Microsoft KB Archive/925632

= A computer cannot join a domain after you upgrade to Windows Server 2003 Service Pack 1 =

Article ID: 925632

Article Last Modified on 10/11/2007


APPLIES TO


 * Microsoft Windows Server 2003 SP1
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems




SYMPTOMS
A computer that is running Microsoft Windows Server 2003 may be unable to join the domain of which it is a member after you upgrade it to Windows Server 2003 Service Pack 1 (SP1).

When this problem occurs, entries that resemble the following may be logged in the Netsetup.log file:

11/02 11:07:37 NetpDoDomainJoin

11/02 11:07:37 NetpMachineValidToJoin: 'SERVER2'

11/02 11:07:37 NetpGetLsaPrimaryDomain: status: 0x0

11/02 11:07:37 NetpMachineValidToJoin: status: 0x0

11/02 11:07:37 NetpJoinDomain

11/02 11:07:37 Machine: SERVER2

11/02 11:07:37 Domain: corp.woodgrove.com

11/02 11:07:37 MachineAccountOU: (NULL)

11/02 11:07:37 Account: woodgrove\administrator

11/02 11:07:37 Options: 0x25

11/02 11:07:37 OS Version: 5.2

11/02 11:07:37 Build number: 3790

11/02 11:07:37 ServicePack: Service Pack 1, v.2438

11/02 11:07:37 NetpValidateName: checking to see if 'corp.woodgrove.com' is valid as type 3 name

11/02 11:07:37 NetpValidateName: 'corp.woodgrove.com' is not a valid NetBIOS domain name: 0x7b

11/02 11:07:37 NetpCheckDomainNameIsValid [ Exists ] for 'corp.woodgrove.com' returned 0x0

11/02 11:07:37 NetpValidateName: name 'corp.woodgrove.com' is valid for type 3

11/02 11:07:37 NetpDsGetDcName: trying to find DC in domain 'corp.woodgrove.com', flags: 0x1020

11/02 11:07:37 NetpDsGetDcName: found DC '\\SERVER1.corp.woodgrove.com' in the specified domain

11/02 11:07:38 NetUseAdd to \\SERVER1.corp.woodgrove.com\IPC$ returned 59

11/02 11:07:38 NetpJoinDomain: status of connecting to dc '\\SERVER1.corp.woodgrove.com': 0x3b

11/02 11:07:38 NetpDoDomainJoin: status: 0x3b

Additionally, the following symptoms may occur:
 * There are no icons for network connections in My Network Places or in Network Connections.
 * When you try to start the remote procedure call (RPC) service, you receive an "Access denied" error message.
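
The following is an added example, not part of the original article: a small parser that pulls each join attempt out of Netsetup.log text and flags the pattern shown above, where a DC is located but the IPC$ connection and the join both end in 59 (0x3b). The function names are hypothetical, the timestamp layout is assumed to match the excerpt, and the error names are the standard Win32 names for those codes.

```python
import re

# Win32 error codes seen in the excerpt (0x3b is 59 decimal).
WIN32 = {0x0: "ERROR_SUCCESS", 0x3B: "ERROR_UNEXP_NET_ERR", 0x7B: "ERROR_INVALID_NAME"}
LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d)\s+(.*)$")
FIELD_RE = re.compile(r"^(Machine|Domain|Account): (.*)$")
DC_RE = re.compile(r"NetpDsGetDcName: found DC '([^']+)'")
IPC_RE = re.compile(r"NetUseAdd to (\S+)\\IPC\$ returned (\d+)")
END_RE = re.compile(r"^NetpDoDomainJoin: status: (0x[0-9a-fA-F]+)")
# Constructed sample: a subset of the entries shown above.
SAMPLE = r"""
11/02 11:07:37 NetpDoDomainJoin
11/02 11:07:37 Machine: SERVER2
11/02 11:07:37 Domain: corp.woodgrove.com
11/02 11:07:37 NetpDsGetDcName: found DC '\\SERVER1.corp.woodgrove.com' in the specified domain
11/02 11:07:38 NetUseAdd to \\SERVER1.corp.woodgrove.com\IPC$ returned 59
11/02 11:07:38 NetpDoDomainJoin: status: 0x3b
"""

def parse_join_attempts(text):
    """Return one dict per NetpDoDomainJoin attempt found in Netsetup.log text."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or untimestamped line
        stamp, msg = m.group(1), m.group(2).strip()
        if msg == "NetpDoDomainJoin":  # start of a new attempt
            cur = {"start": stamp, "dc": None, "ipc_rc": None, "status": None}
            attempts.append(cur)
        elif cur is None:
            continue  # entry outside any join attempt
        elif (f := FIELD_RE.match(msg)):
            cur[f.group(1)] = f.group(2)
        elif (d := DC_RE.search(msg)):
            cur["dc"] = d.group(1)
        elif (i := IPC_RE.search(msg)):
            cur["ipc_rc"] = int(i.group(2))
        elif (e := END_RE.match(msg)):  # final status closes the attempt
            cur["status"] = int(e.group(1), 16)
            cur["status_name"] = WIN32.get(cur["status"], "unknown")
            cur = None
    return attempts

def matches_symptom(a):
    # Log pattern only; the GPO cause still has to be confirmed separately.
    return a["dc"] is not None and a["ipc_rc"] == 0x3B and a["status"] == 0x3B

if __name__ == "__main__":
    print([(a["Machine"], a["dc"], a["status_name"], matches_symptom(a)) for a in parse_join_attempts(SAMPLE)])
```

A match only shows that the log has the same shape as the excerpt; other failures can also end in 0x3b, so the GPO check in the RESOLUTION section is still needed to confirm the cause.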



CAUSE
This problem occurs if the "Impersonate a client after authentication" policy is defined for a Group Policy object (GPO) that is linked to the domain.



RESOLUTION
To resolve this problem, use one of the following methods.

Method 1
Disable the "Impersonate a client after authentication" policy for every GPO that is linked to the domain. To do this, follow these steps:
 * 1) On any domain controller for the domain that you are trying to join, locate all the GPOs that define the "Impersonate a client after authentication" policy. You can use the Directory Services version of the Microsoft Product Support Reporting Tool to locate these GPOs. To do this, follow these steps:
 ** a) Download the Microsoft Product Support Reporting Tool from the Microsoft Download Center. The following file is available for download from the Microsoft Download Center:

Download the MPSRPT_DirSvc.exe package now.

Release Date: September 29, 2004

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Note For more information about how to use the Directory Services version of the Microsoft Product Support Reporting Tool, download the MPSRPT_DirSvc_REadme.txt file from the Microsoft Download Center.

The following file is available for download from the Microsoft Download Center:

Download the Readme.txt package now.

Release Date: September 29, 2004

 ** b) Open the MPSRPT_DirSvc.exe file.
 ** c) Read the Microsoft Software License Terms, and then click Yes.
 ** d) In the %Systemroot%\MPSReports\DirSvc\Logs folder, open the _GPRESULT.txt file.
 ** e) In this file, find all occurrences of "ImpersonatePrivilege" (without the quotation marks).
 ** f) For each occurrence of "ImpersonatePrivilege," note the name of the GPO that is associated with this policy.
 * 2) Click Start, click Run, type dsa.msc, and then click OK.
 * 3) In the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, right-click .com, and then click Properties.
 * 4) For each GPO that defines the "Impersonate a client after authentication" policy at the domain level, follow these steps:
 ** a) On the Group Policy tab, click the GPO link, and then click Edit.
 ** b) In the GPO Editor MMC snap-in, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
 ** c) Right-click Impersonate a client after authentication, and then click Properties.
 ** d) Click to clear the Define these policy settings check box, and then click OK.
 ** e) On the File menu of the GPO Editor MMC snap-in, click Exit.
 * 5) Restart the domain controller.

Method 2
Grant the Full Control permission to the Svchost.exe file for the Network Service account. To do this, follow these steps:
 * 1) On the computer that cannot join the domain, click Start, click Run, type system32, and then click OK.
 * 2) Right-click Svchost.exe, and then click Properties.
 * 3) Click the Security tab, and then click Add.
 * 4) In the Enter the object names to select area, type Network Service, click Check Names, and then click OK.
 * 5) In the Group or user names area, click NETWORK SERVICE.
 * 6) In the Permissions area, in the Allow column, click to select the Full Control check box.
 * 7) Click OK, and then click Yes.


STATUS
Microsoft has confirmed that this is a problem in Windows Server 2003 Service Pack 1.


MORE INFORMATION
For more information about how to use Group Policy in Windows Server 2003, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx

Keywords: kbtshoot kbservice kbnetwork kbprb kbgpo kbdomain KB925632


© Microsoft Corporation. All rights reserved.