# Symantec Ghost 7.5 domain problem



## clansman (Jul 30, 2003)

hi everyone!

i recently got in charge of about 100 windows 2000 workstations, 2 w2k adv server domain controllers and the "hot potato" that is the replacement of the 2 domain controllers to windows server 2003 and the replacement of the w2k workstations to windows xp pro.

of course, like the previous admins, we definately use ghost 7.5.

first of all, this is the first time i use ghost... so i am a real newbie!

here's what i've got:

. a sample wxp partition image
. a working boot partition

here's what i can sucessfully do:

. install the boot partition and the wxp image

here's what i cannot do:

. add the workstations to the domain.

------------------------------------------------------

1. first of all, i would like to ask if it is absolutely necessary that the ghost server belongs to the domain to make things work... with the old w2k domain controllers, it did not belong to the domain and things worked ok. now it needs do belong to the domain in order to recognize the domain in the machine configurations.

2. i have 3 tasks: clone boot partition, clone windows partition and configure windows. in the configuration task i have for each machine a configuration that has the machine name to be used in the domain. what happens is that when i try to configure the wss, the machine accounts are created ok, but in the "post-configuration" i receive a "failed to join domain RNL: access denied". now i ask you... has this anything to do with the SID thing? i don't use the sid walker or sysprep (yet!).

3. is it possible to join all my 3 tasks into only one? i created 3 tasks because the previous admins also did so, but i feel i can check the checkboxes to do something else...

---------------------------------------

those were the questions... i would really appreciate detailed answers. please ask whatever you feel necessary to better understand the problem.

thank you very much in advance!

[]


----------



## Jedi_Master (Mar 13, 2002)

Howdy there clansman...

Is there a Ghost user name, in the Domain users list ?

I think it should be named something like Ghost__<Ghost Server Name >_...

This is the user name that Ghost uses to add pc's to the Domain, also it should have the nessary privleages to add a pc to the Domain...


----------



## clansman (Jul 30, 2003)

hey!

the ghost interface asks you for a username and password which have privileges to add machine-trust accounts. since the accounts are created by ghost, i guess there are no problems there...

now that you mention it, there appeared a GHOST user, created by ghost... but that user has no privileges, so the accounts are created using the credentials given...

i guess...

[]


----------



## clansman (Jul 30, 2003)

i forgot to say:

i really need the help on this... especially from the gurus, who have the experience and expertise to quicly point out the possibilities of the problem...

i would be very interested in some information regarding the SID thing... does every machine REALLY need a different SID in order to join the domain?

should i use sysprep to add computers to the domain or the configure task from ghost?

thank you very much in advance. 

[]


----------



## Squashman (Apr 4, 2003)

You can you Ghostwalker to remove the SID or Run sysprep on a machine you are going to image. This will also remove the sid.


----------



## clansman (Jul 30, 2003)

hi everyone!

i tried the SID change...

still, i get a "Post-Configuration Status: Failed to join domain XXXX: Access denied".

i need help!!

i am cloning windows XP and the domain controller is windows server 2003.

[]


----------



## Jedi_Master (Mar 13, 2002)

Hmmm...

Just for a test...try manually adding a pc to the Domain using the Ghost user name, this way you will be able to test to see if it is the Ghost user name that is the problem...

Like I said this is the user name that Ghost uses to add pc's to the Domain...

Some more info here...


----------



## clansman (Jul 30, 2003)

> _Originally posted by Jedi_Master:_
> *Hmmm...
> 
> Just for a test...try manually adding a pc to the Domain using the Ghost user name, this way you will be able to test to see if it is the Ghost user name that is the problem...
> ...


i will be able to try that next monday...

still, i don't understand...

ghost creates the machine accounts... doesn't this mean that it has sufficient user rights??? maybe the "join domain" process is more restrictive in terms of security than the "computer account creation" process... just a guess..

anyway, i spent about 10 hours trying to figure out the problem... i found something out in the internet about a DNS misconfiguration, but it does not make sense, because the dns is configured in the same way that the old domain controllers were, and in the old domain, things worked ok.

next thing i will try is:

1. remove ghost account from domain
2. start ghost console with domain admin user
3. "add" the domain to ghost, so that it creates its user with sufficient admin rights
4. clone and configure images...

thank you very much for the replies... still i would appreciate any kind of tip anyone can give me! ESPECIALLY IF ANY OF YOU SOLVED A PROBLEM LIKE MINE!

