Discussion:
Joining domain with Ghost Console 8
(too old to reply)
CBO
2008-04-14 13:47:13 UTC
Permalink
Hi all,

We are using Symantec Ghost 8 Corporate to ghost the machines and then
join the domain automatically so we haven't to visit the workstation
at all after ghosting. We have recently upgraded the Domain Controller
from Server 2003 to Server 2008 and now on the Post Configuration
Status it is giving warning. The warning is Failed to join domain ...
Access Denied.

Any help in this matter would be highly appreciated.

Thank you
n***@gmail.com
2008-04-14 19:18:41 UTC
Permalink
Post by CBO
We have recently upgraded the Domain Controller
from Server 2003 to Server 2008 and now on the Post Configuration
Status it is giving warning. The warning is Failed to join domain ...
Access Denied.
This is likely to be due to some incompatible change in the default
Domain Controller Security Policy settings by default in Windows
Server 2008. In particular, it seems likely that it's may be set to
deny outright the methods use by the client-side call to
NetJoinDomain() that the Ghost console client is doing to complete the
negotiation of the the workstation trust account. The inner workings
of that are undocumented (although some new details might be buried
somewhere in the reams of protocol documentation MS recently released
to belated comply with the EU antitrust rulings) but one consequence
of the way Ghost uses this API can be gleaned from the C:\Windows\Debug
\NetSetup.LOG file to which this API writes out some internal logging.

When working normally, it is authenticating to a domain account that
the Ghost server has precreated for it using a convention for initial
domain joining that has existed since NT3.1 ; one of the protocol
steps that appears in the NetSetup.LOG during this process is
annotated "w9x" which suggests that for some reason, one of the inner
steps of this API is using a downlevel Lan Manager authentication
method which may be disabled by default in the security policy for
Server 2008. I don't have a Server 2008 install handy right this
second to check what that security policy setting might be called, but
that may need changing to match Server 2003 in order to allow this to
continue working.

Incidentally, to answer the question you asked in the Java support
group recently about retrieving machine serial numbers, this
information is stored in the SMBIOS data table in machines which
comply with the Intel System Management BIOS Specification. If they
have a serial number field present, it will be recorded there. It's
readily available to quite simple scripts by querying the WMI data
tables which expose this in the \\root
\CimV2\Win32_ComputerSystemProduct table - you can even query this
from a command line using "wmic csproduct"

Indeed, the inventory system on the Ghost console can get this data
for you, if you configure it to collect it (the set of WMI tables to
collect is normally a hidden "advanced", but if you enable it under
"Tools..." "Options..." in the console you should be able to add
Win32_ComputerSystemProduct to the set of things you can collect. Be
warned though, a large number of some machines (particularly older
models of Dells such as Optiplex GX270s were manufactured in vast
numbers all with completely identical SMBIOS data, including identical
"unique" hardware IDs and identical serial numbers, and plenty others
don't have functioning SMBIOS implementations at all, in which case
the serial number field will be a default string.

A useful place to go for answers to questions like this about Ghost is
the Symantec forums for the product at https://forums.symantec.com/syment/board?board.id=109

- Nigel

Loading...