William P Guest
Posted: Mon May 15, 2006 7:08 pm Post subject: problems with NET LOCALGROUP
Background:
We have a mixed environment of W2K and W2K3 Domain Controllers. We are
slowly replacing our W2K DCs with W2K3 DCs. We are not upgrading them;
instead we are demoting them and reinstalling them.
All server (W2K, W2K3) and workstation (XP) installations are performed via
script.
Given a Site with a mixture of W2K and W2K3 DCs, we have had no problem
installing all types of workstations or servers. In a Site which has been
upgraded to all W2K3 DCs, we now have a problem installing ONLY W2K servers.
W2K3 member servers and XP workstations are no problem.
Our installation procedure is as follows:
Immediately after joining the domain using NETDOM and before rebooting, we
add a special account to the local Administrators using NET LOCALGROUP
Administrators <special acct> /ADD. In a mixed DC environment, this works
without a hitch. As soon as a Site has ALL W2K3 DCs, this procedure for a W2K
server does not work anymore. Running the NET LOCALGROUP command returns the
error message "System error 1789: The trust relationship between this
workstation and the primary domain failed." Rebooting the server after
joining the domain and then performing the NET LOCALGROUP works perfectly.
The only major difference between the setup of a W2K3 DC and an
installation of a W2K DC is that we have applied Hardening settings to all
W2K3 DCs, according to the MS W2K3 Security Planning Guide.
I would like to find out why we cannot use NETDOM immediately followed by
NET LOCALGROUP when joining a W2K server to a Site with all W2K3 DCs in it.
In a site with mixed W2K and W2K3 DCs, we have no problem. I am wondering if
there is a specific setting in the Security Options of the Hardening
Guidelines which we have overlooked, or if it is just NOT POSSIBLE to add a
domain account to the local Admins after joining the domain (without reboot)
in a pure W2K3 DC environment.
Any help would be greatly appreciated.
William

Joe Richards [MVP] Guest
Posted: Mon May 15, 2006 9:01 pm Post subject: Re: problems with NET LOCALGROUP
This could be an issue with anonymous resolution of the SIDs or it could be a
signing/sealing issue with the network traffic. Both of those items are found in
your domain controller GPOs.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm

William P Guest
Posted: Wed May 17, 2006 12:07 am Post subject: Re: problems with NET LOCALGROUP
Thanks Joe,
We tried relaxing these settings completely and no luck.
Do you know of any sources of information which detail the differences in a
W2K DC environment vs. a W2K3 DC environment?
William

Joe Richards [MVP] Guest
Posted: Wed May 17, 2006 2:12 am Post subject: Re: problems with NET LOCALGROUP
There really isn't a lot out there at this level. You can fish around the MSKB
trying to find things.
Possibly you will want to do a network trace and see if you can see where the
failure is coming in.
Also look at my lg command with the -r option. That was designed with this kind
of work in mind. It will let you add a non-trusted security principal to a group
before you even do the join.
http://www.joeware.net/win/free/tools/lg.htm
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
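The add-by-SID technique Joe describes for lg -r, applied to the NETDOM-then-NET LOCALGROUP procedure from the first post, as an added example that is not part of this thread and is not joeware's code. It is PowerShell, which the W2K hosts in the thread do not have, so it illustrates the approach on a current Windows box rather than dropping into William's unattended W2K install. The domain name, account name and SID are placeholders that a real installer would supply (the SID can be captured once from any working domain member with whoami /user). The point it shows: NET LOCALGROUP must resolve DOMAIN\name to a SID through the freshly created secure channel and so can fail with error 1789 (ERROR_TRUSTED_RELATIONSHIP_FAILURE), whereas NetLocalGroupAddMembers at information level 0 takes a raw SID and needs no lookup against a domain controller, so the membership can be written before the reboot. Error 1378 (ERROR_MEMBER_IN_ALIAS) is treated as success because it only means the account was already a member.

```powershell
# Added example, not from the thread. Join has already been done with NETDOM;
# this step adds a domain account to local Administrators before the reboot.
# Placeholders (assumptions): CORP.EXAMPLE, CORP\svc-build and its SID.
param(
    [string]$DomainName        = 'CORP.EXAMPLE',
    [string]$SpecialAccount    = 'CORP\svc-build',
    [string]$SpecialAccountSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
)

# NetLocalGroupAddMembers level 0 takes LOCALGROUP_MEMBERS_INFO_0, i.e. a SID
# pointer, so no name-to-SID resolution (and no working secure channel) is needed.
Add-Type @"
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    [StructLayout(LayoutKind.Sequential)]
    public struct LOCALGROUP_MEMBERS_INFO_0 { public IntPtr lgrmi0_sid; }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetLocalGroupAddMembers(
        string servername, string groupname, int level,
        ref LOCALGROUP_MEMBERS_INFO_0 buf, int totalentries);
}
"@

function Add-LocalGroupMemberBySid {
    param([string]$Group, [string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $bytes  = New-Object byte[] $sidObj.BinaryLength
    $sidObj.GetBinaryForm($bytes, 0)
    $ptr = [Runtime.InteropServices.Marshal]::AllocHGlobal($bytes.Length)
    try {
        [Runtime.InteropServices.Marshal]::Copy($bytes, 0, $ptr, $bytes.Length)
        $info = New-Object 'NetApi+LOCALGROUP_MEMBERS_INFO_0'
        $info.lgrmi0_sid = $ptr
        $rc = [NetApi]::NetLocalGroupAddMembers($null, $Group, 0, [ref]$info, 1)
        # 0 = NERR_Success, 1378 = ERROR_MEMBER_IN_ALIAS (already a member)
        if ($rc -ne 0 -and $rc -ne 1378) {
            throw "NetLocalGroupAddMembers failed with Win32 error $rc"
        }
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($ptr)
    }
}

# 1. The thread's original command. It resolves the name via the new secure
#    channel and is the call that fails with "System error 1789" in the thread.
$out = & net.exe localgroup Administrators $SpecialAccount /ADD 2>&1 | Out-String
if ($LASTEXITCODE -eq 0) {
    Write-Host "Added $SpecialAccount by name."
} elseif ($out -match 'System error 1789') {
    # 2. Secure channel not usable yet: write the membership by SID instead.
    Write-Warning "Name lookup failed (1789); adding $SpecialAccountSid by SID."
    Add-LocalGroupMemberBySid -Group 'Administrators' -Sid $SpecialAccountSid
} else {
    throw "net localgroup failed: $out"
}

# 3. Verify. Until the channel works the member is listed as an unresolved
#    S-1-5-21-... SID; after the post-join reboot it resolves to DOMAIN\name.
& net.exe localgroup Administrators
# Optional check of the channel itself (nltest ships in the Support Tools on
# W2K/W2K3): nltest /sc_query:$DomainName
```

Adding by SID only avoids the lookup; if the machine account or secure channel is genuinely broken, the post-reboot NET LOCALGROUP in the thread would still be the first sign of it, so the nltest query is worth keeping in the install log.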

Jorge Silva Guest
Posted: Wed May 17, 2006 5:31 am Post subject: Re: problems with NET LOCALGROUP
Hi
Check here for some changes between 2000 and 2003:
How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
http://support.microsoft.com/?id=325379
--
I hope that helps
Good Luck
Jorge Silva
MCSA
Systems Administrator

William P Guest
Posted: Wed May 17, 2006 10:29 am Post subject: Re: problems with NET LOCALGROUP
Thanks again Joe,
The network trace is worth trying.
In our environment, all workstations and servers are installed and
configured using an unattended procedure. This unattended procedure can only
be changed when we release a new version of the procedure. Therefore, I
cannot modify the installation procedure to use your tool.
We have a work-around for the next version of our release which simply
reboots the server after joining the domain before it adds our special
account to the local administrators.
We have the notion that it is caused by a setting in our "Hardening"
settings for W2K3 DCs. This is the only difference between older W2K DCs and
our new W2K3 DCs. I was hoping it would be easy to rectify by changing a
security setting.
Another option I have would be to install a new Child domain with only W2K3
DCs and NO hardening settings. My problem is time!
Thanks for the info.
William