Domain join during an unattended setup fails with an unexpected error message in computers that are running Windows 2000, Windows XP, or Windows Server 2003 (920599)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows XP Professional
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Web Edition

SYMPTOMS

You configure an unattended setup to install and join computers to a domain. These computers are running Microsoft Windows 2000, Microsoft Windows XP, or Microsoft Windows Server 2003. When you do this, you receive an error message that resembles the following:
An unexpected error has occurred while changing your computer's network identification. Would you like to proceed for now and try joining a domain later?

CAUSE

This problem occurs when the Kerberos version 5 protocol token for a user account that is listed in the unattended answer file is too large.

Consider the following scenario. A user who performs the domain join as specified in the unattended answer file is a member of a security group either directly or by membership in another security group. In this scenario, the security identifier (SID) for each security group is added to the user's token. The Kerberos token is used to communicate that a SID must be added to the user's token.

However, the Kerberos token has a fixed size. If the required SID information exceeds the size of the Kerberos token, authentication is unsuccessful. The number of security groups at which this occurs varies, but the minimum number is approximately 70 to 80 security groups.

For many operations, NTLM authentication succeeds. Also, the Kerberos authentication problem may not be easy to find without analysis. However, operations that include Group Policy settings do not work at all.

WORKAROUND

To work around this issue, modify the Hivesys.inf file in the i386 folder of the Windows distribution share.
Note: Editing .inf files incorrectly can cause fatal errors to occur during the Setup process. We recommend that you create a backup copy of the Hivesys.inf file before you modify the file.
  1. Use any text editor, such as Notepad, to open the Hivesys.inf file. This file is located in the i386 folder of the distribution share.
  2. Locate the following line:
    HKLM,"SYSTEM\CurrentControlSet\Control\MediaProperties",,0x00000012
  3. Above the line that you located in step 2, add a new line as follows:
    HKLM,"SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters","MaxTokenSize",0x00010003,0xffff
  4. Save and then close the file.
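
The following script is an added example, not part of the original article or of any Microsoft tooling. It performs steps 1 through 4 on a distribution share, creates the recommended backup first, and does nothing if a MaxTokenSize entry is already present. The function names, the .bak suffix, and the encoding handling are assumptions of this example.

```python
import shutil
from pathlib import Path

# Both lines are copied from steps 2 and 3 of the workaround.
ANCHOR = r'HKLM,"SYSTEM\CurrentControlSet\Control\MediaProperties",,0x00000012'
NEW_LINE = (r'HKLM,"SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters",'
            r'"MaxTokenSize",0x00010003,0xffff')  # 0xffff = 65535

def add_max_token_size(text):
    """Return (new_text, changed); inserts NEW_LINE directly above ANCHOR."""
    lines = text.splitlines(keepends=True)
    for line in lines:
        # An active (not ';'-commented) MaxTokenSize entry means step 3 is done.
        if '"maxtokensize"' in line.lower() and not line.lstrip().startswith(';'):
            return text, False
    hits = [i for i, l in enumerate(lines) if l.strip().lower() == ANCHOR.lower()]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one anchor line, found {len(hits)}")
    anchor = lines[hits[0]]
    indent = anchor[:len(anchor) - len(anchor.lstrip())]
    eol = anchor[len(anchor.rstrip('\r\n')):] or '\r\n'  # reuse the file's line ending
    lines.insert(hits[0], indent + NEW_LINE + eol)
    return ''.join(lines), True

def patch_hivesys(path):
    """Patch the file in place, writing <name>.bak first. Returns True if changed."""
    path = Path(path)
    raw = path.read_bytes()
    # Assumption: the file is UTF-16 with a BOM or a single-byte code page.
    # latin-1 round-trips every byte, so untouched lines are written back unchanged.
    enc = {b'\xff\xfe': 'utf-16-le', b'\xfe\xff': 'utf-16-be'}.get(raw[:2], 'latin-1')
    new_text, changed = add_max_token_size(raw.decode(enc))
    if changed:
        shutil.copy2(path, path.with_name(path.name + '.bak'))  # backup, per the Note
        path.write_bytes(new_text.encode(enc))
    return changed

if __name__ == "__main__":
    # Constructed sample, not the real Hivesys.inf contents.
    sample = '[AddReg]\r\n' + ANCHOR + '\r\n'
    print(add_max_token_size(sample)[0])
```

Because the script refuses to edit the file unless the line from step 2 appears exactly once, a distribution share whose Hivesys.inf differs from what the article expects is left untouched.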

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For more information about how to perform an unattended installation of Windows 2000 from a CD-ROM, click the following article number to view the article in the Microsoft Knowledge Base:

216258 How to perform an unattended installation of Windows from a CD-ROM

For more information about how to perform an unattended installation of Windows XP from a CD-ROM, click the following article number to view the article in the Microsoft Knowledge Base:

314459 How to perform an unattended installation of Windows from a CD-ROM

For more information about how to use Setup Manager to create an answer file in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

323438 How to use Setup Manager to create an answer file in Windows Server 2003

For more information about unattended setup parameters for the Unattend.txt file, click the following article number to view the article in the Microsoft Knowledge Base:

155197 Unattended setup parameters for Unattend.txt file


Modification Type: Major
Last Reviewed: 7/7/2006
Keywords:kbtshoot kbprb KB920599 kbAudDeveloper