Microsoft KB Archive/920599

= Domain join during an unattended setup fails with an unexpected error message in computers that are running Windows 2000, Windows XP, or Windows Server 2003 =

Article ID: 920599

Article Last Modified on 11/1/2006


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition

SYMPTOMS
You configure an unattended setup to install and join computers to a domain. These computers are running Microsoft Windows 2000, Microsoft Windows XP, or Microsoft Windows Server 2003. When you do this, you receive an error message that resembles the following:

An unexpected error has occurred while changing your computer's network identification. Would you like to proceed for now and try joining a domain later?



CAUSE
This problem occurs when the Kerberos version 5 protocol token for a user account that is listed in the unattended answer file is too large.

Consider the following scenario. A user who performs the domain join as specified in the unattended answer file is a member of a security group either directly or by membership in another security group. In this scenario, the security identifier (SID) for each security group is added to the user's token. The Kerberos token is used to communicate that a SID must be added to the user's token.

However, the Kerberos token has a fixed size. If the required SID information exceeds the size of the Kerberos token, authentication is unsuccessful. The number of security groups varies, but the minimum number is approximately 70 to 80 security groups.

For many operations, NTLM authentication succeeds. Also, the Kerberos authentication problem may not be easy to find without analysis. However, operations that include Group Policy settings do not work at all.



WORKAROUND
To work around this issue, modify the Hivesys.inf file in the i386 folder of the Windows distribution share.

Note Editing .inf files incorrectly can cause fatal errors to occur during the Setup process. We recommend that you create a backup copy of the Hivesys.inf file before you modify the file.
 1) Use any text editor, such as Notepad, to open the Hivesys.inf file. This file is located in the i386 folder of the distribution share.
 2) Locate the following line:

HKLM,"SYSTEM\CurrentControlSet\Control\MediaProperties",,0x00000012
 3) Above the line that you located in step 2, add a new line as follows:

HKLM,"SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters","MaxTokenSize",0x00010003,0xffff
 4) Save and then close the file.
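
The same edit can be scripted so that it is repeatable across several distribution shares. The following is an added example, not part of the original article or any Microsoft tooling: it backs up Hivesys.inf, inserts the MaxTokenSize line above the MediaProperties line exactly once, and keeps the file's encoding and line endings. The function names and the .bak suffix are assumptions made for this example.

```python
import shutil
import sys
from pathlib import Path

# Both lines are copied verbatim from the workaround steps in this article.
ANCHOR = r'HKLM,"SYSTEM\CurrentControlSet\Control\MediaProperties",,0x00000012'
NEW_LINE = (r'HKLM,"SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters",'
            r'"MaxTokenSize",0x00010003,0xffff')

def patch_inf_text(text):
    """Return (text, changed); inserts NEW_LINE directly above ANCHOR once."""
    lines = text.split("\n")                     # a trailing "\r" stays on each line
    norm = [line.strip().lower() for line in lines]
    if NEW_LINE.lower() in norm:
        return text, False                       # already patched, nothing to do
    if ANCHOR.lower() not in norm:
        raise ValueError("anchor line not found; file left untouched")
    i = norm.index(ANCHOR.lower())
    cr = "\r" if lines[i].endswith("\r") else "" # reuse the file's own line ending
    lines.insert(i, NEW_LINE + cr)
    return "\n".join(lines), True

def patch_hivesys(path):
    """Back up and patch Hivesys.inf in place; returns True if it was modified."""
    path = Path(path)
    raw = path.read_bytes()
    # Assumption: the file is UTF-16 with a BOM or a single-byte ANSI code page.
    # latin-1 round-trips every byte, so ANSI content is written back unchanged.
    bom = raw[:2] if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else b""
    enc = {b"\xff\xfe": "utf-16-le", b"\xfe\xff": "utf-16-be"}.get(bom, "latin-1")
    patched, changed = patch_inf_text(raw[len(bom):].decode(enc))
    if changed:
        # Backup first, as the Note above recommends.
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(bom + patched.encode(enc))
    return changed

if __name__ == "__main__":
    # Usage: python patch_hivesys.py <path to i386\Hivesys.inf on the share>
    print("modified" if patch_hivesys(sys.argv[1]) else "already patched")
```

If the MediaProperties line is missing, the script raises an error and writes nothing, so a share with an unexpected Hivesys.inf is not altered.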



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

