[SOLVED] Domain Join Assistance: Account Already Exists
-
Friday, March 19, 2010 11:07 AM
We're doing an image refresh this year and part of that includes joining a machine to the domain. In the XP days, we could just pop in a CD, reimage, and the machine would join the domain and all was fine. Because of some specific OU and Computer Name requirements we can't rely on the UnattendedJoin sequence in unattend.xml. We've overcome that by relying on a few powershell scripts to do what we need to do and therein lies the problem.
Currently the script joins the domain using
Add-Computer -DomainName fqdn -Credential $cred -OUPath $OUHowever I always run into the following problem (below is actual output using -PassThru -Verbose)
VERBOSE: Performing operation "Add-Computer" on Target "This command will change computer localhost to domain or workgroup. Do you wish to continue?".
HasSucceeded ComputerName
------------ ------------
False FQ-ABC-XXXX1234
Add-Computer : This command cannot be executed on target computer('FQ-ABC-XXXX1234') due to following error: The account already exists.
At line:1 char:13
+ Add-Computer <<<< -DomainName fqdn -Credential $cred -OUPath $OU -PassThru -Verbose
+ CategoryInfo : InvalidOperation: (FQ-ABC-XXXX1234:String) [Add-Computer], InvalidOperationException
+ FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.AddComputerCommandWe're not disjoining machines or otherwise removing the AD object before we image them - we never had to do this in the past - so why is this a problem? From the same machine where the Add-Computer command failed, I can go to System Properties and manually join the domain without a problem. What gives? Much to my chagrin, it appears the Remove-Computer cmdlet don't allow you to specify a computer name and since the machine isn't a member of the domain yet it shouldn't work, right? Note, these are all stock Windows 7 Enterprise machines without RSAT and many other PowerShell modules available. So, this means by default Get-ADComputer (or Get-ADAnything) and dsrm aren't availble. (The latter can be overcome, I imagine, by copying dsrm from another Win 7 machine that has it, but I'm having trouble formatting the command to get it to delete computer objects.)
So, why does Add-Computer fail where joining it via System Properties succeeds?
What can I do to remove the object before joining?
All Replies
-
Wednesday, March 31, 2010 4:20 PM
Add-Computer Cmdlet creates a computer account in AD and joins the machine to domain. In your case the computer accounts are already created, thats why you are getting errors.
You have to remove the computer accounts from AD, if you want to proceed with this cmdlet, else try using "Netdom Join" command to join the machine to domain.
Regards
Jas
Jaswinder Singh- Proposed As Answer by Mohamed Garrana Wednesday, March 31, 2010 5:27 PM
-
Friday, May 28, 2010 11:37 AM
Thanks for the response.
I understood that the cmdlet was trying to create an account. What I didn't understand was why there were no options for Add-Computer or a simple one-liner to either remove the existing AD object, replace the existing AD object, or skip the creation of an AD object and just join.
We couldn't use netdom because that's part of RSAT or another suite of tools and we can't get netdom onto the machine without installing those tools. (Our users don't need them so why bundle it in the image?) If I'm remembering things correctly, I tried copying the netdom executable to a machine but that didn't work; from a post I believe I recall reading, we had to copy the netdom executable, the netdom.exe.mui and perhaps another file and place them in specific locations. I didn't [want to] bother with all that.
We found two solutions
- Search for and remove the old object as part of the domain join process
- Use VBScript.
The problem with the former solution was that although we could successfully remove the object from the domain controller in the Seattle office, we can't control which domain controller the machine will use to join the domain which meant that sometimes, it would join using a domain controller in another office. Yes, I could try to be slick and create an array of site domain controllers
Function Get-SiteDC ($office) { $site_lookup = @{ "S1" = "Site1"; "S2" = "Site2"; "S3" = "Site3"; } $site = $site_lookup.$office $siteDCArray = @(nslookup -type=srv _kerberos._tcp.$site._sites.fqdn.domain.tld | where {$_ -like "*hostname*"}) $siteDCArray[0].substring(20) }Then search for that object in each of the domain controllers, but I (a) hadn't considered that at the time until we fully understood why it was failing and (b) wanted something that would work without the need to wait for replication.
The problem with the latter was that I had already created a bunch of other powershell scripts and our domain join script was PowerShell. I just wanted to be uniform. Besides, 'anything VB can do PowerShell can do better!'
So I used the JoinDomainOrWorkGroup method of Win32_ComputerSystem and incorporated that into our PoSH script.
Function JoinDOMAIN ($OU) { $domain = “fqdn.domain.tld” $domainAcc = “domain\user” $domainPw = “password” $DomainJoin = 1 $CreateAccount = 2 $AllowJoinIfAlreadyJoined = 32 $computer = get-wmiobject Win32_ComputerSystem $ret = $computer.JoinDomainOrWorkGroup($domain,$domainPw,$domainAcc,$OU,$DomainJoin+$CreateAccount+$AllowJoinIfAlreadyJoined) $ret = $ret.ReturnValue Switch ($ret) { 2224 { $ret = $computer.JoinDomainOrWorkGroup($domain,$domainPw,$domainAcc,$OU,33) $ret = $ret.ReturnValue } } return $ret }There were some issues with this as well. For instance it worked for a handful of machines but fails when the account is already in AD. So, we were back to square one almost. However, unlike the Add-Computer cmdlet, this method allows us to choose/control what we'll be doing in AD when we attempt to join. That's why I use Switch(). (FYI - If you don't know what that error code is run `net helpmsg 2224` or whatever the error code is)- Marked As Answer by JuliusPIV Friday, May 28, 2010 11:52 AM
.png)