[]


----------



## Jedi_Master (Mar 13, 2002)

A quick question...

When you dumped the XP image up was the pc still on the Domain ?


----------



## clansman (Jul 30, 2003)

hey!

no. the computer was under a neutral workgroup. i did it because i read about it... later ghost configuration task would add it into the domain.

why?

btw: i have no problem adding single machines to the domain using my domain admin account, so i guess the domain is ok.

[]


----------



## Jedi_Master (Mar 13, 2002)

Just asking seen problems such as this when the image was dumped to the server while still on the Domain...

And the reason I was asking you to add a pc to the Domain with the Ghost service accound ( aka the ghost domain user account ), was to test the user account so it could be ruled out, ( it's how we caught the problem with ours )...


----------



## clansman (Jul 30, 2003)

ok, i will test that as soon as possible... next monday i'm affraid.

thank you very much!

i will post the results.

[]


----------



## clansman (Jul 30, 2003)

i just remembered...

what do you mean "ghost user"???

ghost creates a "GHOST" user in the domain, but i don't know nothing about it...

i guess you meant the user i entered to allow ghost to recognize the domain... if so, i already tried to join computers with that user, it works ok.

back to square 1.

[]


----------



## Jedi_Master (Mar 13, 2002)

> ghost creates a "GHOST" user in the domain, but i don't know nothing about it...


That's the one I'm talking about, that's the one Ghost uses to add pc's to the domain...



> _Quoted from the Symantec link_
> Why Ghost needs the service account
> This account provides the Ghost service with the rights necessary for adding computers to the domain or Active Directory.
> 
> ...


----------



## clansman (Jul 30, 2003)

ok, but how can i manually add a computer to the domain if i don't have the GHOST user password??

last time i tried, that action asks for a username and password.

maybe that's configured at the ghost installation time... i never installed the ghost server program...

[]


----------



## Jedi_Master (Mar 13, 2002)

Here is how you change the password...



> To change the Ghost service user account password:
> 
> 1. Use the Administrator user ID and password to log onto the computer on which you want to install the Ghost Console.
> 2. For Windows 2000 workstations:
> ...


Also here is some more on the access denied error...

Symantec


----------



## clansman (Jul 30, 2003)

so, the strategy lies in the admin rights that let me give a password to the created GHOST user in the domain.

is this the user that adds the computers to the domain?

[]


----------



## clansman (Jul 30, 2003)

i searched a bit and found that i also need to tell ghost the new password for that user.

i learned that the user definitions are created upon installation and that there is a registry location with information about the user/pass.

i will try to see if the user in the domain has the user/pass that ghost thinks it has and if not, i will certainly change it.

it it still doesn't work, i will simply re-install the software and hope to get it well configured, this time.

thanks for all the help. i'll post the results.

[]


----------



## caledonian (Aug 5, 2003)

i'm experiencing the same problem

from what I can see it looks as if the GHOST account on the domain is successfully creating a computer account in the domain so there doesn't seem to be problem on the domain side

it seems to be the point where ghost tries to change the local PC configuration to tell it that it's now a member of the domain where the problem occurs

i'm assuming that ghost uses the local PC administrator account to make the changes to the local machine because there is no local GHOST user (and it can't use the domain admin or the domain GHOST account as it isn't yet a domain member)

could it be that ghost doesn't have the rights to make changes to the local PC configuration?

i'm not sure if this is what's actually happening or if it is relevant to your problem but here's hoping

cheers


----------



## clansman (Jul 30, 2003)

hi!

oh, you hit the "mouche".

that is exactly my problem.

i tried what jedi_master pointed me to... to use the GHOST domain account to manually add the machine to the domain. it works, so i think there are no problems with the GHOST domain account privileges.

ghost does create the machine accounts, but the machines never join the domain due to a "access denied" error in the "post configuration status" of the ghost task...

i really don't have a clue on who is denying what... that would be a VERY helpful information to start looking for solutions!

about the local privileges... the computer name changes, but the domain doesn't... certainly because the machine never joins the domain... i guess the privileges are enough to change the domain since they are enough to change the computer name...

the most weird thing is that in the old domain, it worked well...

everything seems to point out to a domain problem or misconfiguration... but how can i know where to start looking???

[]


----------



## Jedi_Master (Mar 13, 2002)

Ok thats good that it is working...

