Domain Join Failure Error NetpDoDomainJoin Status 0x8bf
Using the CustomSettings.ini. In order to automatically join the computer into the domain, you will need to add the join parameters to your CustomSettings.ini. To modify your CustomSettings.ini:
Right-click on the deployment share and select Properties. In the properties page, click on Rules. Append the information needed to join the workgroup or domain. The screenshot below shows you the parameters to use while joining a domain or a workgroup.
It should be obvious that you cannot use both options at the same time; comment out the options you will not use. When using this option, you have to understand that these variables will be injected into the Unattend.xml. During the deployment process, the setup process will use the information found in the Unattend.xml. This works great if you deploy your workstations in a simple environment. However, for large deployment scenarios, you might have additional requirements and constraints that make joining the domain more difficult.
A good example of a complication while deploying an operating system and joining the machine to the domain is when you have restrictive group policies that, for example, display a legal disclaimer and thereby break the auto-logon capability. The MDT team has taken this situation into consideration, and you can delay the domain join until the last moment.
To achieve this, you will first need to modify the Unattend.xml. Then you will need to add a step in your task sequence so that the domain join is performed there. To update your existing task sequence to delay the joining of the domain, perform the following: Open the Deployment Workbench console and navigate to the Task Sequences node.
Select the task sequence to be updated. Right-click on it and select Properties. In the properties page, select the Task Sequence tab. In the Task Sequence tab, click on Add, select Settings and then select Recover From Domain. Accept the defaults and ensure that the step is placed at the correct location in the task sequence tree.
In our example, this is the last step that will be performed. As you know, the CustomSettings.ini. If you need to join computers into different domains, you could simply create additional task sequences, each using the appropriate script. You could also use a single task sequence and run the appropriate join-domain operation if your script is able to distinguish between the different domains.
The following screenshots show a sample PowerShell script that can be used to join a domain or a workgroup: code to join a workgroup, and code to join a domain. You will have to copy the script into the Scripts folder under your deployment share.
When this is done, you can add an additional step in your task sequence. You will need to select Run PowerShell Script when adding the step to the task sequence. The following screenshot shows the configuration of the step. Note again that this task is one of the last ones that will be performed.
Using Offline Join Domain capabilities
The third option allows you to join a domain even if you have no access to the Active Directory infrastructure.
We had to come up with such a solution in some projects for multiple reasons. One reason was that the deployment was performed in a staging area where no network connectivity to the production environment was available. In another situation, network connectivity was there, but the network was configured with MAC filtering.
Because of this, we had to configure a disconnected deployment infrastructure again and used the Offline Domain Join. However, we will not use the same approach.
Since MDT supports PowerShell scripting, we will simply add an additional step at the end of the task sequence that performs the offline join operation. You could use Run Command Line too. The offline domain join operation is a two-step process. You will first need to provision the computer in your Active Directory.
The above command will generate a text file named after the computer you have just provisioned. In a real-life scenario, you will probably want to automate the process. You will need to get or create an input file containing the names of the computers to be deployed.
The names should follow your naming convention, such as prefix-serialNumber. This means you will need to prepare a little by gathering the serial numbers, or possibly obtaining a list of serial numbers from the manufacturer. In one of our projects, we automated the process with a really simple PowerShell script (see screenshot below). Note that this is just a sample script that you can use as a starting point.
When the script has run completely, go to the folder where you have stored your blobs. You should see something like this. The second step in the offline join process is to run the djoin command again, this time on the client, using the blob file that contains the information needed to join the domain. The sample script you can use would look like the following screenshot. You will store this script in the Scripts folder under the MDT Deployment Share.
When this is done, you can update the task sequence to add the OfflineJoinDomain step. This follows the same principle as before: add a step at the end of the task sequence tree and select the Run PowerShell Script option. The following screenshot shows the settings we configured on the page.
We have added, as a last step, a Restart Computer step, which is needed when performing an offline domain join.
Final Notes
This ends this post! As you can see, you have several options to automatically join a computer into the domain. We prefer to use task sequences to join computers into the domain because we feel the process provides more flexibility. However, there is a security question when automatically joining the computer into the domain.
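An added example, not the blog's own script, of the two djoin steps just described: provisioning one blob per computer from a serial-number list using the prefix-serialNumber convention, and applying that blob on the client from the Run PowerShell Script step. The domain, OU, prefix and folder paths are assumed placeholders; the djoin switches used (/provision, /machineou, /savefile, /reuse, /requestodj, /loadfile, /windowspath, /localos) are the standard ones.

```powershell
# Added example, not the blog's own script. New-OfflineJoinBlob runs on a
# domain-connected admin workstation; Invoke-OfflineJoin runs on the target
# machine from the MDT "Run PowerShell Script" step. Domain, OU, prefix and
# folder values are placeholders to replace.

function New-OfflineJoinBlob {
    param(
        [string]$SerialFile = '.\serials.txt',   # constructed input: one serial per line
        [string]$Prefix     = 'WS',              # naming convention: prefix-serialNumber
        [string]$Domain     = 'corp.example.com',                           # placeholder
        [string]$MachineOU  = 'OU=Workstations,DC=corp,DC=example,DC=com',  # placeholder
        [string]$BlobFolder = '.\blobs'
    )
    # Each blob is effectively a credential for that computer account: create the
    # folder with inheritance removed and grant access only to the provisioning user.
    New-Item -ItemType Directory -Path $BlobFolder -Force | Out-Null
    $acl = Get-Acl $BlobFolder
    $acl.SetAccessRuleProtection($true, $false)
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $BlobFolder -AclObject $acl

    foreach ($line in Get-Content $SerialFile) {
        $serial = $line.Trim()
        if (-not $serial) { continue }                       # skip blank lines
        $name = "$Prefix-$serial"
        if ($name.Length -gt 15) {                           # NetBIOS computer name limit
            Write-Warning "Skipping $name (longer than 15 characters)"; continue
        }
        $blob = Join-Path $BlobFolder "$name.txt"
        # /reuse lets a pre-staged account be re-provisioned (its password is reset)
        & djoin.exe /provision /domain $Domain /machine $name /machineou $MachineOU /savefile $blob /reuse
        if ($LASTEXITCODE -ne 0) { Write-Warning "djoin /provision failed for $name (exit $LASTEXITCODE)" }
    }
}

function Invoke-OfflineJoin {
    param([string]$BlobFolder = (Join-Path $PSScriptRoot 'Blobs'))   # blobs copied next to the script
    $blob = Join-Path $BlobFolder "$env:COMPUTERNAME.txt"
    if (-not (Test-Path $blob)) { throw "No offline join blob found for $env:COMPUTERNAME" }
    # /localos targets the running OS; the join takes effect after the Restart Computer step
    & djoin.exe /requestodj /loadfile $blob /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed (exit $LASTEXITCODE)" }
    Remove-Item $blob -Force    # single use: do not leave the blob on the share
}
```

Run New-OfflineJoinBlob once per batch, copy the resulting blobs into the Scripts\Blobs folder of the deployment share, and have the task sequence step call Invoke-OfflineJoin just before the restart.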
If you use the CustomSettings.ini. To mitigate the risk, you should create a dedicated user, or a group that the user is a member of, and delegate to it only the right to join computer accounts into the domain. A PowerShell script also stores the password in clear text.
With a PowerShell script, we might have options to either encrypt the password or encrypt the script; I do not know, I have not tested this. The blob approach is really the most flexible one, but once again the blob file contains sensitive information you do not want to spread widely. I think there should be a trade-off between the security risk and the level of automation you want to achieve.
I hope you enjoyed this post. Till next time.
Microsoft Deployment Toolkit Notes
If domain join is not working. Excluding the actual operating system install (and maybe an application task or two), joining your imaged machines to the domain is the most important step in the entire process.
But where does this process take place, and how can you troubleshoot it when it breaks? Recover from Domain? If you want that to happen later, e.g. The Lite Touch wizard will set the same task sequence variables in either case, and the "Recover from domain" step will notice that the Unattend.xml.
In essence, the actual domain join occurs in the Install phase and requires a handful of administratively assigned settings to succeed. A blank Unattend.xml. The CustomSettings.ini. Save your CustomSettings.ini. You do not need to update your deployment share when editing just the CustomSettings.ini; a new copy is retrieved every time a computer is imaged. Then right-click on an OU containing your computers and select Delegate Control.
If you do not pre-create or stage your computer accounts in Active Directory, you will also need to do this on the default Computers container. On the Tasks to Delegate screen, select Create a custom task to delegate.
On the next page, choose Only the following objects in the folder and select Computer objects. However, there are a few other things you can check or set up. If all of your computers use the same domain join settings (or if users sometimes change those settings), you can skip the Domain Join wizard prompts. This is normally caused by the OU the machine is a member of. If your OU names contain special characters, consider changing those characters to a dash or a space.
The MDT domain join task will fail on special characters. If a certain machine is failing and is pre-staged, you might have improperly delegated permissions. Navigate to the OU that the computer is a member of, right-click and attempt to create a new computer.
If using Configuration Manager, this is also configurable using an Apply Network Settings task sequence step. OSDAdapterxName Assigns the specified configuration settings to the network adapter that matches the specified name. The key is used for recovering data encrypted on a BitLocker volume. This key is cryptographically equivalent to a startup key. Protect the target computer using one of the following methods: OSDBitLockerRecoveryPassword Instead of generating a random recovery password, the Enable BitLocker task sequence action uses the specified value as the recovery password.
The value must be a valid numeric BitLocker recovery password. The value must be a valid, Base64-encoded BitLocker startup key. The default drive is the drive that contains the operating system. Specifying TRUE could dramatically increase the time required to complete the deployment process.
OSDDiskOffset This property is used to pass a value to the offset parameter of the create partition primary command in DiskPart. For more information on the offset parameter, see Create partition primary. This property is referenced during OEM deployments. The default is Sysprep. The default value is C:. OSFeatures A comma-delimited list of server feature IDs that will be installed on the target computer.
OSInstall Indicates whether the target computer is authorized to have the target operating system installed. If the OSInstall property is not listed, the default is to allow deployment of operating systems to any target computer.
OSVersion The version of the currently running operating system. This property should only be used to detect whether the currently running operating system is Windows PE. Use the OSVersionNumber property to detect other operating systems. OSVersionNumber The operating system major and minor version number. The value specified in this property is used by the ZTILicensing.wsf script.
The operating system needs to be activated with Microsoft after the MAK is applied. This is used when the target computer is unable to access a server running KMS. Packages The list of Configuration Manager packages to be deployed to the target computer. The Packages property has a numeric suffix (for example, Packages001 or Packages002). Parameters The parameters to be passed to a database query that returns property values from columns in the table specified in the Table property.
The table is located in the database specified in the Database property on the computer specified in the SQLServer property. Password Specifies the password for the user account credentials used for promoting the member server to a domain controller. Phase The current phase of the deployment process; the Task Sequencer uses these phases to determine which tasks must be completed. Port The number of the port to use when connecting to the SQL Server database instance that is used for querying property values from columns in the table specified in the Table property.
The port used during connection is specified in the Port property. PowerUsers A list of user accounts and domain groups to be added to the local Power Users group on the target computer.
The PowerUsers property is a list of text values that can be any non-blank value. ProcessorSpeed The speed of the processor installed on the target computer, in MHz. For example, a value of 2000 indicates the processor on the target computer is running at 2,000 MHz, or 2 gigahertz. Product The product name of the target computer. With some computer vendors, the make and model might not be sufficiently unique to identify the characteristics of a particular configuration (for example, hyperthreaded or non-hyperthreaded chipsets).
The Product property can help to differentiate. ProductKey The product key string to be configured for the target computer. Before the target operating system is deployed, the specified product key is automatically inserted into the appropriate location in Unattend.xml. Properties A reserved property that defines any custom, user-defined properties.
Deploying Windows 7 - Part 21: Securing MDT (Part 2)
These user-defined properties are located by the ZTIGather.wsf script. These properties are additions to the predefined properties in MDT. ReplicaOrNewDomain Specifies whether to install a new domain controller as the first domain controller in a new directory service domain, or to install it as a replica directory service domain controller. Role The purpose of a computer, based on the tasks performed by the user on the target computer.
The Role property lists text values that can be any non-blank value. The Role property value has a numeric suffix for example, Role1 or Role2. When defined, a role is associated with a computer.
A computer can perform more than one role. SafeModeAdminPassword Supplies the password for the administrator account when starting the computer in Safe mode or a variant of Safe mode, such as Directory Services Restore mode. SerialNumber The serial number of the target computer. The format for serial numbers is undefined. SLShare The network shared folder in which the deployment logs are stored at the end of the deployment process.
This is used for advanced real-time debugging only. SQLServer The identity of the computer running SQL Server that performs a database query that returns property values from columns in the table specified in the Table property.
The query is based on parameters specified in the Parameters and ParameterCondition properties. StoredProcedure The name of the stored procedure used when performing a database query that returns property values from columns in the table or view. The stored procedure is located in the database specified in the Database property. The name of the stored procedure is specified in the StoredProcedure property. The NX technology is used in processors to segregate areas of memory for use by either storage of processor instructions (code) or storage of data.
VT is used to support current virtualized environments, such as Hyper-V. Supports64Bit Specifies whether the processor resources on the target computer support Windows 64-bit operating systems.
Most modern virtualization environments require a 64-bit processor architecture. Table The name of the table or view to be used in performing a database query that returns property values from columns in the table or view. The table or view is located in the database specified in the Database property. TimeZoneName The time zone in which the target computer is located. The password can be saved to a file or stored in AD DS.
UILanguage The default language to be used with the target operating system. If not specified, the Deployment Wizard uses the language configured in the image being deployed. In this part, we will create task sequences to build and capture the reference images and update them as needed. We start with our source Windows media.
Copy the contents of the Windows. Repeat this for as many operating system versions and architectures as you need to support. If you are supporting many operating systems, I would highly recommend creating a folder structure to aid in locating the images.
In the Task Sequence Wizard, select the Build and capture a reference operating system option. Next, we need to give our task sequence a name and specify the boot image to use. You should always use the 32-bit x86 boot image, because with this one image we can support both 32-bit and 64-bit operating system images; if you use the 64-bit boot image, it is only able to support 64-bit operating system images. Next, we need to specify our source operating system.
In this demonstration, I am using Windows 8. The install.wim. If you are using a Windows image that provides multiple images (such as Home Basic, Home Premium and Professional), then you need to make sure you specify the correct image from the list.
Next, we need to specify that our machine joins a workgroup and not a domain. On the step shown above, we need to configure the Configuration Manager Client Package that will be used to install the Configuration Manager client. Configuration Manager will automatically select the package from the site; however, we need to customise the parameters that get used for the installation. We need to add the SMSP parameter to this.
However, for security reasons, in your production environment you will probably want to use separate accounts for each of these purposes, and preferably ordinary Domain Users accounts instead of Domain Admins accounts. After doing this we updated our deployment share because our Bootstrap.ini. This article shows you how to resolve this SQL issue, and it also describes how to ensure your domain joins are reasonably secure.
Once this is done, the account will be displayed in the Login Name field of this page. In addition, change the Default Database setting at the bottom of the page from master to MDT, since MDT is the name we gave our database when we created it back in article 15 of this series.
The General page of the Login — New dialog should now look like the following figure. Figure: General page after settings have been configured. Do not make any changes to the Server Roles page.
Do not make any changes to the remaining two pages (Securables and Status) of the Login — New dialog. If we leave this account as an ordinary Domain User, then MDT will be able to join the first few computers it installs into the domain, but will then fail to join any others.