Access Denied Joining Domain

I've had a Windows 2003 network running for about 5 months now. I have 50
machines that have been using the domain just fine for that time. I had a
user come to me this morning, complaining that they could not see their map
drives. I sat at the machine for a while and observed the following:
1. The drives map, but you receive an "access denied" when trying to access
the drives
2. If you try to map additional drives, you are prompted for
username/password. Even after correct authentication, you are continuously
prompted

I disjoined the machine from the domain, removed the computer account and
attempted to rejoin the domain. When I attempt to join the domain, I am
prompted for username/password as normal. However, after providing
credentials, I recieve an error box that is titled "Computer name changes".
The error reads "The following error occurred atempting to join the domain
"domain" Access Denied.

Nothing appears the event viewer. The machine is pointing to the 2k3 DC for
DNS. I've run Netdiag and DCDiag on the DC, both show no errors. The event
viewer on the server does not record any errors.

Any help is appreciated. I'm running out of things to try.

Thanks,
Josh

Is the time on the PC within 5 minutes of the time on the Domain Controller ?

"JD" wrote:

> I've had a Windows 2003 network running for about 5 months now. I have 50
> machines that have been using the domain just fine for that time. I had a
> user come to me this morning, complaining that they could not see their map
> drives. I sat at the machine for a while and observed the following:
> 1. The drives map, but you receive an "access denied" when trying to access
> the drives
> 2. If you try to map additional drives, you are prompted for
> username/password. Even after correct authentication, you are continuously
> prompted
>
> I disjoined the machine from the domain, removed the computer account and
> attempted to rejoin the domain. When I attempt to join the domain, I am
> prompted for username/password as normal. However, after providing
> credentials, I recieve an error box that is titled "Computer name changes".
> The error reads "The following error occurred atempting to join the domain
> "domain" Access Denied.
>
> Nothing appears the event viewer. The machine is pointing to the 2k3 DC for
> DNS. I've run Netdiag and DCDiag on the DC, both show no errors. The event
> viewer on the server does not record any errors.
>
> Any help is appreciated. I'm running out of things to try.
>
> Thanks,
> Josh
>
>
>

JD.
I suspect the SMB signing configuration is the problem here.
Check the following registry values on both the workstation and the DC.
HKLM\system\ccs\services\lanmanserver\parameters
HKLM\system\ccs\services\lanmanworkstation\parameters

Requiresecuitysignature
Enablesecuritysignature

With windows networking, the workstation service on the client initiates
communication with the server service on the server. (this is the same
during a domain join). If the workstation service requires SMB signing,
then the server service must have SMB signing enabled.
If the server service requires SMB signing, then the workstation service
must have it enabled.

these are policies set through group policy. So if you edit the registry
manually, it is likely the settinng will revert back when policy applies

Since you indicate the workstation used to work, it is likely either the
workstation service now requires SMB signing, and the server service on the
DC has SMB signing disabled, OR the the workstation service on the
workstation now has SMB signing disabled, and it is required on the DC.

If you are unsure what settings are compatable with what, then post the
enablesecuritysignature and requiresecuritysignature values for both
lanmanserver and lanmanworkstatiob from the workstation and DC to this
thread.

--
Glenn L
CCNA, MCSE 2000/2003 + Security

"PaulM" <PaulM@discussions.microsoft.com> wrote in message
news:1E9C0242-04F5-434F-A28D-DDBAC3097525@microsoft.com...
> Is the time on the PC within 5 minutes of the time on the Domain
> Controller ?
>
> "JD" wrote:
>
>> I've had a Windows 2003 network running for about 5 months now. I have
>> 50
>> machines that have been using the domain just fine for that time. I had
>> a
>> user come to me this morning, complaining that they could not see their
>> map
>> drives. I sat at the machine for a while and observed the following:
>> 1. The drives map, but you receive an "access denied" when trying to
>> access
>> the drives
>> 2. If you try to map additional drives, you are prompted for
>> username/password. Even after correct authentication, you are
>> continuously
>> prompted
>>
>> I disjoined the machine from the domain, removed the computer account and
>> attempted to rejoin the domain. When I attempt to join the domain, I am
>> prompted for username/password as normal. However, after providing
>> credentials, I recieve an error box that is titled "Computer name
>> changes".
>> The error reads "The following error occurred atempting to join the
>> domain
>> "domain" Access Denied.
>>
>> Nothing appears the event viewer. The machine is pointing to the 2k3 DC
>> for
>> DNS. I've run Netdiag and DCDiag on the DC, both show no errors. The
>> event
>> viewer on the server does not record any errors.
>>
>> Any help is appreciated. I'm running out of things to try.
>>
>> Thanks,
>> Josh
>>
>>
>>

Thanks Glenn, enabling the SMB signing on the workstation seems to have
worked. I checked, and for some reason there was a GPO disabling it.
Apparently, it was disabled, and when this machine was disjoined from the
domain, the setting stuck with it.

After I followed your suggestions, I searched the knowledgebase and found
this document regarding SMB signing.
http://support.microsoft.com/default...b;en-us;199714
Maybe they should update it to include the errors I was receiving:)

Thanks again,

Josh


"Glenn L" <the.only(delete)@gmail dot com> wrote in message
news:OY7gsw95EHA.796@TK2MSFTNGP09.phx.gbl...
> JD.
> I suspect the SMB signing configuration is the problem here.
> Check the following registry values on both the workstation and the DC.
> HKLM\system\ccs\services\lanmanserver\parameters
> HKLM\system\ccs\services\lanmanworkstation\parameters
>
> Requiresecuitysignature
> Enablesecuritysignature
>
> With windows networking, the workstation service on the client initiates
> communication with the server service on the server. (this is the same
> during a domain join). If the workstation service requires SMB signing,
> then the server service must have SMB signing enabled.
> If the server service requires SMB signing, then the workstation service
> must have it enabled.
>
> these are policies set through group policy. So if you edit the registry
> manually, it is likely the settinng will revert back when policy applies
>
> Since you indicate the workstation used to work, it is likely either the
> workstation service now requires SMB signing, and the server service on
> the DC has SMB signing disabled, OR the the workstation service on the
> workstation now has SMB signing disabled, and it is required on the DC.
>
> If you are unsure what settings are compatable with what, then post the
> enablesecuritysignature and requiresecuritysignature values for both
> lanmanserver and lanmanworkstatiob from the workstation and DC to this
> thread.
>
> --
> Glenn L
> CCNA, MCSE 2000/2003 + Security
>
> "PaulM" <PaulM@discussions.microsoft.com> wrote in message
> news:1E9C0242-04F5-434F-A28D-DDBAC3097525@microsoft.com...
>> Is the time on the PC within 5 minutes of the time on the Domain
>> Controller ?
>>
>> "JD" wrote:
>>
>>> I've had a Windows 2003 network running for about 5 months now. I have
>>> 50
>>> machines that have been using the domain just fine for that time. I had
>>> a
>>> user come to me this morning, complaining that they could not see their
>>> map
>>> drives. I sat at the machine for a while and observed the following:
>>> 1. The drives map, but you receive an "access denied" when trying to
>>> access
>>> the drives
>>> 2. If you try to map additional drives, you are prompted for
>>> username/password. Even after correct authentication, you are
>>> continuously
>>> prompted
>>>
>>> I disjoined the machine from the domain, removed the computer account
>>> and
>>> attempted to rejoin the domain. When I attempt to join the domain, I am
>>> prompted for username/password as normal. However, after providing
>>> credentials, I recieve an error box that is titled "Computer name
>>> changes".
>>> The error reads "The following error occurred atempting to join the
>>> domain
>>> "domain" Access Denied.
>>>
>>> Nothing appears the event viewer. The machine is pointing to the 2k3 DC
>>> for
>>> DNS. I've run Netdiag and DCDiag on the DC, both show no errors. The
>>> event
>>> viewer on the server does not record any errors.
>>>
>>> Any help is appreciated. I'm running out of things to try.
>>>
>>> Thanks,
>>> Josh
>>>
>>>
>>>
>
>

[mackenzielino]

Oh
Mah
Gawd....

thank you, this just wrapped up 4 hours of turmoil.

This worked. I only changed the settings on the workstation, to match those of the domain controller, rebooted, and tried again.