Do you have a WINS server ?

Also have you checked under Security in the event viewer, on the Domain server, and see if it will give shed more light on the problem ?


----------



## clansman (Jul 30, 2003)

i haven't installed the wins role in the windows 2003 domain controller, but i don't think it is necessary, because in the old windows 2000 domain, there were no wins servers and i had no problems with ghost...

but then again, i better check that too.

[]


----------



## clansman (Jul 30, 2003)

i checked. i do have a wins server running in the old domain but NOT on the windows 2003... could it be the cause of the access denied??

[]


----------



## Jedi_Master (Mar 13, 2002)

It's possible...I don't know anything about the 2003 server environment, so I can't advise on that...


----------



## clansman (Jul 30, 2003)

ok, but if it were on a win2k dc, what would you advise?

[]


----------



## Jedi_Master (Mar 13, 2002)

Well...IMHO yes it might help...

Have you checked the Security under Event viewer on the dc, to see if there are any errors ?


----------



## clansman (Jul 30, 2003)

no, not yet, i have been away.

i will do it today.

[]


----------



## clansman (Jul 30, 2003)

checked the event log... nothing notable.

i am lost. i haven't got a clue on where to start searching the problem source.

[]


----------



## plate (Aug 17, 2003)

Same here.

We've upgraded our server from win2k to win2k3. Ghost 7.5 worked prior to the upgrade. Now we see the same error. Failed to join domain ... access is denied. Nothing in the event logs.


Manually joining the domain using the ghost account works without problems.

Is this a known issue? Nothing in Symantec's website.

If anyone has a solution please let me know.

Much thanks.


----------



## MarcS (Aug 20, 2003)

Hi there,

I'm dealing with the same kind of problems here. We use Ghost in an educational environment to quickly restore computer configurations between courses. I use Ghost Enterprise 7.5, and most of the times its works ok, even registering the computers on the domain!!!

At first I had some trouble getting it to work: here's what I think about all this:
1) I do not believe WINS is the problem: if you get an access denied rejection, you're already on the right computer (W2k DC), you just don't have sufficient rights. WINS will never solve that.

2) After some trial and error (typing this its looks like it was quick'n'easy, where in the real world I've hacked away for days and days to get it to work) and some REAL GOOD RTFM'ing (always a good thing to do) I found that the Ghost console is only able to register a machine's account in the domain, if that account is free of any tampering by an admin account. I repeat (I think this is a big clue, here):
The Ghost console is only ever able to register a machine's account in the domain if that account hasn't been created, changed or removed by an administrator! (The manual just casually mentions this once, somewhere, not at all clear.)
So *DO* use the Ghost console option to let the console remove the computer from the domain. In my case, this was one of the most important things I had to do to get it all working.

3) There's a difference in dumping an image to roll it out on many computers, or just cloning the same computer over and over again (like I do most of the time). In the latter case you don't have to care about SID's, in the first case you do. Use sysprep for this. I haven't been able to discover from this discussion what you are trying to do.

4) The Ghost Configuration service uses an account, usually called GHOST_<servername>, which has special priviledges to control computer accounts in the domain. This account doesn't need administrative rights and is by default 'only a domain user'. I think this has something to do with my (and probably your) problems, because there a big difference between an administrator account and a 'simple domain user' with the priviledge to manage accounts: accounts managed by an admin can NOT be managed by a 'lesser being' (this is what I think, it hasn't been confirmed).

5) Ghost doesn't need any configuration at the client side, other than installing the Ghost Console Client (it runs as Local System which lets it do its stuff on the local machine). I do not believe this has anything to do with this problem, because on the local machine thins always seem to be ok.

My problem is that it works ok most of the time, but no always. Sometimes the Console just can't seem to get the computer account in the domain, without any obvious reason why. Registering it by hand is never a problem. My guess is this is either a (nasty and unpredictable) flaw in Ghost or my theorie is right (see points 2 and 4) and some other admin (i.e. my co-admin) has managed the computer account between dumping and cloning of the image.

I hope I've given some suggestions to further investigation and testing on your side, and appreciate any comments you can give.

(BTW: of course I've looked around on the net, read FAQs, etc. Heck, I even Read The Fine Manual! But I have not found anything meaningfull about this problem yet.)


----------



## johniefox (Aug 21, 2003)

Hey guys.

