Domain join during an unattended setup fails with an unexpected error message in computers that are running Windows 2000, Windows XP, or Windows Server 2003

You configure an unattended setup to install and join computers to a domain. These computers are running Microsoft Windows 2000, Microsoft Windows XP, or Microsoft Windows Server 2003. When you do this, you receive an error message that resembles the following:

This problem occurs when the Kerberos version 5 protocol token for a user account that is listed in the unattended answer file is too large.

Consider the following scenario. A user who performs the domain join as specified in the unattended answer file is a member of a security group either directly or by membership in another security group. In this scenario, the security identifier (SID) for each security group is added to the user's token. The Kerberos token is used to communicate that a SID must be added to the user's token.

However, the Kerberos token has a fixed size. If the required SID information exceeds the size of the Kerberos token, authentication is unsuccessful. The number of security groups varies, but the minimum number is approximately 70 to 80 security groups.

For many operations, NTLM authentication succeeds. Also, the Kerberos authentication problem may not be easy to find without analysis. However, operations that include Group Policy settings do not work at all.

To work around this issue, modify the Hivesys.inf file in i386 folder of the Windows distribution share.
Note Editing .inf files incorrectly can cause fatal errors to occur during the Setup process. We recommend that you create a backup copy of the Hivesys.inf file before you modify the file.

1. Use any text editor, such as Notepad, to open the Hivesys.inf file. This file is located in the i386 folder of the distribution share.
2. Locate the following line:
   HKLM,"SYSTEM\CurrentControlSet\Control\MediaProperties",,0x00000012
3. Above the line that you located in step 2, add a new line as follows:
   HKLM,"SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters","MaxTokenSize",0x00010003,0xffff
4. Save and then close the file.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about how to perform an unattended installation of Windows 2000 from a CD-ROM, click the following article number to view the article in the Microsoft Knowledge Base: For more information about how to perform an unattended installation of Windows XP from a CD-ROM, click the following article number to view the article in the Microsoft Knowledge Base: For more information about how to use Setup Manager to create an answer file in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base: For more information about unattended setup parameters for the Unattend.txt file, click the following article number to view the article in the Microsoft Knowledge Base: