February 6, 2023              Login  
Free Networking Monitoring Software For Network Management
SupportAdding Windows 7 PC to a Windows Domain     

Solution: Unsecure your Vista/Windows 7 PC, because after all, there's no way of pinpointing which of the millions of restrictions are preventing you from getting on with your life.

I admit that I have muddied the waters somewhat as another error I was receiving told me that the SRV record for my DC was not available in DNS*, but essentially I did the following:

  • Ensured that the problem was due to local rights by entering an intentionally incorrect domain administrator username and password - this gave a different error message
  • Opened MMC (mmc.exe) and added the Local Computer Policy snap-in (File menu).
  • Navigated to Computer Configuration\Windows Settings\Security Settings\Local Policies
  • Opened User Rights Assignments
  • Added the Administrators group to the right: Add workstations to domain
  • Opened Security Options
  • Disabled the option: Domain member: Digitally encrypt or sign secure channel data (always)
  • Disabled the option: Domain member: Disable machine account password changes
  • Disabled the option: User Account Control: Admin approval mode for the Built-in Administrator account
  • Set "Elevate without prompting" on: User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode
  • Disabled the option: User Account Control: Run all administrators in Admin Approval Mode
  • Opened Windows Firewall with Advanced Security
  • Switched off Windows Firewall for all three profiles
  • Ensured that my time settings and time zone were the same as the server's
  • Disable IPv6 if you don't have IPv6 DNS enabled in your network.

Note that once you've joined the domain, the local policy will become obsolete anyway.

Now Reboot. Although apparently happening live (Vista doesn't hesitate in putting up a red shield in the system tray as soon as you tweak the settings), the solution needs a restart. I only did this after reading that with UAC switched on, your administrative account actually runs Explorer with two security tokens, and most activities are performed using the plebian user token (so you're never really an admin) - this led me to think that the add to domain wizard was actually running in pleb mode. The restart worked and I was able to get myself on my domain. The end.

I must admit that it is a shame that Windows cannot tell you what settings are effecting a security block. The solution becomes one of all or nothing; my new-build apartment has a legally required smoke-detector just above the door to the kitchen - you know, that place where you make heat and smoke - consequently I've had to crippled it with a rubber item usually associated with birth control. So I am unprotected from fire in the living room and I am unprotected by Microsoft's new security features.

*the Access Denied and the DNS errors were appearing randomly on each try. The DNS one was caused by having my secondary DNS server set to my broadband router and my primary to the AD DC. Despite having the right entries in the local DNS cache (ipconfig /displaydns) the Windows add to domain wizard seems to have its own way of resolving names and doesn't seem to have any morals about using your secondary server first.

  Copyright 2013 by IT Support 4U - CompuSpace   Terms Of Use  Privacy Statement