Unable to perform an unattended domain join using WDS and an answer file on Windows 8.1
I've already looked through the other questions related to this and none of them were able to help me. I've already spent several days on this damned unattended process and, miraculously, I was able to get it to work ONCE yesterday but, alas, I made a noobish mistake and didn't back up the file before editing it again, and now I am unable to get it working again despite working on it for several hours.
Here's some of the debug output I get:
[DJOIN.EXE] Unattended Join: Begin
[DJOIN.EXE] Unattended Join: Loading input parameters...
[DJOIN.EXE] Unattended Join: AccountData = [NULL]
[DJOIN.EXE] Unattended Join: UnsecureJoin = [True]
[DJOIN.EXE] Unattended Join: MachinePassword = [secret not logged]
[DJOIN.EXE] Unattended Join: JoinDomain = [ad.domain.com]
[DJOIN.EXE] Unattended Join: JoinWorkgroup = [NULL]
[DJOIN.EXE] Unattended Join: Domain = [NULL]
[DJOIN.EXE] Unattended Join: Username = [NULL]
[DJOIN.EXE] Unattended Join: Password = [secret not logged]
[DJOIN.EXE] Unattended Join: MachineObjectOU = [NULL]
[DJOIN.EXE] Unattended Join: DebugJoin = [NULL]
[DJOIN.EXE] Unattended Join: DebugJoinOnlyOnThisError = [NULL]
[DJOIN.EXE] Unattended Join: TimeoutPeriodInMinutes = [NULL]
[DJOIN.EXE] Unattended Join: Checking that auto start services have started.
[DJOIN.EXE] Unattended Join: Calling DsGetDcName for ad.domain.com...
[DJOIN.EXE] Unattended Join: Constructed domain parameter [ad.domain.com\PDC.ad.domain.com]
[DJOIN.EXE] Unattended Join: NetJoinDomain attempt failed: 0x52e, will retry in 10 seconds...
This last line repeats several times during the process before quitting.
[DJOIN.EXE] Unattended Join: NetJoinDomain failed error code is [1326]
[DJOIN.EXE] Unattended Join: Unable to join; gdwError = 0x52e
and...
NetUseAdd to \\PDC.ad.domain.com\IPC$ returned 1326
Trying add to \\PDC.ad.domain.com\IPC$ using NULL Session
NetpProvisionComputerAccount:
lpDomain: ad.domain.com
lpHostName: ComputerName
lpMachineAccountOU: (NULL)
lpDcName: PDC.ad.domain.com
lpMachinePassword: (non-null)
lpAccount: ad.domain.com\ComputerName$
lpPassword: (non-null)
dwJoinOptions: 0xe1
dwOptions: 0xc0000003
NetpLdapBind: ldap_bind failed on PDC.ad.domain.com: 49: Informations d'identification non valides
This last line translates to "Identification information is invalid" or "Credentials are invalid".
NetpJoinCreatePackagePart: status:0x52e
NetpAddProvisioningPackagePart: status:0x52e
NetpJoinDomainOnDs: Function exits with status of: 0x52e
NetpDoDomainJoin: status: 0x52e
I get that error 1326 is invalid credentials, however, I'm using the unsecure join method with the %machinepassword% variable so I'm not sure why...
Here is the unattend file in question: edited out as I reached the 30k character limit; it is now irrelevant anyway.
Any help would be very much appreciated. I've already tried dozens of step-by-step guides and TechNet notes which all contradict each other, suggest using MDT, or are simply unclear. If any experts in unattended deployments out there read this, I will be eternally grateful if you manage to point out what is probably a really stupid mistake.
Thank you!
Edit: I failed to mention it as I did not judge the information important but the WDS server and the DC are both running 2012 R2.
Edit 2: As mentioned in the comment below, here is the relevant NetSetup.log information after changing UnsecureJoin to False and adding the Credentials information under the UnattendJoin component:
11/11/2014 14:22:54:558 -----------------------------------------------------------------
11/11/2014 14:22:54:558 NetpDoDomainJoin
11/11/2014 14:22:54:558 NetpDoDomainJoin: using new computer names
11/11/2014 14:22:54:558 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
11/11/2014 14:22:54:558 NetpDoDomainJoin: NetpGetNewHostName returned 0x0
11/11/2014 14:22:54:558 NetpMachineValidToJoin: 'IMAGE-TEST'
11/11/2014 14:22:54:558 OS Version: 6.3
11/11/2014 14:22:54:558 Build number: 9600 (9600.winblue_r3.140827-1500)
11/11/2014 14:22:54:589 SKU: Windows 8.1 Professionnel
11/11/2014 14:22:54:589 Architecture: 64-bit (AMD64)
11/11/2014 14:22:54:589 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
11/11/2014 14:22:54:589 NetpGetLsaPrimaryDomain: status: 0x0
11/11/2014 14:22:54:589 NetpMachineValidToJoin: status: 0x0
11/11/2014 14:22:54:589 NetpJoinDomain
11/11/2014 14:22:54:589 HostName: IMAGE-TEST
11/11/2014 14:22:54:589 NetbiosName: IMAGE-TEST
11/11/2014 14:22:54:589 Domain: ad.domain.com\PDC.ad.domain.com
11/11/2014 14:22:54:589 MachineAccountOU: (NULL)
11/11/2014 14:22:54:589 Account: domain\wdsclient
11/11/2014 14:22:54:589 Options: 0x23
11/11/2014 14:22:54:589 NetpLoadParameters: loading registry parameters...
11/11/2014 14:22:54:589 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/11/2014 14:22:54:589 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/11/2014 14:22:54:589 NetpLoadParameters: status: 0x2
11/11/2014 14:22:54:589 NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled
11/11/2014 14:22:54:589 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
11/11/2014 14:22:54:886 NetpJoinDomainOnDs: status of connecting to dc '\\PDC.ad.domain.com': 0x0
11/11/2014 14:22:54:886 NetpJoinDomainOnDs: Passed DC 'PDC.ad.domain.com' verified as DNS name '\\PDC.ad.domain.com'
11/11/2014 14:22:54:886 NetpLoadParameters: loading registry parameters...
11/11/2014 14:22:54:886 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/11/2014 14:22:54:886 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/11/2014 14:22:54:886 NetpLoadParameters: status: 0x2
11/11/2014 14:22:54:886 NetpDsGetDcName: status of verifying DNS A record name resolution for 'PDC.ad.domain.com': 0x0
11/11/2014 14:22:54:886 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: ad.domain.com
11/11/2014 14:22:54:902 NetpProvisionComputerAccount:
11/11/2014 14:22:54:902 lpDomain: ad.domain.com
11/11/2014 14:22:54:902 lpHostName: IMAGE-TEST
11/11/2014 14:22:54:902 lpMachineAccountOU: (NULL)
11/11/2014 14:22:54:902 lpDcName: PDC.ad.domain.com
11/11/2014 14:22:54:902 lpMachinePassword: (null)
11/11/2014 14:22:54:902 lpAccount: domain\wdsclient
11/11/2014 14:22:54:902 lpPassword: (non-null)
11/11/2014 14:22:54:902 dwJoinOptions: 0x23
11/11/2014 14:22:54:902 dwOptions: 0x40000003
11/11/2014 14:22:54:917 NetpLdapBind: Verified minimum encryption strength on PDC.ad.domain.com: 0x0
11/11/2014 14:22:54:917 NetpLdapGetLsaPrimaryDomain: reading domain data
11/11/2014 14:22:54:917 NetpGetNCData: Reading NC data
11/11/2014 14:22:54:917 NetpGetDomainData: Lookup domain data for: DC=ad,DC=domain,DC=com
11/11/2014 14:22:54:917 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=ad,DC=domain,DC=com
11/11/2014 14:22:54:949 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
11/11/2014 14:22:54:949 NetpCheckForDomainSIDCollision: returning 0x0(0).
11/11/2014 14:22:54:964 NetpGetComputerObjectDn: Cracking DNS domain name ad.domain.com/ into Netbios on \\PDC.ad.domain.com
11/11/2014 14:22:54:964 NetpGetComputerObjectDn: Crack results: name = domain\
11/11/2014 14:22:54:964 NetpGetComputerObjectDn: Cracking account name domain\IMAGE-TEST$ on \\PDC.ad.domain.com
11/11/2014 14:22:54:964 NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=IMAGE-TEST,CN=Computers,DC=ad,DC=domain,DC=com
11/11/2014 14:22:54:964 NetpModifyComputerObjectInDs: Initial attribute values:
11/11/2014 14:22:54:964 objectClass = Computer
11/11/2014 14:22:54:964 SamAccountName = IMAGE-TEST$
11/11/2014 14:22:54:964 userAccountControl = 0x1000
11/11/2014 14:22:54:964 DnsHostName = IMAGE-TEST.ad.domain.com
11/11/2014 14:22:54:964 ServicePrincipalName = HOST/IMAGE-TEST.ad.domain.com RestrictedKrbHost/IMAGE-TEST.ad.domain.com HOST/IMAGE-TEST RestrictedKrbHost/IMAGE-TEST
11/11/2014 14:22:54:964 unicodePwd = <SomePassword>
11/11/2014 14:22:54:964 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
11/11/2014 14:22:54:964 objectClass = top person organizationalPerson user computer
11/11/2014 14:22:54:964 SamAccountName = IMAGE-TEST$
11/11/2014 14:22:54:964 userAccountControl = 0x1000
11/11/2014 14:22:54:964 DnsHostName =
11/11/2014 14:22:54:964 ServicePrincipalName =
11/11/2014 14:22:54:964 unicodePwd = Account exists, resetting password: <SomePassword>
11/11/2014 14:22:54:964 NetpModifyComputerObjectInDs: Attribute values to set:
11/11/2014 14:22:54:964 DnsHostName = IMAGE-TEST.ad.domain.com
11/11/2014 14:22:54:964 ServicePrincipalName = HOST/IMAGE-TEST.ad.domain.com RestrictedKrbHost/IMAGE-TEST.ad.domain.com HOST/IMAGE-TEST RestrictedKrbHost/IMAGE-TEST
11/11/2014 14:22:54:964 unicodePwd = <SomePassword>
11/11/2014 14:22:54:980 NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error string: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
11/11/2014 14:22:54:980 NetpModifyComputerObjectInDs: ldap_modify_s failed: 0x32 0x5
11/11/2014 14:22:54:980 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5
11/11/2014 14:22:54:980 NetpProvisionComputerAccount: LDAP creation failed: 0x5
11/11/2014 14:22:54:980 NetpProvisionComputerAccount: Retrying downlevel per options
11/11/2014 14:22:54:995 NetpManageMachineAccountWithSid: NetUserAdd on 'PDC.ad.domain.com' for 'IMAGE-TEST$' failed: 0x8b0
11/11/2014 14:22:54:995 SamOpenUser on 1639 failed with 0xc0000022
11/11/2014 14:22:54:995 NetpManageMachineAccountWithSid: status of attempting to set password on 'PDC.ad.domain.com' for 'IMAGE-TEST$': 0x5
11/11/2014 14:22:54:995 NetpProvisionComputerAccount: retry status of creating account: 0x5
11/11/2014 14:22:54:995 ldap_unbind status: 0x0
11/11/2014 14:22:54:995 NetpJoinCreatePackagePart: status:0x5.
11/11/2014 14:22:54:995 NetpAddProvisioningPackagePart: status:0x5.
11/11/2014 14:22:54:995 NetpJoinDomainOnDs: Function exits with status of: 0x5
11/11/2014 14:22:54:995 NetpJoinDomainOnDs: status of disconnecting from '\\PDC.ad.domain.com': 0x0
11/11/2014 14:22:54:995 NetpJoinDomainOnDs: NetpResetIDNEncoding on '(null)': 0x0
11/11/2014 14:22:54:995 NetpDoDomainJoin: status: 0x5
11/11/2014 14:23:05:027 -----------------------------------------------------------------
I did notice the "INSUFF_ACCESS_RIGHTS" tag but the account used is a Domain Admin account, so I'm not sure what else could be the cause here. Thoughts?
Edit 3: Also, the client computer I'm testing this with is a Hyper-V VM which has a checkpoint prior to being imaged. I revert the machine, delete the object from AD, purge the WDS server of approved devices and then I restart the whole process whenever the unattended installation doesn't work. Again, I don't think this is relevant but it's all the info I can give.
Edit 4: I think I'm starting to see what's happening. After the unattend operation, I tried adding the workstation to the domain using the same account information I have specified in my unattend file only to be greeted with the following error message:
"The join operation was not successful. This could be because an existing computer
account having name “IMAGE” was previously created using a different set of
credentials. Use a different computer name, or contact your administrator to remove
any stale conflicting account. The error was:
Access is denied."
I tried with another domain admin account and I get the same error. My guess is that somehow, something is not deleted properly in AD and it's messing up because the station has already been domain-joined before. I'm going to try again by re-creating a brand new VM and will post back the results.
Edit 5: Creating a brand new VM with a blank hard-drive gave me the same result and log errors using the Credentials setting. I also tried adding the checkmark for the WDS server that says "Do not join the client to a domain after an installation." thinking that there may be a conflict there and with the answer file but to no avail... I've tried setting the UnsecureJoin to True again and removing the Credentials setting with a brand new VM as well just to see but I get the previous error again... Help?
Edit 6: Another thing that I doubt is relevant is the fact that the computer is UEFI and not BIOS.
Edit 7: Using the following answer file, I'm able to join the domain successfully every time when the "request admin approval" checkbox in WDS is unchecked. As soon as it is checked, it fails and greets me with the error:
"NetpLdapBind: ldap_bind failed on PDC.ad.domain.com: 49: Informations d'identification non valides".
This last part translates to "Identification information is invalid".
Important part of the answer file, let me know if you need anything else:
<settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Identification>
            <UnsecureJoin>true</UnsecureJoin>
        </Identification>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ComputerName>%MACHINENAME%</ComputerName>
        <RegisteredOrganization>Organization</RegisteredOrganization>
        <RegisteredOwner>Utilisateur</RegisteredOwner>
    </component>
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <InputLocale>0c0c:00001009</InputLocale>
        <SystemLocale>0c0c:00001009</SystemLocale>
        <UILanguage>fr-CA</UILanguage>
        <UserLocale>en-US</UserLocale>
    </component>
</settings>
Edit 8: The specialize section now looks like:
<settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Identification>
            <UnsecureJoin>true</UnsecureJoin>
            <JoinDomain>%MACHINEDOMAIN%</JoinDomain>
        </Identification>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <RegisteredOrganization>Organization</RegisteredOrganization>
        <RegisteredOwner>Utilisateur</RegisteredOwner>
    </component>
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <InputLocale>1009:00001009</InputLocale>
        <SystemLocale>en-US</SystemLocale>
        <UILanguage>fr-FR</UILanguage>
        <UserLocale>en-US</UserLocale>
    </component>
</settings>
And NetSetup log gives me this repeatedly:
11/20/2014 14:22:53:596 NetpDoDomainJoin
11/20/2014 14:22:53:612 NetpDoDomainJoin: using new computer names
11/20/2014 14:22:53:612 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
11/20/2014 14:22:53:612 NetpDoDomainJoin: NetpGetNewHostName returned 0x0
11/20/2014 14:22:53:612 NetpMachineValidToJoin: 'WIN-6PMPRQ5FVI5'
11/20/2014 14:22:53:612 OS Version: 6.3
11/20/2014 14:22:53:612 Build number: 9600 (9600.winblue_r3.140827-1500)
11/20/2014 14:22:53:659 SKU: Windows 8.1 Professionnel
11/20/2014 14:22:53:659 Architecture: 64-bit (AMD64)
11/20/2014 14:22:53:659 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
11/20/2014 14:22:53:659 NetpGetLsaPrimaryDomain: status: 0x0
11/20/2014 14:22:53:659 NetpMachineValidToJoin: status: 0x0
11/20/2014 14:22:53:659 NetpJoinDomain
11/20/2014 14:22:53:659 HostName: WIN-6PMPRQ5FVI5
11/20/2014 14:22:53:659 NetbiosName: WIN-6PMPRQ5FVI5
11/20/2014 14:22:53:659 Domain: ad.domain.com\PDC.ad.domain.com
11/20/2014 14:22:53:659 MachineAccountOU: (NULL)
11/20/2014 14:22:53:659 Account: (NULL)
11/20/2014 14:22:53:659 Options: 0x61
11/20/2014 14:22:53:659 NetpLoadParameters: loading registry parameters...
11/20/2014 14:22:53:659 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/20/2014 14:22:53:659 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/20/2014 14:22:53:659 NetpLoadParameters: status: 0x2
11/20/2014 14:22:53:659 NetpJoinDomainOnDs: Unsecure join requested.
11/20/2014 14:22:53:659 NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled
11/20/2014 14:22:53:659 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
11/20/2014 14:22:53:799 [000004e4] NetpGetLsaPrimaryDomain: status: 0x0
11/20/2014 14:22:53:846 NetpJoinDomainOnDs: status of connecting to dc '\\PDC.ad.domain.com': 0x0
11/20/2014 14:22:53:846 NetpJoinDomainOnDs: Passed DC 'PDC.ad.domain.com' verified as DNS name '\\PDC.ad.domain.com'
11/20/2014 14:22:53:846 NetpLoadParameters: loading registry parameters...
11/20/2014 14:22:53:846 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/20/2014 14:22:53:846 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/20/2014 14:22:53:846 NetpLoadParameters: status: 0x2
11/20/2014 14:22:53:846 NetpDsGetDcName: status of verifying DNS A record name resolution for 'PDC.ad.domain.com': 0x0
11/20/2014 14:22:53:846 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: ad.domain.com
11/20/2014 14:22:53:862 NetpProvisionComputerAccount:
11/20/2014 14:22:53:862 lpDomain: ad.domain.com
11/20/2014 14:22:53:862 lpHostName: WIN-6PMPRQ5FVI5
11/20/2014 14:22:53:862 lpMachineAccountOU: (NULL)
11/20/2014 14:22:53:862 lpDcName: PDC.ad.domain.com
11/20/2014 14:22:53:862 lpMachinePassword: (null)
11/20/2014 14:22:53:862 lpAccount: ad.domain.com\WIN-6PMPRQ5FVI5$
11/20/2014 14:22:53:862 lpPassword: (null)
11/20/2014 14:22:53:862 dwJoinOptions: 0x61
11/20/2014 14:22:53:862 dwOptions: 0xc0000007
11/20/2014 14:22:53:877 NetpLdapBind: Verified minimum encryption strength on PDC.ad.domain.com: 0x0
11/20/2014 14:22:53:877 NetpLdapGetLsaPrimaryDomain: reading domain data
11/20/2014 14:22:53:877 NetpGetNCData: Reading NC data
11/20/2014 14:22:53:877 NetpGetDomainData: Lookup domain data for: DC=ad,DC=domain,DC=com
11/20/2014 14:22:53:877 NetpGetDomainData: Failed to find the domain data: 0x6e
11/20/2014 14:22:53:877 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x6e
11/20/2014 14:22:53:893 ldap_unbind status: 0x0
11/20/2014 14:22:53:893 NetpJoinCreatePackagePart: status:0x6e.
11/20/2014 14:22:53:893 NetpAddProvisioningPackagePart: status:0x6e.
11/20/2014 14:22:53:893 NetpJoinDomainOnDs: Function exits with status of: 0x6e
11/20/2014 14:22:53:893 NetpJoinDomainOnDs: status of disconnecting from '\\PDC.ad.domain.com': 0x0
11/20/2014 14:22:53:893 NetpJoinDomainOnDs: NetpResetIDNEncoding on '(null)': 0x0
11/20/2014 14:22:53:893 NetpDoDomainJoin: status: 0x6e
As you can see, the name above, "WIN-6PMPRQ5FVI5", was automatically generated and the name I provided is nowhere to be seen... The worst part is that this worked fine prior to 2012 WDS, so I'm not sure what they changed exactly outside of the interface shown. Thanks for your help though!
Edit 9: I tried again putting both the %MACHINEDOMAIN% and the %MACHINENAME% values. This didn't work either but I end up with the following info from NetSetup.log instead:
11/20/2014 16:23:32:232 NetpDoDomainJoin
11/20/2014 16:23:32:232 NetpDoDomainJoin: using new computer names
11/20/2014 16:23:32:232 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
11/20/2014 16:23:32:232 NetpDoDomainJoin: NetpGetNewHostName returned 0x0
11/20/2014 16:23:32:232 NetpMachineValidToJoin: 'IMAGE-TEST'
11/20/2014 16:23:32:232 OS Version: 6.3
11/20/2014 16:23:32:232 Build number: 9600 (9600.winblue_r3.140827-1500)
11/20/2014 16:23:32:295 SKU: Windows 8.1 Professionnel
11/20/2014 16:23:32:295 Architecture: 64-bit (AMD64)
11/20/2014 16:23:32:295 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
11/20/2014 16:23:32:295 NetpGetLsaPrimaryDomain: status: 0x0
11/20/2014 16:23:32:295 NetpMachineValidToJoin: status: 0x0
11/20/2014 16:23:32:295 NetpJoinDomain
11/20/2014 16:23:32:295 HostName: IMAGE-TEST
11/20/2014 16:23:32:295 NetbiosName: IMAGE-TEST
11/20/2014 16:23:32:295 Domain: ad.domain.com\dc.ad.domain.com
11/20/2014 16:23:32:295 MachineAccountOU: (NULL)
11/20/2014 16:23:32:295 Account: (NULL)
11/20/2014 16:23:32:295 Options: 0x61
11/20/2014 16:23:32:295 NetpLoadParameters: loading registry parameters...
11/20/2014 16:23:32:295 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/20/2014 16:23:32:295 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/20/2014 16:23:32:295 NetpLoadParameters: status: 0x2
11/20/2014 16:23:32:295 NetpJoinDomainOnDs: Unsecure join requested.
11/20/2014 16:23:32:295 NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled
11/20/2014 16:23:32:295 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
11/20/2014 16:23:32:482 [0000051c] NetpGetLsaPrimaryDomain: status: 0x0
11/20/2014 16:23:32:498 NetpJoinDomainOnDs: status of connecting to dc '\\dc.ad.domain.com': 0x0
11/20/2014 16:23:32:513 NetpJoinDomainOnDs: Passed DC 'dc.ad.domain.com' verified as DNS name '\\dc.ad.domain.com'
11/20/2014 16:23:32:513 NetpLoadParameters: loading registry parameters...
11/20/2014 16:23:32:513 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/20/2014 16:23:32:513 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/20/2014 16:23:32:513 NetpLoadParameters: status: 0x2
11/20/2014 16:23:32:513 NetpDsGetDcName: status of verifying DNS A record name resolution for 'dc.ad.domain.com': 0x0
11/20/2014 16:23:32:513 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: ad.domain.com
11/20/2014 16:23:32:529 NetpProvisionComputerAccount:
11/20/2014 16:23:32:529 lpDomain: ad.domain.com
11/20/2014 16:23:32:529 lpHostName: IMAGE-TEST
11/20/2014 16:23:32:529 lpMachineAccountOU: (NULL)
11/20/2014 16:23:32:529 lpDcName: dc.ad.domain.com
11/20/2014 16:23:32:529 lpMachinePassword: (null)
11/20/2014 16:23:32:529 lpAccount: ad.domain.com\IMAGE-TEST$
11/20/2014 16:23:32:529 lpPassword: (null)
11/20/2014 16:23:32:529 dwJoinOptions: 0x61
11/20/2014 16:23:32:529 dwOptions: 0xc0000007
11/20/2014 16:23:32:545 NetpLdapBind: Verified minimum encryption strength on dc.ad.domain.com: 0x0
11/20/2014 16:23:32:545 NetpLdapGetLsaPrimaryDomain: reading domain data
11/20/2014 16:23:32:545 NetpGetNCData: Reading NC data
11/20/2014 16:23:32:545 NetpGetDomainData: Lookup domain data for: DC=ad,DC=domain,DC=com
11/20/2014 16:23:32:545 NetpGetDomainData: Failed to find the domain data: 0x6e
11/20/2014 16:23:32:545 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x6e
11/20/2014 16:23:32:545 ldap_unbind status: 0x0
11/20/2014 16:23:32:545 NetpJoinCreatePackagePart: status:0x6e.
11/20/2014 16:23:32:545 NetpAddProvisioningPackagePart: status:0x6e.
11/20/2014 16:23:32:545 NetpJoinDomainOnDs: Function exits with status of: 0x6e
11/20/2014 16:23:32:545 NetpJoinDomainOnDs: status of disconnecting from '\\dc.ad.domain.com': 0x0
11/20/2014 16:23:32:545 NetpJoinDomainOnDs: NetpResetIDNEncoding on '(null)': 0x0
11/20/2014 16:23:32:545 NetpDoDomainJoin: status: 0x6e
At least now the name given in WDS is used but now the error that sticks out is: NetpGetDomainData: Failed to find the domain data: 0x6e and I'm not sure why. I'll try hardcoding the domain instead of putting %MACHINEDOMAIN% and will post back the results.
Edit 10: Currently got a ticket for this with MS. Will get back with the solution once they find it. So far, seems like a bug in WS2012 WDS. Will post more info once available.
Solution 1:
Added info: this also occurs with 2008 Std R2 and W7 Pro machines.
To all whom it may concern, since this issue is applicable only at the Domain Admin group level, I thought to try with an account given all rights through Delegation of Control at the domain root level, which works as well, so there is no need to go and change the security settings on each and every UEFI computer object :).
How-to:
- I created a user WDSinstall, whose only group membership is Domain User.
- Then I simply ran through the Delegate Control wizard (in this case, right-click your root Domain node and select Delegate Control).
- Add your newly created account and click Next.
- Select Create custom tasks to delegate and click Next.
- Keep "This folder, existing objects in this....." selected, click Next.
- Make sure that all 3 options under "Show these permissions" are ticked, meaning: General, Property-Specific and Creation/Deletion of specific child-objects.
- In the Permissions box, simply tick Full Control, this will select all other permissions as well. Click Next.
- Click Finish.
Now you have an account which is in essence a Domain Admin account, and as such, you can use it for all your WDS and deployment needs.
I hope this helps someone as much as this original post helped me (a lot).
Solution 2:
It is a bug in WDS. When you approve a UEFI device it gives the wrong permissions. If you look under the security permissions on the computer object you will see it has set deny for Domain Admins against the 'Change password' and 'Reset password'. Remove the deny for both of these and you are good to go.
You will need to do this for each UEFI computer you approve through WDS but it is better than nothing.
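An added PowerShell example, not code from any of the answers above, that audits computer objects for the explicit Deny ACEs Solution 2 describes (Change Password and Reset Password denied to Domain Admins) and strips them for a named principal, so you don't have to open each UEFI object's security tab by hand. It assumes the RSAT ActiveDirectory module, the AD: PSDrive it provides, and rights to read and write the objects' security descriptors; the function and parameter names are mine.

```powershell
# Added example (not part of the original answers): find and remove the Deny ACEs
# on the Change Password / Reset Password extended rights of computer objects.
Import-Module ActiveDirectory

# Extended-right GUIDs as defined in the AD schema (rightsGuid of the
# controlAccessRight objects User-Change-Password and User-Force-Change-Password).
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

function Test-PasswordRightAce {
    # True when an ACE targets either of the two password extended rights.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    return ($Ace.ObjectType -eq $ChangePasswordGuid -or $Ace.ObjectType -eq $ResetPasswordGuid)
}

function Get-PasswordDenyAce {
    # Returns the Deny ACEs on one computer object that target a password right.
    param([Parameter(Mandatory)][string]$Identity)   # name, sAMAccountName or DN

    $dn  = (Get-ADComputer -Identity $Identity).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and (Test-PasswordRightAce -Ace $_)
    }
}

function Repair-PasswordDenyAce {
    # Removes the password-right Deny ACEs granted to one principal (Domain Admins
    # by default) and returns the number removed. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Principal = 'Domain Admins'
    )

    $dn  = (Get-ADComputer -Identity $Identity).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $removed = 0
    # Snapshot the rule list, since we modify the ACL while walking it.
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -eq 'Deny' -and (Test-PasswordRightAce -Ace $ace) -and
            $ace.IdentityReference.Value -like "*\$Principal") {
            if ($PSCmdlet.ShouldProcess($dn, "Remove Deny ACE for $($ace.IdentityReference.Value)")) {
                [void]$acl.RemoveAccessRule($ace)
                $removed++
            }
        }
    }
    if ($removed -gt 0) { Set-Acl -Path "AD:\$dn" -AclObject $acl }
    return $removed
}

function Find-AffectedComputer {
    # Scans every computer object under a search base (the domain root by default)
    # and reports those carrying a password-right Deny ACE, with the denied principals.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $aces = @(Get-PasswordDenyAce -Identity $_.DistinguishedName)
        if ($aces.Count -gt 0) {
            [pscustomobject]@{
                Computer = $_.Name
                DeniedTo = ($aces | ForEach-Object { $_.IdentityReference.Value } |
                            Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Usage (constructed names, matching the question's lab):
# Find-AffectedComputer -SearchBase 'CN=Computers,DC=ad,DC=domain,DC=com'
# Repair-PasswordDenyAce -Identity 'IMAGE-TEST' -WhatIf
# Repair-PasswordDenyAce -Identity 'IMAGE-TEST'
```

Run Find-AffectedComputer first to see how many approved UEFI objects carry the deny entries, then repair them one by one or pipe the reported names into Repair-PasswordDenyAce.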
Solution 3:
We ended up contacting Microsoft regarding this and, after several weeks of useless tests, it turns out there is a bug in WDS name-and-approve and PXE booting when using UEFI rather than BIOS, and unattended domain joining is simply non-functional over UEFI when PXE booting with WDS name-and-approve.
Long story short, keep using BIOS if you want automated joins with WDS. If you are forced to use UEFI, the only other alternative would be to use a logon script after deployment, but this assumes the account that will be logged in is an administrator. Either that or manually join the domain post-deployment!
Hope this helps somebody else with this same problem. I know it caused me some major headaches.
Cheers!
Solution 4:
You are still missing either the Credentials setting or the Provisioning setting. See AccountData for how to use UnattendedJoin without entering credentials through Provisioning.
Solution 5:
Ok, looking at your edit #7, you have two errors:
First, you're missing <JoinDomain>somedomain.com</JoinDomain> with your domain name filled in.
Second, you need to remove the <ComputerName>%MACHINENAME%</ComputerName> line.
That should get you working.