Excluding the actual operating system install (and maybe an application task or two), joining your imaged machines to the domain is the most important step in the entire process. But where does this step actually take place, and how can you troubleshoot it when it breaks? The answer isn’t as simple as you would think.
Recover from Domain?
Inside the State Restore phase of any Client Install Task Sequence is a task named “Recover From Domain”. By default, this task is set to “Rerun Join Domain”, but that doesn’t really indicate where the actual Join Domain process occurs.
The Recover from Domain Task
Michael Niehaus, one of the creators of MDT, shared this insight over on TechNet:
By default, the domain join happens as part of the OS installation - the unattend.xml specifies to join the domain. If you want that to happen later, e.g. using the "Recover from Domain" step, you would need to remove the join entries from the unattend.xml associated with your task sequence. The Lite Touch wizard will set the same task sequence variables in either case, and the "Recover from domain" step will notice that the unattend.xml didn't do the join.
In essence, the actual domain join happens during the Install phase, driven by the unattend.xml, and requires a handful of administratively assigned settings to succeed. If that join doesn’t succeed, MDT attempts another domain join with the Recover From Domain task.
A blank Unattend.xml opened in Windows SIM
MDT domain join settings
The settings needed for an MDT domain join are configured in your CustomSettings.ini file. Specifically, you will need to set the following:
- JoinDomain=<your domain name>, e.g. Test.Local
- DomainAdmin=<a user that can join machines to the domain>
- DomainAdminDomain=<your domain name>, e.g. Test.Local
- DomainAdminPassword=<the DomainAdmin user’s password>
Even though the properties above are called “DomainAdmin” and “DomainAdminPassword”, please do not actually use your Domain Administrator account for this process. The CustomSettings.ini file is stored in clear text and can easily be found.
In our environment, we use a dedicated account that has been delegated permissions to create and delete computer accounts. Save your CustomSettings.ini; you do not need to update your DeploymentShare when editing just the CustomSettings.ini, because a fresh copy is retrieved every time a computer is imaged. Then open Active Directory Users and Computers to set up the delegation.
Delegating domain join permissions
Create a custom security group named something like “Allowed to Join Computers to the Domain”. Then right-click an OU containing your computers and select Delegate Control. If you do not pre-create (stage) your computer accounts in Active Directory, you will also need to repeat this process on the default Computers container.
On the Tasks to Delegate screen, select Create a custom task to delegate. On the next page, choose Only the following objects in the folder and select Computer objects. Finally, check the Create/Delete selected objects in this folder option.
Delegating domain join permissions
Skipping the Domain Join Wizard
With the settings above, MDT and Active Directory are completely configured. However, there are a few other things that you can check or set up.
If all of your computers will use the same domain join settings (or if the people running the wizard sometimes change those settings when they shouldn’t), you can skip the Domain Join Wizard prompts. To do so, add SkipDomainMembership=YES to your CustomSettings.ini.
If domain join is not working
You might also see certain machines that refuse to join the domain. This is normally caused by the OU the machine is placed in. If your OU names contain special characters, consider replacing them with a dash or a space; the MDT domain join task will fail on special characters.
If a pre-staged machine is failing, you might have improper delegated permissions. Launch Active Directory Users and Computers as your MDT domain join user and navigate to the OU that the computer is a member of. Right-click and attempt to create a new computer. If you can’t create a new computer, check the OU permissions and ensure that your account has the Create Computer Objects permission.
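The same check can be scripted, which also verifies that the account from CustomSettings.ini is not a Domain Admin. This is an added example and not part of the original article; the OU, group and account names are assumptions, and it requires the ActiveDirectory PowerShell module on a domain-joined admin workstation.

```powershell
# Added example (not from the original article): confirm that the MDT join account gets
# Create/Delete Computer Objects on the target OU through the delegated group, and that it
# is not a Domain Admin. The OU, group and account names below are assumptions.
Import-Module ActiveDirectory

$ouDN      = 'OU=Workstations,DC=test,DC=local'          # assumed OU that receives imaged machines
$groupName = 'Allowed to Join Computers to the Domain'   # assumed delegated security group
$joinUser  = 'svc-mdtjoin'                               # assumed DomainAdmin value from CustomSettings.ini
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "computer" class

# 1. The join account must not be a Domain Admin: its password sits in CustomSettings.ini in clear text.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($domainAdmins -contains $joinUser) {
    Write-Warning "$joinUser is a member of Domain Admins; use a delegated account instead."
}

# 2. The join account should receive its rights through the delegated group, not directly.
$inGroup = Get-ADGroupMember -Identity $groupName -Recursive | Where-Object SamAccountName -eq $joinUser
if (-not $inGroup) { Write-Warning "$joinUser is not a member of '$groupName'." }

# 3. Inspect the OU's ACL for Allow ACEs granted to the group and scoped to computer objects,
#    which is what the Delegate Control wizard writes for "Create/Delete selected objects in this folder".
$groupSid = (Get-ADGroup -Identity $groupName).SID
$acl      = Get-Acl -Path "AD:\$ouDN"
$rules    = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $computerClassGuid -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
}
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$deleteChild = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$canCreate = $rules | Where-Object { ($_.ActiveDirectoryRights -band $createChild) -ne 0 }
$canDelete = $rules | Where-Object { ($_.ActiveDirectoryRights -band $deleteChild) -ne 0 }

# Summary: both flags should be True for the OU (and for the Computers container if you do not stage accounts).
[pscustomobject]@{
    OU                    = $ouDN
    Group                 = $groupName
    JoinAccountInGroup    = [bool]$inGroup
    CreateComputerObjects = [bool]$canCreate
    DeleteComputerObjects = [bool]$canDelete
}
```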
Finally, there is one last place that can help you diagnose MDT domain join errors. The ZTIDomainJoin log contains the entire output of the domain join action. This log can be found at C:\Windows\Temp\DeploymentLogs\ZTIDomainJoin.log.