Did anyone actually manage to solve the problem? I've just got Ghost 7.5 and am having the same problem. Everything works fine except I keep getting the same error message "failed to join domain xxxx"access is denied", although curiously the computer is added to a workgroup with the same name as the domain. I have a WIndows 2000 domain with W2K clients.

Anyway, I've spent hours trying to solve this problem and I think I've covered all the points mentioned in the messages so far withour success, so doesn anyone else have any ideas? Did you manage to fix it Clansman or Plate?

Just on another point, while using SysPrep I can't manage to get the product code to automatically fill in. I'm using the "ProductID = xxxxx-xxxxx-xxxxx-xxxxx", but it still asks for the code. Any ideas?

Would appreciate any help.
Thanx


----------



## MarcS (Aug 20, 2003)

Just to be sure:
Have you tried doing the WHOLE ghosting process from the console? I mean: dumping, with the console removing the computer from the domain, and then loading it, again with the console registering the computer in the domain?

Did you tell the console what your domain is (Tools, Supported Domain Lists)? My console seemed to 'know' my domain (it was in the list), but only after I had registered it again, it worked ok.

I've used the console for quite a while now, and it seems to work ok. Just once in a while am I experiencing this problem, with just one or two machines at a time. So I'm guessing the problem is not the console not being able to register workstation at all, but only under certain conditions.

About that product ID: I don't think xxxx-xxxx-xxxx-xxxx qualifies as a valid product ID.  Just kiddin'. I've also used this option with sysprep, and it worked. But for some reason one time it didn't, and I haven't been able to discover why. I just assumed I used a wrong ID (I use English and Dutch versions). I filled in ProductID in tghe UserData section, without any spaces. Maybe you can try a different product id?

Tip: when you're installing a machine to be Ghosted, install W2k onto FAT32 first, and convert it to NTFS later (after loading the image on the target machine, can also be done with sysprep). This way you can still edit the files inside the Ghost image.


----------



## johniefox (Aug 21, 2003)

Thanks for the advice MarcS.

I did do the whole Ghostimg process from the console, but had no joy. Not really sure why. But eventually I found a weird work around on the Symantec site. When looking for the "failed to join domain" problem I found one document which commented on the size of the domain name. It highlighted the fact that Gost has problems recognising domain names longer than 15 characters. I didn't read it fully the first time I saw it as my domain name is less than 15, but reading further along the document it curiously stated "If the domain name is less than 15 characters and you continue to receive the error message, download and apply the latest netdom.exe file from Microsoft." Anyway,, following these instructions I managed to add the computer to the domain using the Netdom.exe command.

I think you are right with the ProductID thing. I tried another key and it worked. Finally hours of toil and trouble have paid off. Cheers guys


----------



## clansman (Jul 30, 2003)

hi everyone!!

really sorry for my delay on this topic, which is of extreme importance to me. i stopped getting e-mails about new posts... maybe mozilla thinks they're spam... i'll look into it.

i see new posts from MarcS and johniefox.

i haven't managed to solve anything yet. i tried re-installing ghost but no success... last thing i tried is the "Requiresignorseal" trick in the registry - no luck.

i found the "netdom.exe" thing veeeery interesting. i will indeed try that, but first i have to find out how to update the netdom.exe file.

i will post here very soon.

thanks for the help.

[]


----------



## clansman (Jul 30, 2003)

> _Originally posted by johniefox:_
> 
> Did anyone actually manage to solve the problem? I've just got Ghost 7.5 and am having the same problem. Everything works fine except I keep getting the same error message "failed to join domain xxxx"access is denied", although curiously the computer is added to a workgroup with the same name as the domain. I have a WIndows 2000 domain with W2K clients.
> 
> Anyway, I've spent hours trying to solve this problem and I think I've covered all the points mentioned in the messages so far withour success, so doesn anyone else have any ideas? Did you manage to fix it Clansman or Plate?


unfortunately, no.

i also did try all the mentioned issues with no luck.



> Just on another point, while using SysPrep I can't manage to get the product code to automatically fill in. I'm using the "ProductID = xxxxx-xxxxx-xxxxx-xxxxx", but it still asks for the code. Any ideas?


i tried to use sysprep, but i dropped the idea because you cannot join machines to a domain, in a fixed and ordered way. i have to join machines to a domain with names matching their physical locations. for that i need to associate the machine name to something that uniquely identifies the machine. that is exactly what ghost does and sysprep doesn't. sysprep joins machines to the domain allright, but it chooses the name with a very long hash... horrible. another problem with sysprep is that the so called "automatic functioning" is not automatic. it gives a weird error and requires a mouse click.



