Autojoin domain in sysprep answer file....

Question
-
Hello, I'm trying to figure out how to autojoin my domain in my answerfile.
I join the domain in the specialize phase with:
<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Identification>
    <Credentials>
      <Domain>test.local</Domain>
      <Password>xxxxx</Password>
      <Username>administrator</Username>
    </Credentials>
    <JoinDomain>test.local</JoinDomain>
  </Identification>
</component>
So far so good. When the computer reboots, I end up with the logon screen, but when I try to log on with a domain account, I get "the security database on the server does not have a computer account for this workstation trust relationship" error.
The computer account is never created and I (of course) can't log on to the domain.
The setuperr.log file says:
2009-09-09 13:03:42, Error [0x0f0043] SYSPRP WinMain:The sysprep dialog box returned FALSE
Any ideas what I'm doing wrong here?
thanks,
Wednesday, September 9, 2009 12:06 PM
Answers
-
Take a look at this website at the addcomputer.ps1 for auto join to domain. It worked for me:
- Marked as answer by Odd Tore Bøe Friday, May 4, 2012 8:45 AM
Friday, October 22, 2010 8:17 PM
All replies
-
Aww, no replies for me?
Tried it in various different environments and unattend.xml's, but same result. Everything else in the answerfile seems to work.
Friday, September 11, 2009 9:48 AM -
Hi, In all the syspreps for clones I have been involved with, the machines were prepped with WORKGROUP. Then during boot setup they were joined to the domain as an administrator, before being given to users to log in. Maybe there is a new way? Slan go foill, Paul
Friday, September 11, 2009 9:10 PM -
Can you try to enter the NetBIOS name for the domain both for <Domain> and <JoinDomain>?
What OS are your Domain Controllers running?
Ray
Monday, September 14, 2009 3:48 PM -
I have the same issue, and I believe it's an issue with the sysprep process because the sysprepped image is joining the domain before you have entered a computer name manually within the mini-setup process.
The machine does join the domain, with a WIN- name, but the computer name then gets renamed via sysprep and the security link between the machine and the AD is broken, so giving you the error message.
There are a number of solutions, including:
1) Once setup, login and add the machine to a workgroup, restart, then manually re-add to the Domain
2) Get sysprep to automatically supply a computer name within the <settings pass="specialize"> <component name="Microsoft-Windows-Shell-Setup"> section, add <ComputerName>*</ComputerName>
This will automatically create a computer name, probably not what you want if you have an organisation-wide naming convention
3) After the image is applied to the workstation but before the first reboot, alter the c:\windows\panther\unattend.xml file, adding the correct computer name to this file
This is the solution we use as we use Altiris to deploy our images, which includes a routine that can replace text within a file, so our Unattend.xml file contains the line:
<ComputerName>%NAME%</ComputerName>
We then use a FIRM command that will replace %NAME% with the computer's name before the mini-setup process starts.
Other deployment solutions might allow a similar process.
4) Just have your sysprepped images join a Workgroup by default, then manually join the Domain once setup
Tuesday, September 15, 2009 8:28 AM -
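Option 3 in the post above, as an added example that is not part of the original thread: the computer name is written into the specialize-pass ComputerName element through an XML DOM edit instead of a raw text replace, so an invalid name is rejected before it reaches the answer file. The function name, the sample file and the computer name are constructed, and the sketch assumes PowerShell is available in the environment where the file is edited.

```powershell
# Added example (not from the thread): set the final computer name in the answer
# file with an XML DOM edit, so the specialize-pass join uses that name.
function Set-UnattendComputerName {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. C:\Windows\Panther\unattend.xml
        [Parameter(Mandatory)][string]$Name
    )
    # NetBIOS limits: 1-15 chars, letters/digits/hyphen, not digits only.
    if ($Name -notmatch '^(?!\d+$)[A-Za-z0-9-]{1,15}$') {
        throw "Invalid computer name '$Name'"
    }
    $uri = 'urn:schemas-microsoft-com:unattend'
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('u', $uri)

    $pass  = "/u:unattend/u:settings[@pass='specialize']"
    $shell = $xml.SelectSingleNode("$pass/u:component[@name='Microsoft-Windows-Shell-Setup']", $ns)
    if ($null -eq $shell) { throw 'No Shell-Setup component in the specialize pass' }

    $node = $shell.SelectSingleNode('u:ComputerName', $ns)
    if ($null -eq $node) {
        $node = $xml.CreateElement('ComputerName', $uri)
        [void]$shell.AppendChild($node)
    }
    $node.InnerText = $Name.ToUpperInvariant()
    $xml.Save($Path)

    # Report the join target configured in the same pass, if any.
    $join = $xml.SelectSingleNode("$pass/u:component[@name='Microsoft-Windows-UnattendedJoin']//u:JoinDomain", $ns)
    [pscustomobject]@{ ComputerName = $node.InnerText; JoinDomain = if ($null -ne $join) { $join.InnerText } else { $null } }
}

# Constructed sample answer file; the domain is the one from the question.
$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup"><ComputerName>%NAME%</ComputerName></component>
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification><JoinDomain>test.local</JoinDomain></Identification>
    </component>
  </settings>
</unattend>
'@
$tmp = Join-Path $env:TEMP 'unattend-sample.xml'
Set-Content -Path $tmp -Value $sample -Encoding UTF8
Set-UnattendComputerName -Path $tmp -Name 'lab-pc-0042'
```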
Hello!
The DC is a 2003 R2 server.
It seems like everything else in the unattend.xml script works, EXCEPT joining the domain. I've tried both NETBIOS and the fqdn name.
I'll try the solutions posted here later today. I haven't tried it with the <computername>*</computername> (asterisk) but that option gives as much work after the image is rolled out as if I don't join the domain. If it doesn't work, I guess I could use NETDOM, perhaps?
Thanks,
Wednesday, September 16, 2009 6:22 AM -
Let me know if you have any luck with this. I have a similar problem. For our Vista rollouts I used MYSYSPREP which is a third party tool that allows you to enter the machine name at a prompt like the old XP Sysprep days. However, a similar answer file for our Windows 7 images does not appear to be working.
Not sure why Microsoft took this functionality out of Vista and 7, as it is very handy.
Wednesday, September 23, 2009 6:57 PM -
I'm having exactly the same issue, have managed to get my answer file working. Just the actual adding to domain is causing a problem. After the machine has been reimaged I try logging on and get the "the security database on the server does not have a computer account for this workstation trust relationship" error come up.
I log in locally and notice it says that it is added to the domain. So under - Computer name, domain and workgroup settings. It says the domain name next to domain also.
Friday, March 26, 2010 12:07 PM -
I'm having the same issue. Using an autounattend.xml to install Windows 7 and joining a domain with 2003 standard DC's. Everything seems to work well with the autounattend, it even logs in once as administrator after you enter the computer name value (which ideally I'd like to be the only hands on step for image deployment). On the freshly imaged Windows 7 machine I check the system properties and it says it's a member of my domain. I can even browse to other PC's on the domain with \\computername\c$ and connect to them with no authentication. A machine that is on our company's network but as a member of a workgroup would normally have to supply domain credentials to browse to other machines' C drives, so in this way it acts as if it's truly on the domain. I then log off and attempt to log in with a domain administrative account and then get the same error previously posted "the security database on the server does not have a computer account for this workstation trust relationship". I also notice that the computer name that I enter never gets entered into AD.
I can add this computer to the domain manually and it will show up in AD as well as authenticate domain accounts after that. However to add another step to the imaging process when we need to roll out 400+ machines to end users will just delay the deployment process further. Please let me know if any other information is needed to assist with this. Thanks.
Wednesday, April 7, 2010 2:00 PM -
We are having the same issue. We really need a solution! I can't believe there's no solution but to manually join each computer to the domain! C'mon Microsoft!
Tuesday, July 20, 2010 2:23 PM
-
Also having this issue - is it confined to Windows 7 Ent x64 or all Windows 7 versions?
Tuesday, July 27, 2010 11:30 AM
-
This is the information that helped us most from Simonpa:
"I have the same issue, and I believe it's an issue with the sysprep process because the sysprepped image is joining the domain before you have entered a computer name manually within the mini-setup process.
The machine does join the domain, with a WIN- name, but the computer name then gets renamed via sysprep and the security link between the machine and the AD is broken, so giving you the error message.
..........2) Get sysprep to automatically supply a computer name within the <settings pass="specialize"> <component name="Microsoft-Windows-Shell-Setup"> section, add <ComputerName>*</ComputerName>
This will automatically create a computer name, probably not what you want if you have an organisation-wide naming convention"
We figured out that the part of the random name for the computer is being taken from the Registered Owner and Registered Organization names. It will pull letters from first the registered owner then the registered organization until there are 7 characters, with one exception, then it will add a dash then random characters to make a total of 15. If the registered owner name has 7 characters, none will be added from the registered organization. Example:
1) If the reg. owner name is DEPTONE, the machine name will be DEPTONE-xxxxxxx.
2) The registered owner name might be DEPT, and the registered organization might be COMP. The random machine name will be DEPTCOM-xxxxxxx.
3) If the registered owner name has a space in it, DEPT ONE, then the name will be DEPT-xxxxxxxxxx.
This information can be added in the same place in the specialize pass as the * for computer name. The machine successfully joins the domain and we are able to log on as a domain user when we use this configuration for our answer file. We still have to go in and rename the machine after the fact, but it takes less time than manually joining each machine to the domain, every machine has a unique name, and we have a little control over the naming scheme so we can identify our machines on the domain.
Hope this is helpful!
Tuesday, July 27, 2010 1:50 PM -
If you leave the computer name property blank (<computername></computername>) it should prompt you.
My solution was more complex, but prevents techs from entering the wrong name or using the wrong format. Right before I Sysprep I change the BCD to point to a local Windows PE installation for the next boot. Then I Ghost the sysprepped image. On the next start up Windows PE loads then launches a VB6 app that allows the tech to select information from drop down boxes. Once the build button is clicked the sysprep.inf or unattend.xml (depending on OS of course) is updated using sed.exe (a very nice Unix tool that has been ported to Windows, although you could parse the file in the VB6 app), and then the account is prestaged in the correct OU in Active Directory. The BCD is automatically updated and the system reboots into mini-setup.
It takes some time to get going, but it is a nice way to pre-stage your computer accounts in AD without constantly going into ADUC and hand creating them. And because it is automated it leaves little room for human error.
FYI - I had to use VB6 because WinPE does not currently support the .NET Framework. If you aren't a programmer or don't have VB6 you can actually use HTA and VBScript to accomplish the same goal.
Regards,
Scott
Monday, August 16, 2010 2:34 PM -
I also had the same issue and correct me if I'm wrong, but I understand there is still not a solution in which you can have sysprep automatically join the domain and prompt you for a computer name? I have my sysprep set up to do this and it seems to work fine, however just like all others, when I go to log on to the domain I get the "the security database on the server does not have a computer account for this workstation trust relationship" error.
Tuesday, October 12, 2010 11:49 AM