OSD won't join domain!!! :(

[chriscj21]

Morning/Afternoon all:

Hope someone can help with this as it's driving me insane!!!

Ok - I had a RIS server in place and initially "RipRep'd" an image up to a RIS box. This image was then deployed to a workstation, taken out of the domain and then "image captured" using the OSD image capture utility.

When I deploy this image (from OSD) to a workstation, all is well except the machine will not join the domain using the credentials specified in the OSD package - despite relocating the object out of the "computers" container. This image will join the domain as part of install if I use native RIS....

If I log into the OSD build and try and manually add the box to the domain, I receive an "error 5: Access is denied" message.

This same thing happens if I give the OU and domain parameters as part of a ZTI install....


Any suggestions would be much appreciated


Chris

ChrisCj21
MCSE, A+, N+

 

[mib147]

I am haivng the same problem. I have given the account specified "Create Computer Objects" rights but it doesn't work. If I use the netdom command it works fine. I am not sure what extra rights are needed. It works with a domain admin account but I don't want to use that in production.

What rights does your account have?

 

[mib147]

I finally got mine working. The problem was the password for the username I was using had a ~ in it. For some reason, that part of the password wasn't going through properly. I changed it to a ! and now it is working.

 

[mib147]

Scratch that. Still a problem.

 

[VictorySabre]

When I was initially testing OSD deployment, I also had problems getting OSD to join the domain. When I reviewed my MMS 2006 DVD, Johan had presented in his OSD course that you need to enclose your password with double quotes if your password used the = sign.

The password I used doesn't have an = sign, but it does have other characters in it, like ! and _. So with nothing to lose, in the blank field where the password is to be entered in SMS' OSD, I put my password in surrounded by double quotes. Eg: "P@ss_word!". Once I did that, the PC automatically joined the domain for me.

See if this helps you.

 

[chriscj21]

Thanks guys:

I will try this today and report back...

Let's hope it works!!!

My password does not contain any unusual characters, just upper/lower case and numbers - worth a shot though!!!


Chris

ChrisCj21
MCSE, A+, N+

 

[mib147]

That worked! Thank you very much VictorySabre.

 

[VictorySabre]

You're very welcome.

 

[chriscj21]

Ok guys...To clarify...

Do we mean when we are creating the OSD installation CD - the one I plan on copying to my RIS box?

So when it says a "user account to join domain", i should enter (as an example):

Username: example\john_doe
Password: "MyPassw0rd"


Correct?


Thanks for help


Chris

ChrisCj21
MCSE, A+, N+

 

[VictorySabre]

Hi chriscj21,

I'm not sure about the RIS part, but if I'm using the OSD feature pack in SMS to create a deployable image, an Image Package is created. See if this is applicable to you.

Within that Image Package is Programs. If I bring up the properties of the program for that package, there is a tab called Network. Within that tab is where you specify the domain, the OU that the PC is to join and the account used to update the domain. There is a Set button there where you specify the password for that account. When I type my password in, that is where I would put my double quotes, like in your example.

If the above matches what you are trying to do, then the double quotes should work. If you are using a different method to create/deploy the image, it probably wouldn't hurt for you to try adding the double quotes just to see if that helps.

 

[bdixon1]

I also have had this problem on the lasst 2 projects i have been on. Here is what i know:

First:
check this MS KB out:

http://support.microsoft.com/Default.aspx?kbid=910200

RESOLUTION
To resolve this issue, do not put the "JoinWorkgroup" entry or the "JoinDomain" entry in the "[Identification]" section of the Sysprep.inf file.

If the "[Identification]" section of the Sysprep.inf file does not have these entries, the OSD Feature Pack generates the entry that is specified on the Network tab of the Properties dialog box.


Talks about the SYSPREP.INF entry for the identification tab - if it has JOINDOMAIN or JOINWORKGROUP section, it will overwrite the settings in the Network tab in the OSD!!!!!! some of you may be having this problem. Seems like a bug to me but i talked to MS about it and they say it is not an SMS bug but an OSD "feature".

Second:
There is a "hotfix" for this issue which some of you may be fighting as well. Ask for Hotfix
KB Article Number(s): 899512
Language: English
Platform: i386

I am having a the same problem now at this new client and i made sure the sysprep file is correct. So i will try the password suggestion here since the Dom admin password in our lab is not using complexity and that may be our issue. i will let you know.

