Problems with existing AD UCS domain in combination with Windows 11

I installed an ARM Win11 under Parallels 17.1.1 on a new Apple computer and included this device in the domain that has existed for years. Even that only worked after a few attempts, although it was initially unclear what the cause was.
At the end of this join process, the following error message appeared on Windows:
[Screenshot: "Computer Name/Domain Changes" dialog]

However, the computer was registered in the domain but no domain user or administrator can log on. There is always an error message in the GUI “Incorrect login name or password” or “System Error 5” in the terminal.

There is no DNS forward and reverse zone stored in the AD for this computer.
If I want to add this manually via the GUI, an IP address is always required to be entered. This makes no sense for a workstation that can get its IP addresses randomly over and over again via DHCP.
If I compare this entry with entries from other workstations, it is noticeable that only the DNS true zone is set for them. That makes sense. Possibly. So maybe a GUI error? How can this be avoided ?
[Screenshot: DNS forward and reverse lookup zone]

But the main questions are:
What can be the reason that the AD controller obviously blocks / prevents the entries for the DNS forward and reverse zone during the join process?
How can the problem be solved and can the domain users then log on to the AD controller?

By the way, it is possible to disconnect the computer from the domain. In this case, login name/password will work.

Update: yes, the Apple device itself is joined to the same domain without any trouble.

I joined a Windows 10 client today to the domain without any problems.
But the join of a Windows 11 client (ARM) does not work (although: the join itself works, but afterwards access is no longer possible).
Both joins were done with the same username and password.

So I checked the UCS environment according to "Samba Troubleshooting" (here), Kerberos (here) and IPv6 (here), and many more forum entries here.

As a result, I could not find any fault in the infrastructure from the UCS view.

So I dug a little bit deeper and checked our UCS domain infrastructure with some Windows tools.

Overview of existing domain controllers:
1st DC = ucs-6600 – 192.168.1.20
2nd DC = ucs-3208 – 192.168.1.22
Backup DC = ucs-6601 – 192.168.1.29

Problem: join existing domain from a Windows 11 Professional ARM client (fresh installation)
Error: accessing domain (e.g. users login etc): invalid credentials (Benutzername oder das Kennwort ist falsch.)
Example error messages:

LDAP bind errors:
[ucs-6600.OWNDOM.contoso.de] LDAP-Bindungsfehler 1326, Der Benutzername oder das Kennwort ist falsch.
Der Benutzername oder das Kennwort ist falsch.

OR

LDAP-Fehler 49(0x31): Ungültige Anmeldeinformationen
Server-Win32-Fehler 2148074252(0x8009030c): Der Anmeldeversuch ist fehlgeschlagen.
Erweiterte Informationen: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1

Tests:

C:\Users\Administrator>ipconfig /all

Windows-IP-Konfiguration

Hostname . . . . . . . . . . . . : Win11pro
Primäres DNS-Suffix . . . . . . . :
Knotentyp . . . . . . . . . . . . : Hybrid
IP-Routing aktiviert . . . . . . : Nein
WINS-Proxy aktiviert . . . . . . : Nein
DNS-Suffixsuchliste . . . . . . . : OWNDOM.contoso.de
Ethernet-Adapter Ethernet:

Verbindungsspezifisches DNS-Suffix: OWNDOM.contoso.de
Beschreibung. . . . . . . . . . . : Parallels VirtIO Ethernet Adapter
Physische Adresse . . . . . . . . : 00-1C-XX-XX-XX-XX
DHCP aktiviert. . . . . . . . . . : Ja
Autokonfiguration aktiviert . . . : Ja
IPv4-Adresse . . . . . . . . . . : 192.168.1.xxx (Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Lease erhalten. . . . . . . . . . : Donnerstag, 31. März 2022 08:39:24
Lease läuft ab. . . . . . . . . . : Donnerstag, 31. März 2022 20:39:23
Standardgateway . . . . . . . . . : 192.168.1.x
DHCP-Server . . . . . . . . . . . : 192.168.1.20
DNS-Server . . . . . . . . . . . : 192.168.1.20
192.168.1.22
Primärer WINS-Server. . . . . . . : 192.168.1.20
NetBIOS über TCP/IP . . . . . . . : Aktiviert

Ethernet-Adapter Bluetooth Network Connection:

Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physische Adresse . . . . . . . . : BC-XX-XX-XX-XX-XX
DHCP aktiviert. . . . . . . . . . : Ja
Autokonfiguration aktiviert . . . : Ja

C:\Users\Administrator>nslookup OWNDOM

Server: ucs-6600.OWNDOM.contoso.de
Address: 192.168.1.20

Name: OWNDOM.contoso.de
Addresses: fd00::250:56ff:fead:c5c4
fd00::250:56ff:fead:ad0a
192.168.1.29
192.168.1.22
192.168.1.20

C:\Users\Administrator>nltest /dsgetdc:OWNDOM /force /gc

Domänencontroller: \\UCS-6601
Adresse: \\192.168.1.29
Domänen-GUID: c35xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Domänenname: OWNDOM

Gesamtstrukturname: OWNDOM.contoso.de
DC-Standortname: Default-First-Site-Name
Unserer Standortname: Default-First-Site-Name
Kennzeichen: GC DS LDAP KDC TIMESERV GTIMESERV BESCHREIBBAR DNS_FOREST CLOSE_SITE FULL_SECRET
Der Befehl wurde ausgeführt.

AFTER join win client to domain: dcdiag /v /c /e /s:ucs-6600.OWNDOM.contoso.de /u:OWNDOM\joiner

Verzeichnisserverdiagnose

Anfangssetup wird ausgeführt:
* Die Verbindung mit dem Verzeichnisdienst auf Server ucs-6600.OWNDOM.contoso.de wird hergestellt.
[ucs-6600.OWNDOM.contoso.de] LDAP-Bindungsfehler 1326,
Der Benutzername oder das Kennwort ist falsch…

BEFORE join win client to domain: see attached log

It is noticeable that after the join with the Win10 client, the "DNS Forward and Reverse Zone" was correctly set ("OWNDOM.contoso.de"), while this remained empty with the Win11 client.

Any help is appreciated!

Solved!

Found a new Win11 ARM ISO file (here) with which I could join the existing domain without any problems, and the users could then log in.

It therefore seems to be a bug in the Win11 image file supported by Parallels at the beginning of March.