> Would appreciate any help.
> Thanx


me 2. thanx.


----------



## clansman (Jul 30, 2003)

> _Originally posted by MarcS:_
> *Just to be sure:
> Have you tried doing the WHOLE ghosting process from the console? I mean: dumping, with the console removing the computer from the domain, and then loading it, again with the console registering the computer in the domain?*


yes.



> *Did you tell the console what your domain is (Tools, Supported Domain Lists)? My console seemed to 'know' my domain (it was in the list), but only after I had registered it again, it worked ok.*


yes.



> *I've used the console for quite a while now, and it seems to work ok. Just once in a while am I experiencing this problem, with just one or two machines at a time. So I'm guessing the problem is not the console not being able to register workstation at all, but only under certain conditions.*


that can be your case, but not mine. the process fails under all tested conditions. windows 2k clients or windows xp clients and windows 2003 server domain controller. but it succeeds with the windows 2k domain controllers, so i guess my problem lies in the domain controller.



> *About that product ID: I don't think xxxx-xxxx-xxxx-xxxx qualifies as a valid product ID.  Just kiddin'. I've also used this option with sysprep, and it worked. But for some reason one time it didn't, and I haven't been able to discover why. I just assumed I used a wrong ID (I use English and Dutch versions). I filled in ProductID in tghe UserData section, without any spaces. Maybe you can try a different product id?*


maybe the x's mean that sysprep should not change the product ID... maybe...

thanks for the help.

[]


----------



## clansman (Jul 30, 2003)

> _Originally posted by johniefox:_
> *Thanks for the advice MarcS.
> 
> I did do the whole Ghostimg process from the console, but had no joy. Not really sure why. But eventually I found a weird work around on the Symantec site. When looking for the "failed to join domain" problem I found one document which commented on the size of the domain name. It highlighted the fact that Gost has problems recognising domain names longer than 15 characters. I didn't read it fully the first time I saw it as my domain name is less than 15, but reading further along the document it curiously stated "If the domain name is less than 15 characters and you continue to receive the error message, download and apply the latest netdom.exe file from Microsoft." Anyway,, following these instructions I managed to add the computer to the domain using the Netdom.exe command.*


indeed the workaround works. the problem is that the workaround gives you almost as much work as you would have if you install the so and software into each machine, one at a time... the advantage of the ghost configurations are completely lost!

i may use the workaround in a different way... i was thinking about a batch file or something to join the necessary machines to the domain from the domain controller... that also works. i tried.

thanks

[]


----------



## clansman (Jul 30, 2003)

> _Originally posted by plate:_
> *Same here.
> 
> We've upgraded our server from win2k to win2k3. Ghost 7.5 worked prior to the upgrade. Now we see the same error. Failed to join domain ... access is denied. Nothing in the event logs.
> ...


deja vu ;-)

no luck yet.

[]


----------



## johniefox (Aug 21, 2003)

I finally sorted out my problem, but not sure if it will help anyone else. Anyway, my problem seems to have stemmed from the WINS server. In my W2K server WINS was installed. Taking a look at it i found some weird entries such as listing my domain name as a WORKGROUP. I don't actually need WINS so I uninstalled it and hey presto...Ghost works fine now. Again, I'm not sure what the problem is, but if you have WINS installed and you don't need it, uninstall it and see if that solves your problems. Good luck!


----------



## clansman (Jul 30, 2003)

i had the same problem without wins, so i guess that will not help me.

i ask everyone that has a clue about this problem to share it because i can't seem to find any help anywhere else.

[]


----------



## dtremblay (May 19, 2004)

Hi to everybody who read this tread.

I work around arround with the same problem.

At first, my Ghost server was running on a network without domain. It was working fine.

I introduced a new Windows 2k3 server on the the network as a domin controler. My domain's FQDN : emoicq.ca

So, My Symantec Norton Ghost 7.5 server is running on a computer registered on my domain. The computer's FQDN : A0101_GHOST_SRV.emoicq.ca

I tried to ghost one of my classroom but the message "Failed to join domain emoicq.ca access is denied. hmmm....what was the problem.

I tried to look arround your solutions. I made every thig possible. Create a user GHOST_A0101_GH on my AD without succes. the same message came back.

