MDT Imaging - AD Credentials Question

  • Question

  • I am hoping someone can point me in the right direction. I have a situation here:

    I start to create a reference image. I am using my AD Domain Credentials.

    The process is paused since I chose to use LTISuspend to modify the reference image further.

    The question is: if I started my process with my AD credentials and my AD password has since changed because it expired, how can I continue with the build and capture?

    This happened a while ago, and after I tried to resume the task sequence it couldn't connect to the deployment share. I have since set my AD password to never expire, but I am still curious how to overcome this issue. If anyone has pointers, please advise.

    Thanks

    Monday, October 20, 2014 8:32 PM

All replies

  • Why are you using your AD credentials for a reference image? Keep it clean and install Windows under the local administrator account in a workgroup, NOT part of the domain.
    Monday, October 20, 2014 8:45 PM
  • Sorry, perhaps I phrased it wrong. 

    The reference image is being built using the local administrator account but to access the deployment share I am using my AD credentials. MDT / WDS are running on Win Server 2K12 R2 and that server is part of the domain.

    Monday, October 20, 2014 8:50 PM
  • Do you have the username, password, and domain info in your customsettings.ini?

    If your password has changed it will need to reflect it in your ini file....

    Also take a look at your bootstrap.ini file as well!

    Monday, October 20, 2014 8:53 PM
  • No, I do not have that disclosed in any of the .ini files, as they are my AD credentials. I manually input those credentials at the start, either when building reference images or deploying them.

    I suggested to my Domain Admin about creating build accounts etc. in AD but he didn't want to do that, so since I am the person in charge of imaging I am using my AD credentials.

    The only thing specified in customsettings.ini is the LOCAL Administrator password.

    Monday, October 20, 2014 9:04 PM
  • So your AD password expired WHILE the task sequence was executing? This seems like quite an unlikely scenario, actually.

    If your account is not expired anymore, what is the problem?

    Monday, October 20, 2014 11:05 PM
  • No not while the TS is executing. Say for eg.

    I started creating a reference VM. I use LTI Suspend, the TS is suspended...I customize my reference image. I take a snapshot of it. I take an image of the reference build by hitting "Resume TaskSequence" shortcut on the desktop.

    2 months down the road I want to update the image, so I revert back to the snapshot. I make changes, but when I choose to "Resume TaskSequence" the capture fails, possibly due to the change in credentials (as you see, when I created the reference VM the credentials used to connect to the MDTBuild deployment share were my old AD credentials). This actually happened to me once and I had to rebuild a few of the images from scratch.

    I actually unmapped the Z: that it maps and remapped it with new credentials thinking that it may do the trick, but it did not. I am now hoping to find an answer to this whole scenario.

    Tuesday, October 21, 2014 12:13 AM
  • Ok, I understand your question now.  That is a tough one. I've never considered taking a snapshot of the VM during a deployment, but I suppose it makes sense.

    What kinds of things are you doing to the image manually? My only suggestion is to automate those things and then just recreate your image from scratch each time. I know it's not an answer to your question, but something to think about.

    That's how we do our images every month. They are 100% automated with Hyper-V and PowerShell, so even though it takes 6 hours to build an image, we just fire off a PS script and get an email when it's done.

    Tuesday, October 21, 2014 12:52 AM
  • Hi David,

    Yes the mistake I made was that for MDTBuild Share I should have just set it up so for creating / capturing images I connect to build share using a "local" account on the server rather than my own domain account.

    I pretty much followed the Deployment Fundamentals 4 book (fairly new to the whole MDT imaging) and one of the things that lots of folks out there do is, after the TS is stopped using LTISuspend, you customize the OS with your apps / branding, take a snapshot and then go on with image capture. By doing so, in the future you can just revert back to the most current snapshot, add anything else that's needed, and redo the capture.

    So to be clear I am not technically taking snapshot WHILE the image is being captured, I take a snapshot when the reference VM is in suspended mode and I have customized the OS to my liking.


    Tuesday, October 21, 2014 12:59 AM
  • Yes, that is what I do. Use a local account on the MDT server that never expires. Just make sure it is locked down and only has access to the MDT share.
    • Edited by David Bloomer Thursday, October 23, 2014 12:20 AM
    • Proposed as answer by David Bloomer Thursday, October 23, 2014 12:20 AM
    Wednesday, October 22, 2014 5:10 PM
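
One way to set up the locked-down local account described in the reply above, as an added example that is not code from the thread. The account name `MDT_Build`, the share name `MDTBuild$` and the path `D:\MDTBuild` are assumptions, and `New-LocalUser` assumes PowerShell 5.1 is installed on the MDT server.

```powershell
#Requires -RunAsAdministrator
# Added example. Account, share and path names are assumptions, not from the thread.
$AccountName = 'MDT_Build'      # hypothetical local account
$ShareName   = 'MDTBuild$'      # hypothetical SMB share name
$SharePath   = 'D:\MDTBuild'    # hypothetical folder behind the share
$Principal   = "$env:COMPUTERNAME\$AccountName"

# Prompt for the password so it is not stored in the script.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# -PasswordNeverExpires keeps the account usable across the months that can
# pass between taking the snapshot and resuming the capture.
New-LocalUser -Name $AccountName -Password $Password `
    -PasswordNeverExpires -UserMayNotChangePassword `
    -Description 'MDT deployment share access only' | Out-Null

# Share-level permission: Change is the ceiling; the NTFS rules below narrow it.
Grant-SmbShareAccess -Name $ShareName -AccountName $Principal `
    -AccessRight Change -Force | Out-Null

function Add-FolderRule {
    param([string]$Path, [string]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Read-only on the share content; write only in the Captures folder,
# where the captured image is stored.
Add-FolderRule -Path $SharePath -Rights 'ReadAndExecute'
Add-FolderRule -Path (Join-Path $SharePath 'Captures') -Rights 'Modify'

# Review who else can reach the share and trim anything broader than needed.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
```

When the deployment wizard asks for credentials, a local account like this is entered with the MDT server's computer name in the domain field.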
  • When you call any MDT script from the command line, you can pass in parameters and those parameters will get imported into the MDT key/value pair database.

    My solution:

    When you resume the task sequence, *DON'T* run the link from the desktop; instead, find the LTISuspend.wsf script and run the following command:

    cscript LTISuspend.wsf /UserPassword:MyNewPassword

    That will inject the password into the variable space, and allow you to continue.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Friday, October 24, 2014 5:14 AM
    Moderator