Answered MDT 2012 - Domain Join for different domain fails

  • Friday, July 27, 2012 12:04 PM
     
     

    Hello all,

    For domain joins to different domains we use task sequences which are applied via customsettings.ini:

    [Settings]
    Priority=TaskSequenceID, Default

    [Default]
    OSInstall=Y
    SkipAppsOnUpgrade=YES
    SkipCapture=YES
    SkipAdminPassword=NO
    SkipProductKey=YES
    SkipComputerBackup=YES
    SkipDomainMembership=YES
    SkipUserData=YES
    SkipTimeZone=YES
    SkipBitLocker=YES
    SkipTaskSequence=NO
    SkipSummary=YES
    _SMSTSOrgName=***********
    TimeZone=110

    [001]
    JoinDomain=domain01.com
    DomainAdmin=user01
    DomainAdminDomain=domain01.com
    DomainAdminPassword=<strong-password>
    WSUSServer=http://server01.domain01.com
    TimeZone=110
    MandatoryApplications001={e951c0a4-0797-47b3-85ef-4eaf6c490967}
    MandatoryApplications002={ba5a02f8-f83d-4680-8e51-0277ce75c722}
    MandatoryApplications003={851f66b0-86ad-458e-b482-d15929992ce9}

    [002]
    JoinDomain=domain02.com
    DomainAdmin=user02
    DomainAdminDomain=domain02.com
    DomainAdminPassword=<strong-password>
    WSUSServer=http://server01.domain02.com
    TimeZone=110
    MandatoryApplications001={ac712cf3-bf5f-487d-bc66-5240fa05b201}
    MandatoryApplications002={ba5a02f8-f83d-4680-8e51-0277ce75c722}
    MandatoryApplications003={851f66b0-86ad-458e-b482-d15929992ce9}

    [004]
    JoinDomain=domain03.com
    DomainAdmin=user03
    DomainAdminDomain=domain03.com
    DomainAdminPassword=<strong-password>
    WSUSServer=http://server03.domain03.com
    TimeZone=110
    MandatoryApplications002={ba5a02f8-f83d-4680-8e51-0277ce75c722}
    MandatoryApplications003={851f66b0-86ad-458e-b482-d15929992ce9}

    For security reasons we don't want to customize the bootstrap.ini and don't enable auto logon to MDT-Share.

    Domain join only works for domain01 because the MDT-Share is configured on a server in that domain. MDT-Share will be accessed by a group of designated users in domain01 which are allowed to join computers to that domain (and are allowed to access the share by NTFS-Security settings too). For all other domains it seems that MDT logon credentials will be passed to the domain join task - settings within cs.ini won't be used.
    BDD.log shows some equivalent entries:

    <![LOG[Property DeploymentType is now = NEWCOMPUTER]LOG]!><time="12:28:22.000+000" date="07-27-2012" component="Wizard" context="" type="1" thread="" file="Wizard">
    <![LOG[Property OSDComputerName is now = Client001]LOG]!><time="12:28:22.000+000" date="07-27-2012" component="Wizard" context="" type="1" thread="" file="Wizard">
    <![LOG[Property JoinDomain is now = ]LOG]!><time="12:28:22.000+000" date="07-27-2012" component="Wizard" context="" type="1" thread="" file="Wizard">
    <![LOG[Property MachineObjectOU is now = ]LOG]!><time="12:28:22.000+000" date="07-27-2012" component="Wizard" context="" type="1" thread="" file="Wizard">
    <![LOG[Property DomainAdmin is now = user01]LOG]!><time="12:28:22.000+000" date="07-27-2012" component="Wizard" context="" type="1" thread="" file="Wizard">
    <![LOG[<Message containing password has been suppressed>]LOG]!><time="12:28:22.000+000" date="07-27-2012" component="Wizard" context="" type="1" thread="" file="Wizard">
    <![LOG[Property DomainAdminDomain is now = domain01.com]LOG]!><time="12:28:22.000+000" date="07-27-2012" component="Wizard" context="" type="1" thread="" file="Wizard">
    <![LOG[Property JoinWorkgroup is now = WORKGROUP]LOG]!><time="12:28:22.000+000" date="07-27-2012" component="Wizard" context="" type="1" thread="" file="Wizard">

    Any help would be appreciated!

    Thanks in advance!

    Torsten

All Replies

  • Friday, July 27, 2012 3:22 PM
     
     

    Hi

    By default CS.ini is processed before the TS choice, so I don't think your settings are even read. Why don't you apply your variables directly inside the TS with the "Set Task Sequence Variable" task?


    David Sebban | Nelite North America | http://www.nelite.com/community/b/dsebban/default.aspx

  • Tuesday, July 31, 2012 9:23 AM
     
     

    Hello,

    I put the TS variables JoinDomain, DomainAdmin, DomainAdminPassword and DomainAdminDomain in a new group within the "Preinstall" phase. Now the BDD.log tells me this:

    ...
    <![LOG[Setting variable JoinDomain to value domain02.com]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    <![LOG[Property JoinDomain is now = domain02.com]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    <![LOG[ZTISetVariable processing completed successfully.]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    ...
    <![LOG[Setting variable DomainAdmin to value user02]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    <![LOG[Property DomainAdmin is now = user02]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    <![LOG[ZTISetVariable processing completed successfully.]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    ...
    <![LOG[<Message containing password has been suppressed>]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    <![LOG[<Message containing password has been suppressed>]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    <![LOG[ZTISetVariable processing completed successfully.]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    ...
    <![LOG[Setting variable DomainAdminDomain to value domain02]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    <![LOG[Property DomainAdminDomain is now = domain02]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    <![LOG[ZTISetVariable processing completed successfully.]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
    ...
    <![LOG[Property TaskSequenceID is now = 002]LOG]!><time="17:58:46.000+000" date="07-27-2012" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
    <![LOG[Property DeploymentType is now = NEWCOMPUTER]LOG]!><time="17:58:46.000+000" date="07-27-2012" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
    <![LOG[Property OSDNetworkJoinType is now = 0]LOG]!><time="17:58:46.000+000" date="07-27-2012" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
    <![LOG[Property OSDDomainName is now = domain02.com]LOG]!><time="17:58:46.000+000" date="07-27-2012" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
    <![LOG[Property OSDJoinAccount is now = domain02\user02]LOG]!><time="17:58:46.000+000" date="07-27-2012" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
    <![LOG[<Message containing password has been suppressed>]LOG]!><time="17:58:46.000+000" date="07-27-2012" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
    <![LOG[Property OSDNetworkJoinType is now = 1]LOG]!><time="17:58:46.000+000" date="07-27-2012" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
    <![LOG[Property OSDWorkGroupName is now = WORKGROUP]LOG]!><time="17:58:46.000+000" date="07-27-2012" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
    ...
    <![LOG[Property DomainJoinAttempts is now = 1]LOG]!><time="17:58:47.000+000" date="07-27-2012" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    <![LOG[Not attempting to join a domain because JoinWorkgroup = WORKGROUP.]LOG]!><time="17:58:47.000+000" date="07-27-2012" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    <![LOG[ZTIDomainJoin processing completed successfully.]LOG]!><time="17:58:47.000+000" date="07-27-2012" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    ...

    I checked the password of the designated account and gave him domain admin rights within that domain temporarily but it fails.

    Why does the variable OSDNetworkJoinType change to "1"?
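
Added example, not written by anyone in this thread and not part of MDT: a small Python parser for the CMTrace-style BDD.log entries quoted above. It reports which component logged a change to a property and surfaces the ZTIDomainJoin skip message. The sample log is constructed from the format of the excerpts, and the function names are hypothetical.

```python
import re

# CMTrace-style entry as quoted in this thread: <![LOG[message]LOG]!><time="..." component="..." ...>
ENTRY = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
ATTR = re.compile(r'(\w+)="([^"]*)"')
PROP = re.compile(r'^Property (\w+) is now =\s*(.*)$')

# Constructed sample modelled on the excerpts above (not a real log); one entry is hard-wrapped.
SAMPLE_LOG = r'''
<![LOG[Property JoinWorkgroup is now = WORKGROUP]LOG]!><time="12:28:22.000+000" date="07-27-2012" component="Wizard" context="" type="1" thread="" file="Wizard">
<![LOG[Property JoinDomain is now =
domain02.com]LOG]!><time="17:41:52.000+000" date="07-27-2012" component="ZTISetVariable" context="" type="1" thread="" file="ZTISetVariable">
<![LOG[Property OSDNetworkJoinType is now = 0]LOG]!><time="17:58:46.000+000" date="07-27-2012" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
<![LOG[<Message containing password has been suppressed>]LOG]!><time="17:58:46.000+000" date="07-27-2012" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
<![LOG[Property OSDNetworkJoinType is now = 1]LOG]!><time="17:58:46.000+000" date="07-27-2012" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
<![LOG[Not attempting to join a domain because JoinWorkgroup = WORKGROUP.]LOG]!><time="17:58:47.000+000" date="07-27-2012" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
'''

def parse_entries(text):
    """Yield (message, attributes); whitespace is collapsed so hard-wrapped entries still parse."""
    for m in ENTRY.finditer(text):
        yield " ".join(m.group("msg").split()), dict(ATTR.findall(m.group("attrs")))

def analyse_join(text):
    """Return (final property values, value changes, findings) for one log."""
    props, changes, findings = {}, [], []
    for msg, attrs in parse_entries(text):
        component = attrs.get("component", "?")
        m = PROP.match(msg)
        if m:
            name, value = m.groups()
            if name in props and props[name] != value:
                changes.append((name, props[name], value, component))
            props[name] = value
        elif msg.startswith("Not attempting to join a domain"):
            findings.append(f"{component}: {msg}")
    # Combination seen in this thread: a join domain is set while JoinWorkgroup is non-empty.
    if props.get("JoinDomain") and props.get("JoinWorkgroup"):
        findings.append("JoinDomain and JoinWorkgroup are both non-empty")
    return props, changes, findings

if __name__ == "__main__":
    props, changes, findings = analyse_join(SAMPLE_LOG)
    for name, old, new, component in changes:
        print(f"{name}: {old!r} -> {new!r} (logged by {component})")
    for finding in findings:
        print("FINDING:", finding)
```
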

  • Tuesday, July 31, 2012 1:52 PM
     
     
    It must be defined somewhere. Is it an SCCM task sequence? If so, what have you configured in the apply network settings task?

    David Sebban | Nelite North America | http://www.nelite.com/community/b/dsebban/default.aspx

  • Tuesday, August 28, 2012 2:10 PM
     
     Answered

    Hello,

    After some investigation (debug logs; recreation and configuration of MDT; update to MDT 2012 Update 1) I've found a solution for me:

    I've created a new folder (for instance "DomainJoin") at the top of the desired task sequence and created the following task sequence variables in there:

    The variable "JoinWorkgroup" has to be set and must be empty. The variable "MachineObjectOU" does not have to point to the builtin container "Computers" - you have to create another one anywhere within Active Directory