wth a name like 'mylaptop'.
I replaced the drive and have Windows 7 Ultimate installed and am unable to join the computer 'mylaptop' to the domain. I've done these things...
1. Ran NSLOOKUP to verify I can see the domain controller
2. Manually entered the DC IP number in DNS
3. Disable IPv6
4. Enabled netbios over TCP
5. Can successfully ping both DCs
6. Disabled all firewalls
7. Tweaked secpol.msc settings as described in other posts
8. Asked the domain administrator to manually remove the mylaptop account from the domain.
I'm not an admin, but I was given rights to join a computer to the domain. I can successfully use remoted desktop to get to other computers. I can browse the network and manually enter credentials to see shares. Networking seems to be OK.
When I attempt to join, I get the message:
Your computer could not be joined to the domain because the following error has occurred: No mapping between account names and security IDs was done.
or this error:
The join operation was not successful. The could be because an existing computer account having the name xxxx was previously created using a different set of credentials. Access is denied.

I verified that the account was in fact deleted.

I tried using Powershell's add-computer (run as admin) cmdlet with no success (apparently there are bugs).

I tried all of the suggestions below with no success...

LukeSkywalker wrote:
Hello,

Before I go any further, this posting is a solution (or an article to give ideas) for those people that are having problems with Vista in a corporate or advanced home networking environment. Sometimes, I am so upset by the problems I encounter when using computers that I have to do my bit for world peace and share some knowledge in the vain hope that others may be spared the frustration.

Problem: When adding a computer running Windows Vista to a domain, you receive the following error:

Access Denied

In fact, there's a lot more to the error message than this, but it ends with those two words. I've tried to recall the rest of the long message but the jist of it is that its saying it could be caused by an existing computer account on the domain and to rename the machine or remove the account - which is all lies.

Solution: Unsecure your Vista PC, because afterall, there's no way of pinpointing which of the millions of restrictions are preventing you from getting on with your life.

I admit that I have muddied the waters somewhat as another error I was receiving told me that the SRV record for my DC was not available in DNS*, but essentially I did the following:

Ensured that the problem was due to local rights by entering an intentionally incorrect domain administrator username and password - this gave a different error message
Opened MMC (mmc.exe) and added the Local Computer Policy snap-in (File menu).
Navigated to Computer Configuration\Windows Settings\Security Settings\Local Policies
Opened User Rights Assignments
Added the Administrators group to the right: Add workstations to domain
Opened Security Options
Disabled the option: Domain member: Digitally encrypt or sign secure channel data (always)
Disabled the option: Domain member: Disable machine account password changes
Disabled the option: User Account Control: Admin approval mode for the Built-in Administrator account
Set "Elevate without prompting" on: User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode
Disabled the option: User Account Control: Run all administrators in Admin Approval Mode
Opened Windows Firewall with Advanced Security
Switched off Windows Firewall for all three profiles
Ensured that my time settings and timezone were the same as the server's
Upgraded my newly installed Windows 2000 domain controller to SP3
Note that once you've joined the domain, the local policy will become obsolete anyway.

Now Reboot. Although apparently happening live (Vista doesn't hesitate in putting up a red shield in the system tray as soon as you tweak the settings), the solution needs a restart. I only did this after reading that with UAC switched on, your administrative account actually runs Explorer with two security tokens, and most activities are performed using the plebian user token (so you're never really an admin) - this led me to think that the add to domain wizard was actually running in pleb mode. The restart worked and I was able to get myself on my domain. The end.

I must admit that it is a shame that Windows cannot tell you what settings are effecting a security block. The solution becomes one of all or nothing; my new-build apartment has a legally required smoke-detector just above the door to the kitchen - you know, that place where you make heat and smoke - consequently I've had to crippled it with a rubber item usually associated with birth control. So I am unprotected from fire in the living room and I am unprotected by Microsoft's new security features.

 

[NoDoze]

What OS does the domain server have?

It's a zimbra server running OpenLDAP on centos 5.

Have you disabled Home networking in win7?

Nope, I dunno how to...

Also checked the properties "Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing"
settings like "network discovery", "allow windows...." instead of "use useraccount to connect....."

Network Discovery is on, and HomeGroup connections "allow Windows..." is checked on.

Is the computer wired or wireless?

wired.

Have you done any tweaks or hacks to services, any services disabled?
(particularly TCP/IP net bios ... service)

Not that I know of...everything is still default...

What policies have you set on your domainserver regarding login security, password encryption?

zimbra's openldap uses posix and samba.

I'm wondering if an update to Win7RC may solve the problem...? Downloading it now....

