Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read the full disclaimer for more details.

A computer cannot join a domain after you upgrade to Windows Server 2003 Service Pack 1


Symptoms

A computer that is running Microsoft Windows Server 2003 may be unable to join the domain of which it is a member after you upgrade it to Windows Server 2003 Service Pack 1 (SP1).

When this problem occurs, entries that resemble the following may be logged in the Netsetup.log file:

11/02 11:07:37 NetpDoDomainJoin
11/02 11:07:37 NetpMachineValidToJoin: 'SERVER2'
11/02 11:07:37 NetpGetLsaPrimaryDomain: status: 0x0
11/02 11:07:37 NetpMachineValidToJoin: status: 0x0
11/02 11:07:37 NetpJoinDomain
11/02 11:07:37 Machine: SERVER2
11/02 11:07:37 Domain: corp.woodgrove.com
11/02 11:07:37 MachineAccountOU: (NULL)
11/02 11:07:37 Account: woodgrove\administrator
11/02 11:07:37 Options: 0x25
11/02 11:07:37 OS Version: 5.2
11/02 11:07:37 Build number: 3790
11/02 11:07:37 ServicePack: Service Pack 1, v.2438
11/02 11:07:37 NetpValidateName: checking to see if 'corp.woodgrove.com' is valid as type 3 name
11/02 11:07:37 NetpValidateName: 'corp.woodgrove.com' is not a valid NetBIOS domain name: 0x7b
11/02 11:07:37 NetpCheckDomainNameIsValid [ Exists ] for 'corp.woodgrove.com' returned 0x0
11/02 11:07:37 NetpValidateName: name 'corp.woodgrove.com' is valid for type 3
11/02 11:07:37 NetpDsGetDcName: trying to find DC in domain 'corp.woodgrove.com', flags: 0x1020
11/02 11:07:37 NetpDsGetDcName: found DC '\\SERVER1.corp.woodgrove.com' in the specified domain
11/02 11:07:38 NetUseAdd to \\SERVER1.corp.woodgrove.com\IPC$ returned 59
11/02 11:07:38 NetpJoinDomain: status of connecting to dc '\\SERVER1.corp.woodgrove.com': 0x3b
11/02 11:07:38 NetpDoDomainJoin: status: 0x3b

Additionally, the following symptoms may occur:
  • There are no icons for network connections in My Network Places or in Network Connections.
  • When you try to start the remote procedure call (RPC) service, you receive an "Access denied" error message.
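
A triage script for the Netsetup.log pattern in the excerpt above, added here as an example (it is not part of the original article or a Microsoft tool). It groups log lines into join attempts and flags those where a DC was located but the IPC$ connection and the join both ended with 59 (0x3b); the function names and the second sample attempt are assumptions made for illustration.

```python
import re
WIN32 = {0x0: "ERROR_SUCCESS", 0x3B: "ERROR_UNEXP_NET_ERR", 0x7B: "ERROR_INVALID_NAME"}  # winerror.h names
LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) (.*)$")
FIELD = re.compile(r"^(Machine|Domain|Account|ServicePack): (.*)$")
FOUND_DC = re.compile(r"^NetpDsGetDcName: found DC '(\\\\[^']+)'")
IPC = re.compile(r"^NetUseAdd to \S+\\IPC\$ returned (\d+)$")
FINAL = re.compile(r"^NetpDoDomainJoin: status: (0x[0-9a-fA-F]+)$")

def parse_joins(text):
    """Return one dict per NetpDoDomainJoin attempt found in Netsetup.log text."""
    joins, cur = [], {}                  # lines before the first marker go to a scratch dict
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        if msg == "NetpDoDomainJoin":    # start marker carries no status
            cur = {"start": stamp, "dc": None, "ipc_rc": None, "status": None}
            joins.append(cur)
        elif f := FIELD.match(msg):
            cur[f.group(1)] = f.group(2)
        elif f := FOUND_DC.match(msg):
            cur["dc"] = f.group(1)
        elif f := IPC.match(msg):
            cur["ipc_rc"] = int(f.group(1))
        elif f := FINAL.match(msg):      # terminal status closes the attempt
            cur["status"] = int(f.group(1), 16)
            cur = {}
    return joins

def matches_article(join):
    """DC was located, yet the IPC$ connection and the join both ended with 59 (0x3b)."""
    return join["dc"] is not None and join["ipc_rc"] == 0x3B and join["status"] == 0x3B

# Attempt 1: lines from the excerpt above (its 0x7b line is intermediate and ignored). Attempt 2: constructed.
SAMPLE = r"""
11/02 11:07:37 NetpDoDomainJoin
11/02 11:07:37 Machine: SERVER2
11/02 11:07:37 NetpValidateName: 'corp.woodgrove.com' is not a valid NetBIOS domain name: 0x7b
11/02 11:07:37 NetpDsGetDcName: found DC '\\SERVER1.corp.woodgrove.com' in the specified domain
11/02 11:07:38 NetUseAdd to \\SERVER1.corp.woodgrove.com\IPC$ returned 59
11/02 11:07:38 NetpDoDomainJoin: status: 0x3b
11/02 11:30:02 NetpDoDomainJoin
11/02 11:30:03 NetpDoDomainJoin: status: 0x0
"""

if __name__ == "__main__":
    for j in parse_joins(SAMPLE):
        print(j["start"], j.get("Machine"), WIN32.get(j["status"]), matches_article(j))
```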


Cause

This problem occurs if the "Impersonate a client after authentication" policy is defined for a Group Policy object (GPO) that is linked to the domain.


Resolution

To resolve this problem, use one of the following methods.

Method 1

Disable the Impersonate a client after authentication policy for every GPO that is linked to the domain. To do this, follow these steps:
  1. On any domain controller for the domain that you are trying to join, locate all the GPOs that define the "Impersonate a client after authentication" policy. You can use the Directory Services version of the Microsoft Product Support Reporting Tool to locate these GPOs. To do this, follow these steps:
    1. Download the Microsoft Product Support Reporting Tool from the Microsoft Download Center. The following file is available for download from the Microsoft Download Center:


      Download the MPSRPT_DirSvc.exe package now.

      Release Date: September 29, 2004

      For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
      119591 How to obtain Microsoft support files from online services
      Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
      Note For more information about how to use the Directory Services version of the Microsoft Product Support Reporting Tool, download the MPSRPT_DirSvc_REadme.txt file from the Microsoft Download Center.

      The following file is available for download from the Microsoft Download Center:


      Download the Readme.txt package now.

      Release Date: September 29, 2004

    2. Open the MPSRPT_DirSvc.exe file.
    3. Read the Microsoft Software License Terms, and then click Yes.
    4. In the %Systemroot%\MPSReports\DirSvc\Logs folder, open the ComputerName_GPRESULT.txt file.
    5. In this file, find all occurrences of "ImpersonatePrivilege" (without the quotation marks). For each occurrence of "ImpersonatePrivilege," note the name of the GPO that is associated with this policy.
  2. Click Start, click Run, type dsa.msc, and then click OK.
  3. In the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, right-click domain_name.com, and then click Properties.
  4. For each GPO that defines the "Impersonate a client after authentication" policy at the domain level, follow these steps:
    1. On the Group Policy tab, click the GPO link, and then click Edit.
    2. In the GPO Editor MMC snap-in, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
    3. Right-click Impersonate a client after authentication, and then click Properties.
    4. Click to clear the Define these policy settings check box, and then click OK.
    5. On the File menu of the GPO Editor MMC snap-in, click Exit.
  5. Restart the domain controller.
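
The search in step 1.5 of Method 1 as a script, added here as an example (it is not part of the original article or of the Microsoft Product Support Reporting Tool): it lists each GPO that defines ImpersonatePrivilege in a saved report, together with the accounts that GPO assigns. The report layout (a "GPO:" line followed by "Policy:" and "Computer Setting:" lines, as in verbose gpresult output), the function name and the sample report are assumptions.

```python
import re

GPO_LINE = re.compile(r"^\s*GPO:\s*(.+?)\s*$")
POLICY_LINE = re.compile(r"^\s*Policy:\s*(\S+)\s*$")
SETTING_LINE = re.compile(r"^\s*Computer Setting:\s*(.*?)\s*$")

def gpos_defining(report_text, policy="ImpersonatePrivilege"):
    """Map each GPO that defines `policy` to the accounts it assigns.

    Assumed layout: a 'GPO:' line, then 'Policy:', then 'Computer Setting:'
    with further accounts on indented continuation lines; a blank line ends
    the entry. The policy name is compared case-insensitively.
    """
    found, gpo, collecting = {}, None, None
    for line in report_text.splitlines():
        if m := GPO_LINE.match(line):
            gpo, collecting = m.group(1), None
        elif m := POLICY_LINE.match(line):
            hit = gpo is not None and m.group(1).lower() == policy.lower()
            collecting = found.setdefault(gpo, []) if hit else None
        elif collecting is not None and (m := SETTING_LINE.match(line)):
            if m.group(1):
                collecting.append(m.group(1))
        elif collecting is not None and line.strip():
            collecting.append(line.strip())      # continuation line: another account
        else:
            collecting = None                    # blank or unrelated line ends the entry
    return found

# Constructed sample report; GPO and account names are illustrative only.
SAMPLE_REPORT = r"""
        User Rights
        -----------
            GPO: Default Domain Policy
                Policy:            ImpersonatePrivilege
                Computer Setting:  BUILTIN\Administrators
                                   WOODGROVE\svc-app

            GPO: Default Domain Controllers Policy
                Policy:            MachineAccountPrivilege
                Computer Setting:  Authenticated Users

            GPO: Constructed Baseline GPO
                Policy:            impersonateprivilege
                Computer Setting:  N/A
"""

if __name__ == "__main__":
    for name, accounts in gpos_defining(SAMPLE_REPORT).items():
        print(f"{name}: {', '.join(accounts)}")
```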

Method 2

Grant the Full Control permission to the Svchost.exe file for the Network Service account. To do this, follow these steps:
  1. On the computer that cannot join the domain, click Start, click Run, type system32, and then click OK.
  2. Right-click Svchost.exe, and then click Properties.
  3. Click the Security tab, and then click Add.
  4. In the Enter the object names to select area, type Network Service, click Check Names, and then click OK.
  5. In the Group or user names area, click NETWORK SERVICE.
  6. In the Permissions area, in the Allow column, click to select the Full Control check box.
  7. Click OK, and then click Yes.


Status

Microsoft has confirmed that this is a problem in Windows Server 2003 Service Pack 1.


More information

For more information about how to use Group Policy in Windows Server 2003, visit the following Microsoft Web site:


Keywords: kbtshoot, kbgpo, kbdomain, kbnetwork, kbservice, kbprb, KB925632

Article Info
Article ID : 925632
Revision : 4
Created on : 10/11/2007
Published on : 10/11/2007