staun Posted February 22, 2012

I have a weird issue with our unattended install of Windows 7 clients through WDS 2008R2.

During the initial boot setup we are asked for credentials. If I enter a domain admin account, the rest of the process works fine. BUT if I use a standard domain user account, the computer will not join the domain later during the first startup, even though I have stated that it should use an ImageUnattend.xml file.

<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Identification>
        <JoinDomain>MYDOMAIN.LOC</JoinDomain>
        <UnsecureJoin>true</UnsecureJoin>
    </Identification>
</component>

I even tried to add domain admin user credentials in the XML file, but it still fails.

<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Identification>
        <Credentials>
            <Domain>MYDOMAIN</Domain>
            <Password>AdminUser</Password>
            <Username>PASSWORD</Username>
        </Credentials>
        <JoinDomain>MYDOMAIN.LOC</JoinDomain>
        <UnsecureJoin>true</UnsecureJoin>
    </Identification>
</component>

The XML file is processed fine if the user is a domain admin (tried several standard users and admin users).

Any idea how to allow standard users to install their OS through WDS and have the computer join the domain?

Tripredacus Posted February 22, 2012

Is your DC configured to permit an unsecured join?

staun (Author) Posted February 23, 2012 (edited)

> Is your DC configured to permit an unsecured join?

I have modified the default domain policy: Default Domain Controllers Policy - Admin Templates - System - Net Logon to ENABLED. If that is what you refer to.

Update. If I log on to the computer with the local administrator account and try to add the computer to the domain with a domain user, I get this error:

The join operation was not successful. This could be because an existing computer account having the name “computer name” was previously created using a different set of credentials. Use a different computer name, or contact your administrator to remove any stale conflicting account. The error was: Access is denied

The computer account does not exist in AD or DNS. If I add the computer to the domain with an admin user, it is successfully added.

Edited February 23, 2012 by staun

Tripredacus Posted February 23, 2012

Are you specifying a computer name in the XML?

staun (Author) Posted February 23, 2012 (edited)

> Are you specifying a computer name in the XML?

No, I use <ComputerName>*</ComputerName>

I attached the XML file.

Update. I tried to specify a hardcoded computer name (gulerod345) and set the machine password to the same; I saw a similar issue where that fixed the issue, but that did not help me.

Here is the %windir%\debug\netsetup.log file, if that can help.

-----------------------------------------------------------------
02/23/2012 16:02:07:835 NetpDoDomainJoin
02/23/2012 16:02:07:835 NetpMachineValidToJoin: 'GULEROD345'
02/23/2012 16:02:07:835 OS Version: 6.1
02/23/2012 16:02:07:835 Build number: 7601 (7601.win7sp1_rtm.101119-1850)
02/23/2012 16:02:07:835 ServicePack: Service Pack 1
02/23/2012 16:02:07:835 SKU: Windows 7 Enterprise
02/23/2012 16:02:07:835 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
02/23/2012 16:02:07:835 NetpGetLsaPrimaryDomain: status: 0x0
02/23/2012 16:02:07:835 NetpMachineValidToJoin: status: 0x0
02/23/2012 16:02:07:835 NetpJoinDomain
02/23/2012 16:02:07:835 Machine: GULEROD345
02/23/2012 16:02:07:835 Domain: company.loc\SRV-DC-NSB3.company.loc
02/23/2012 16:02:07:835 MachineAccountOU: (NULL)
02/23/2012 16:02:07:835 Account: (NULL)
02/23/2012 16:02:07:835 Options: 0xe1
02/23/2012 16:02:07:835 NetpLoadParameters: loading registry parameters...
02/23/2012 16:02:07:835 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
02/23/2012 16:02:07:835 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
02/23/2012 16:02:07:835 NetpLoadParameters: status: 0x2
02/23/2012 16:02:07:835 NetpJoinDomain: Unsecure join requested.
02/23/2012 16:02:07:835 NetpJoinDomain: NETSETUP_MACHINE_PWD_PASSED passed, using lpPassword to authenticate as machine
02/23/2012 16:02:07:835 NetpValidateName: checking to see if 'company.loc' is valid as type 3 name
02/23/2012 16:02:08:272 NetpCheckDomainNameIsValid [ Exists ] for 'company.loc' returned 0x0
02/23/2012 16:02:08:272 NetpValidateName: name 'company.loc' is valid for type 3
02/23/2012 16:02:08:272 NetUseAdd to \\SRV-DC-NSB3.company.loc\IPC$ returned 1326
02/23/2012 16:02:08:272 Trying add to \\SRV-DC-NSB3.company.loc\IPC$ using NULL Session
02/23/2012 16:02:08:272 NetpJoinDomain: status of connecting to dc '\\SRV-DC-NSB3.company.loc': 0x0
02/23/2012 16:02:08:288 NetpJoinDomainOnDs: Passed DC 'SRV-DC-NSB3.company.loc' verified as DNS name '\\SRV-DC-NSB3.company.loc'
02/23/2012 16:02:08:288 NetpLoadParameters: loading registry parameters...
02/23/2012 16:02:08:288 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
02/23/2012 16:02:08:288 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
02/23/2012 16:02:08:288 NetpLoadParameters: status: 0x2
02/23/2012 16:02:08:288 NetpDsGetDcName: status of verifying DNS A record name resolution for 'SRV-DC-NSB3.company.loc': 0x0
02/23/2012 16:02:08:288 NetpProvisionComputerAccount:
02/23/2012 16:02:08:288 lpDomain: company.loc
02/23/2012 16:02:08:288 lpMachineName: GULEROD345
02/23/2012 16:02:08:288 lpMachineAccountOU: (NULL)
02/23/2012 16:02:08:288 lpDcName: SRV-DC-NSB3.company.loc
02/23/2012 16:02:08:288 lpDnsHostName: (NULL)
02/23/2012 16:02:08:288 lpMachinePassword: (non-null)
02/23/2012 16:02:08:288 lpAccount: company.loc\GULEROD345$
02/23/2012 16:02:08:288 lpPassword: (non-null)
02/23/2012 16:02:08:288 dwJoinOptions: 0xe1
02/23/2012 16:02:08:288 dwOptions: 0xc0000003
02/23/2012 16:02:08:288 NetpLdapBind: ldap_bind failed on SRV-DC-NSB3.company.loc: 49: Invalid Credentials
02/23/2012 16:02:08:288 NetpJoinDomainOnDs: Function exits with status of: 0x52e
02/23/2012 16:02:08:288 NetpJoinDomainOnDs: status of disconnecting from '\\SRV-DC-NSB3.company.loc': 0x0
02/23/2012 16:02:08:288 NetpDoDomainJoin: status: 0x52e

imageUnattend.xml

Edited February 23, 2012 by staun

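Added example, not part of any post in this thread: a short triage script for a netsetup.log like the one above. It decodes the dwJoinOptions bitmask using the NETSETUP_* constants from lmjoin.h and reports the account the join binds as and the final status; the function name triage and the dictionary layout are choices made for this example.

```python
import re

# Join option bits from lmjoin.h (the fJoinOptions argument of NetJoinDomain).
JOIN_FLAGS = {
    0x001: "NETSETUP_JOIN_DOMAIN",
    0x002: "NETSETUP_ACCT_CREATE",
    0x004: "NETSETUP_ACCT_DELETE",
    0x010: "NETSETUP_WIN9X_UPGRADE",
    0x020: "NETSETUP_DOMAIN_JOIN_IF_JOINED",
    0x040: "NETSETUP_JOIN_UNSECURE",
    0x080: "NETSETUP_MACHINE_PWD_PASSED",
    0x100: "NETSETUP_DEFER_SPN_SET",
}
# Win32 error codes relevant to this thread (0x52e == 1326).
WIN32 = {0x5: "ERROR_ACCESS_DENIED", 0x52E: "ERROR_LOGON_FAILURE"}
ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3}\s+(.*)$")

# Sample input: six lines excerpted from the log posted above.
SAMPLE = """\
02/23/2012 16:02:07:835 NetpLoadParameters: status: 0x2
02/23/2012 16:02:08:288 lpAccount: company.loc\\GULEROD345$
02/23/2012 16:02:08:288 dwJoinOptions: 0xe1
02/23/2012 16:02:08:288 NetpLdapBind: ldap_bind failed on SRV-DC-NSB3.company.loc: 49: Invalid Credentials
02/23/2012 16:02:08:288 NetpJoinDomainOnDs: Function exits with status of: 0x52e
02/23/2012 16:02:08:288 NetpDoDomainJoin: status: 0x52e
"""

def triage(log_text):
    """Hypothetical helper: summarise join flags, bind account and final status."""
    result = {"flags": [], "account": None, "status": None, "creates_account": None}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # separator lines and blanks carry no entry
        msg = m.group(1)
        if msg.startswith("dwJoinOptions:"):
            opts = int(msg.split(":", 1)[1], 16)
            result["flags"] = [n for bit, n in sorted(JOIN_FLAGS.items()) if opts & bit]
            result["creates_account"] = bool(opts & 0x002)
        elif msg.startswith("lpAccount:"):
            result["account"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("NetpDoDomainJoin: status:"):
            code = int(msg.rsplit(":", 1)[1], 16)
            result["status"] = WIN32.get(code, hex(code))
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For this log, 0xe1 decodes to an unsecure join with a passed machine password and without NETSETUP_ACCT_CREATE, and the bind is attempted as the machine account GULEROD345$, which the poster reports does not exist in AD.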
IcemanND Posted February 23, 2012

Do you pre-create the computer accounts in AD? Otherwise with your answer file it will by default try and create the computer account in the default Computers OU which in most places I have been has been restricted to domain admins only. If you supply the OU or pre-create the computer objects in the correct location with the correct name anyone with rights to join a computer to the domain should be able to.

staun (Author) Posted February 24, 2012

> Do you pre-create the computer accounts in AD? Otherwise with your answer file it will by default try and create the computer account in the default Computers OU which in most places I have been has been restricted to domain admins only. If you supply the OU or pre-create the computer objects in the correct location with the correct name anyone with rights to join a computer to the domain should be able to.

You were right - it was a permissions issue. I just added a group with full control on the Computers container and voila!

Now I just need to specify lower permissions on this folder - Full permissions must be overkill.

Thanks a lot!!