Another unobvious Windows problem

I have quite a lax administration policy concerning our network which is possible as long as we don’t have that many machines and employees: I for myself do not place many restrictions in choice of hardware and OS on our employees. They should work with whatever they want. Only restriction: The OS must be multi-user capable (means: no Windows 9x) and if the employee wants access to our file-server it must somehow support the SMB protocol.

Lukas, on the other hand, adds another requirement to the list above: The system must somehow provide support for our exchange based groupware. This can be native access or via the web interface.

So yesterday, someone wanted to add his computer to our network. It’s a IBM Thinkpad running Windows 2000 in a highly tweaked installation which should be preserved at all costs. Every other administrator would insist that at least the corporate configuration would be enforced, but I don’t care and put the users satisfaction above all easement for my task, so I let him keep his setup, but suggested him to join our Windows domain to make his life easier (no logging in to our fileserver, better exchange-support (remember: Lukas’ condition).

After some initial problems with the installed personal firewall (have I told you that I hate them? Yes I have), I went on and tried to join our Windows 2003 domain. After quite a long waiting time, the only thing I got was “Access Denied”. A quick look to the server’s event log showed nothing but success-messages.

Googling did not help (much), but told me about a certain netsetup.log windows is supposed to create on the client (it’s in %windir%Debug. Here’s the log I got:

03/30 16:19:28 -----------------------------------------------------------------
03/30 16:19:28 NetpDoDomainJoin
03/30 16:19:28 NetpMachineValidToJoin: 'THINKPAD'
03/30 16:19:28 NetpGetLsaPrimaryDomain: status: 0x0
03/30 16:19:28 NetpMachineValidToJoin: status: 0x0
03/30 16:19:28 NetpJoinDomain
03/30 16:19:28 	Machine: THINKPAD
03/30 16:19:28 	Domain:
03/30 16:19:28 	MachineAccountOU: (NULL)
03/30 16:19:28 	Account: office.sensational.chpilif
03/30 16:19:28 	Options: 0x3
03/30 16:19:28 	OS Version: 5.0
03/30 16:19:28 	Build number: 2195
03/30 16:19:28 	ServicePack: Service Pack 4
03/30 16:19:28 NetpValidateName: checking to see if '' is valid as type 3 name
03/30 16:19:28 NetpValidateName: '' is not a valid NetBIOS domain name: 0x7b
03/30 16:19:28 NetpCheckDomainNameIsValid [ Exists ] for '' returned 0x0
03/30 16:19:28 NetpValidateName: name '' is valid for type 3
03/30 16:19:28 NetpDsGetDcName: trying to find DC in domain '', flags: 0x1020
03/30 16:19:43 NetpDsGetDcName: failed to find a DC having account 'THINKPAD$': 0x525
03/30 16:19:43 NetpDsGetDcName: found DC '\' in the specified domain
03/30 16:19:43 NetUseAdd to \$ returned 5
03/30 16:19:43 NetpJoinDomain: status of connecting to dc '\': 0x5
03/30 16:19:43 NetpDoDomainJoin: status: 0x5

Not so useful besides: NetUseAdd to \$ returned 5

As the last entry was something about a status 0x5 and the error was “Access Denied”, I figured that this “returned 5” must mean “Access Denied” too.

A quick try to access the server showed me that I was right: I could not access any share – my password was not accepted (besides the server’s security log telling me otherwise).

Finally the guy owning the noteook had an idea: He has disabled Windows 2000’s packet signing and encryption via Administrative Tools/Local Security Policy. Enabling it and rebooting finally did the trick. When asked why he did so he said that it would greatly speed up access from a PC running Windows 98…

What did I learn: Maybe my policy is a bit too lax and if keep it, I should at least not try to fix problems I’m getting with it (it would have worked perfectly well without joining the domain)
What do you learn: If you have the same problem, here’s the solution. And this is what this blog is for.

%d bloggers like this: