This post explains how the Active Directory domain join feature of the MDT (Microsoft Deployment Toolkit) works and if gives tips how to fix it if it is not working.

Excluding the actual Operating System install (and maybe an application task or two), the process of joining your imaging machines to the domain is the most important step in the entire process. But where does this process take place and how can you troubleshoot it when it breaks? The answer isn’t as simple as you would think.

Recover from Domain?

Inside the State Restore phase of any Client Install Task Sequence is a specific task named “Recover From Domain”. By default, this task is set to “Rerun Join Domain” but doesn’t really indicate where the actual Join Domain process occurs.

Recover from Domain

The Recover from Domain Task

Michael Niehaus, one of the creators of MDT, shared this insight over on TechNet:

By default, the domain join happens as part of the OS installation - the unattend.xml specifies to join the domain. If you want that to happen later, e.g. using the "Recover from Domain" step, you would need to remove the join entries from the unattend.xml associated with your task sequence. The Lite Touch wizard will set the same task sequence variables in either case, and the "Recover from domain" step will notice that the unattend.xml didn't do the join.

In essence, the actual join domain process occurs in the Install phase and requires a handful of administratively assigned settings to succeed. If it doesn’t succeed, it will attempt another domain join with the Recover From Domain task.


A blank Unattend.XML opened in Window SIM

MDT domain join settings

The necessary settings needed for a MDT domain join can be configured in your CustomSettings.ini file. Specifically, you will need to set the following:

  • JoinDomain=Your Domain Name – EX: Test.Local
  • DomainAdmin=A User that Can Join Machines to the Domain
  • DomainAdminDomain= Your Domain Name – EX: Test.Local
  • DomainAdminPassword=The DomainAdmin user’s password

Even though the properties above say “DomainAdmin” and “DomainAdminPassword”, please do not actually use your Domain Administrator for this process. The CustomSettings.ini file is stored in clear text and can easily be found.

In our environment, we use a special account that is delegated permissions to create/delete computer accounts. Save your customsettings.ini and open up Active Directory Users and Computer. You do not need to update your DeploymentShare when editing just the CustomSettings.ini. A new copy is retrieved every time a computer is imaged.

Delegating domain join permissions

Create a custom security group named something like: Allowed to Join Computers to the Domain. Then right click on an OU containing your computers and select Delegate Control. If you do not pre-create or stage your computer accounts in Active Directory, you will also need to do this process on the default Computers container.

On the Tasks to Delegate screen, select Create a custom task to delegate. On the next page, choose Only the following objects in the folder and select Computer objects. Finally, check the Create/Delete selected objects in this folder option.

Delegating domain join permissions

Delegating domain join permissions

Skipping the Domain Join Wizard

With the settings that you have above, MDT and Active Directory are completely configured. However, there are a few other things that you can check or setup.

If all of your computers will use the same domain join settings (or if users sometimes change those settings), you can skip the Domain Join Wizard prompts. To do so, enter SkipDomainMembership=YES into your CustomSettings.ini.

If domain join is not working

You might also see certain machines that refuse to join the domain. This is normally caused by the OU the machine is a member of. If your OUs have special characters in them, consider changing the characters to a dash symbol or a space. The MDT domain join task will fail on special characters.

If a certain machine is failing and is pre-staged, you might have improper delegated permissions. Launch Active Directory Users and Computer as your MDT Domain Join user. Navigate to the OU that the computer is a member of. Right click and attempt to create a new computer. If you can’t create a new computer, check the OU permissions and ensure that your account has the Create Computer Objects permission.

Finally, there is one last place that can help you diagnose MDT Domain Join errors. The ZTIDomainJoin error log contains the entire output on the domain join action. This log can be found in C:\Windows\Temp\DeploymentLogs\ZTIDomainJoin.log

  1. Author
    Joseph Moody (Rank 3) 8 years ago

    Quite a script, Alphaeus! Thank you for sharing it!

  2. Mark 8 years ago

    I’m unable to get the bind to domain to work using ztidomainjoin. I have two rules setup in my custom settings. When I place the settings in the default rule this works. But I have another rule which I want it to do the domain binding,
    So we’ll ztidomainjoin only work from settings in the default rule?

