Windows 10 domain autojoin

  • Question

  • Good day.



    I'm trying to make Windows 10 autojoin a domain using sysprep and an unattend file.

    Here is my unattend file:

    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
      <settings pass="oobeSystem">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <OOBE>
            <NetworkLocation>Work</NetworkLocation>
            <HideEULAPage>true</HideEULAPage>
            <ProtectYourPC>1</ProtectYourPC>
            <SkipMachineOOBE>true</SkipMachineOOBE>
            <SkipUserOOBE>true</SkipUserOOBE>
          </OOBE>
          <TimeZone>Russian Standard Time</TimeZone>
          <RegisteredOwner>company</RegisteredOwner>
          <RegisteredOrganization>company</RegisteredOrganization>
        </component>
        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <InputLocale>ru-RU</InputLocale>
          <SystemLocale>ru-RU</SystemLocale>
          <UILanguage>ru-RU</UILanguage>
          <UserLocale>ru-RU</UserLocale>
        </component>
      </settings>
      <settings pass="specialize">
        <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <Identification>
            <Credentials>
              <Domain>domain.loc</Domain>
              <Password>P@ssw0rd</Password>
              <Username>admin</Username>
            </Credentials>
            <JoinDomain>domain.loc</JoinDomain>
          </Identification>
        </component>
      </settings>
      <settings pass="generalize">
        <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
        </component>
      </settings>
      <cpi:offlineImage cpi:source="catalog:e:/sources/install_windows 7 professional.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>



    The domain controller is on Windows 2012 R2.

    I run the sysprep preparation with the command:

    SYSPREP /GENERALIZE /OOBE /SHUTDOWN /UNATTEND:C:\Windows\System32\sysprep\unattend.xml 



    So, when I power on the prepared Windows 10, I see that it is in the domain, but when I try to log in I get an error:

    The security database on the server does not have a computer account for this workstation trust relationship.



    I can remove it from the domain and join it back manually, and it helps. But then it will not be an autojoin )

    At the same time, if I do all this with Windows 7, then it works well.

     

    Thursday, July 27, 2017 8:41 AM
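
An audit check for the answer file posted above, as an added example that is not part of the original post: it parses an unattend file, finds the Microsoft-Windows-UnattendedJoin component and reports whether it carries a cleartext join password or an offline-provisioning blob, without echoing the password. The helper name `audit_unattend` and the embedded sample (reduced from the posted file) are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}
JOIN_COMPONENT = "Microsoft-Windows-UnattendedJoin"

# Constructed sample, reduced from the answer file posted in the question.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64">
      <Identification>
        <Credentials>
          <Domain>domain.loc</Domain>
          <Password>P@ssw0rd</Password>
          <Username>admin</Username>
        </Credentials>
        <JoinDomain>domain.loc</JoinDomain>
      </Identification>
    </component>
  </settings>
</unattend>"""


def audit_unattend(xml_bytes):
    """Return one finding per UnattendedJoin component (hypothetical helper)."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for settings in root.findall("u:settings", NS):
        for comp in settings.findall("u:component", NS):
            ident = comp.find("u:Identification", NS)
            if comp.get("name") != JOIN_COMPONENT or ident is None:
                continue
            text = lambda path: (ident.findtext(path, "", NS) or "").strip()
            findings.append({
                "pass": settings.get("pass"),
                "join_domain": text("u:JoinDomain"),
                "username": text("u:Credentials/u:Username"),
                # Report presence only; never echo the secret itself.
                "cleartext_password": bool(text("u:Credentials/u:Password")),
                "offline_provisioning": bool(text("u:Provisioning/u:AccountData")),
            })
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit_unattend(data):
        print(finding)
```

Pass the path of an answer file as the first argument to audit it instead of the sample, for instance the file that the sysprep command above points at.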

All replies

  • Hi S_Kamil,  

    Microsoft has released an article about a domain join issue which is the same as yours.

    It says the issue might be caused by Windows logon trying to achieve higher security in logons. It could also be caused by the following issues.

    1. The trust was created a long time ago, and the NETBIOS name was used to create it resulting in the name resolution used on the trust being NETBIOS, and not DNS.

    2. The firewall rules don't allow the Kerberos protocol to pass the firewall, and also not the domain controller locator to find a domain controller (UDP/389).

    3. You have already passed the problems above and logon errors are still happening. In this case, the syntax contoso\user works, but a UPN like user@contoso.com does not work.

    For a resolution you can remove the external trust and replace it with a forest trust created between the forest root domains of either forest. You may use selective authentication so that still only the users who had the ability to do so before can log on to your system.

    For more information, please refer to:

    Error: The security database on the server does not have a computer account for this workstation trust relationship

    If you prefer direct help with changing settings on the domain controller, I recommend you ask for help from Microsoft Server support; they are more professional on the issue.

    Server forum:

    https://social.technet.microsoft.com/Forums/windowsserver/en-us/home?category=windowsserver

    I hope my reply will be helpful to you.

    Best,

    Joy.



    • Edited by Joy-Qiao Friday, July 28, 2017 9:19 AM
    Friday, July 28, 2017 9:18 AM