So, as we continue to upgrade our DCs in our domain to WS08, we ran across a new problem. Thought I'd share as it may just save some pain or even a PSS call for anyone else who might run across this.
Our techs started reporting that when imaging machines in our AD site, machines would "randomly" not join the domain. You could re-image the same machine, and it might or might not join the domain the next time.

We currently use WDS in mixed mode with flat-file RIS images, with WDS running on a WS03 R2 SP2 server. Imaging servers are not being upgraded yet as we are not ready to run WDS in native mode. As of last Monday when the problems escalated, I'd upgraded 2 of 3 DCs in our AD site to WS08, and our techs were doing an increased amount of imaging last week due to our being on Spring Break.

So after MUCH digging and discovery of the very useful c:\windows\debug\netsetup.log (http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1224892,00.html#), I confirmed that the domain joins were failing if the computers would talk to a WS08 DC, but were fine against a WS03 DC.

I found the following KB: http://support.microsoft.com/kb/942564, which describes the problem. To find the policy you need to set in the KB, you must first load the WS08 .admx templates - I could not even see the option prior to loading them. This alone did not fix it though. I had to combine adding the policy with something I found on Google and had tried previously. Many people reported a similar problem after upgrading WS03 to SP1 (http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.general/2005-11/msg01171.html), and had to edit the value for HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes. I compared this value on my upgraded DCs to what existed on the single WS03 DC, made adjustments, and rebooted, after which imaging talking to WS08 DCs started working again.

The list in this value after a WS08 upgrade includes ONLY "Browser". From the WS03 DC, it includes:

    COMNAP
    COMNODE
    SQL\QUERY
    SPOOLSS
    NETLOGON
    LSARPC
    SAMR
    BROWSER

I have yet to back off the registry values a few at a time to pinpoint which one specifically is needed. I suspect NETLOGON did the trick, but have other fish to fry at the moment.

-Bonnie
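To repeat the comparison described in the post across several DCs, here is an added PowerShell example (not part of the original post). The host names are hypothetical, and it assumes the Remote Registry service on each DC is reachable with administrative rights; it only reads the value and reports the differences.

```powershell
# Hypothetical host names (not from the post); replace with your own DCs.
$ReferenceDC = 'DC-WS03'                  # DC where domain joins still succeed
$UpgradedDCs = 'DC-WS08-1', 'DC-WS08-2'   # DCs upgraded to WS08

$KeyPath   = 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$ValueName = 'NullSessionPipes'

function Get-NullSessionPipes {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # Read-only access through the Remote Registry service on the target.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hklm.OpenSubKey($KeyPath)
        if ($null -eq $key) { throw "Key $KeyPath not found on $ComputerName" }
        try {
            # REG_MULTI_SZ is returned as string[]; drop empty entries and
            # normalise case so "Browser" and "BROWSER" compare as equal.
            $raw = $key.GetValue($ValueName)
            @($raw | Where-Object { $_ } |
                ForEach-Object { $_.Trim().ToUpperInvariant() })
        } finally { $key.Close() }
    } finally { $hklm.Close() }
}

$reference = Get-NullSessionPipes -ComputerName $ReferenceDC

foreach ($dc in $UpgradedDCs) {
    $current = Get-NullSessionPipes -ComputerName $dc
    # Every entry in this value is a named pipe reachable without
    # authentication, so report both directions of the difference.
    $missing = @($reference | Where-Object { $current -notcontains $_ })
    $extra   = @($current   | Where-Object { $reference -notcontains $_ })
    New-Object PSObject -Property @{
        DC                 = $dc
        Current            = $current -join ', '
        MissingVsReference = $missing -join ', '
        ExtraVsReference   = $extra -join ', '
    } | Format-List DC, Current, MissingVsReference, ExtraVsReference
}
```

The MissingVsReference column is the candidate list to test one entry at a time when narrowing down which pipe the domain join actually needs.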