 

[SquonkSC]

I'm also having problems joining a domain with Win7 RTM...

Your computer could not be joined to the domain because the following error has occurred: No mapping between account names and security IDs was done.
or this error:
The join operation was not successful. This could be because an existing computer account having the name xxxx was previously created using a different set of credentials. Access is denied.

Did the administrator delete the machine account as well?
the machine account logs the machine ID in active directory.

The user account is tied to the machine account.
So deleting only the user account is not sufficient.

the only way to solve this is to make sure the affected computer is physically disconnected from the network.

then the admin deletes both the user and the machine account.

Then it has to work.

good luck


EDIT: The user profile also has to be deleted. (after data has been backed up)

 

[zigzag3143]

nodoze

Win 7 can either make a homegroup (for home networking) or set up a "work" network connection. If you are in homegroup on win 7 it will give you grief
Ken

 

[NoDoze]

I'm in the Work Network.

1. Ran NSLOOKUP to verify I can see the domain controller - Yes I can.
2. Manually entered the DC IP number in DNS - Yes I have.
3. Disable IPv6 - Yes, disabled
4. Enabled netbios over TCP - Yes, enabled.
5. Can successfully ping both DCs - Yes, can ping both.
6. Disabled all firewalls - no firewalls enabled.
7. Tweaked secpol.msc settings as described in other posts - yes, tweaked everything.

 

[SquonkSC]

I'm in the Work Network.

1. Ran NSLOOKUP to verify I can see the domain controller - Yes I can.
2. Manually entered the DC IP number in DNS - Yes I have.
3. Disable IPv6 - Yes, disabled
4. Enabled netbios over TCP - Yes, enabled.
5. Can successfully ping both DCs - Yes, can ping both.
6. Disabled all firewalls - no firewalls enabled.
7. Tweaked secpol.msc settings as described in other posts - yes, tweaked everything.

Thanks NoDoze,

In one previous post you wrote

and HomeGroup connections "allow Windows..." is checked on.

It needs to be on "use user accounts and password......"

Not that this alone will fix it, but it's one of the possibly several settings blocking the access.

Sadly I don't know any thing about samba servers, so if maybe my next questions are ignorant, forgive me.

On windows domains you need to make machine accounts, not only user accounts and userprofiles.

How does that work on your server? Do you have to make a machine account? And did you make one? did you delete it before connecting the win7 client to the server?

Did you flush the dns cache on both the server and the client?

On the client it's ipconfig /flushdns (in command prompt)

I'm sorry if I can't be more helpful to you. I only have the knowledge of Windows servers.

Good luck

 

[NoDoze]

Made the changes you mentioned....
I flushed the DNS and made the change u mentioned above....

The way the zimbra server is setup, when the user logs into the domain the first time, the PC is authorized and added to the DC. So far, since I haven't been able to connect with the Win7 PC, the PC still isn't authorized with the DC.

same error...

Hopefully the update to RC does the trick! heh....

 

[SquonkSC]

Made the changes you mentioned....

The way the zimbra server is setup, when the user logs into the domain the first time, the PC is authorized and added to the DC. So far, since I haven't been able to connect with the Win7 PC, the PC still isn't authorized with the DC.

And there are no traces of the previous install still on the server?

On a windows server you have to erase user account, machine account and user profile.

On the Win7 machine go through the services to see if some service to do with domain is stopped.

Also in the policies of the win7 computer there might be some setting about how authentication is checked when login on to a domain.
Maybe there is a discrepancy there.

Like I said in my first post, this is complicated stuff because it can be a culmination of factors.

Sorry if this doesn't help.

greetz

 

[fredjonze]

Unable to join domain, update

Update:
I took the laptop to a domain admin and he was able to join the computer to the domain. It appears that even though I have rights to join to a domain, in XP, that doesn't mean it will work in Win7. Is there another permission that needs to be granted for a non-domain admin to be able to join to a domain?
Thx

 

[Captain Zero]

Is there a router involved? This could be a simple firewall/port issue.

 

[zigzag3143]

LOL I AM THE DOMAIN ADMINISTRATOR! ROFLOL

It would help to explain what "all the variables" means...

XP and linux PCs all connect fine....it's something different in Windows 7...but what could it be???

You are the Domain admin right

Update:
I took the laptop to a domain admin and he was able to join the computer to the domain. It appears that even though I have rights to join to a domain, in XP, that doesn't mean it will work in Win7. Is there another permission that needs to be granted for a non-domain admin to be able to join to a domain?
Thx

You took this to a domain admin?? different domain? he was able to join it. whats different abt his setup from yours?

Ken