I tried everything. until...this

First be sure that no GHOST_BLABLA user apppear in your AD.

In the Ghost Console. You can add the take in charge Domains. S'cuse me if this is not the good term, got the french version.

Just delete the domain in question. And clic the Add button.

In the domain name box, Write the FQDN of your domain. In my case, emoicq.ca

Next you must give a user able to create the GHOST_BLABLA user in the AD. write it this way.

DOMAIN\Administrator
password

In my case

EMOICQ\Administrateur
MyPassword

Right. Now go see if a user GHOST_BLABLA (BLABLA is suppose to be the first 8 caracter of your ghost server computer. This name was given during the installation of the ghost console)

If yes, Bingo, it worked for me.

If you do not see the user in your AD. Maybe that during the installation, you gave the administrator username. Not a problem. Do it this way.

-Stop the ngserver service in the task manager or by the services manager (Control Panel\Admin Tools\Services).
-COPY the C:\program files\Symantec\Ghost folder somewhere as a backup.
-Uninstall Ghost Console.
-Reinstall Ghost Console.
-Choose a NEW user name that will be used exclusively by the Ghost Console (Maybe the default user name is a good choice).
-Stop the ngserver service in the task manager or by the services manager (Control Panel\Admin Tools\Services).
-Replace your C:\program files\Symantec\Ghost folder with your backup.
-Start the ngserver service in the task manager or by the services manager (Control Panel\Admin Tools\Services).
-Start Ghost Console.

(Your serial number will be copy with your backup)

It worked for me.

In conclusion, don't ask me why my local administrator was not allow to join computers on my AD, I looked in the group policies, but every thing was looking good.

The important that it worked...  

please reply if you want support. I will reply if you have questions.


----------



## dtremblay (May 19, 2004)

Just want to add this point.

Do not disable file sharing or Netbios on the workstation that will be ghosted.
Do not diasable Netbios on the Ghost console server.


----------



## scarneol (May 21, 2004)

During the install, Ghost creates a Ghost_<computername> Service Account in your Active Directory, makes it a member of the Domain Users group and sets the rights to perform certain functions such as Join Workstations to the Domain. Unfortunately, I found that Symantec designers  didn't give this service account enough rights on the Computer Container to allow it to join workstations to the Domain. After I explicitly added this Account to the Computer Container and elevated the rights, I was able to Join Workstations to the Domain using Ghost.


----------



## dtremblay (May 19, 2004)

Your right. It is mentionned in the symantec knowledge base. The Ghost user got a limit on the number account that it can create.


----------



## gibb6512 (Aug 27, 2004)

Your solution worked great! Thanks much. I had the same problem as everyone else on this thread and the re-creating of the Ghost account and re-adding the domain using the FQDN was the solution.


----------



## Eastwood (Jan 5, 2006)

Post configuration warning: Failed to join domain, access denied resolution.
When I started researching what others were doing to resolve this issue, I quickly ran across this site. I wanted to post our resolution here. I am posting this here because I see a lot of folks on the web trying to find information about this. It ended up being a very simple but not intuitive solution.

*Our environment:*
Windows 2003 Server, Active Directory. DHCP, DNS and WINS.
Ghost Enterprise 8.0. Ghost Sever name = Casper  
Multi-homed Ghost Server with 4 NICs for 4 subnets. (We're still trying to get the Cisco router to pass multicast packets so this is a perfect workaround). 
Windows XP SP2 Workstations.
Sysprep and Ghost using the default configuration in our task.

Our solution revolved around using sysprep and a ghost task that included the default configuration.

Our goal was to begin imaging and end at the login screen without having to visit the workstations. We wanted the computer to use its previous computer name, and then join the domain automatically.

*Critical sysprep aspects.*
We used sysprep to join the computer to the domain. We had to use sysprep!
In the sysprep.inf file we used the computername=* variable. This allows the automatic naming of the computer and eliminates the need to click on ok or hit enter to accept the name during the Windows mini setup. Let Ghost provide the Computer Name for the workstation by including the default configuration in the Ghost Console Task.

In the sysprep.inf file we used the AdminPassword=* variable. Since this was a master image, our Admin account already existed and there was no requirement to enter a password during the Windows mini setup. The asterisk tells setup to continue, eliminating the need to visit the workstation to click OK or hit enter. Setup just continues on its own.

