Excluding the actual operating system install (and maybe an application task or two), joining your imaged machines to the domain is the most important step in the entire process. But where does this step take place, and how can you troubleshoot it when it breaks? The answer isn’t as simple as you might think.
Recover from Domain?
Inside the State Restore phase of any Client Install Task Sequence is a specific task named “Recover From Domain”. By default, this task is set to “Rerun Join Domain” but doesn’t really indicate where the actual Join Domain process occurs.
The Recover from Domain Task
Michael Niehaus, one of the creators of MDT, shared this insight over on TechNet:
By default, the domain join happens as part of the OS installation - the unattend.xml specifies to join the domain. If you want that to happen later, e.g. using the "Recover from Domain" step, you would need to remove the join entries from the unattend.xml associated with your task sequence. The Lite Touch wizard will set the same task sequence variables in either case, and the "Recover from domain" step will notice that the unattend.xml didn't do the join.
In essence, the actual join domain process occurs in the Install phase and requires a handful of administratively assigned settings to succeed. If it doesn’t succeed, it will attempt another domain join with the Recover From Domain task.
A blank Unattend.XML opened in Windows SIM
MDT domain join settings
The settings needed for an MDT domain join are configured in your CustomSettings.ini file. Specifically, you will need to set the following:
- JoinDomain=Your domain name (e.g., Test.Local)
- DomainAdmin=A user that can join machines to the domain
- DomainAdminDomain=Your domain name (e.g., Test.Local)
- DomainAdminPassword=The DomainAdmin user’s password
Even though the properties above say “DomainAdmin” and “DomainAdminPassword”, please do not actually use your Domain Administrator for this process. The CustomSettings.ini file is stored in clear text and can easily be found.
In our environment, we use a dedicated account that has been delegated permissions to create and delete computer accounts. You do not need to update your DeploymentShare when editing only CustomSettings.ini; a fresh copy is retrieved every time a computer is imaged. Save your CustomSettings.ini and open Active Directory Users and Computers.
Delegating domain join permissions
Create a custom security group named something like: Allowed to Join Computers to the Domain. Then right click on an OU containing your computers and select Delegate Control. If you do not pre-create or stage your computer accounts in Active Directory, you will also need to do this process on the default Computers container.
On the Tasks to Delegate screen, select Create a custom task to delegate. On the next page, choose Only the following objects in the folder and select Computer objects. Finally, check the Create/Delete selected objects in this folder option.
Delegating domain join permissions
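The same delegation can be scripted instead of clicking through the Delegate Control wizard. The PowerShell below is an added example, not from the article: it creates the group named above and adds an ACE allowing Create/Delete of computer objects only, on the target OU and on the default Computers container. The OU distinguished name is an assumption.

```powershell
# Added example (not from the article): delegate Create/Delete of computer
# objects on an OU to a group, equivalent to the Delegate Control wizard steps.
# The OU DN is an assumption; adjust it to your environment.
Import-Module ActiveDirectory

$GroupName = 'Allowed to Join Computers to the Domain'   # group name from the article
$TargetOU  = 'OU=Workstations,DC=test,DC=local'           # assumed OU holding your computers

# Create the security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'MDT domain-join account(s): may create/delete computer objects'
}
$groupSid = (Get-ADGroup $GroupName).SID

# Look up the schemaIDGUID of the 'computer' class rather than hard-coding it,
# so the ACE applies to computer objects only ("Only the following objects").
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'computer'" -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

# One ACE: Allow CreateChild + DeleteChild of computer objects on this container.
# InheritanceType None mirrors the wizard's "in this folder" scope.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Apply to the OU...
$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# ...and to the default Computers container, needed when accounts are not pre-staged.
$computersContainer = "CN=Computers,$((Get-ADDomain).DistinguishedName)"
$acl2 = Get-Acl -Path "AD:\$computersContainer"
$acl2.AddAccessRule($ace)
Set-Acl -Path "AD:\$computersContainer" -AclObject $acl2
```

Run it once as an account that can modify the OU's security descriptor; afterwards, add your MDT domain join account to the group rather than granting it Domain Admins membership.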
Skipping the Domain Join Wizard
With the settings above, MDT and Active Directory are completely configured. However, there are a few other things that you can check or set up.
If all of your computers will use the same domain join settings (or if users sometimes change those settings), you can skip the Domain Join Wizard prompts. To do so, add SkipDomainMembership=YES to your CustomSettings.ini.
If domain join is not working
You might also see certain machines that refuse to join the domain. This is normally caused by the OU the machine is being placed in. If your OU names contain special characters, consider changing them to a dash or a space; the MDT domain join task will fail on special characters.
If a specific machine is failing and is pre-staged, you might have improper delegated permissions. Launch Active Directory Users and Computers as your MDT domain join user and navigate to the OU that the computer is a member of. Right-click and attempt to create a new computer. If you can’t create one, check the OU permissions and ensure that your account has the Create Computer Objects permission.
Finally, there is one last place that can help you diagnose MDT domain join errors. The ZTIDomainJoin log contains the entire output of the domain join action and can be found at C:\Windows\Temp\DeploymentLogs\ZTIDomainJoin.log.
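The two troubleshooting checks just described can be run from PowerShell as the MDT domain join account instead of through ADUC. This is an added example, not from the article: it flags OU names with characters other than letters, digits, spaces or dashes (the article does not enumerate the failing characters, so that character set is an assumption), performs the create-then-delete test the article describes, and confirms the join account is not a Domain Admin. The account, OU and test computer name are assumptions.

```powershell
# Added example (not from the article): verify, as the MDT domain-join account,
# the checks the article describes. Account, OU DN and test name are assumptions.
Import-Module ActiveDirectory

$JoinUser = 'TEST\svc-mdtjoin'                     # assumed delegated join account
$TargetOU = 'OU=Workstations,DC=test,DC=local'     # assumed MachineObjectOU value
$TestName = 'MDTJOINTEST01'                        # throwaway computer object (<= 15 chars)
$cred = Get-Credential -UserName $JoinUser -Message 'Password of the MDT domain-join account'

# 1. The article recommends dashes or spaces instead of special characters in OU
#    names. Flag every OU component containing anything else (assumed character set).
$ouNames = [regex]::Matches($TargetOU, 'OU=([^,]+)') | ForEach-Object { $_.Groups[1].Value }
foreach ($name in $ouNames) {
    if ($name -notmatch '^[A-Za-z0-9 \-]+$') {
        Write-Warning "OU '$name' contains characters other than letters, digits, spaces or dashes."
    }
}

# 2. Same test as creating a computer in ADUC while running as the join user:
#    create a disabled computer object, then remove it (exercises Create *and* Delete).
try {
    New-ADComputer -Name $TestName -Path $TargetOU -Enabled $false -Credential $cred -ErrorAction Stop
    Write-Host "OK: $JoinUser can create computer objects in $TargetOU"
    Remove-ADComputer -Identity "CN=$TestName,$TargetOU" -Credential $cred -Confirm:$false -ErrorAction Stop
    Write-Host "OK: $JoinUser can delete computer objects in $TargetOU"
}
catch {
    Write-Warning "Permission test failed: $($_.Exception.Message)"
    Write-Warning "Check the OU's delegated permissions (Create/Delete Computer Objects) for $JoinUser."
}

# 3. The article warns against using a Domain Administrator here, because
#    CustomSettings.ini stores DomainAdminPassword in clear text.
$sam    = $JoinUser.Split('\')[-1]
$groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
if ($groups -contains 'Domain Admins') {
    Write-Warning "$sam is a member of Domain Admins; use a delegated account instead."
}
```

If step 2 succeeds here but the deployment still fails, the remaining suspect is what ZTIDomainJoin.log records for the join itself (name resolution, credentials passed from CustomSettings.ini, retry count).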
Quite a script, Alphaeus! Thank you for sharing it!
I’m unable to get the bind to domain to work using ztidomainjoin. I have two rules set up in my custom settings. When I place the settings in the default rule, this works. But I have another rule which I want to do the domain binding.
So will ztidomainjoin only work from settings in the default rule?
Mark – I haven’t seen an environment where it is used elsewhere – it may be hard-coded to the default rule set. Do you see anything odd in the domain join logs?
Only that join domain = workgroup
I am booting from a pen drive, though, and not WDS. I’m thinking perhaps I need to redo the pen drive.
Hi gang. Hoping this is still an active thread. Relatively new to MDT, or, I use it so infrequently that I forget a lot, your pick.
Updated our Win7Pro image, and noted how it stopped joining the domain (and renaming) even though I’m entering the same credentials I always do. The SysprepCapture and Deploy steps were ok. So I decided to test the image. So it deployed to the laptop, but, it did not rename the machine, nor did it join the domain or OU I assigned. I’m NOT doing any of these via custom settings but rather LIVE when I connect our mem-stick pointing to our SHARE etc. I believe what’s happening is: The deployment to the laptop isn’t truly finishing, and just brings me to a login screen, where I log in, and nothing happens… so on a whim I decided to try and RE-deploy it and found when I booted up it told me about the DIRTY ENVIRONMENT/pre-existing deployment. Perhaps this is when it normally renames and joins? (and then fails?) A log file somewhere I can verify this?
Thanks, and sorry if it’s an old thread.
MM
The dirty environment error just means that there’s an incomplete deployment for that machine, you should be able to re-deploy anyway (it gives the option) but on occasion I’ve had to reformat the drive to clean it.
As for your issue….at which point is the deployment failing? What are you seeing on the screen?
Can you add your domain-join values to your customsettings.ini file? That would probably be the quickest fix.
Hi Joseph. Yes I “can”, but then I have no prompt for the Wkstn name, which we do customize. It’s WRKLEN then the last 4 of the serial number… can that be tweaked to automatically do that prior to joining the domain, obviously? My guess is no… ?
Thanks for the response, it appeared deleted at first.
MM
The 2 things aren’t linked, just leave the computer name screen enabled but add the skip domain join command:
:Join Domain:
SkipDomainMembership=YES
MachineObjectOU=OU=Computers,DC=xxx,DC=xxx
NetworkLocation=Work
Computername=MDT%SerialNumber%
JoinDomain=xxxxx.xxxxxxx
DomainAdmin=xxxxxxxxxxxx
DomainAdminPassword=xxxxxxxxxx
DomainAdminDomain=xxxxxx
The machine name bit can be tweaked obvs 😉
this has the answer to fully automating your naming as per your requirements as well:
https://deploymentbunny.com/2012/04/21/back-to-basic-customsettings-ini-explained/
Hi Joseph, I have an issue about the join domain service. When I deploy my computer with MDT I can join my domain, but if I don’t use the MDT join domain feature and manually join the domain later, I can’t reach it. Do you have any lead to help?
Hello
In our environment I join computers to the domain via a PS script during image deployment in MDT.
For some reason, when I try to refresh a computer from Win7 to Win10, it reboots twice when it reaches Recover From Domain in the TS. Do you know why this is happening?
Also, load scan is not working and there is no log for it either. Please help:
[Settings]
Priority=CApps, MMSettings, MMApps, Default
Properties=MyCustomProperty
[Default]
OSInstall=Yes
SkipCapture=No
SkipAdminPassword=YES
SkipComputername=NO
SkipProductKey=YES
SkipComputerBackup=No
SkipBitLocker=Yes
SkipBDDWelcome=yes
SkipLocaleSelection=yes
SkipTimezone=yes
SkipLocalTime=yes
SkipAdminAccounts=yes
skipFinishAction=NO
TimeZoneName=Eastern Standard Time
TimeZone=035
SkipDomainMembership=Yes
UserDataLocation=Network
SkipUserData=Yes
USMTMigFiles001=MigApp.XML
USMTMigFiles002=Miguser.XML
from c:\
ScanStateArgs=/ui:mydomain\* /v:5 /o /c
LoadStateArgs=/v:5 /c
UDSHARE=\\192.168.203.14\Data\MDT-USERS-DATABackup\DataBackup
UDDir=%OSDComputerName%
SkipRoles=YES
SkipFinalSummary=YES
DomainAdminDomain=mydomain.com
MachineObjectOU=OU=Daily Exemption,OU=SC Rollback,OU=Workstations,OU=Devices,DC=mydomain,DC=com
SLShare=\\Gss-mdt.mydomain.com\MDtWinDep$\logs
ComputerBackupLocation=\\gss-mdt.mydomain.com\MDTWinDep$\CapturRefImage
SkipSummary=Yes
Finishaction=reboot
_SMSTSOrgName=mydomain OIT, %TaskSequencename%
In my environment I have a service account I created and applied the permissions to it and a dedicated OU for newly imaged machines as described in your post. I've also tried the delegation wizard and specifically making the user domain admin. I don't think it's a big deal, but the only way I can get machines to join the domain with this service account is by using the following properties in the customsettings.ini:
JoinDomain=contoso.com
UserDomain=contoso.com
UserID=service_ba
UserPassword=C0mplexP@ssw0rd
Any idea why the DomainAdmin, DomainPassword, DomainAdminDomain properties will not allow the user to join users to the domain through MDT? I can join machines manually after the deployment fails with the account. When I look in the deployment log it shows that it’s trying to join the domain, but cannot locate DNS (DHCP has correct DNS settings, and DNS records are correct obviously since I can join machines manually). Also the ZTI log shows it has tried too many times to join the domain, count=4. I’d appreciate your thoughts.