Access denied when adding PC to domain

**Stewart_Harding** · August 29th, 2005, 03:13 PM

I have just installed a brand new 2003 server SP1 and everytime I try to join a computer to the domain I get access denied..
I am new to 2003 and must be missing something that has to be done to allow computers to join the domain.
So far there are no accounts apart from administrator on AD and I was using the administrators account to try and join the PC to the domain..
Anyone got any ideas ?

**SeanC** · August 29th, 2005, 03:19 PM

What is the OS on the PCs you're trying to add to the domain?

Sean

**bwcc** · August 29th, 2005, 03:29 PM

Is the local admin account part of the 'domain admin' group?

**Stewart_Harding** · August 29th, 2005, 03:44 PM

The OS of the PCs is XP Pro SP2..
I am using the default administrators account so I rekon its should be automatically in the domain admin group..

**Stewart_Harding** · August 29th, 2005, 03:46 PM

I just checked.. administrator is a member of domain admins..

**VHockey86** · August 29th, 2005, 03:58 PM

Dumb question, but just checking to make sure.

first of, do you get a username/password prompt when you attempt to join the domain? If not, you might need to take a look at your domain security policies. Windows might be attempting to use pass-through authentication, and if the administrator passwords dont match it wont work (and you DO NOT want this anyways).

Secondly, if it is prompting, you are entering the domain administrator password, not the local password, correct?

Generally speaking I join to the domain as the default admin, then I add a username to domain users, and then finally add that user to the local computer under the domain (taht way you don't end up with multiple profiles for the same user on that PC (one for off the domain, and one for on the domain)).

**SeanC** · August 29th, 2005, 04:03 PM

That's an important part. If it's not prompting for a domain admin account to add the system to the domain then it won't work.

I always use the domain admin account to connect computers to the domain.

Sean

**meese** · August 29th, 2005, 04:09 PM

Is DNS configured properly?

**Stewart_Harding** · August 29th, 2005, 04:28 PM

Yes I have the DNS on the workstation pointing at the Server. I let AD instal Wizard configure the DNS on the server..

**Stewart_Harding** · August 29th, 2005, 04:32 PM

Yes I do get the logon box for both the FQDN and the Netbios name.
The account that I am using to join the computer with is the Domain administrators account.. however the local administrators account has the same password... Surely this would not cause a problem??

Hres some more info..
When it was a standalone server I setup a folder share and connected to it with the usual \\10.0.254.11 Then used the local administrators account and password to browse the HDD.

Once I installed active directory I get access denied...
I will go and setup another admin account with a different name and password and see if that works..

**Stewart_Harding** · August 29th, 2005, 04:51 PM

No.. that did not solve the problem...

**Stewart_Harding** · August 29th, 2005, 04:52 PM

I have noticed lots of other posts on other forums for the same problem and yet I cannot find any replies that discuss how it was fixed..

**meese** · August 29th, 2005, 04:54 PM

Are there any warnings or errors in the server event logs, or the client pc event logs, that may be relevant to this?

**meese** · August 29th, 2005, 04:56 PM

maybe have a look here: http://x220.minasi.com/forum/

**bwcc** · August 29th, 2005, 05:08 PM

Ok, its been awhile since I setup my 2003 domain at home, but if I remember correctly, it has the same XP security feature of 'allow remote users to connect' under the System Properties... I vaguely remember having to set this, but I think it was for terminal services, rather than domain access. May give that a shot...

*EDIT*

Sorry, got home and its "allow Remote access" - so its geared towards setting it up for Terminal Services rather than domain access...

There isn't any other software on the 2003 server that might be preventing access to it is there? Like a software firewall? Speaking of which - windows firewall is disabled, right?

**Stewart_Harding** · August 30th, 2005, 05:04 AM

No firewall, I can log onto the machine using TS..
I have now tried adding the computer account manually and it says it has found a computer on the DC and I click OK..
It then comes back with
No mapping between account names and security ID's was done ??

I look in the logs and there is an alert during bootup that says..
MS DTC could not correctly process a DC promotion event..

The MS Knowledgebase says there is nothing regarding this at this time..

**kwebb** · August 30th, 2005, 06:57 AM

Create a new account in AD. Add it to the domain admins group. Log onto the workstation with those credentials and add it to the domain. You can also create the computer account in AD first but it's not necessary. The user you want to have the ability to add computers to the domain does not HAVE to be a domain admin by the way. You just need to delegate that ability.

**Stewart_Harding** · August 30th, 2005, 03:20 PM

Thanks for all the help...
Finally I read a post that said..
Install tools on the server..
then

dfsutil /PurgeMupCache

Did this.. and the workstation joined the domain as if by magic..