Koozali.org: home of the SME Server

SME 10.1 as DC: issues joining Win 10 pro (22H2) to domain since mid-March 2023

Curtis

I hope I'm not the only one experiencing this issue: SME 10.1 domain join of Win 10 pro workstation fails.

Multiple Win 10 workstations that were joined to our domain prior to March 2023 remain joined and work as expected.  Attempts to join the additional workstation fail with the server responding that the account already exists (it did not).  I tried joining the workstation using a different computer name to no avail.  To provide the user of this machine some access to the SME shared files, I simply created a local user account and configured his machine as a member of a workgroup, named identically to our SME domain.  Works, but not ideal.   

Prior to join attempts, I had applied the registry patch below, per https://forums.koozali.org/index.php/topic,54948.msg289206.html

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NetJoinLegacyAccountReuse"=dword:00000001

It is my understanding that Microsoft intends to disable the NetJoinLegacyAccountReuse key function. Their guidance regarding the March 14th updates reads: "If you deployed the NetJoinLegacyAccountReuse key on your clients and set it to value 1, you must now remove that key (or set it to 0) to benefit from the latest changes."

Additional changes that will impact netlogon and more are imminent, per https://techcommunity.microsoft.com/t5/windows-it-pro-blog/latest-windows-hardening-guidance-and-key-dates/ba-p/3807832

I'm not seeking a solution, per se, but I am curious as to what SME features Microsoft might break next. Are there workarounds to allow Win 10 (and 11) domain join on SME 10.1 in the near term? Looking forward to your replies.

Thanks, Curt
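
An added example, not part of the original post and not Koozali or Microsoft code: a small Python audit of a .reg file that reports what importing it would do to the NetJoinLegacyAccountReuse value from the post above, in line with the quoted guidance that the value should be removed or set to 0. The sample .reg text and the function names are constructed for illustration.

```python
import re

# Key and value quoted in the post above.
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "NetJoinLegacyAccountReuse"

# Constructed sample input; NOT the contents of win10samba.reg.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed sample
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NetJoinLegacyAccountReuse"=dword:00000001
'''

def parse_reg(text):
    """Map lower-cased key path -> {lower-cased value name: data}.
    data is an int for dword, None for a deleted value ("name"=-), else raw text.
    A key deleted with [-KEY] maps to None."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[(-?)(.+)\]", line)
        if section:
            path = section.group(2).lower()
            if section.group(1):            # [-KEY] removes the whole key
                keys[path], current = None, None
            else:
                if keys.get(path) is None:
                    keys[path] = {}
                current = keys[path]
            continue
        value = re.fullmatch(r'"([^"]+)"\s*=\s*(.+)', line)
        if value and current is not None:   # comments and blank lines fall through
            data = value.group(2).strip()
            dword = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", data)
            current[value.group(1).lower()] = (
                int(dword.group(1), 16) if dword else None if data == "-" else data)
    return keys

def audit(text):
    """State NetJoinLegacyAccountReuse would be left in after importing this text."""
    values = parse_reg(text).get(LSA_KEY.lower(), {})
    if values is None:
        return "removed"
    if VALUE_NAME.lower() not in values:
        return "untouched"
    data = values[VALUE_NAME.lower()]
    if data is None:
        return "removed"
    return {1: "enabled", 0: "disabled"}.get(data, "unexpected")
```

A result of "enabled" means the file turns the legacy account reuse override on, which is the setting the quoted guidance says to remove or set to 0.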


jayraym

Hi,
Exact same problem here and I can't figure it out unfortunately.
If I find anything, I'll post it here.

Cheers,
J.

bunkobugsy

Reapplying latest win10samba.reg still works for me on rejoining computer with same name or other.

jayraym

From my limited testing: I also was able to rejoin an old Windows 10 that was previously on the domain, but no luck with new Windows 11 computers.

Curtis

Thank you, bunkobugsy and jayraym, for your replies.

It's very interesting that it works for one person, but not another.  Now I'm curious to learn if your SME 10.1 domain accounts and such were created from scratch or if they were migrated from SME 9.2 (as mine were)? 

Perhaps I need to do some more digging.  Will follow up if I find anything interesting. 


bunkobugsy

Did you migrate with latest https://wiki.koozali.org/Migratehelper ?
Otherwise domain memberships get lost.
See https://bugs.koozali.org/show_bug.cgi?id=11706

You probably need to unjoin, apply win10samba.reg patch, restart and rejoin to domain with every PC.

Curtis

> Did you migrate with latest https://wiki.koozali.org/Migratehelper ?
> Otherwise domain memberships get lost.
> See https://bugs.koozali.org/show_bug.cgi?id=11706
>
> You probably need to unjoin, apply win10samba.reg patch, restart and rejoin to domain with every PC.

I did use whatever migratehelper version was available early in March of this year.  At the moment I'm hesitant to unjoin any workstation still joined, due to previous results.  Will have to bite the bullet and fix it properly when time permits. 

Thanks again!

bunkobugsy

Fully updated Win10 rejoin still works as expected for me just by using latest win10samba.reg