  3. Author
    Joseph Moody (Rank 3) 8 years ago

    Mark – i haven’t seen an environment where it is used elsewhere – it may be hard coded to the default rule set. Do you see anything odd in the domain join logs?

  4. Mark 8 years ago

    Only that join domain = workgroup
    I am though booting from a pen drive and not wds, I thinking perhaps I need to redo the pen drive

  5. Mr Mayor 7 years ago

    Hi gang. Hoping this is still an active thread. Relatively new to MDT, or, I use it so infrequently that I forget a lot, your pick.

    Updated our Win7Pro image, and noted how it stopped joining the domain (and renaming) even though I’m entering the same credentials I always do.  The SysprepCapture and Deploy steps were ok. So I decided to test the image.  So it deployed to the laptop, but, it did not rename the machine, nor did it join the domain or OU I assigned.  I’m NOT doing any of these via custom settings but rather LIVE when I connect our mem-stick pointing to our SHARE etc.  I believe what’s happening is: The deployment to the laptop isn’t truly finishing, and just brings me to a log in screen, where I log in, and nothing happens…. so on a whim I decided to try and RE-deploy it and found when I booted up it told me about eh DIRTY ENVIRONMENT/pre-existing deployment.  Perhaps this is when it normally renames and joins? (and then fails?)  A log file somewhere I can verify this?

    Thanks, and sorry if it’s an old thread.


    • jointhedotz 7 years ago

      The dirty environment error just means that there’s an incomplete deployment for that machine, you should be able to re-deploy anyway (it gives the option) but on occasion I’ve had to reformat the drive to clean it.

      As for your issue….at which point is the deployment failing?  What are you seeing on the screen?


  6. Author
    Joseph Moody (Rank 3) 7 years ago

    Can you add your domain-join values to your customsettings.ini file? That would probably be the quickest fix.

  7. Mr Mayor 7 years ago

    Hi Joseph.  Yes I “can”, but then I have no prompt for the Wkstn name, which we do customize. It’s WRKLEN then the last 4 of the serial number…. can that be tweaked to automatically do that prior to joining the domain, obviosuly?  My guess is no….  ?

    Thanks for the response, it appeared deleted at first.


    • jointhedotz 7 years ago

      The 2 things aren’t linked, just leave the computer name screen enabled but add the skip domain join command:

      :Join Domain:











  8. jointhedotz 7 years ago

    The machine name bit can be tweaked obvs 😉

  9. jointhedotz 7 years ago

    this has the answer to fully automating your naming as per your requirements as well:


  10. Simon 6 years ago

    Hi Joseph, i have an issue about join domain service. When i deploy my computer with MDT i can join my domain but if i dont use join domain MDT feature to manually join the domain later i cant reach him. Do you have any lead to help ?

  11. Sid 5 years ago


    in our environment I join computers to domain via a PS script during image deployment in MDT.

    for some reason when I try to refresh a computer from win7 to win10 , it reboots twice when it reaches to recover from domain in TS . Do you know why this is happening.

    and also load scan is not working and there is no log for it either.please help:

    Priority=CApps, MMSettings, MMApps, Default


    TimeZoneName=Eastern Standard Time


    from c:\
    ScanStateArgs=/ui:mydomain\* /v:5 /o /c

    LoadStateArgs=/v:5 /c
    MachineObjectOU=OU=Daily Exemption,OU=SC Rollback,OU=Workstations,OU=Devices,DC=mydomain,DC=com

    _SMSTSOrgName=mydomain OIT, %TaskSequencename%


  12. Alucard 3 years ago

    In my environment I have a service account I created and applied the permissions to it and a dedicated OU for newly imaged machines as described in your post. I've also tried the delegation wizard and specifically making the user domain admin. I don't think it's a big deal, but the only way I can get machines to join the domain with this service account is by using the following properties in the customsettings.ini:




    Any idea why the DomainAdmin,DomainPassword,DomainAdminDomain, properties will not allow the user to join users to the domain through MDT? I can join machines manually after the deployment fails with the account. When I look in the deployment log it shows that it's trying to join the domain, but cannot locate DNS (DHCP has correct DNS settings, and DNS records are correct obviously since I can join machines manually). Also the ZTI log shows it has tried too many time to join the domain count=4. I'd appreciate your thoughts.

Leave a reply

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account