MDT 2012 Cannot Join Domain for New Computers on Network

  • Question

  • Hi, I have a rather unique issue:

    On deploying brand new computers right out of the box MDT 2012 DomainJoin does not automatically join the computer to the domain. After the domainjoin fails and I log into the computer with a local admin (I usually have this disabled) I can:

    - Ping mydomain.local

    - Ping the primary domain controller via fqdn and IP address

    - even join my domain manually

    Also, after joining the domain manually, I can re-image the computers and domainjoin begins to work 100% of the time.

    I want to note also that I have rebuilt our primary domain controller in our environment. Currently we are running 2:

    - One GC with DHCP, DNS

    - One backup GC with DHCP, DNS that replicates from the first

    I have also verified my customsettings.ini file etc. Obviously, I'm not concerned about any of our existing computers. But as we order new equipment and I have to deploy them this will get very annoying. Any thoughts would be appreciated. Thanks!

    • Moved by arnavsharma Tuesday, November 12, 2013 4:20 AM problem with mdt
    Friday, November 8, 2013 9:23 PM

All replies

  • Hi,

    For issues with the Microsoft Deployment Toolkit, we’d recommend you ask in the Microsoft Deployment Toolkit forum for a professional solution:

    http://social.technet.microsoft.com/Forums/en-US/home?forum=mdt

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.


    Karen Hu
    TechNet Community Support

    Tuesday, November 12, 2013 2:20 AM
  • Whenever you re-image the computers and join the domain, are you using the same account to join the domain? Are you using the same account to perform the manual join? Are the computers always named the same after a re-image, meaning the computer object is likely already in AD (unless you manually removed it)? If the local admin account is disabled, what account does MDT use to log into the machine to continue the task sequence?

    -Nick O.

    Tuesday, November 12, 2013 4:13 PM
  • Thanks for getting back to me! To answer your questions:

    Whenever you re-image the computers and join the domain, are you using the same account to join the domain?

    Yes, I am using the same account to join the domain.

    Are you using the same account to perform the manual join?

    Yes, the same account was used to manually join the domain.

    Are the computers always named the same after a re-image, meaning the computer object is likely already in AD (unless you manually removed it)?

    They are always named the same after the re-image. This only happens for new computers though. So for example if I image the computer and then manually join the domain when the domainjoin fails, even if I remove the computer object from AD to join the domain, it will work every time. It's only brand new computers that do not automatically join the domain in the deployment. When I say brand new, I mean computers that have never joined the domain. Hopefully that makes sense.

    If the local admin account is disabled, what account does MDT use to log into the machine to continue the task sequence?

    The last step of the task sequence is to disable the local administrator account. I simply disabled this step during testing so that I could look at the logs for the deployment.


    • Edited by Eris_IT Tuesday, November 12, 2013 6:13 PM
    Tuesday, November 12, 2013 6:12 PM
  • Thanks for the info.

    If you check BDD.log - usually found in C:\Windows\Temp\DeploymentLogs after a deployment - what does it tell you? Any errors for ZTIDomainJoin?


    -Nick O.

    Tuesday, November 12, 2013 6:19 PM
  • Here is the BDD.log concerning ZTIDomainJoin. There isn't much I could see. 

    <![LOG[Microsoft Deployment Toolkit version: 6.1.2373.0]LOG]!><time="10:07:25.000+000" date="11-11-2013" component="" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[The task sequencer log is located at C:\Users\ADMINI~1\AppData\Local\Temp\SMSTSLog\SMSTS.LOG.  For task sequence failures, please consult this log.]LOG]!><time="10:07:25.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[Property DomainJoinAttempts is now = 1]LOG]!><time="10:07:25.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[Verifying that the computer is joined to the requested domain.]LOG]!><time="10:07:25.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[Property DomainJoinTimeSync is now = OnlySyncOnce]LOG]!><time="10:07:25.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[About to run command: net time \\172.17.16.247 /set /y]LOG]!><time="10:07:25.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[Command has been started (process ID 3528)]LOG]!><time="10:07:25.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[  Console > Current time at \\172.17.16.247 is 11/11/2013 10:07:31 AM]LOG]!><time="10:07:31.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[  Console > The command completed successfully.]LOG]!><time="10:07:31.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[Return code from command = 0]LOG]!><time="10:07:31.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[DomainErrorRecovery Action: AutoRetry.]LOG]!><time="10:07:31.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[Initiating domain join operation using JoinDomainOrWorkgroup.]LOG]!><time="10:07:31.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[Initial attempt: JoinDomain(MYDOMAIN,PWD,MYDOMAIN\joindomainaccount,,3), rc = 2699]LOG]!><time="10:07:46.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[JoinDomain Failure: The account *may* already exist in a different OU. Retrying without the specified OU.]LOG]!><time="10:07:46.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[Retry attempt: JoinDomain(MYDOMAIN,PWD,MYDOMAIN\joindomainaccount,,3), rc = 2699]LOG]!><time="10:08:01.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[Initiating a reboot.]LOG]!><time="10:08:01.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[Property LTISuspend is now = ]LOG]!><time="10:08:01.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[ZTIDomainJoin processing completed successfully.]LOG]!><time="10:08:01.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">
    
    <![LOG[Event 41001 sent: ZTIDomainJoin processing completed successfully.]LOG]!><time="10:08:02.000+000" date="11-11-2013" component="ZTIDomainJoin" context="" type="1" thread="" file="ZTIDomainJoin">


    Tuesday, November 12, 2013 7:34 PM
  • What about the "%SystemRoot%\debug\netsetup.log", does it offer any clues?


    -BrianG (http://supportishere.com)

    Wednesday, November 13, 2013 8:12 AM
  • Hey Brian, thanks for the help. Here is the log. It looks like a DNS name resolution problem, but again what's weird is that I can join the domain manually with no issues. Is there something different in the way the MDT resolves DNS? 

    Note: I changed all the names of my computer and actual domain in the log to generic ones.

    11/11/2013 10:06:20:457 -----------------------------------------------------------------
    
    11/11/2013 10:06:20:457 NetpDoDomainJoin
    
    11/11/2013 10:06:20:457 NetpMachineValidToJoin: 'COMPUTER'
    
    11/11/2013 10:06:20:457 	OS Version: 6.1
    
    11/11/2013 10:06:20:457 	Build number: 7601 (7601.win7sp1_rtm.101119-1850)
    
    11/11/2013 10:06:20:457 	ServicePack: Service Pack 1
    
    11/11/2013 10:06:20:457 	SKU: Windows 7 Ultimate
    
    11/11/2013 10:06:20:457 NetpGetLsaPrimaryDomain: status: 0x0
    
    11/11/2013 10:06:20:457 NetpMachineValidToJoin: status: 0x0
    
    11/11/2013 10:06:20:457 NetpJoinWorkgroup: joining computer 'COMPUTER' to workgroup 'WORKGROUP'
    
    11/11/2013 10:06:20:457 NetpValidateName: checking to see if 'WORKGROUP' is valid as type 2 name
    
    11/11/2013 10:06:20:457 NetpCheckNetBiosNameNotInUse for 'WORKGROUP' [ Workgroup as MACHINE]  returned 0x0
    
    11/11/2013 10:06:20:457 NetpValidateName: name 'WORKGROUP' is valid for type 2
    
    11/11/2013 10:06:20:457 NetpSetLsaPrimaryDomain: for 'WORKGROUP' status: 0x0
    
    11/11/2013 10:06:20:457 NetpJoinWorkgroup: status:  0x0
    
    11/11/2013 10:06:20:457 NetpDoDomainJoin: status: 0x0
    
    11/11/2013 10:07:31:639 -----------------------------------------------------------------
    
    11/11/2013 10:07:31:639 NetpDoDomainJoin
    
    11/11/2013 10:07:31:639 NetpMachineValidToJoin: 'COMPUTER'
    
    11/11/2013 10:07:31:639 	OS Version: 6.1
    
    11/11/2013 10:07:31:639 	Build number: 7601 (7601.win7sp1_rtm.101119-1850)
    
    11/11/2013 10:07:31:639 	ServicePack: Service Pack 1
    
    11/11/2013 10:07:31:639 	SKU: Windows 7 Ultimate
    
    11/11/2013 10:07:31:639 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
    
    11/11/2013 10:07:31:639 NetpGetLsaPrimaryDomain: status: 0x0
    
    11/11/2013 10:07:31:639 NetpMachineValidToJoin: status: 0x0
    
    11/11/2013 10:07:31:639 NetpJoinDomain
    
    11/11/2013 10:07:31:639 	Machine: COMPUTER
    
    11/11/2013 10:07:31:639 	Domain: MYDOMAIN
    
    11/11/2013 10:07:31:639 	MachineAccountOU: (NULL)
    
    11/11/2013 10:07:31:654 	Account: MYDOMAIN\domainjoinaccount
    
    11/11/2013 10:07:31:654 	Options: 0x3
    
    11/11/2013 10:07:31:654 NetpLoadParameters: loading registry parameters...
    
    11/11/2013 10:07:31:654 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    
    11/11/2013 10:07:31:654 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    
    11/11/2013 10:07:31:654 NetpLoadParameters: status: 0x2
    
    11/11/2013 10:07:31:654 NetpValidateName: checking to see if 'MYDOMAIN' is valid as type 3 name
    
    11/11/2013 10:07:31:764 NetpCheckDomainNameIsValid [ Exists ] for 'MYDOMAIN' returned 0x0
    
    11/11/2013 10:07:31:764 NetpValidateName: name 'MYDOMAIN' is valid for type 3
    
    11/11/2013 10:07:31:764 NetpDsGetDcName: trying to find DC in domain 'MYDOMAIN', flags: 0x40001010
    
    11/11/2013 10:07:32:403 [0000050c] NetpGetLsaPrimaryDomain: status: 0x0
    
    11/11/2013 10:07:46:771 NetpDsGetDcName: failed to find a DC having account 'COMPUTER$': 0x525, last error is 0x0
    
    11/11/2013 10:07:46:771 NetpLoadParameters: loading registry parameters...
    
    11/11/2013 10:07:46:771 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    
    11/11/2013 10:07:46:771 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    
    11/11/2013 10:07:46:771 NetpLoadParameters: status: 0x2
    
    11/11/2013 10:07:46:771 NetpDsGetDcName: status of verifying DNS A record name resolution for 'AD-BOX-1.MYDOMAIN.local': 0x232b
    
    11/11/2013 10:07:46:771 NetpDsGetDcName: failed to find a DC in the specified domain: 0xa8b, last error is 0x0
    
    11/11/2013 10:07:46:771 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0xa8b
    
    11/11/2013 10:07:46:771 NetpJoinDomainOnDs: Function exits with status of: 0xa8b
    
    11/11/2013 10:07:46:771 NetpDoDomainJoin: status: 0xa8b
    
    11/11/2013 10:07:46:786 -----------------------------------------------------------------
    
    11/11/2013 10:07:46:786 NetpDoDomainJoin
    
    11/11/2013 10:07:46:786 NetpMachineValidToJoin: 'COMPUTER'
    
    11/11/2013 10:07:46:786 	OS Version: 6.1
    
    11/11/2013 10:07:46:786 	Build number: 7601 (7601.win7sp1_rtm.101119-1850)
    
    11/11/2013 10:07:46:786 	ServicePack: Service Pack 1
    
    11/11/2013 10:07:46:786 	SKU: Windows 7 Ultimate
    
    11/11/2013 10:07:46:786 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
    
    11/11/2013 10:07:46:786 NetpGetLsaPrimaryDomain: status: 0x0
    
    11/11/2013 10:07:46:786 NetpMachineValidToJoin: status: 0x0
    
    11/11/2013 10:07:46:786 NetpJoinDomain
    
    11/11/2013 10:07:46:786 	Machine: COMPUTER
    
    11/11/2013 10:07:46:786 	Domain: MYDOMAIN
    
    11/11/2013 10:07:46:786 	MachineAccountOU: (NULL)
    
    11/11/2013 10:07:46:786 	Account: MYDOMAIN\domainjoinaccount
    
    11/11/2013 10:07:46:786 	Options: 0x1
    
    11/11/2013 10:07:46:786 NetpLoadParameters: loading registry parameters...
    
    11/11/2013 10:07:46:786 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    
    11/11/2013 10:07:46:786 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    
    11/11/2013 10:07:46:786 NetpLoadParameters: status: 0x2
    
    11/11/2013 10:07:46:786 NetpValidateName: checking to see if 'MYDOMAIN' is valid as type 3 name
    
    11/11/2013 10:07:46:896 NetpCheckDomainNameIsValid [ Exists ] for 'MYDOMAIN' returned 0x0
    
    11/11/2013 10:07:46:896 NetpValidateName: name 'MYDOMAIN' is valid for type 3
    
    11/11/2013 10:07:46:896 NetpDsGetDcName: trying to find DC in domain 'MYDOMAIN', flags: 0x40001010
    
    11/11/2013 10:08:01:903 NetpDsGetDcName: failed to find a DC having account 'COMPUTER$': 0x525, last error is 0x0
    
    11/11/2013 10:08:01:903 NetpLoadParameters: loading registry parameters...
    
    11/11/2013 10:08:01:903 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    
    11/11/2013 10:08:01:903 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    
    11/11/2013 10:08:01:903 NetpLoadParameters: status: 0x2
    
    11/11/2013 10:08:01:918 NetpDsGetDcName: status of verifying DNS A record name resolution for 'AD-BOX-2.MYDOMAIN.local': 0x232b
    
    11/11/2013 10:08:01:918 NetpDsGetDcName: failed to find a DC in the specified domain: 0xa8b, last error is 0x0
    
    11/11/2013 10:08:01:918 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0xa8b
    
    11/11/2013 10:08:01:918 NetpJoinDomainOnDs: Function exits with status of: 0xa8b
    
    11/11/2013 10:08:01:918 NetpDoDomainJoin: status: 0xa8b


    • Edited by Eris_IT Wednesday, November 13, 2013 8:27 PM
    Wednesday, November 13, 2013 8:26 PM
  • There is a disconnect here.

    You mention in the first post that you can ping the FQDN, but you don't mention the WINS name.

    However in the logs I can see that you are attempting to join the WINS name, but not the FQDN.

          Initial attempt: JoinDomain(MYDOMAIN,PWD,MYDOMAIN\joindomainaccount,,3), rc 
    

    Why are you not pinging the WINS name in debugging, if that's the name you use in the cs.ini?

    Otherwise I would change the CS.ini file to match what you know works: MyDomain.local.

    -k


    Keith Garner - keithga.wordpress.com

    Thursday, November 14, 2013 5:13 AM
    Moderator
  • Thanks for your suggestion.

    I forgot to note that I was able to join the domain with the WINS name and the FQDN.

    Though your proposed answer did not solve my issue, it did throw up a different error when re-imaging.

    11/14/2013 10:58:50:492 -----------------------------------------------------------------
    
    11/14/2013 10:58:50:492 NetpDoDomainJoin
    
    11/14/2013 10:58:50:492 NetpMachineValidToJoin: 'COMPUTER'
    
    11/14/2013 10:58:50:492 	OS Version: 6.1
    
    11/14/2013 10:58:50:492 	Build number: 7601 (7601.win7sp1_rtm.101119-1850)
    
    11/14/2013 10:58:50:492 	ServicePack: Service Pack 1
    
    11/14/2013 10:58:50:507 	SKU: Windows 7 Ultimate
    
    11/14/2013 10:58:50:507 NetpGetLsaPrimaryDomain: status: 0x0
    
    11/14/2013 10:58:50:507 NetpMachineValidToJoin: status: 0x0
    
    11/14/2013 10:58:50:507 NetpJoinWorkgroup: joining computer 'COMPUTER' to workgroup 'WORKGROUP'
    
    11/14/2013 10:58:50:507 NetpValidateName: checking to see if 'WORKGROUP' is valid as type 2 name
    
    11/14/2013 10:58:50:507 NetpCheckNetBiosNameNotInUse for 'WORKGROUP' [ Workgroup as MACHINE]  returned 0x0
    
    11/14/2013 10:58:50:507 NetpValidateName: name 'WORKGROUP' is valid for type 2
    
    11/14/2013 10:58:50:507 NetpSetLsaPrimaryDomain: for 'WORKGROUP' status: 0x0
    
    11/14/2013 10:58:50:507 NetpJoinWorkgroup: status:  0x0
    
    11/14/2013 10:58:50:507 NetpDoDomainJoin: status: 0x0
    
    11/14/2013 10:58:14:983 -----------------------------------------------------------------
    
    11/14/2013 10:58:14:983 NetpDoDomainJoin
    
    11/14/2013 10:58:14:983 NetpMachineValidToJoin: 'COMPUTER'
    
    11/14/2013 10:58:14:983 	OS Version: 6.1
    
    11/14/2013 10:58:14:983 	Build number: 7601 (7601.win7sp1_rtm.101119-1850)
    
    11/14/2013 10:58:14:983 	ServicePack: Service Pack 1
    
    11/14/2013 10:58:14:983 	SKU: Windows 7 Ultimate
    
    11/14/2013 10:58:14:983 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
    
    11/14/2013 10:58:14:983 NetpGetLsaPrimaryDomain: status: 0x0
    
    11/14/2013 10:58:14:983 NetpMachineValidToJoin: status: 0x0
    
    11/14/2013 10:58:14:983 NetpJoinDomain
    
    11/14/2013 10:58:14:983 	Machine: COMPUTER
    
    11/14/2013 10:58:14:983 	Domain: MYDOMAIN.local
    
    11/14/2013 10:58:14:983 	MachineAccountOU: (NULL)
    
    11/14/2013 10:58:14:983 	Account: MYDOMAIN.local\domainjoinaccount
    
    11/14/2013 10:58:14:983 	Options: 0x3
    
    11/14/2013 10:58:14:983 NetpLoadParameters: loading registry parameters...
    
    11/14/2013 10:58:14:983 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    
    11/14/2013 10:58:14:983 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    
    11/14/2013 10:58:14:983 NetpLoadParameters: status: 0x2
    
    11/14/2013 10:58:14:983 NetpValidateName: checking to see if 'MYDOMAIN.local' is valid as type 3 name
    
    11/14/2013 10:58:14:983 NetpValidateName: 'MYDOMAIN.local' is not a valid NetBIOS domain name: 0x7b
    
    11/14/2013 10:58:15:108 NetpCheckDomainNameIsValid [ Exists ] for 'MYDOMAIN.local' returned 0x0
    
    11/14/2013 10:58:15:108 NetpValidateName: name 'MYDOMAIN.local' is valid for type 3
    
    11/14/2013 10:58:15:108 NetpDsGetDcName: trying to find DC in domain 'MYDOMAIN.local', flags: 0x40001010
    
    11/14/2013 10:58:16:028 NetpDsGetDcName: failed to find a DC having account 'COMPUTER$': 0x525, last error is 0x0
    
    11/14/2013 10:58:16:028 NetpLoadParameters: loading registry parameters...
    
    11/14/2013 10:58:16:028 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    
    11/14/2013 10:58:16:028 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    
    11/14/2013 10:58:16:028 NetpLoadParameters: status: 0x2
    
    11/14/2013 10:58:16:028 NetpDsGetDcName: status of verifying DNS A record name resolution for 'AD-BOX-2.MYDOMAIN.local': 0x0
    
    11/14/2013 10:58:16:028 NetpDsGetDcName: found DC '\\AD-BOX-2.MYDOMAIN.local' in the specified domain
    
    11/14/2013 10:58:16:028 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
    
    11/14/2013 10:58:16:028 [000005c8] NetpGetLsaPrimaryDomain: status: 0x0
    
    11/14/2013 10:58:16:169 NetpJoinDomain: status of connecting to dc '\\AD-BOX-2.MYDOMAIN.local': 0x0
    
    11/14/2013 10:58:16:169 NetpProvisionComputerAccount:
    
    11/14/2013 10:58:16:169 	lpDomain: MYDOMAIN.local
    
    11/14/2013 10:58:16:169 	lpMachineName: COMPUTER
    
    11/14/2013 10:58:16:169 	lpMachineAccountOU: (NULL)
    
    11/14/2013 10:58:16:169 	lpDcName: AD-BOX-2.MYDOMAIN.local
    
    11/14/2013 10:58:16:169 	lpDnsHostName: (NULL)
    
    11/14/2013 10:58:16:169 	lpMachinePassword: (null)
    
    11/14/2013 10:58:16:169 	lpAccount: MYDOMAIN.local\domainjoinaccount
    
    11/14/2013 10:58:16:169 	lpPassword: (non-null)
    
    11/14/2013 10:58:16:169 	dwJoinOptions: 0x3
    
    11/14/2013 10:58:16:169 	dwOptions: 0x40000003
    
    11/14/2013 10:58:16:200 NetpLdapBind: Verified minimum encryption strength on AD-BOX-2.MYDOMAIN.local: 0x0
    
    11/14/2013 10:58:16:200 NetpLdapGetLsaPrimaryDomain: reading domain data
    
    11/14/2013 10:58:16:200 NetpGetNCData: Reading NC data
    
    11/14/2013 10:58:16:200 NetpGetDomainData: Lookup domain data for: DC=MYDOMAIN,DC=local
    
    11/14/2013 10:58:16:200 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=MYDOMAIN,DC=local
    
    11/14/2013 10:58:16:216 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
    
    11/14/2013 10:58:16:231 NetpGetComputerObjectDn: Cracking DNS domain name MYDOMAIN.local/ into Netbios on \\AD-BOX-2.MYDOMAIN.local
    
    11/14/2013 10:58:16:231 NetpGetComputerObjectDn: Crack results: 	name = MYDOMAIN\
    
    11/14/2013 10:58:16:231 NetpGetComputerObjectDn: Cracking account name MYDOMAIN\COMPUTER$ on \\AD-BOX-2.MYDOMAIN.local
    
    11/14/2013 10:58:16:231 NetpGetComputerObjectDn: Crack results: 	Account does not exist
    
    11/14/2013 10:58:16:231 NetpGetComputerObjectDn: Cracking Netbios domain name MYDOMAIN\ into root DN on \\AD-BOX-2.MYDOMAIN.local
    
    11/14/2013 10:58:16:231 NetpGetComputerObjectDn: Crack results: 	name = DC=MYDOMAIN,DC=local
    
    11/14/2013 10:58:16:247 NetpGetComputerObjectDn: Got DN CN=COMPUTER,CN=Computers,DC=MYDOMAIN,DC=local from the default computer container
    
    11/14/2013 10:58:16:247 NetpModifyComputerObjectInDs: Initial attribute values:
    
    11/14/2013 10:58:16:247 		objectClass  =  Computer
    
    11/14/2013 10:58:16:247 		SamAccountName  =  COMPUTER$
    
    11/14/2013 10:58:16:247 		userAccountControl  =  0x1000
    
    11/14/2013 10:58:16:247 		DnsHostName  =  COMPUTER.MYDOMAIN.local
    
    11/14/2013 10:58:16:247 		ServicePrincipalName  =  HOST/COMPUTER.MYDOMAIN.local  RestrictedKrbHost/COMPUTER.MYDOMAIN.local  HOST/COMPUTER  RestrictedKrbHost/COMPUTER
    
    11/14/2013 10:58:16:247 		unicodePwd  =  <SomePassword>
    
    11/14/2013 10:58:16:247 NetpModifyComputerObjectInDs: Computer Object does not exist in OU
    
    11/14/2013 10:58:16:247 NetpModifyComputerObjectInDs: Attribute values to set:
    
    11/14/2013 10:58:16:247 		objectClass  =  Computer
    
    11/14/2013 10:58:16:247 		SamAccountName  =  COMPUTER$
    
    11/14/2013 10:58:16:247 		userAccountControl  =  0x1000
    
    11/14/2013 10:58:16:247 		DnsHostName  =  COMPUTER.MYDOMAIN.local
    
    11/14/2013 10:58:16:247 		ServicePrincipalName  =  HOST/COMPUTER.MYDOMAIN.local  RestrictedKrbHost/COMPUTER.MYDOMAIN.local  HOST/COMPUTER  RestrictedKrbHost/COMPUTER
    
    11/14/2013 10:58:16:247 		unicodePwd  =  <SomePassword>
    
    11/14/2013 10:58:16:278 NetpMapGetLdapExtendedError: Parsed [0x216d] from server extended error string: 0000216D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
    
    11/14/2013 10:58:16:278 NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x216d
    
    11/14/2013 10:58:16:278 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x216d
    
    11/14/2013 10:58:16:278 NetpProvisionComputerAccount: LDAP creation failed: 0x216d
    
    11/14/2013 10:58:16:278 NetpProvisionComputerAccount: Retrying downlevel per options
    
    11/14/2013 10:58:16:294 NetpManageMachineAccountWithSid: NetUserAdd on 'AD-BOX-2.MYDOMAIN.local' for 'COMPUTER$' failed: 0x216d
    
    11/14/2013 10:58:16:294 NetpProvisionComputerAccount: retry status of creating account: 0x216d
    
    11/14/2013 10:58:16:294 ldap_unbind status: 0x0
    
    11/14/2013 10:58:16:294 NetpJoinDomainOnDs: Function exits with status of: 0x216d
    
    11/14/2013 10:58:16:309 NetpJoinDomainOnDs: status of disconnecting from '\\AD-BOX-2.MYDOMAIN.local': 0x0
    
    11/14/2013 10:58:16:309 NetpDoDomainJoin: status: 0x216d
    
    11/14/2013 10:58:16:309 -----------------------------------------------------------------
    
    11/14/2013 10:58:16:309 NetpDoDomainJoin
    
    11/14/2013 10:58:16:309 NetpMachineValidToJoin: 'COMPUTER'
    
    11/14/2013 10:58:16:309 	OS Version: 6.1
    
    11/14/2013 10:58:16:309 	Build number: 7601 (7601.win7sp1_rtm.101119-1850)
    
    11/14/2013 10:58:16:309 	ServicePack: Service Pack 1
    
    11/14/2013 10:58:16:309 	SKU: Windows 7 Ultimate
    
    11/14/2013 10:58:16:309 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
    
    11/14/2013 10:58:16:309 NetpGetLsaPrimaryDomain: status: 0x0
    
    11/14/2013 10:58:16:309 NetpMachineValidToJoin: status: 0x0
    
    11/14/2013 10:58:16:309 NetpJoinDomain
    
    11/14/2013 10:58:16:309 	Machine: COMPUTER
    
    11/14/2013 10:58:16:309 	Domain: MYDOMAIN.local
    
    11/14/2013 10:58:16:309 	MachineAccountOU: (NULL)
    
    11/14/2013 10:58:16:309 	Account: MYDOMAIN.local\domainjoinaccount
    
    11/14/2013 10:58:16:309 	Options: 0x1
    
    11/14/2013 10:58:16:309 NetpLoadParameters: loading registry parameters...
    
    11/14/2013 10:58:16:309 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    
    11/14/2013 10:58:16:309 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    
    11/14/2013 10:58:16:309 NetpLoadParameters: status: 0x2
    
    11/14/2013 10:58:16:309 NetpValidateName: checking to see if 'MYDOMAIN.local' is valid as type 3 name
    
    11/14/2013 10:58:16:309 NetpValidateName: 'MYDOMAIN.local' is not a valid NetBIOS domain name: 0x7b
    
    11/14/2013 10:58:16:418 NetpCheckDomainNameIsValid [ Exists ] for 'MYDOMAIN.local' returned 0x0
    
    11/14/2013 10:58:16:418 NetpValidateName: name 'MYDOMAIN.local' is valid for type 3
    
    11/14/2013 10:58:16:418 NetpDsGetDcName: trying to find DC in domain 'MYDOMAIN.local', flags: 0x40001010
    
    11/14/2013 10:58:17:339 NetpDsGetDcName: failed to find a DC having account 'COMPUTER$': 0x525, last error is 0x0
    
    11/14/2013 10:58:17:339 NetpLoadParameters: loading registry parameters...
    
    11/14/2013 10:58:17:339 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
    
    11/14/2013 10:58:17:339 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
    
    11/14/2013 10:58:17:339 NetpLoadParameters: status: 0x2
    
    11/14/2013 10:58:17:339 NetpDsGetDcName: status of verifying DNS A record name resolution for 'AD-BOX-1.MYDOMAIN.local': 0x0
    
    11/14/2013 10:58:17:339 NetpDsGetDcName: found DC '\\AD-BOX-1.MYDOMAIN.local' in the specified domain
    
    11/14/2013 10:58:17:339 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
    
    11/14/2013 10:58:17:354 NetpJoinDomain: status of connecting to dc '\\AD-BOX-1.MYDOMAIN.local': 0x0
    
    11/14/2013 10:58:17:354 NetpProvisionComputerAccount:
    
    11/14/2013 10:58:17:354 	lpDomain: MYDOMAIN.local
    
    11/14/2013 10:58:17:354 	lpMachineName: COMPUTER
    
    11/14/2013 10:58:17:354 	lpMachineAccountOU: (NULL)
    
    11/14/2013 10:58:17:354 	lpDcName: AD-BOX-1.MYDOMAIN.local
    
    11/14/2013 10:58:17:354 	lpDnsHostName: (NULL)
    
    11/14/2013 10:58:17:354 	lpMachinePassword: (null)
    
    11/14/2013 10:58:17:354 	lpAccount: MYDOMAIN.local\domainjoinaccount
    
    11/14/2013 10:58:17:354 	lpPassword: (non-null)
    
    11/14/2013 10:58:17:354 	dwJoinOptions: 0x1
    
    11/14/2013 10:58:17:354 	dwOptions: 0x40000003
    
    11/14/2013 10:58:17:370 NetpLdapBind: Verified minimum encryption strength on AD-BOX-1.MYDOMAIN.local: 0x0
    
    11/14/2013 10:58:17:370 NetpLdapGetLsaPrimaryDomain: reading domain data
    
    11/14/2013 10:58:17:370 NetpGetNCData: Reading NC data
    
    11/14/2013 10:58:17:370 NetpGetDomainData: Lookup domain data for: DC=MYDOMAIN,DC=local
    
    11/14/2013 10:58:17:370 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=MYDOMAIN,DC=local
    
    11/14/2013 10:58:17:386 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
    
    11/14/2013 10:58:17:386 NetpGetComputerObjectDn: Cracking DNS domain name MYDOMAIN.local/ into Netbios on \\AD-BOX-1.MYDOMAIN.local
    
    11/14/2013 10:58:17:401 NetpGetComputerObjectDn: Crack results: 	name = MYDOMAIN\
    
    11/14/2013 10:58:17:401 NetpGetComputerObjectDn: Cracking account name MYDOMAIN\COMPUTER$ on \\AD-BOX-1.MYDOMAIN.local
    
    11/14/2013 10:58:17:401 NetpGetComputerObjectDn: Crack results: 	Account does not exist
    
    11/14/2013 10:58:17:401 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x534
    
    11/14/2013 10:58:17:401 NetpProvisionComputerAccount: LDAP creation failed: 0x534
    
    11/14/2013 10:58:17:401 ldap_unbind status: 0x0
    
    11/14/2013 10:58:17:401 NetpJoinDomainOnDs: Function exits with status of: 0x534
    
    11/14/2013 10:58:17:401 NetpJoinDomainOnDs: status of disconnecting from '\\AD-BOX-1.MYDOMAIN.local': 0x0
    
    11/14/2013 10:58:17:401 NetpDoDomainJoin: status: 0x534

    Thursday, November 14, 2013 5:11 PM
  • C:\>err 0x534
    # for hex 0x534 / decimal 1332 :
      ERROR_NONE_MAPPED                                             winerror.h
    # No mapping between account names and security IDs was done.
    # 1 matches found for "0x534"

    Is your local computer name actually named "Computer"?!?!? Seriously? I would change to something else.

    Also.

    http://blogs.technet.com/b/smsandmom/archive/2008/11/18/configmgr-2007-pc-does-not-join-the-domain-if-the-computers-container-is-specified-as-the-domain-ou.aspx?Redirected=true


    Keith Garner - keithga.wordpress.com

    Thursday, November 14, 2013 5:56 PM
    Moderator
  • Again, thanks for your suggestions.

    You should probably know that I replaced the names of my ad box, domain, and computer to generic names as indicated above in the first log I posted.

    I will look at the link and let you know my results. Thanks again.

    Thursday, November 14, 2013 6:02 PM
  • No avail. I get the same error even when not specifying an OU as the link you provided suggested.
    Thursday, November 14, 2013 10:15 PM
  • Are you providing the domain join information in CS.ini or are you specifying it in the Wizard? Have you tried using a different user/password combination for troubleshooting purposes?

    -Nick O.

    Thursday, November 14, 2013 10:39 PM
  • I specify it in the CS.ini. I've tried both my domain admin account and the one specifically set aside for that purpose. Here are my custom settings. Note the change in account names, passwords, etc.

    SkipDomainMembership=YES
    JoinDomain=mydomain.local
    DomainAdmin=domainjoinaccount
    DomainAdminDomain=mydomain.local
    DomainAdminPassword=SecretPassword
    DomainErrorRecovery=Auto

    Friday, November 15, 2013 3:01 PM
  • Just want to update the issue since I haven't heard back from anyone in a while.

    I've found the solution here on this thread:

    http://social.technet.microsoft.com/Forums/systemcenter/en-US/9496a7e9-2d52-4227-9b6c-88cc59687439/osd-server-2008-sp2-domain-join-failure-0x3eb?forum=configmgrosd

    I gave the domain join account "Create Computer Object" permissions in the domain.

    Re-imaged and it worked! Weird, as I didn't need this before. Though I got to this point with all of your help!

    P.S.

    @Keith Garner Your responses were helpful. Just something to note though, you come off slightly presumptuous in your answers.  

    • Marked as answer by Eris_IT Tuesday, December 3, 2013 7:53 PM
    Tuesday, December 3, 2013 7:53 PM
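
The status codes in the netsetup.log excerpts posted in this thread can be decoded per join attempt; the following is an added example, not code from the thread or from MDT. The function name `parse_join_attempts` is hypothetical, the status names are the winerror.h/lmerr.h names for the codes seen above, and the sample log is trimmed from the excerpts posted in the thread.

```python
import re

# Status codes that appear in the thread's netsetup.log excerpts,
# with their names from winerror.h / lmerr.h.
STATUS_NAMES = {
    0x0: "SUCCESS",
    0x7B: "ERROR_INVALID_NAME",
    0x525: "ERROR_NO_SUCH_USER",
    0x534: "ERROR_NONE_MAPPED",
    0xA8B: "NERR_SetupCheckDNSConfig",
    0x232B: "DNS_ERROR_RCODE_NAME_ERROR",
    0x216D: "ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED",
}
NETSETUP_ACCT_CREATE = 0x2  # join option bit: create the computer account

LINE_RE = re.compile(
    r"^\s*(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:\d{3})\s+(?:\[[0-9a-fA-F]+\]\s+)?(.*)$")
HEX_RE = re.compile(r"0x[0-9a-fA-F]+")
DNS_RE = re.compile(r"DNS A record name resolution for '([^']+)': (0x[0-9a-fA-F]+)")
FINAL_RE = re.compile(r"^NetpDoDomainJoin: status:\s*(0x[0-9a-fA-F]+)$")


def parse_join_attempts(text):
    """Split netsetup.log text into domain-join attempts and decode each result."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group(1), m.group(2).strip()
        if msg == "NetpDoDomainJoin":          # header line opens a new attempt
            cur = {"start": ts, "domain": None, "options": 0,
                   "dns_failures": [], "lines": []}
            continue
        if cur is None:
            continue
        if msg.startswith("Domain:"):
            cur["domain"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("Options:"):
            cur["options"] = int(msg.split(":", 1)[1].strip(), 16)
        dns = DNS_RE.search(msg)
        if dns and int(dns.group(2), 16) != 0:
            cur["dns_failures"].append(dns.group(1))
        final = FINAL_RE.match(msg)
        if not final:
            cur["lines"].append(msg)
            continue
        status = int(final.group(1), 16)
        if cur["domain"]:                      # skip the initial workgroup join
            # First line in the attempt that carries the final status code.
            origin = next(
                (line for line in cur["lines"]
                 if status and status in [int(h, 16) for h in HEX_RE.findall(line)]),
                None)
            attempts.append({
                "start": cur["start"],
                "domain": cur["domain"],
                "creates_account": bool(cur["options"] & NETSETUP_ACCT_CREATE),
                "dns_failures": cur["dns_failures"],
                "status": status,
                "status_name": STATUS_NAMES.get(status, "UNKNOWN"),
                "origin": origin,
            })
        cur = None
    return attempts


# Sample input: lines trimmed from the netsetup.log excerpts in this thread.
SAMPLE_LOG = """\
11/11/2013 10:07:31:639 NetpDoDomainJoin
11/11/2013 10:07:31:639 \tDomain: MYDOMAIN
11/11/2013 10:07:31:654 \tOptions: 0x3
11/11/2013 10:07:46:771 NetpDsGetDcName: failed to find a DC having account 'COMPUTER$': 0x525, last error is 0x0
11/11/2013 10:07:46:771 NetpDsGetDcName: status of verifying DNS A record name resolution for 'AD-BOX-1.MYDOMAIN.local': 0x232b
11/11/2013 10:07:46:771 NetpDsGetDcName: failed to find a DC in the specified domain: 0xa8b, last error is 0x0
11/11/2013 10:07:46:771 NetpDoDomainJoin: status: 0xa8b
11/14/2013 10:58:14:983 NetpDoDomainJoin
11/14/2013 10:58:14:983 \tDomain: MYDOMAIN.local
11/14/2013 10:58:14:983 \tOptions: 0x3
11/14/2013 10:58:16:028 NetpDsGetDcName: status of verifying DNS A record name resolution for 'AD-BOX-2.MYDOMAIN.local': 0x0
11/14/2013 10:58:16:278 NetpMapGetLdapExtendedError: Parsed [0x216d] from server extended error string: 0000216D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
11/14/2013 10:58:16:278 NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x216d
11/14/2013 10:58:16:309 NetpDoDomainJoin: status: 0x216d
11/14/2013 10:58:16:309 NetpDoDomainJoin
11/14/2013 10:58:16:309 \tDomain: MYDOMAIN.local
11/14/2013 10:58:16:309 \tOptions: 0x1
11/14/2013 10:58:17:401 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x534
11/14/2013 10:58:17:401 NetpDoDomainJoin: status: 0x534
"""

if __name__ == "__main__":
    for a in parse_join_attempts(SAMPLE_LOG):
        print(f"{a['start']}  {a['domain']:<15} create={a['creates_account']!s:<5} "
              f"{a['status']:#06x} {a['status_name']}")
        if a["dns_failures"]:
            print("    DNS A record lookup failed for:", ", ".join(a["dns_failures"]))
        if a["origin"]:
            print("    first seen in:", a["origin"][:80])
```

ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED refers to the domain's ms-DS-MachineAccountQuota limit (10 by default) on the number of computer accounts an ordinary authenticated user may create. An account that has been delegated the right to create computer objects in the target container is not subject to that limit, which is consistent with the fix reported in the thread.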