Ghost Solution Suite


GSS 2.0.2 - Joining computers to domain fails with odd error message

  • 1.  GSS 2.0.2 - Joining computers to domain fails with odd error message

    Posted Aug 22, 2008 10:49 AM

    Hello,

     

    I'm trying to image a number of WinXP SP2 to SP3 laptops with GSS 2.0.2 on a Windows Server 2008 (x64) domain server, and every step in the process is marked with Success except for the second Configuration which is marked with WARNING and the following error message "Failed to join domain [NEW_DOMAIN]: The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

     

    The server I'm running GSS on is a domain server on [NEW_DOMAIN] and should have no problem joining a computer to the domain, and the creation of the computer account goes through without a hitch.

     

    I've tried adding the Ghost[SERVER] user to the Domain Admins group to see if the problem was insufficient rights on the domain but the error message remains.

     

    Previous imagings on [OLD_DOMAIN] have been run without ghostwalker or sysprep (bad form I know) but we've had no problems doing so. I thought that Windows Server 2008 might be more sensitive to SSID conflicts so I've run a separate imaging with the GhostWalker SSID changer, but still no luck. Besides if it was a matter of SSID conflicts I should be blocked from joining the computers manually, but that's not a problem.

     

    Part of the imaging process is moving the laptops from [OLD_DOMAIN] to [NEW_DOMAIN] and at first I thought that somehow the credentials from [OLD_DOMAIN] were being retained after the Clone-operation so I tested to add a laptop to [NEW_DOMAIN] manually and reinstall the client, but I'm still getting the same error.

     

    Google and the GSS documentation are less than helpful, so I'm hoping someone here can shed some light on this, or at least point me in the right direction to resolve this.



  • 2.  RE: GSS 2.0.2 - Joining computers to domain fails with odd error message

    Posted Aug 22, 2008 11:40 AM

    Two supplementary comments to this problem:

    1. This error occurs both with a Clone + Configure task and just a Configure task.
    2. The error seems to be linked with the following errors in the System Event Log:
      Event ID: 5722 NETLOGON (The session setup from the computer [COMPUTER NAME] failed to authenticate. The name(s) of the account(s) referenced in the security database is [COMPUTER NAME]$.  The following error occurred:
      The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you. )
      Event ID: 5805 NETLOGON (The session setup from the computer [COMPUTER NAME] failed to authenticate. The following error occurred:
      Access is denied.)
    Message Edited by DGymn on 08-22-2008 08:44 AM


  • 3.  RE: GSS 2.0.2 - Joining computers to domain fails with odd error message
    Best Answer

    Posted Aug 25, 2008 04:43 PM

    I was able to get around the problem you are describing with Server 2008 by changing the default domain controller policy to allow cryptography algorithms compatible with Windows NT 4.0.  I believe the policy is located here:

     

    Default Domain Controller Policy-->Computer Configuration-->Policies-->Administrative Templates-->System-->Net Logon

     

    Hope this helps.



  • 4.  RE: GSS 2.0.2 - Joining computers to domain fails with odd error message

    Posted Aug 26, 2008 02:09 PM
    I was wondering if anyone from Symantec would comment on this.  We just recently upgraded our DCs to Server 2008 and at the same time are disallowing the NT 4.0 cryptography algorithms.  Are there any plans to change the method that Ghost uses to join computers to the domain?  I'm having limited success using netdom and would love to have the old way back.


  • 5.  RE: GSS 2.0.2 - Joining computers to domain fails with odd error message

    Posted Aug 27, 2008 03:05 AM

    gddickin: Thank you! That did the trick.

    It didn't seem like an obvious solution considering the results I got from my own searches of the error message, how did you find this answer?

     

    A follow-up question, that you or someone else here hopefully knows the answer to:

    • Has this behavior been changed in GSS 2.5, i.e. would that be one reason to upgrade to the latest version of GSS?


  • 6.  RE: GSS 2.0.2 - Joining computers to domain fails with odd error message

    Posted Aug 27, 2008 02:51 PM

    DGymn wrote:

    gddickin: Thank you! That did the trick.

    It didn't seem like an obvious solution considering the results I got from my own searches of the error message, how did you find this answer?

     

    A follow-up question, that you or someone else here hopefully knows the answer to:

    • Has this behavior been changed in GSS 2.5, i.e. would that be one reason to upgrade to the latest version of GSS?

    A post I read on this forum got me looking at the log file Windows creates when attempting to join a domain (%systemroot%\debug\netsetup.log).  In the logs from machines that failed to join the domain I found this error in common:

     

    NetpJoinDomain: w9x: status of validating account: 0x4f1

     

    A quick search led me to this Microsoft KB article:

     

     http://support.microsoft.com/kb/942564

     

    As for your second question, unfortunately this behavior still exists in GSS 2.5
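
Added example (not part of the original thread, and not Symantec or Microsoft code): a Python triage helper that scans collected netsetup.log text for failing join steps like the one quoted in the post above and names the Win32 status code. The function names, the timestamp layout, and the sample lines other than the `w9x: status of validating account` line are assumptions constructed for illustration.

```python
import re

# Win32 status codes (winerror.h) matching the errors quoted in this thread.
KNOWN_CODES = {
    0x5: "ERROR_ACCESS_DENIED",         # "Access is denied." (event 5805, post 2)
    0x34: "ERROR_DUP_NAME",             # duplicate-name message (post 9)
    0x4F1: "ERROR_DOWNGRADE_DETECTED",  # "possible attempt to compromise security"
}

# Matches "<NetpFunction>: <step description>: 0x<hex status>" at end of line,
# with or without a leading timestamp.
STATUS_RE = re.compile(r"(Netp\w+):\s*(.*?):\s*0x([0-9A-Fa-f]+)\s*$")


def failed_steps(log_text):
    """Return (function, step, code, name) for every non-zero status line."""
    failures = []
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if not m:
            continue
        code = int(m.group(3), 16)
        if code != 0:
            name = KNOWN_CODES.get(code, "UNKNOWN")
            failures.append((m.group(1), m.group(2), code, name))
    return failures


def downgrade_rejected(log_text):
    """True when any join step failed with 0x4f1, the code from this thread."""
    return any(code == 0x4F1 for _, _, code, _ in failed_steps(log_text))


# Constructed sample log; host and domain names are placeholders.
SAMPLE_LOG = r"""
08/27/2008 14:40:02 NetpValidateName: name 'NEWDOMAIN' is valid for type 3
08/27/2008 14:40:03 NetpJoinDomain: status of connecting to dc '\\DC01': 0x0
08/27/2008 14:40:04 NetpJoinDomain: w9x: status of validating account: 0x4f1
08/27/2008 14:40:04 NetpDoDomainJoin: status: 0x4f1
"""

if __name__ == "__main__":
    for func, step, code, name in failed_steps(SAMPLE_LOG):
        print(f"{func}: {step} -> {code:#x} ({name})")
```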



  • 7.  RE: GSS 2.0.2 - Joining computers to domain fails with odd error message

    Posted Nov 20, 2009 03:41 PM

    I installed this patch from Microsoft and I can join Windows XP SP3 computers to a W2k8 domain controller without having to modify the default domain controller policy.

    Install this patch http://support.microsoft.com/kb/944043/en-us on Windows XP only, not on Domain Controller.



  • 8.  RE: GSS 2.0.2 - Joining computers to domain fails with odd error message

    Posted Nov 20, 2009 11:35 PM
    Thanks for the heads-up on this patch; if this does resolve this particular message (which is innate to the internals of the NetJoinDomain API in Windows, rather than in our code) then that is great news. I'll pass this on to our QA team so they can have a look at this and see how it works in the test environments for GSS.


  • 9.  RE: GSS 2.0.2 - Joining computers to domain fails with odd error message

    Posted Nov 21, 2009 08:34 AM
    Hi

    This works partly.

    Now Ghost is giving another error for joining the domain: "You were not connected because a duplicate name exists on the network"

    edit: OK now it works! It works with winpe but not with pcdos.



  • 10.  RE: GSS 2.0.2 - Joining computers to domain fails with odd error message

    Posted May 07, 2010 07:47 AM
    Hello everybody,

    Question: Has this issue been fixed in the newest 2.5.1 GSS release? It really would be time.

    Asking because our IT Department is going to upgrade our Windows domain to Windows 2008 R2 soon and they will for sure not accept changing the "Default Domain Controller Policy" to allow cryptography algorithms compatible with Windows NT 4.0.

    Can anybody confirm that the workaround proposed above (Windows 2008 RODC compatibility pack) fixes the issue for Windows XP SP3 100%? What about Windows 7 clients? Do they suffer from the same problem or is it working flawlessly there?

    Kind regards,
    Oliver