Creating a new computer name in AD during Deployment.

  • Question

  • After a really long while of using MDT, I have one main concept missed:

    Having MDT create a computer name in Active Directory (and in a specific OU).

    What we currently do is create a computer name in AD in our policy-free OU. Then, MDT drops an image and joins that computer to the domain with a name already existing (we just added it). What I'm wondering is how to avoid having to pre-create a name in AD ahead of time. During the Wizard, we're presented with a prompt for computer name, OU, etc. But, the pc will ONLY join the domain if the pc name already exists.

    How is a TS set up to join to our domain if the name doesn't exist yet? What extra steps are needed for MDT to add the name to AD, then join the pc to the OU specified in the CS file? Is this how everyone does it? As I said, I have everyone create a pc name first, then type that name into the Wizard.

    The second half of my question is....if I populate the OU in my CS.INI but the pre-created name exists in a different OU, then the CS info is useless, I'm guessing. I added the OU path in my CS but that means nothing...MDT doesn't move the pc to that OU and so far nothing is creating that pc name except for us ahead of time, so what is the purpose of pre-populating that info in the Wizard by adding it to the CS?


    Thursday, August 8, 2019 6:14 PM

All replies

  • If the account being used has the correct permissions for the target OU, MDT will handle the creation of the Computer object and drop it in the correct OU with no additional work; just specify the credentials and target OU either in CustomSettings.ini or on the Wizard screen during deployment.

    In the task sequence, the join happens around the "Recover from Domain" step in State Restore.  I believe it is partly done via the Unattended.xml application, then this step just gets everything connected, but I have not dug into the code to really see what happens.  

    One thing to note, the OU variable by default is first setting only, so once it is set it cannot be changed.  This does not matter in most situations but is worth noting.  We have a very specific situation where we need to change it later, so you have to edit the variable definition (ZTIGather.xml).

    For the second part, if the object already exists in AD it will just connect the new imaged computer to that object.  This can result in 2 computers using the same object, breaking both PC's trust to the domain. 

    Friday, August 9, 2019 12:24 PM
  • If I do not create a computer name in AD prior to imaging a pc, it does the whole fail-four-times deal and tells me that it failed to join to the domain. If the pc is already created in AD, then it joins my pc to the domain.

    So at this point, adding an OU path in my CS.INI is redundant because it doesn't matter what you code in there...the pc will join to the domain only to the OU where the name sits in AD. So I never fully get the whole process. I cannot 'create' a new pc name into AD using MDT; I have to manually create one, then let MDT join a pc to the domain with the pre-created name, in the OU where I initially put it when I created it. So, I don't use the service in the best way.

    Friday, August 9, 2019 12:42 PM
  • If the "domainadmin" account you specified in MDT is failing to join the machine to a specific OU, then it's a permissions issue. You can test it by not setting an OU, I bet it would not have an issue just joining the domain.

    CustomSettings.ini example:

    JoinDomain=DOMAINNAME.ORG
    DomainAdmin=SERVICEACCOUNTNAME
    DomainAdminDomain=DOMAINNAME
    DomainAdminPassword=SERVICEACCOUNTPASSWORD
    MachineObjectOU=OU=SUBGROUP,OU=GROUP,DC=DOMAIN,DC=NAME,DC=ORG

    There's a handy PowerShell script to set the proper permissions for your "service" account.
    https://deploymentresearch.com/Research/Post/353/PowerShell-Script-to-set-permissions-in-Active-Directory-for-OSD

    As you can see by what the script does, the service account needs to have permissions to the specific OU that you want your machines to join. 


    Daniel Vega

    Friday, August 9, 2019 1:16 PM
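
Added example (not part of the original thread, and not the linked deploymentresearch.com script): one way to delegate only the rights a join account needs on the target OU with dsacls, then list what it ended up with. The OU and account names are the placeholders from the CustomSettings.ini sample above; the set of rights shown is an assumption based on the usual domain-join delegation.

```powershell
# Added example. Run as an admin who may edit the OU's ACL (RSAT AD tools installed).
# Placeholders taken from the CustomSettings.ini sample above.
$TargetOU = 'OU=SUBGROUP,OU=GROUP,DC=DOMAIN,DC=NAME,DC=ORG'
$Account  = 'DOMAINNAME\SERVICEACCOUNTNAME'

# The account's password sits in CustomSettings.ini on the deployment share,
# so it should hold these rights on this OU and nothing broader.

# On the OU and below (/I:T): create and delete child objects of class computer only.
dsacls.exe $TargetOU /I:T /G "${Account}:CCDC;computer" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting create/delete computer" }

# On computer objects under the OU (/I:S = sub-objects only): what a join or re-join touches.
$rights = @(
    'CA;Reset Password',
    'WS;Validated write to DNS host name',
    'WS;Validated write to service principal name',
    'WP;Account Restrictions'
)
foreach ($r in $rights) {
    dsacls.exe $TargetOU /I:S /G "${Account}:$r;computer" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting '$r'" }
}

# Review step: show every explicit (non-inherited) ACE the account holds on the OU.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```
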
  • Copying/pasting part of the CS here.....

    JoinDomain=one.two.three.four
    DomainAdmin=serviceaccount
    DomainAdminDomain=one.two.three.four
    DomainAdminPassword=supersecretpassword
    MachineObjectOU=OU=Install Computers,DC=etc.....

    I do see that it joins (I was forgetting DC=…). One more thing to ask, which is likely more difficult than just joining, is there a way to add a Security Group to the computer? In AD, when we manually create a pc name, we have to click 'Change...' and add USS as a User or Group. This allows anyone in that group to be able to move or modify the pc. If we have to still do that part manually, they will just decide to create the pc by hand and add the group at that same time.

    Friday, August 9, 2019 2:19 PM
  • Sorry, I don't follow. The service account is the one with the rights to move the computer into the specific OU. It doesn't matter if you used a different account to authenticate to the deployment share for imaging. 

    Daniel Vega

    Friday, August 9, 2019 2:39 PM
  • Our SOP is that when we manually create a new computer name in AD, we click on Change... and add our USS support group to the Security group on that pc. Technically every pc now on our domain has this added (because we've done this by hand each time). If you look at any pc in AD, and click the Security tab, USS is there.

    I'm hoping to find a GPO that applies this group automatically to every new pc that comes onto AD. For me, if MDT creates a new pc name - and we still have to go into AD and add that group manually - then I'm not accomplishing much.

    Friday, August 9, 2019 2:45 PM
  • My AD group gave me something to test.....when adding the OU to MDT, the order is the furthest-in container backwards out to the outermost OU folder, correct?
    Friday, August 9, 2019 3:56 PM
  • Yes.  Ours look like the following:

    <DomainOU>OU=Specific_OU,OU=Workstations,OU=HighestOULevel,DC=DC,DC=DC1,DC=DC2,DC=com</DomainOU>


    Friday, August 9, 2019 7:10 PM
  • I finally did get it to join. What I'm left with is adding a security group (USS) to the pc with a GPO.

    My AD team does not know how to apply that security group. It should go from the very top, down.

    Friday, August 9, 2019 7:26 PM