Koozali.org: home of the SME Server

Need help: (Re-)Join domain gives error - NetJoinLegacyAccountReuse=1 doesn't help

solved: see after point 8

now the third day of finding the solution:
Win10 machine, current win10 build - network with several win10 clients and koozali sme server 10.1.
1. Changed domain of workstation pc to another server in the same network (i tried Zentyal AD).
2. left the new domain and want to go back to the previous koozali-smeserver domain by the standard win10 process using my admin account and correct pw.
3. always get error: "An account with this name exists in active directory. Reuse of the account was blocked by a security policy."

4. Tried adding, removing, adding, re... NetJoinLegacyAccountReuse = 0x1 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
4a: tried latest win10samba.reg

5. changed PC name several times and tried again: same result
6. restarted pc: several times
7. have read: https://support.microsoft.com/en-gb/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8

8: Followed the "behavior since August 13, 2024" steps
=> Under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, double-click Domain controller: Allow computer account re-use during domain join.
Added local admin-group and local users group (not admin user) of workstation.
ran: gpupdate /force   , restart pc.

still same error.
does anyone know how to solve the problem?


SOLUTION FOUND:
edit /etc/samba/smb.conf
Delete all rows with workstation names you ever used for this workstation. Then try again to connect to the domain. Success.



Content of c:\windows\debug\netsetup.log
08/25/2024 10:35:55:402 -----------------------------------------------------------------
08/25/2024 10:35:55:402 NetpValidateName: checking to see if 'PC01' is valid as type 1 name
08/25/2024 10:35:55:402 NetpCheckNetBiosNameNotInUse for 'PC01' [MACHINE] returned 0x0
08/25/2024 10:35:55:402 NetpValidateName: name 'PC01' is valid for type 1
08/25/2024 10:35:55:402 -----------------------------------------------------------------
08/25/2024 10:35:55:402 NetpValidateName: checking to see if 'PC01' is valid as type 5 name
08/25/2024 10:35:55:402 NetpValidateName: name 'PC01' is valid for type 5
08/25/2024 10:35:55:402 -----------------------------------------------------------------
08/25/2024 10:35:55:402 NetpValidateName: checking to see if 'STGSMCM' is valid as type 3 name
08/25/2024 10:35:55:464 NetpCheckDomainNameIsValid [ Exists ] for 'STGSMCM' returned 0x0
08/25/2024 10:35:55:464 NetpValidateName: name 'STGSMCM' is valid for type 3
08/25/2024 10:36:02:433 -----------------------------------------------------------------
08/25/2024 10:36:02:433 NetpDoDomainJoin
08/25/2024 10:36:02:433 NetpDoDomainJoin: using current computer names
08/25/2024 10:36:02:433 NetpDoDomainJoin: NetpGetComputerNameEx(NetBios) returned 0x0
08/25/2024 10:36:02:433 NetpDoDomainJoin: NetpGetComputerNameEx(DnsHostName) returned 0x0
08/25/2024 10:36:02:433 NetpMachineValidToJoin: 'PC01'
08/25/2024 10:36:02:433    OS Version: 10.0
08/25/2024 10:36:02:433    Build number: 19045 (19041.vb_release.191206-1406)
08/25/2024 10:36:02:433    SKU: Windows 10 Pro
08/25/2024 10:36:02:433    Architecture: 64-bit (AMD64)
08/25/2024 10:36:02:433 NetpMachineValidToJoin: status: 0x0
08/25/2024 10:36:02:433 NetpJoinDomain
08/25/2024 10:36:02:433    HostName: PC01
08/25/2024 10:36:02:433    NetbiosName: PC01
08/25/2024 10:36:02:433    Domain: STGSMCM
08/25/2024 10:36:02:433    MachineAccountOU: (NULL)
08/25/2024 10:36:02:433    Account: STGSMCM\admin
08/25/2024 10:36:02:433    Options: 0x25
08/25/2024 10:36:02:433 NetpValidateName: checking to see if 'STGSMCM' is valid as type 3 name
08/25/2024 10:36:02:495 NetpCheckDomainNameIsValid [ Exists ] for 'STGSMCM' returned 0x0
08/25/2024 10:36:02:495 NetpValidateName: name 'STGSMCM' is valid for type 3
08/25/2024 10:36:02:495 NetpDsGetDcName: trying to find DC in domain 'STGSMCM', flags: 0x1020
08/25/2024 10:36:03:215 NetpDsGetDcName: found DC '\\STGSVR01' in the specified domain
08/25/2024 10:36:03:215 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
08/25/2024 10:36:03:215 NetpDisableIDNEncoding: using FQDN STGSMCM from dcinfo
08/25/2024 10:36:03:215 NetpDisableIDNEncoding: DnsDisableIdnEncoding(UNTILREBOOT) on 'STGSMCM' succeeded
08/25/2024 10:36:03:215 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
08/25/2024 10:36:04:246 NetpJoinDomainOnDs: status of connecting to dc '\\STGSVR01': 0x0
08/25/2024 10:36:04:246 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: STGSMCM
08/25/2024 10:36:04:246 NetpProvisionComputerAccount:
08/25/2024 10:36:04:246    lpDomain: STGSMCM
08/25/2024 10:36:04:246    lpHostName: PC01
08/25/2024 10:36:04:246    lpMachineAccountOU: (NULL)
08/25/2024 10:36:04:246    lpDcName: STGSVR01
08/25/2024 10:36:04:246    lpMachinePassword: (null)
08/25/2024 10:36:04:246    lpAccount: STGSMCM\admin
08/25/2024 10:36:04:246    lpPassword: (non-null)
08/25/2024 10:36:04:246    dwJoinOptions: 0x25
08/25/2024 10:36:04:246    dwOptions: 0x40000003
08/25/2024 10:36:05:261 NetpLdapBind: ldap_bind failed on STGSVR01: 49: Ungültige Anmeldeinformationen
08/25/2024 10:36:05:277 NetpCheckForDomainSIDCollision: returning 0x0(0).
08/25/2024 10:36:05:277 NetpCreateComputerObjectInDs: DC passed '\\STGSVR01' doesn't have writable DS 0x101
08/25/2024 10:36:05:277 NetpProvisionComputerAccount: LDAP creation failed: 0x32
08/25/2024 10:36:05:277 NetpJoinCreatePackagePart: status:0x32.
08/25/2024 10:36:05:277 NetpJoinDomainOnDs: Function exits with status of: 0x32
08/25/2024 10:36:05:277 NetpJoinDomainOnDs: status of disconnecting from '\\STGSVR01': 0x0
08/25/2024 10:36:05:277 NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'STGSMCM' returned 0x0
08/25/2024 10:36:05:277 NetpJoinDomainOnDs: NetpResetIDNEncoding on 'STGSMCM': 0x0
08/25/2024 10:36:05:277 NetpDoDomainJoin: status: 0x32
08/25/2024 10:36:05:277 -----------------------------------------------------------------
08/25/2024 10:36:05:277 NetpDoDomainJoin
08/25/2024 10:36:05:277 NetpDoDomainJoin: using current computer names
08/25/2024 10:36:05:277 NetpDoDomainJoin: NetpGetComputerNameEx(NetBios) returned 0x0
08/25/2024 10:36:05:277 NetpDoDomainJoin: NetpGetComputerNameEx(DnsHostName) returned 0x0
08/25/2024 10:36:05:277 NetpMachineValidToJoin: 'PC01'
08/25/2024 10:36:05:277    OS Version: 10.0
08/25/2024 10:36:05:277    Build number: 19045 (19041.vb_release.191206-1406)
08/25/2024 10:36:05:277    SKU: Windows 10 Pro
08/25/2024 10:36:05:277    Architecture: 64-bit (AMD64)
08/25/2024 10:36:05:277 NetpMachineValidToJoin: status: 0x0
08/25/2024 10:36:05:277 NetpJoinDomain
08/25/2024 10:36:05:277    HostName: PC01
08/25/2024 10:36:05:277    NetbiosName: PC01
08/25/2024 10:36:05:277    Domain: STGSMCM
08/25/2024 10:36:05:277    MachineAccountOU: (NULL)
08/25/2024 10:36:05:277    Account: STGSMCM\admin
08/25/2024 10:36:05:277    Options: 0x27
08/25/2024 10:36:05:277 NetpValidateName: checking to see if 'STGSMCM' is valid as type 3 name
08/25/2024 10:36:05:339 NetpCheckDomainNameIsValid [ Exists ] for 'STGSMCM' returned 0x0
08/25/2024 10:36:05:339 NetpValidateName: name 'STGSMCM' is valid for type 3
08/25/2024 10:36:05:339 NetpDsGetDcName: trying to find DC in domain 'STGSMCM', flags: 0x1020
08/25/2024 10:36:05:511 NetpDsGetDcName: found DC '\\STGSVR01' in the specified domain
08/25/2024 10:36:05:511 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
08/25/2024 10:36:05:511 NetpDisableIDNEncoding: using FQDN STGSMCM from dcinfo
08/25/2024 10:36:05:511 NetpDisableIDNEncoding: DnsDisableIdnEncoding(UNTILREBOOT) on 'STGSMCM' succeeded
08/25/2024 10:36:05:511 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
08/25/2024 10:36:05:511 NetpJoinDomainOnDs: status of connecting to dc '\\STGSVR01': 0x0
08/25/2024 10:36:05:511 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: STGSMCM
08/25/2024 10:36:05:511 NetpProvisionComputerAccount:
08/25/2024 10:36:05:511    lpDomain: STGSMCM
08/25/2024 10:36:05:511    lpHostName: PC01
08/25/2024 10:36:05:511    lpMachineAccountOU: (NULL)
08/25/2024 10:36:05:511    lpDcName: STGSVR01
08/25/2024 10:36:05:511    lpMachinePassword: (null)
08/25/2024 10:36:05:511    lpAccount: STGSMCM\admin
08/25/2024 10:36:05:511    lpPassword: (non-null)
08/25/2024 10:36:05:511    dwJoinOptions: 0x27
08/25/2024 10:36:05:511    dwOptions: 0x40000003
08/25/2024 10:36:06:511 NetpLdapBind: ldap_bind failed on STGSVR01: 49: Ungültige Anmeldeinformationen
08/25/2024 10:36:06:527 NetpCheckForDomainSIDCollision: returning 0x0(0).
08/25/2024 10:36:06:527 NetpCreateComputerObjectInDs: DC passed '\\STGSVR01' doesn't have writable DS 0x101
08/25/2024 10:36:06:527 NetpProvisionComputerAccount: LDAP creation failed: 0x32
08/25/2024 10:36:06:527 NetpProvisionComputerAccount: Retrying downlevel per options
08/25/2024 10:36:06:527 NetpManageMachineAccountWithSid: NetUserAdd on 'STGSVR01' for 'PC01$' failed: 0x8b0
08/25/2024 10:36:06:527 NetpManageMachineAccountWithSid: The computer account already exists in Active Directory.Re-using the account was blocked by security policy.
08/25/2024 10:36:06:527 NetpProvisionComputerAccount: retry status of creating account: 0xaac
08/25/2024 10:36:06:527 NetpJoinCreatePackagePart: status:0xaac.
08/25/2024 10:36:06:527 NetpJoinDomainOnDs: Function exits with status of: 0xaac
08/25/2024 10:36:06:527 NetpJoinDomainOnDs: status of disconnecting from '\\STGSVR01': 0x0
08/25/2024 10:36:06:527 NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'STGSMCM' returned 0x0
08/25/2024 10:36:06:527 NetpJoinDomainOnDs: NetpResetIDNEncoding on 'STGSMCM': 0x0
08/25/2024 10:36:06:527 NetpDoDomainJoin: status: 0xaac
« Last Edit: August 25, 2024, 02:04:35 PM by thomas.krueger »
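As an added example (not from the thread or from the SME Server project), here is a small POSIX shell triage for a netsetup.log like the one above. It pulls the final NetpDoDomainJoin status and the machine account that the downlevel NetUserAdd call refused, maps the codes that appear in this log to their NetAPI names, and prints the pdbedit removal step from the thread as the suggested fix. The sample lines are constructed from the log quoted above; the hostnames are the ones in that log and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: triage the tail of a Windows
# netsetup.log after a failed domain join against a Samba DC.
# Hostnames and account names below come from the log quoted in the thread;
# the function names are this example's own.

# Constructed sample: the decisive lines of the second join attempt.
sample_log() {
cat <<'EOF'
08/25/2024 10:36:06:511 NetpLdapBind: ldap_bind failed on STGSVR01: 49: Ungültige Anmeldeinformationen
08/25/2024 10:36:06:527 NetpCreateComputerObjectInDs: DC passed '\\STGSVR01' doesn't have writable DS 0x101
08/25/2024 10:36:06:527 NetpProvisionComputerAccount: LDAP creation failed: 0x32
08/25/2024 10:36:06:527 NetpProvisionComputerAccount: Retrying downlevel per options
08/25/2024 10:36:06:527 NetpManageMachineAccountWithSid: NetUserAdd on 'STGSVR01' for 'PC01$' failed: 0x8b0
08/25/2024 10:36:06:527 NetpDoDomainJoin: status: 0xaac
EOF
}

# Final status of the last join attempt recorded in the log read from stdin.
join_status() {
  awk '/NetpDoDomainJoin: status:/ { code = $NF } END { print code }'
}

# Machine account that the downlevel NetUserAdd call refused to create (e.g. PC01$).
blocked_account() {
  sed -n "s/.*NetUserAdd on '[^']*' for '\([^']*\)' failed:.*/\1/p" | tail -n 1
}

# Human-readable meaning of the NetAPI/Win32 codes that occur in this log.
describe_code() {
  case "$1" in
    0x0)   echo "NERR_Success: join completed" ;;
    0x32)  echo "ERROR_NOT_SUPPORTED: the DC offers no writable directory service, so LDAP provisioning is skipped" ;;
    0x8b0) echo "NERR_UserExists: a machine account with this name is already in the DC's passdb" ;;
    0xaac) echo "NERR_AccountReuseBlockedByPolicy: re-use of that account is refused by the KB5020276 hardening" ;;
    *)     echo "unknown status $1" ;;
  esac
}

# The remediation used in the thread: remove the stale trust account on the SME Server.
suggest_fix() {
  printf "pdbedit -x '%s'\n" "$1"
}

# Stand-alone run: triage the constructed sample.
triage() {
  status=$(sample_log | join_status)
  account=$(sample_log | blocked_account)
  echo "join status $status: $(describe_code "$status")"
  if [ "$status" = "0xaac" ] && [ -n "$account" ]; then
    echo "stale account: $account"
    echo "on the DC, run: $(suggest_fix "$account")"
  fi
}
triage
```

On a real machine, replace `sample_log` with `cat C:/Windows/debug/netsetup.log` (for example from Git Bash or WSL) and keep the rest; the 0x32 followed by 0x8b0 and 0xaac sequence is the signature of a left-over trust account on the Samba side, which the client-side registry and policy changes in the first post cannot clear.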

Offline Jean-Philippe Pialasse

  • *
  • 2,844
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
we miss a way to remove a workstation from db

happy to see that it worked to only remove it from smb.conf but it is indeed also stored in
- account db
- ldap
- samba account files

you could open a bug for that against SME 11 with a link to this forum thread

Offline gaetan30

  • *
  • 24
  • +0/-0
Hi,

Could you explain how you solved this issue? Same here w/o any solution...

Offline bunkobugsy

  • *
  • 290
  • +4/-0
After running pdbedit -x pc$, domain joining works again.

This removes pc machine account from /etc/samba/smbpasswd
https://wiki.koozali.org/Windows_10_Support#Windows_10_and_Windows_11_issues_joining_domains

There is no signaling from windows side upon leaving a domain so no other way to fix this in SME.
https://samba.samba.narkive.com/bn5LLja6/feature-request-delete-machine-script
« Last Edit: September 25, 2024, 07:58:46 AM by bunkobugsy »

Offline nicolatiana

  • *
  • 724
  • +0/-0
I'll give you some more details later but I fear we're going to face this:

https://answers.microsoft.com/en-us/windowserver/forum/all/window-11-24h2-cant-join-domain/0e418272-f9e8-4cdf-b195-22fe75f2a967

Quote
I think they removed the ability to connect to a single label domain in 24H2

The post is related to a WIN<->WIN join but i'm facing it trying to join a W11 24H2 brand-new Dell to a SME10 DC.

Unfortunately the machine has been packaged by Dell in august and so removing all updates leaves you at 24H2 level.
Consultant at Smeserver.it - Solutions and support for SME Server in Italy.

Offline bunkobugsy

  • *
  • 290
  • +4/-0
https://www.wincert.net/networking/cant-join-pc-to-a-domain-single-label-dns/

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\AllowSingleLabelDnsDomain obsoleted?

Offline nicolatiana

  • *
  • 724
  • +0/-0
https://www.wincert.net/networking/cant-join-pc-to-a-domain-single-label-dns/

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\AllowSingleLabelDnsDomain obsoleted?


Unfortunately yes .....  :(
Consultant at Smeserver.it - Solutions and support for SME Server in Italy.

Offline axessit

  • ****
  • 213
  • +0/-0
So after struggling with this on a new build for a day, I can confirm I managed to get my Win10 22H2 to join. Not sure completely what worked, but I did it in this sequence.

Normal Domain join errored.
ran secpol.msc, went to Security Settings->Local Policies->Security Options->Domain controller: Allow computer account re-use during domain join and added Everyone as a group (yeah, I know, but it kept reverting the settings, so all good).
You should get something like
Quote
O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;WD)
ending up in there.

Ran regedit and checked/edited HKLM\System\CCC\Services\Netlogon\Parameters and entered the Dword NetJoinLegacyAccountReuse and set to 1

Ran domain join and it failed.

SSH into SME and just ran
Quote
pdbedit -x pcname$
. Did not remove using any other commands (important) such as /usr/bin/smbpasswd etc (there are 4 commands to manually remove machine accounts completely - as I said, do not do this)

Then ran powershell as admin on machine and ran
Quote
add-computer -Domainname "homenet" -restart
(swap out homenet for your actual domain of course) and the computer restarted - voila! I've now joined my domain.

If it helps anyone else, if not, it helps me find it again. :shock:

Offline zadoch

  • 1
  • +0/-0
when trying to join W11 to sme domain controller you must leave the error message to happen, then in your sme server run:
pdbedit -m -x (computer name)

that works for me

Offline ReetP

  • *
  • 3,871
  • +5/-0
Someone please open a bug.

I'm writing some basic test code to look for errors and ways to manage this and other user/group sync errors.

Any idea what pdbedit command will show machine accounts?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
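As an added example (not part of the thread or of SME Server), the following POSIX shell helper covers the pdbedit side of the fix that bunkobugsy, axessit and zadoch describe and the listing question asked above: it filters a `pdbedit -L` listing down to machine (trust) accounts, checks whether the workstation being joined already has one, and prints the single `pdbedit -x HOST$` removal step from the thread, so the operator confirms the name before anything is deleted. It assumes `pdbedit -L` prints one account per line as name:uid:fullname and that machine accounts are named after the upper-case NetBIOS name with a trailing `$`; the listing below is constructed and its hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the SME Server project: find and
# remove a stale machine (trust) account in the Samba passdb before retrying
# a domain join. It assumes `pdbedit -L` prints one account per line as
# name:uid:fullname, with machine accounts named HOST$. The listing below is
# constructed; the hostnames in it are placeholders.

# Constructed sample of `pdbedit -L` output on an SME Server.
sample_pdbedit_list() {
cat <<'EOF'
admin:1000:admin
alice:1001:Alice Example
PC01$:1002:PC01$
OLDPC$:1003:OLDPC$
bob:1004:Bob Example
EOF
}

# Print only machine accounts (passdb names ending in '$') from a listing on stdin.
machine_accounts() {
  awk -F: '$1 ~ /\$$/ { print $1 }'
}

# Trust accounts carry the NetBIOS name, which is upper case; normalise the
# argument the same way and append the trailing '$'.
trust_name() {
  printf '%s$' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Succeed if the listing on stdin already holds a trust account for HOST.
has_machine_account() {
  machine_accounts | grep -qxF -- "$(trust_name "$1")"
}

# Removal command from the thread (pdbedit -x HOST$). With DRY_RUN set it is
# only printed, so the operator can confirm the name before touching the passdb.
remove_machine_account() {
  name=$(trust_name "$1")
  if [ -n "$DRY_RUN" ]; then
    printf "pdbedit -x '%s'\n" "$name"
  else
    pdbedit -x "$name"
  fi
}

# Stand-alone run against the constructed listing.
echo "machine accounts in passdb:"
sample_pdbedit_list | machine_accounts
if sample_pdbedit_list | has_machine_account pc01; then
  echo "PC01 already has a trust account; to clear it before re-joining run:"
  DRY_RUN=1 remove_machine_account pc01
fi
```

On the server itself, replace `sample_pdbedit_list` with `pdbedit -L`; running `remove_machine_account` without DRY_RUN executes the same `pdbedit -x` the posts above use, and nothing else, which matches axessit's advice not to combine it with the other manual removal commands.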