For the longest we just could not get this simple process to work. Getting the workstation to join the domain always failed with access denied.

We had used the default configuration, a customized configuration and a new configuration to no avail. We did not realize that each computer has its own default configuration within the machine group where it resided. Our solution was to edit each individual computers default configuration. We did this by locating the computer in whatever machine group it was in. Right click and chose properties then clicked on the edit button. It was here where we found that the machines were configured by ghost to join the domain also no matter what our customized configurations were set to do. When ghost and sysprep are configured to both join the domain we would always get: failed to join the domain and access denied. It will never work that way. So we unchecked the top box and every thing grayed out for joining a workgroup or domain. The critical step was to do this on each machine within their individual machine groups. Configuring this in a custom or new configuration would not override what was set individually at each computer. That is what we did not understand.
The important thing here was to ensure that the computer name or computername section did contain the correct computer name for each target computer. This again is at each computer within its machine group.

After getting each individual computers configuration the way we wanted it, we learned not to include in our task the refresh configuration check box. Once we had each individual workstation configured like we wanted it, we did not want Ghost to refresh or change our settings. This was our solution it works perfectly now. It works all the time just as we hoped it would.

*Summary of key points.*
Use sysprep to join the computer to the domain. Use the computername=* and AdminPassword=* variables together in sysprep.inf. This allows the Windows mini setup to continue with out user intervention.

Ensure that each target computers default configuration is configured to not join a workgroup or domain (remember, let only sysprep do this). This must be verified by editing each machines configuration individually within its machine group. Dont depend on a new or custom configuration that youve created and applied to a task to override what is configured at the machine level.

Ensure that the computer name that you want the target computer to have is in the default configuration for that machine within its machine group. We really did not have to touch this because for the most part is ready to go. You may also choose the user name and computer description if you desire. Again this probably doesnt need to be changed.

Do not check refresh configuration when creating the Ghost Console Task.

On the Configuration Tab of the Ghost Console Task, select the default configuration radio button.

Execute the task and it works every time for us now. Now we start the task, walk away and when we come back the computer has its previous name, it is joined to the domain and ready to logon. What a relief!

If this helps you, please let me know.

Dave.


----------



## rvanmoorsel (Aug 25, 2006)

Hi,

Because a customer of mine also had the "failed to join domain" problem, I ended up in this forum. In my carreer I installed dozens of Ghost 7.5 servers so I knew where to look. But I couldn't resolve this issue. The hints in this forum helped me though. 
My problem was that someone made a policy where the local administrator account is renamed to something different. After I removed this option from the policy, everything worked like a charm!!! 
So yet another thing to check.....


----------



## cammj (Jan 12, 2007)

Seems like this problem hasnt been completely resolved.

Some questions to ask yourself..


Have you delegated permissions for the ghost user account (by default its GHOST_SERVER), to the appropriate OU in which the computers are contained?
Have you attempted to remove the computer from the domain via Active Directory Users and Computers BEFORE attempting to rejoin it?

To delegate permissions

Load active directory users and computers
Select the OU, and right click
Right click the OU in which the computers are to be contained. Select Delegate
Click next to the wizard
Select the ghost server user
Create custom delegation
Click next, and grant FULL CONTROL

Hope this helps.


----------



## kbnargel (Feb 20, 2007)

Very informative forum you guys got going here. 

We have just implemented the Ghost Console 8.3. We were able to fully automate the process via the console and ghostwalker (regenerating SIDs, renaming the machines, creating the accounts on the DC, joining the domain, and placing the machines in proper containers.) Even got it to execute some reg commands after the domain join to add an auto logon feature to some of our classrooms. Man what an improvement from bootable CD's and sysprep.

Our problem is our departmental communication. We do not have access to the AD to move machines around or take the machines off the DC (Windows 2003). When we want to run a task we have to get our server people to delete the machine accounts. Well, they are very busy, and are hard to get a hold of. We also like to image (Windows XP) our labs after hours and getting someone with the power to be around after hours is not going to happen. Blah Blah Blah

Is there any way to use the console to take the machines off the domian, or a server work around that will allow the ghost account to join the machines without deleting them off the DC first?

Any help on this would be greatly appreciated.


----------



## cammj (Jan 12, 2007)

you shouldnt need to. once a -managed- computer account has been created in active directory, you should be able to join that computer to the domain without requiring administrative privlidges.


----------

