MDT Deploy Windows 7 - Domain Join Failed?

    Question

  • I am using MDT 2010 to deploy Windows 7 and I am trying to let the machine automatically join the domain. Joining the domain via the wizard didn't work out because we have a GPO that redirects the Windows Update site to an internal WSUS site and then installs the SCCM client. On top of that I enabled "Windows Update (Post-Application)". The domain join part actually worked, but then the machine gets the GPO and goes into a loop trying to install the SCCM client, then fails after a few attempts...

     

    So I did some searching and found this blog

    http://deployment.xtremeconsulting.com/2009/12/08/new-for-mdt-2010-ztidomainjoin-wsf/#comment-289

     

    I "removed" the entries for domain join in unattend.xml;

    I put all the variables in the CS.ini ;

    Added a TS to the "end" of the deployment;

    But the domain join part still fails and here is what's in NetSetup.log -

     

    06/04/2010 11:37:47:109 NetpDoDomainJoin
    06/04/2010 11:37:47:109 NetpMachineValidToJoin: 'MAYFLOWER'
    06/04/2010 11:37:47:109  OS Version: 6.1
    06/04/2010 11:37:47:109  Build number: 7600 (7600.win7_gdr.100226-1909)
    06/04/2010 11:37:47:109  SKU: Windows 7 Enterprise
    06/04/2010 11:37:47:109 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
    06/04/2010 11:37:47:125 NetpGetLsaPrimaryDomain: status: 0x0
    06/04/2010 11:37:47:125 NetpMachineValidToJoin: status: 0x0
    06/04/2010 11:37:47:125 NetpJoinDomain
    06/04/2010 11:37:47:125  Machine: MAYFLOWER
    06/04/2010 11:37:47:125  Domain: xyz.com
    06/04/2010 11:37:47:125  MachineAccountOU: (NULL)
    06/04/2010 11:37:47:125  Account: xyzNT\whatever
    06/04/2010 11:37:47:125  Options: 0x1
    06/04/2010 11:37:47:125 NetpLoadParameters: loading registry parameters...
    06/04/2010 11:37:47:125 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    06/04/2010 11:37:47:125 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    06/04/2010 11:37:47:125 NetpLoadParameters: status: 0x2
    06/04/2010 11:37:47:125 NetpValidateName: checking to see if 'related.com' is valid as type 3 name
    06/04/2010 11:37:47:343 NetpCheckDomainNameIsValid [ Exists ] for 'related.com' returned 0x0
    06/04/2010 11:37:47:343 NetpValidateName: name 'xyz.com' is valid for type 3
    06/04/2010 11:37:47:343 NetpDsGetDcName: trying to find DC in domain 'xyz.com', flags: 0x40001010
    06/04/2010 11:38:03:052 NetpDsGetDcName: failed to find a DC having account 'MAYFLOWER$': 0x525, last error is 0x0
    06/04/2010 11:38:03:052 NetpLoadParameters: loading registry parameters...
    06/04/2010 11:38:03:052 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    06/04/2010 11:38:03:052 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    06/04/2010 11:38:03:052 NetpLoadParameters: status: 0x2
    06/04/2010 11:38:03:052 NetpDsGetDcName: status of verifying DNS A record name resolution for 'dc1.xyz.com': 0x0
    06/04/2010 11:38:03:052 NetpDsGetDcName: found DC '\\dc1.xyz.com' in the specified domain
    06/04/2010 11:38:03:052 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
    06/04/2010 11:38:03:052 NetpJoinDomain: status of connecting to dc '\\dc1.xyz.com': 0x0
    06/04/2010 11:38:03:052 NetpProvisionComputerAccount:
    06/04/2010 11:38:03:052  lpDomain: xyz.com
    06/04/2010 11:38:03:052  lpMachineName: MAYFLOWER
    06/04/2010 11:38:03:052  lpMachineAccountOU: (NULL)
    06/04/2010 11:38:03:052  lpDcName: dc1.xyz.com
    06/04/2010 11:38:03:052  lpDnsHostName: (NULL)
    06/04/2010 11:38:03:052  lpMachinePassword: (null)
    06/04/2010 11:38:03:052  lpAccount: xyznt\whatever
    06/04/2010 11:38:03:052  lpPassword: (non-null)
    06/04/2010 11:38:03:052  dwJoinOptions: 0x1
    06/04/2010 11:38:03:052  dwOptions: 0x40000003
    06/04/2010 11:38:03:068 NetpLdapBind: Verified minimum encryption strength on dc1.xyz.com: 0x0
    06/04/2010 11:38:03:068 NetpLdapGetLsaPrimaryDomain: reading domain data
    06/04/2010 11:38:03:068 NetpGetNCData: Reading NC data
    06/04/2010 11:38:03:068 NetpGetDomainData: Lookup domain data for: DC=xyz,DC=com
    06/04/2010 11:38:03:068 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=xyz,DC=com
    06/04/2010 11:38:03:068 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
    06/04/2010 11:38:03:068 NetpGetComputerObjectDn: Cracking DNS domain name xyz.com/ into Netbios on \\dc1.xyz.com
    06/04/2010 11:38:03:068 NetpGetComputerObjectDn: Crack results:  name = xyznt\
    06/04/2010 11:38:03:068 NetpGetComputerObjectDn: Cracking account name xyznt\MAYFLOWER$ on \\dc1.xyz.com
    06/04/2010 11:38:03:068 NetpGetComputerObjectDn: Crack results:  Account does not exist
    06/04/2010 11:38:03:068 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x534
    06/04/2010 11:38:03:083 NetpProvisionComputerAccount: LDAP creation failed: 0x534
    06/04/2010 11:38:03:083 ldap_unbind status: 0x0
    06/04/2010 11:38:03:083 NetpJoinDomainOnDs: Function exits with status of: 0x534
    06/04/2010 11:38:03:083 NetpJoinDomainOnDs: status of disconnecting from '\\dc1.xyz.com': 0x0
    06/04/2010 11:38:03:083 NetpDoDomainJoin: status: 0x534

    The key line is failed to find a DC having account 'MAYFLOWER$': 0x525, last error is 0x0

     

    This is a new computer, so why does MDT try to find the computer account in any DC?

     

    I made sure the deploymenttype is "Newcomputer" and I disabled "Recover from Domain" in the TS - still the same error?

     

    Any help would be appreciated.

     

    Thanks,

    Friday, June 04, 2010 4:25 PM
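
As an added example (not part of the original post), this triage script pulls the final join status out of a NetSetup.log and reports which step first returned it. The excerpt is taken from the log above; the function name, the result fields and the status-matching pattern are this example's own assumptions, based only on the line shapes visible in that log.

```python
import re

# Win32 error names for the non-zero codes in this log (winerror.h values).
WIN32 = {0x2: "ERROR_FILE_NOT_FOUND", 0x525: "ERROR_NO_SUCH_USER",
         0x534: "ERROR_NONE_MAPPED"}
LINE = re.compile(r"(\d\d/\d\d/\d{4} [\d:]+) (\w+): (.*)")
CODE = re.compile(r"(?:status|failed|returned)[^:]*: (0x[0-9a-f]+)", re.I)

# Constructed excerpt: seven lines taken from the NetSetup.log posted above.
SAMPLE = """
06/04/2010 11:37:47:125 NetpLoadParameters: status: 0x2
06/04/2010 11:38:03:052 NetpDsGetDcName: failed to find a DC having account 'MAYFLOWER$': 0x525, last error is 0x0
06/04/2010 11:38:03:052 NetpDsGetDcName: status of verifying DNS A record name resolution for 'dc1.xyz.com': 0x0
06/04/2010 11:38:03:068 NetpGetComputerObjectDn: Crack results:  Account does not exist
06/04/2010 11:38:03:068 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x534
06/04/2010 11:38:03:083 NetpProvisionComputerAccount: LDAP creation failed: 0x534
06/04/2010 11:38:03:083 NetpDoDomainJoin: status: 0x534
"""

def triage(log_text):
    """Return the join result and the first step that reported that code."""
    events = []                      # (timestamp, function, code), non-zero only
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        c = CODE.search(m.group(3)) if m else None
        if c and int(c.group(1), 16) != 0:
            events.append((m.group(1), m.group(2), int(c.group(1), 16)))
    final = [e for e in events if e[1] == "NetpDoDomainJoin"]
    if not final:
        return None                  # join succeeded or the log is incomplete
    code = final[-1][2]
    origin = next(e for e in events if e[2] == code)
    return {
        "result": hex(code),
        "name": WIN32.get(code, "unknown"),
        "first_reported_by": origin[1],
        "at": origin[0],
        "earlier_nonzero": [(f, hex(c)) for _, f, c in events if c != code],
    }
```

On the excerpt this reports 0x534 from NetpCreateComputerObjectInDs as the join result and lists the 0x525 DC lookup as an earlier non-zero status.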

All replies

  • This is what's in my CS.ini file

    [Settings]

    Priority=ByType,Default
    Properties=MyCustomProperty

    [Default]
    OSInstall=Y
    SkipDeploymentType=YES
    DeploymentType=NEWCOMPUTER
    SkipAppsOnUpgrade=YES
    SkipAdminPassword=YES
    SkipProductKey=YES
    SkipLocaleSelection=YES
    KeyboardLocale=en-US
    UserLocale=en-US
    UILanguage=enUS
    SkipCapture=YES
    SkipBitLocker=YES
    SkipDomainMembership=YES
    JoinDomain=xyz.com
    DomainAdmin=whatever 
    DomainAdminDomain=XYZNT
    DomainAdminPassword=Password

    MachineObjectOU = "OU = Workstations,OU = Windows 7,DC = xyz,DC = com"

    [ByType]
    Subsection=Laptop-%IsLaptop%
    Subsection=Desktop-%IsDesktop%

    [Laptop-True]
    MachineObjectOU="OU=Workstations,OU=Windows 7,OU=Laptops, DC=xyz,DC=COM"

    [Desktop-True]
    MachineObjectOU="OU=Workstations,OU=Windows 7,OU=Desktops,DC=xyz,DC=COM"

    If I remove everything below "DomainAdminPassword=Password"

    The domain join will work, so it's really the syntax here?

    Thanks,

    • Edited by Ying Li8 Saturday, June 05, 2010 1:17 PM missing "
    Friday, June 04, 2010 10:07 PM
  • Why are you using MDT 2010 Lite Touch to deploy the image when you have SCCM?   Creating the reference image with MDT 2010 Lite Touch I can understand...

    If it's the sccm client causing the issue, install it after windows update.

    / Johan

    Saturday, June 05, 2010 2:28 AM
    Moderator
  • The only difference from yours to mine is the MachineObjectOU line. Why have you got a " at the start but not at the end? You shouldn't need any " at all. Try removing your Laptop and Desktop subsections and see if the MachineObjectOU works then. Again take out the " and any spaces. Also the OU must exist, so check you have the OU path correct.
    Saturday, June 05, 2010 8:54 AM
  • That's a great question and the simple answer is we are not ready to use SCCM to deploy the OS yet (infrastructure, helpdesk etc.). Maybe I should shoot for that!

    The SCCM client is pushed via a GPO which redirects the client to the internal WSUS to download the client. After joining the domain, the machine gets the GPO, but I guess since no "authenticated" user logs on during the deployment process, the SCCM client install loops and then fails.

    I need to enable the Windows Update (post-application) because I want the deployed machine to have the latest patches whenever the deployment happens.

    That's some of the background and that's why I want to do the domain join part last. Below is our OU structure

    Workstations

         Windows 7

            Desktops

            Laptops

    I think I probably got the order wrong in my syntax

    I will try

    MachineObjectOU="OU=Desktops, OU=Windows 7, OU=Workstations,DC=xyz,DC=COM"

    Thanks,

    Ying

     

    Saturday, June 05, 2010 1:13 PM
  • Andrew,

    I have the " because they are nested OUs and I do have the " at the end, which I missed when I posted.

    See my reply above; I think I got the OU syntax/path wrong.

    Thanks,

    Ying

    Saturday, June 05, 2010 1:16 PM
  • Yes I use nested OUs but I don't enclose it in speech marks. I suggest you try: MachineObjectOU=OU=desktops,OU=Windows 7,OU=Workstations,DC=xyz,DC=COM I use an OU called Managed Computers and I don't have to put " in. What you have done may work, but I suggest you try as I mention just to check. Good luck :)
    • Proposed as answer by Andrew Manning Tuesday, June 08, 2010 5:39 AM
    • Marked as answer by Ying Li8 Sunday, June 13, 2010 4:06 PM
    Saturday, June 05, 2010 3:37 PM
  • After changing my OU path as I mentioned previously, I tried the no " " option - it worked for the default!

    MachineObjectOU=OU=desktops,OU=Windows 7,OU=Workstations,DC=xyz,DC=COM

    I have yet to verify the laptop (byType) part.

    Cheers!

    Tuesday, June 08, 2010 1:27 AM
  • Now the laptops part works as well -

    MachineObjectOU=OU=Desktops,OU=Windows 7,OU=Workstations,DC=xyz,DC=com
    [ByType]
    Subsection=Laptop-%IsLaptop%
    [Laptop-True]
    MachineObjectOU=OU=Laptops,OU=Windows 7,OU=Workstations,DC=xyz,DC=com

    So no "" needed for the path and I just need to copy my OU Path from ADSIEdit.

    Cheers!

    • Edited by Ying Li8 Sunday, June 13, 2010 4:13 PM edit out
    Sunday, June 13, 2010 4:05 PM
  • Can someone tell me what I am doing wrong? We have been having problems with our XP computers getting on the domain; Win7 works fine. From my reading, this method may address our problem. I have changed my cs.ini file to the following. The XP computer gets on the domain but it goes to our default OU: domain.com/Computers/hostname. Can anyone help me fix this?

    SkipDomainMembership=YES
    JoinDomain=domain.com
    DomainAdmin=admin
    DomainAdminDomain=domain.com
    DomainAdminPassword=mypassword


    [ByType]
    Subsection=Laptop-%IsLaptop%
    Subsection=Desktop-%IsDesktop%

    [ByLaptopType]
    Subsection=Laptop-%IsLaptop%
    [Laptop-True]
    MachineObjectOU=OU=LAPTOPS,OU=dir,OU=location OFC,OU=my.domain.COM,OU=STAGING,DC=domain,DC=com

    [ByDesktopType]
    Subsection=Desktop-%IsDesktop%
    [Desktop-Ture]
    MachineObjectOU=OU=Workstations,OU=location OFC,OU=my.domain.COM,OU=STAGING,DC=domain,DC=com

    Saturday, June 19, 2010 6:46 PM
  • Can someone tell me what I am doing wrong? We have been having problems with our XP computers getting on the domain; Win7 works fine. From my reading, this method may address our problem. I have changed my cs.ini file to the following. The XP computer gets on the domain but it goes to our default OU: domain.com/Computers/hostname. Can anyone help me fix this?

    SkipDomainMembership=YES
    JoinDomain=domain.com
    DomainAdmin=admin
    DomainAdminDomain=domain.com
    DomainAdminPassword=mypassword


    [ByType]
    Subsection=Laptop-%IsLaptop%
    Subsection=Desktop-%IsDesktop%

    [ByLaptopType]
    Subsection=Laptop-%IsLaptop%
    [Laptop-True]
    MachineObjectOU=OU=LAPTOPS,OU=dir,OU=location OFC,OU=my.domain.COM,OU=STAGING,DC=domain,DC=com

    [ByDesktopType]
    Subsection=Desktop-%IsDesktop%
    [Desktop-Ture]
    MachineObjectOU=OU=Workstations,OU=location OFC,OU=my.domain.COM,OU=STAGING,DC=domain,DC=com


    Your OU values look weird, you are saying:

    domain\staging\my.domain.com\location ofc\workstations\

    is that correct? what is the my.domain.com in the middle?

     


    MCTS: ConfigMgr, MDT http://myitforum.com/cs2/blogs/cnackers/default.aspx
    Saturday, June 19, 2010 10:15 PM
    Moderator
  • Sorry about that typo, here are the correct entries. I am new to MDT is the script I need to add to make this work? I have included my cs.ini file for help.

    MachineObjectOU=OU=LAPTOPS,OU=HOMEDIRECTORIES,OU=OFC,OU=LOCATION,OU=ZSTAGING,DC=DOMAIN,DC=COM

    MachineObjectOU=OU=WORKSTATIONS,OU=OFC,OU=LOCATION,OU=ZSTAGING,DC=DOMAIN,DC=COM

    [Settings]
    Priority=ByType,Default
    Properties=MyCustomProperty

    [Default]
    OSInstall=Y
    SkipAdminPassword=YES
    SkipApplications=YES
    SkipAppsOnUpgrade=YES
    SkipBDDWelcome=YES
    SkipBitLocker=YES
    SkipCapture=NO
    SkipComputerName=NO
    SkipComputerBackup=YES
    SkipDeploymentType=YES
    DeploymentType=NEWCOMPUTER
    SkipFinalSummary=YES
    SkipLocaleSelection=YES
    KeyboardLocale=en-US
    UserLocale=en-US
    UILanguage=en-US
    SkipPackageDisplay=YES
    SkipProductKey=YES
    SkipSummary=YES
    SkipTaskSequence=NO
    SkipTimeZone=YES
    TimeZoneName=Pacific Standard Time
    SkipUserData=Yes
    SkipDomainMembership=YES
    JoinDomain=domain.com
    DomainAdmin=admin
    DomainAdminDomain=domain.com
    DomainAdminPassword=mypassword


    [ByType]
    Subsection=Laptop-%IsLaptop%
    Subsection=Desktop-%IsDesktop%

    [ByLaptopType]
    Subsection=Laptop-%IsLaptop%
    [Laptop-True]
    MachineObjectOU=OU=LAPTOPS,OU=HOMEDIRECTORIES,OU=OFC,OU=LOCATION,OU=ZSTAGING,DC=DOMAIN,DC=COM

    [ByDesktopType]
    Subsection=Desktop-%IsDesktop%
    [Desktop-Ture]
    MachineObjectOU=OU=WORKSTATIONS,OU=OFC,OU=LOCATION,OU=ZSTAGING,DC=DOMAIN,DC=COM

    Saturday, June 19, 2010 11:41 PM
  • Well for a start if that is a copy/paste of your cs.ini then you have spelt TRUE wrong under the desktop subsection
    Wednesday, June 23, 2010 7:47 AM
  • In my environment, I have 5 different OUs. When I specify the OU to add the machine to, I get an error "ZTIDomainJoin has attempted to join to the domain(my domain) too many times. count=4 No user state to restore exiting" and it does not join the domain. If I just enter the domain and leave the OU field blank then it joins with no problem. Any ideas please?

     

    thanks 

    Saturday, July 17, 2010 5:31 PM
  • Did you disable "Recover from Domain" TS?
    Saturday, July 17, 2010 11:49 PM
  • Done, but it's not going to the correct OU. When sending a computer to a different OU, do I have to type it in a format like domain/machines/OU name?
    Monday, July 19, 2010 4:51 PM
  • No, the format should be like this -

    MachineObjectOU=OU=Laptops,OU=Windows 7,OU=Workstations,DC=xyz,DC=com

    Monday, July 19, 2010 6:18 PM
  • I forgot to mention that I am trying to add it in the database. I have computers added in the database, then I go to details, then under Domain and workgroup. I am not allowed to enter the MachineObjectOU=OU=Laptops,OU=Windows 7,OU=Workstations,DC=xyz,DC=com in the customsetting.ini for security reasons when we make a CD.
    Monday, July 19, 2010 6:52 PM
  • Has anyone thought about looking at the log file?

    ZTIDomainJoin.log

    The answer will be there.  Confirm that the FULL OU path is correct.  If you are not comfortable then check using ADSIEDIT or some other similar GUI tool.

    You only need quotes if there is a space in one of the OU names - i.e. between 'Windows' and '7' above.  Also make sure that the OU and DC are both correct.

    Wednesday, November 23, 2011 12:56 PM
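
A lint pass over CustomSettings.ini for the mistakes that came up in this thread, as an added example rather than anything posted by the participants or shipped with MDT: a quoted or space-padded MachineObjectOU, a subsection whose name can never be matched (the Desktop-Ture typo), and a domain-join password stored in clear text. It assumes Priority entries are literal section names and that every %Variable% in a Subsection name is a True/False property such as IsLaptop; the sample file and the lint function are constructed for illustration.

```python
import re

# Constructed sample, modelled on the CustomSettings.ini fragments in this thread.
SAMPLE = """[Settings]
Priority=ByType,Default
[Default]
DomainAdminPassword=Password
MachineObjectOU = "OU = Workstations,OU = Windows 7,DC = xyz,DC = com"
[ByType]
Subsection=Laptop-%IsLaptop%
[Laptop-True]
MachineObjectOU=OU=Laptops,OU=Windows 7,OU=Workstations,DC=xyz,DC=com
[Desktop-Ture]
MachineObjectOU=OU=Desktops,OU=Windows 7,OU=Workstations,DC=xyz,DC=com
"""

# One or more OU= parts, then one or more DC= parts, no padding around "=" or ",".
DN = re.compile(r"(OU=[^=,]+,)+DC=[^=,]+(,DC=[^=,]+)*", re.I)

def lint(text):
    """Return (line_no, section, message) findings for a CustomSettings.ini string."""
    rows, section = [], None         # rows: (line_no, section, key, value)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            rows.append((no, section, None, None))
        elif "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            rows.append((no, section, key, value))
    # Assumption: sections are reached only via Priority or Subsection names.
    reach = ["settings"]
    for _, _, key, value in rows:
        if key and key.lower() in ("priority", "subsection"):
            for name in value.split(","):
                parts = re.split(r"%\w+%", name.strip())
                reach.append("(true|false)".join(map(re.escape, parts)))
    findings = []
    for no, sec, key, value in rows:
        if key is None:
            if not any(re.fullmatch(p, sec, re.I) for p in reach):
                findings.append((no, sec, "section is never processed"))
        elif key.lower() == "machineobjectou":
            if '"' in value:
                findings.append((no, sec, "quoted OU path"))
            if not DN.fullmatch(value.strip('"')):
                findings.append((no, sec, "not a plain OU=...,DC=... path"))
        elif key.lower() == "domainadminpassword" and value:
            findings.append((no, sec, "cleartext join credential"))
    return findings
```

The password finding matters because CustomSettings.ini is readable by anyone who can reach the deployment share or the boot media built from it.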