 

[bdixon1]

UPDATE:

I tried the password in quotes deal and still no luck. After the OSD pushes the OS to the managed client, it goes into the mini-setup and seems to hang a long time at the join domain screen before continuing on. The process completes but get only the local logon - no domain logon. Machine account is in the same OU as before. for the lab, using Domain Admin credentials for testing.

I have not had this kind of trouble with OSD before SMS SP2 with imaging.

Any other ideas?

 

[VictorySabre]

bdixon1,

If you were to load the image manually on to a target PC and manually join the domain with the account you've specified, does it work?

I haven't seen your specific problem with OSD (though I'm still in testing phase and haven't experienced much yet), but I've seen some cases in our test domain environment where the LAN Manager Authentication Level was set to Use NTLMv2 Response Only on the domain controllers and that prevented my freshly built test clients from joining the domain.

Once I backed down the LAN Manager Authentication level on the domain controllers, the test PCs were able to join the domain. Could it be possible that you have something similar on your side where the test client fails to join the domain because of that?

 

[bdixon1]

VictorySabre,

thnx for the reply!

Actually it's kinda weird, a conflict of some kind going on. the log file says its joined the domain, then it joins it to the workgroup!

In the sysprep file, the identification section is blank.

In my scenario i setup a reference PC, added the driver path to the registry, copied sysprep folder to root of C:, then run the OSCapture CD, create OS package in SMS, setup target PC and deploy. All goes well except not joined back to Domain when completed. The last time i had this issue the Identification section in sysprep had joinworkgroup, removing it fixed it. So, this isnt my problem now. Log file below.


here is the log file:

08/28 10:07:57 -----------------------------------------------------------------
08/28 10:07:57 NetpValidateName: checking to see if 'WORKGROUP' is valid as type 2 name
08/28 10:07:57 NetpCheckNetBiosNameNotInUse: for 'WORKGROUP' returned: 0x858
08/28 10:07:57 NetpCheckNetBiosNameNotInUse for 'WORKGROUP' [ Workgroup as MACHINE] returned 0x858
08/28 10:07:57 NetpValidateName: name 'WORKGROUP' is valid for type 2
08/28 10:07:57 -----------------------------------------------------------------
08/28 10:07:57 NetpValidateName: checking to see if 'WORKGROUP' is valid as type 2 name
08/28 10:07:57 NetpCheckNetBiosNameNotInUse: for 'WORKGROUP' returned: 0x858
08/28 10:07:57 NetpCheckNetBiosNameNotInUse for 'WORKGROUP' [ Workgroup as MACHINE] returned 0x858
08/28 10:07:57 NetpValidateName: name 'WORKGROUP' is valid for type 2
08/28 10:07:58 -----------------------------------------------------------------
08/28 10:07:58 NetpValidateName: checking to see if 'WORKGROUP' is valid as type 2 name
08/28 10:07:58 NetpCheckNetBiosNameNotInUse: for 'WORKGROUP' returned: 0x858
08/28 10:07:58 NetpCheckNetBiosNameNotInUse for 'WORKGROUP' [ Workgroup as MACHINE] returned 0x858
08/28 10:07:58 NetpValidateName: name 'WORKGROUP' is valid for type 2
08/28 10:07:58 -----------------------------------------------------------------
08/28 10:07:58 NetpDoDomainJoin
08/28 10:07:58 NetpMachineValidToJoin: 'SULLIVAN-02YGOY'
08/28 10:07:58 NetpGetLsaPrimaryDomain: status: 0x0
08/28 10:07:58 NetpMachineValidToJoin: status: 0x0
08/28 10:07:58 NetpJoinWorkgroup: joining computer 'SULLIVAN-02YGOY' to workgroup 'WORKGROUP'
08/28 10:07:58 NetpValidateName: checking to see if 'WORKGROUP' is valid as type 2 name
08/28 10:07:58 NetpCheckNetBiosNameNotInUse: for 'WORKGROUP' returned: 0x858
08/28 10:07:58 NetpCheckNetBiosNameNotInUse for 'WORKGROUP' [ Workgroup as MACHINE] returned 0x858
08/28 10:07:58 NetpValidateName: name 'WORKGROUP' is valid for type 2
08/28 10:07:58 NetpSetLsaPrimaryDomain: for 'WORKGROUP' status: 0x0
08/28 10:07:58 NetpControlServices: open service 'NETLOGON' failed: 0x424
08/28 10:07:58 NetpJoinWorkgroup: status: 0x0
08/28 10:07:58 NetpDoDomainJoin: status: 0x0
08/28 10:08:15 -----------------------------------------------------------------
08/28 10:08:15 NetpValidateName: checking to see if 'SULLIVAN-02YGOY' is valid as type 1 name
08/28 10:08:15 NetpCheckNetBiosNameNotInUse for 'SULLIVAN-02YGOY' [MACHINE] returned 0x0
08/28 10:08:15 NetpValidateName: name 'SULLIVAN-02YGOY' is valid for type 1
08/28 11:35:21 -----------------------------------------------------------------
08/28 11:35:21 NetpValidateName: checking to see if 'SULLIVAN-02YGOY' is valid as type 1 name
08/28 11:35:21 NetpCheckNetBiosNameNotInUse for 'SULLIVAN-02YGOY' [MACHINE] returned 0x0
08/28 11:35:21 NetpValidateName: name 'SULLIVAN-02YGOY' is valid for type 1
08/28 11:35:59 -----------------------------------------------------------------
08/28 11:35:59 NetpValidateName: checking to see if 'WORKGROUP' is valid as type 2 name
08/28 11:35:59 NetpCheckNetBiosNameNotInUse for 'WORKGROUP' [ Workgroup as MACHINE] returned 0x0
08/28 11:35:59 NetpValidateName: name 'WORKGROUP' is valid for type 2
08/28 11:35:59 -----------------------------------------------------------------
08/28 11:35:59 NetpValidateName: checking to see if 'WORKGROUP' is valid as type 2 name
08/28 11:35:59 NetpCheckNetBiosNameNotInUse for 'WORKGROUP' [ Workgroup as MACHINE] returned 0x0
08/28 11:35:59 NetpValidateName: name 'WORKGROUP' is valid for type 2
08/28 11:35:59 -----------------------------------------------------------------
08/28 11:35:59 NetpValidateName: checking to see if 'WORKGROUP' is valid as type 2 name
08/28 11:35:59 NetpCheckNetBiosNameNotInUse for 'WORKGROUP' [ Workgroup as MACHINE] returned 0x0
08/28 11:35:59 NetpValidateName: name 'WORKGROUP' is valid for type 2
08/28 11:35:59 -----------------------------------------------------------------
08/28 11:35:59 NetpDoDomainJoin
08/28 11:35:59 NetpMachineValidToJoin: 'SULLIVAN-02YGOY'
08/28 11:35:59 NetpGetLsaPrimaryDomain: status: 0x0
08/28 11:35:59 NetpMachineValidToJoin: status: 0x0
08/28 11:35:59 NetpJoinWorkgroup: joining computer 'SULLIVAN-02YGOY' to workgroup 'WORKGROUP'
08/28 11:35:59 NetpValidateName: checking to see if 'WORKGROUP' is valid as type 2 name
08/28 11:35:59 NetpCheckNetBiosNameNotInUse for 'WORKGROUP' [ Workgroup as MACHINE] returned 0x0
08/28 11:35:59 NetpValidateName: name 'WORKGROUP' is valid for type 2
08/28 11:35:59 NetpSetLsaPrimaryDomain: for 'WORKGROUP' status: 0x0
08/28 11:35:59 NetpJoinWorkgroup: status: 0x0
08/28 11:35:59 NetpDoDomainJoin: status: 0x0
09/06 11:12:38 -----------------------------------------------------------------
09/06 11:12:38 NetpValidateName: checking to see if 'smstest' is valid as type 3 name
09/06 11:12:38 NetpCheckDomainNameIsValid [ Exists ] for 'smstest' returned 0x0
09/06 11:12:38 NetpValidateName: name 'smstest' is valid for type 3
09/06 11:12:48 -----------------------------------------------------------------
09/06 11:12:48 NetpDoDomainJoin
09/06 11:12:48 NetpMachineValidToJoin: 'SULLIVAN-02YGOY'
09/06 11:12:48 NetpGetLsaPrimaryDomain: status: 0x0
09/06 11:12:48 NetpMachineValidToJoin: status: 0x0
09/06 11:12:48 NetpJoinDomain
09/06 11:12:48 Machine: SULLIVAN-02YGOY
09/06 11:12:48 Domain: smstest
09/06 11:12:48 MachineAccountOU: (NULL)
09/06 11:12:48 Account: smstest\administrator
09/06 11:12:48 Options: 0x25
09/06 11:12:48 OS Version: 5.1
09/06 11:12:48 Build number: 2600
09/06 11:12:48 ServicePack: Service Pack 2
09/06 11:12:48 NetpValidateName: checking to see if 'smstest' is valid as type 3 name
09/06 11:12:48 NetpCheckDomainNameIsValid [ Exists ] for 'smstest' returned 0x0
09/06 11:12:48 NetpValidateName: name 'smstest' is valid for type 3
09/06 11:12:48 NetpDsGetDcName: trying to find DC in domain 'smstest', flags: 0x1020
09/06 11:12:48 NetpDsGetDcName: found DC '\\SMSDC' in the specified domain
09/06 11:12:48 NetpJoinDomain: status of connecting to dc '\\SMSDC': 0x0
09/06 11:12:48 NetpGetLsaPrimaryDomain: status: 0x0
09/06 11:12:48 NetpGetDnsHostName: Read NV Hostname: sullivan-02ygoy
09/06 11:12:48 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: smstest.com
09/06 11:12:48 NetpLsaOpenSecret: status: 0xc0000034
09/06 11:12:48 NetpGetLsaPrimaryDomain: status: 0x0
09/06 11:12:48 NetpLsaOpenSecret: status: 0xc0000034
09/06 11:12:49 NetpJoinDomain: status of setting machine password: 0x0
09/06 11:12:49 NetpGetComputerObjectDn: Cracking account name SMSTEST\SULLIVAN-02YGOY$ on \\SMSDC
09/06 11:12:49 NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=SULLIVAN-02YGOY,OU=Test PCs,DC=smstest,DC=com
09/06 11:12:49 NetpModifyComputerObjectInDs: Initial attribute values:
09/06 11:12:49 DnsHostName = sullivan-02ygoy.smstest.com
09/06 11:12:49 ServicePrincipalName = HOST/sullivan-02ygoy.smstest.com HOST/SULLIVAN-02YGOY
09/06 11:12:49 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
09/06 11:12:49 DnsHostName = sullivan-02ygoy.smstest.com
09/06 11:12:49 ServicePrincipalName = HOST/SULLIVAN-02YGOY HOST/sullivan-02ygoy.smstest.com
09/06 11:12:49 NetpModifyComputerObjectInDs: There are _NO_ modifications to do
09/06 11:12:49 ldap_unbind status: 0x0
09/06 11:12:49 NetpJoinDomain: status of setting DnsHostName and SPN: 0x0
09/06 11:12:49 NetpGetLsaPrimaryDomain: status: 0x0
09/06 11:12:49 NetpSetLsaPrimaryDomain: for 'SMSTEST' status: 0x0
09/06 11:12:49 NetpJoinDomain: status of setting LSA pri. domain: 0x0
09/06 11:12:50 NetpJoinDomain: status of managing local groups: 0x0
09/06 11:12:50 NetpJoinDomain: status of setting netlogon cache: 0x0
09/06 11:12:50 NetpJoinDomain: status of setting ComputerNamePhysicalDnsDomain to 'smstest.com': 0x0
09/06 11:12:50 NetpUpdateW32timeConfig: 0x0
09/06 11:12:50 NetpJoinDomain: status of disconnecting from '\\SMSDC': 0x0
09/06 11:12:50 NetpDoDomainJoin: status: 0x0
09/06 11:23:08 -----------------------------------------------------------------
09/06 11:23:08 NetpValidateName: checking to see if 'SMS' is valid as type 2 name
09/06 11:23:11 NetpCheckNetBiosNameNotInUse for 'SMS' [ Workgroup as MACHINE] returned 0x0
09/06 11:23:11 NetpValidateName: name 'SMS' is valid for type 2
09/06 11:23:21 -----------------------------------------------------------------
09/06 11:23:21 NetpUnJoinDomain: unjoin from 'SMSTEST' using 'smstest\administrator' creds, options: 0x4
09/06 11:23:21 OS Version: 5.1
09/06 11:23:21 Build number: 2600
09/06 11:23:21 ServicePack: Service Pack 2
09/06 11:23:21 NetpUnJoinDomain: status of getting computer name: 0x0
09/06 11:23:21 NetpApplyJoinState: actions: 0x2b805a
09/06 11:23:21 NetpDsGetDcName: trying to find DC in domain 'SMSTEST', flags: 0x1020
09/06 11:23:21 NetpDsGetDcName: found DC '\\SMSDC' in the specified domain
09/06 11:23:21 NetpApplyJoinState: status of connecting to dc '\\SMSDC': 0x0
09/06 11:23:22 NetpApplyJoinState: status of stopping and setting start type of Netlogon to 16: 0x0
09/06 11:23:22 NetpGetLsaPrimaryDomain: status: 0x0
09/06 11:23:22 NetpLsaOpenSecret: status: 0x0
09/06 11:23:22 NetpLsaOpenSecret: status: 0x0
09/06 11:23:22 NetpManageMachineAccountWithSid: status of disabling account 'SULLIVAN-02YGOY$' on '\\SMSDC': 0x0
09/06 11:23:22 NetpApplyJoinState: status of disabling account: 0x0
09/06 11:23:22 NetpSetLsaPrimaryDomain: for 'SMSTEST' status: 0x0
09/06 11:23:22 NetpApplyJoinState: status of setting LSA pri. domain: 0x0
09/06 11:23:22 NetpApplyJoinState: status of clearing ComputerNamePhysicalDnsDomain: 0x0
09/06 11:23:22 NetpApplyJoinState: status of removing from local groups: 0x0
09/06 11:23:22 NetpUpdateW32timeConfig: 0x0
09/06 11:23:23 NetpApplyJoinState: NON FATAL: status of removing DNS registrations: 0x0
09/06 11:23:23 NetpApplyJoinState: status of disconnecting from '\\SMSDC': 0x0
09/06 11:23:23 NetpUnJoinDomain: status: 0x0
09/06 11:23:23 -----------------------------------------------------------------
09/06 11:23:23 NetpDoDomainJoin
09/06 11:23:23 NetpMachineValidToJoin: 'SULLIVAN-02YGOY'
09/06 11:23:23 NetpGetLsaPrimaryDomain: status: 0x0
09/06 11:23:23 NetpMachineValidToJoin: status: 0x0
09/06 11:23:23 NetpJoinWorkgroup: joining computer 'SULLIVAN-02YGOY' to workgroup 'SMS'
09/06 11:23:23 NetpValidateName: checking to see if 'SMS' is valid as type 2 name
09/06 11:23:26 NetpCheckNetBiosNameNotInUse for 'SMS' [ Workgroup as MACHINE] returned 0x0
09/06 11:23:26 NetpValidateName: name 'SMS' is valid for type 2
09/06 11:23:26 NetpSetLsaPrimaryDomain: for 'SMS' status: 0x0
09/06 11:23:26 NetpJoinWorkgroup: status: 0x0
09/06 11:23:26 NetpDoDomainJoin: status: 0x0
09/07 12:27:50 -----------------------------------------------------------------
09/07 12:27:50 NetpValidateName: checking to see if 'SULLIVAN-02YGOY' is valid as type 1 name
09/07 12:27:50 NetpCheckNetBiosNameNotInUse for 'SULLIVAN-02YGOY' [MACHINE] returned 0x0
09/07 12:27:50 NetpValidateName: name 'SULLIVAN-02YGOY' is valid for type 1

 

[bdixon1]

Oh, and yes, i can join PC manually to domain using the credentials.

 

[VictorySabre]

bdixon1,

Your problem is definitely beyond the scope of my abilities.

Hopefully if you do find a solution, please do post it here so that others can learn from it as well.

 

[bdixon1]

UPDATE:

I think we had a build problem, i let the client build the image from my build guide, but when i tried to sysprep manually, it comes back with the same machine name! i think its a bad sysprep causing all this hearburn, imaging a rebuild now, will see very soon.