I've already looked through the other questions related to this and none of them were able to help me. I've already spent several days on this damned unattended process and, miraculously, I was able to get it to work ONCE yesterday but, alas, I made a noobish mistake and didn't back up the file before editing it again, and now I am unable to get it working again despite working on it for several hours.

Here's some of the debug output I get:

[DJOIN.EXE] Unattended Join: Begin
[DJOIN.EXE] Unattended Join: Loading input parameters...
[DJOIN.EXE] Unattended Join: AccountData = [NULL]
[DJOIN.EXE] Unattended Join: UnsecureJoin = [True]
[DJOIN.EXE] Unattended Join: MachinePassword = [secret not logged]
[DJOIN.EXE] Unattended Join: JoinDomain = [ad.domain.com]
[DJOIN.EXE] Unattended Join: JoinWorkgroup = [NULL]
[DJOIN.EXE] Unattended Join: Domain = [NULL]
[DJOIN.EXE] Unattended Join: Username = [NULL]
[DJOIN.EXE] Unattended Join: Password = [secret not logged]
[DJOIN.EXE] Unattended Join: MachineObjectOU = [NULL]
[DJOIN.EXE] Unattended Join: DebugJoin = [NULL]
[DJOIN.EXE] Unattended Join: DebugJoinOnlyOnThisError = [NULL]
[DJOIN.EXE] Unattended Join: TimeoutPeriodInMinutes = [NULL]
[DJOIN.EXE] Unattended Join: Checking that auto start services have started.
[DJOIN.EXE] Unattended Join: Calling DsGetDcName for ad.domain.com...
[DJOIN.EXE] Unattended Join: Constructed domain parameter [ad.domain.com\PDC.ad.domain.com]
[DJOIN.EXE] Unattended Join: NetJoinDomain attempt failed: 0x52e, will retry in 10 seconds...

This last line repeats several times during the process before quitting.

[DJOIN.EXE] Unattended Join: NetJoinDomain failed error code is [1326]
[DJOIN.EXE] Unattended Join: Unable to join; gdwError = 0x52e

and...

NetUseAdd to \\PDC.ad.domain.com\IPC$ returned 1326
Trying add to \\PDC.ad.domain.com\IPC$ using NULL Session
NetpProvisionComputerAccount:
lpDomain: ad.domain.com
lpHostName: ComputerName
lpMachineAccountOU: (NULL)
lpDcName: PDC.ad.domain.com
lpMachinePassword: (non-null)
lpAccount: ad.domain.com\ComputerName$
lpPassword: (non-null)
dwJoinOptions: 0xe1
dwOptions: 0xc0000003
NetpLdapBind: ldap_bind failed on PDC.ad.domain.com: 49: Informations d'identification non valides

This last line translates to "Identification information is invalid" or "Credentials are invalid".

NetpJoinCreatePackagePart: status:0x52e
NetpAddProvisioningPackagePart: status:0x52e
NetpJoinDomainOnDs: Function exits with status of: 0x52e
NetpDoDomainJoin: status: 0x52e

I get that error 1326 is invalid credentials, however, I'm using the unsecure join method with the %machinepassword% variable so I'm not sure why...

Here is the unattend file in question: Edited out as I reached the 30k character limit; it is now irrelevant anyway.

Any help would be very much appreciated. I've already tried dozens of step-by-step guides and technet notes which all contradict each other or suggest using MDT or are simply unclear. If any experts in unattended deployments out there read this, I will be eternally grateful if you manage to point out what is probably a really stupid mistake.

Thank you!

Edit: I failed to mention it as I did not judge the information important but the WDS server and the DC are both running 2012 R2.

Edit 2: As mentioned in the comment below, here is the relevant NetSetup.log information after changing UnsecureJoin to False and adding the Credentials information under the UnattendJoin component:

11/11/2014 14:22:54:558 -----------------------------------------------------------------
11/11/2014 14:22:54:558 NetpDoDomainJoin
11/11/2014 14:22:54:558 NetpDoDomainJoin: using new computer names
11/11/2014 14:22:54:558 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
11/11/2014 14:22:54:558 NetpDoDomainJoin: NetpGetNewHostName returned 0x0
11/11/2014 14:22:54:558 NetpMachineValidToJoin: 'IMAGE-TEST'
11/11/2014 14:22:54:558     OS Version: 6.3
11/11/2014 14:22:54:558     Build number: 9600 (9600.winblue_r3.140827-1500)
11/11/2014 14:22:54:589     SKU: Windows 8.1 Professionnel
11/11/2014 14:22:54:589     Architecture: 64-bit (AMD64)
11/11/2014 14:22:54:589 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
11/11/2014 14:22:54:589 NetpGetLsaPrimaryDomain: status: 0x0
11/11/2014 14:22:54:589 NetpMachineValidToJoin: status: 0x0
11/11/2014 14:22:54:589 NetpJoinDomain
11/11/2014 14:22:54:589     HostName: IMAGE-TEST
11/11/2014 14:22:54:589     NetbiosName: IMAGE-TEST
11/11/2014 14:22:54:589     Domain: ad.domain.com\PDC.ad.domain.com
11/11/2014 14:22:54:589     MachineAccountOU: (NULL)
11/11/2014 14:22:54:589     Account: domain\wdsclient
11/11/2014 14:22:54:589     Options: 0x23
11/11/2014 14:22:54:589 NetpLoadParameters: loading registry parameters...
11/11/2014 14:22:54:589 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/11/2014 14:22:54:589 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/11/2014 14:22:54:589 NetpLoadParameters: status: 0x2
11/11/2014 14:22:54:589 NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled
11/11/2014 14:22:54:589 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
11/11/2014 14:22:54:886 NetpJoinDomainOnDs: status of connecting to dc '\\PDC.ad.domain.com': 0x0
11/11/2014 14:22:54:886 NetpJoinDomainOnDs: Passed DC 'PDC.ad.domain.com' verified as DNS name '\\PDC.ad.domain.com'
11/11/2014 14:22:54:886 NetpLoadParameters: loading registry parameters...
11/11/2014 14:22:54:886 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1'     0x2
11/11/2014 14:22:54:886 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/11/2014 14:22:54:886 NetpLoadParameters: status: 0x2
11/11/2014 14:22:54:886 NetpDsGetDcName: status of verifying DNS A record name resolution for     'PDC.ad.domain.com': 0x0
11/11/2014 14:22:54:886 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: ad.domain.com
11/11/2014 14:22:54:902 NetpProvisionComputerAccount:
11/11/2014 14:22:54:902     lpDomain: ad.domain.com
11/11/2014 14:22:54:902     lpHostName: IMAGE-TEST
11/11/2014 14:22:54:902     lpMachineAccountOU: (NULL)
11/11/2014 14:22:54:902     lpDcName: PDC.ad.domain.com
11/11/2014 14:22:54:902     lpMachinePassword: (null)
11/11/2014 14:22:54:902     lpAccount: domain\wdsclient
11/11/2014 14:22:54:902     lpPassword: (non-null)
11/11/2014 14:22:54:902     dwJoinOptions: 0x23
11/11/2014 14:22:54:902     dwOptions: 0x40000003
11/11/2014 14:22:54:917 NetpLdapBind: Verified minimum encryption strength on PDC.ad.domain.com:     0x0
11/11/2014 14:22:54:917 NetpLdapGetLsaPrimaryDomain: reading domain data
11/11/2014 14:22:54:917 NetpGetNCData: Reading NC data
11/11/2014 14:22:54:917 NetpGetDomainData: Lookup domain data for: DC=ad,DC=domain,DC=com
11/11/2014 14:22:54:917 NetpGetDomainData: Lookup crossref data for:     CN=Partitions,CN=Configuration,DC=ad,DC=domain,DC=com
11/11/2014 14:22:54:949 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
11/11/2014 14:22:54:949 NetpCheckForDomainSIDCollision: returning 0x0(0).
11/11/2014 14:22:54:964 NetpGetComputerObjectDn: Cracking DNS domain name ad.domain.com/ into     Netbios on \\PDC.ad.domain.com
11/11/2014 14:22:54:964 NetpGetComputerObjectDn: Crack results:     name = domain\
11/11/2014 14:22:54:964 NetpGetComputerObjectDn: Cracking account name domain\IMAGE-TEST$ on     \\PDC.ad.domain.com
11/11/2014 14:22:54:964 NetpGetComputerObjectDn: Crack results:     (Account already exists) DN =     CN=IMAGE-TEST,CN=Computers,DC=ad,DC=domain,DC=com
11/11/2014 14:22:54:964 NetpModifyComputerObjectInDs: Initial attribute values:
11/11/2014 14:22:54:964         objectClass  =  Computer
11/11/2014 14:22:54:964         SamAccountName  =  IMAGE-TEST$
11/11/2014 14:22:54:964         userAccountControl  =  0x1000
11/11/2014 14:22:54:964         DnsHostName  =  IMAGE-TEST.ad.domain.com
11/11/2014 14:22:54:964         ServicePrincipalName  =  HOST/IMAGE-TEST.ad.domain.com      RestrictedKrbHost/IMAGE-TEST.ad.domain.com  HOST/IMAGE-TEST  RestrictedKrbHost/IMAGE-TEST
11/11/2014 14:22:54:964         unicodePwd  =  <SomePassword>
11/11/2014 14:22:54:964 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
11/11/2014 14:22:54:964         objectClass  =  top  person  organizationalPerson  user  computer
11/11/2014 14:22:54:964         SamAccountName  =  IMAGE-TEST$
11/11/2014 14:22:54:964         userAccountControl  =  0x1000
11/11/2014 14:22:54:964         DnsHostName  =
11/11/2014 14:22:54:964         ServicePrincipalName  =
11/11/2014 14:22:54:964         unicodePwd  =  Account exists, resetting password: <SomePassword>
11/11/2014 14:22:54:964 NetpModifyComputerObjectInDs: Attribute values to set:
11/11/2014 14:22:54:964         DnsHostName  =  IMAGE-TEST.ad.domain.com
11/11/2014 14:22:54:964         ServicePrincipalName  =  HOST/IMAGE-TEST.ad.domain.com      RestrictedKrbHost/IMAGE-TEST.ad.domain.com  HOST/IMAGE-TEST  RestrictedKrbHost/IMAGE-TEST
11/11/2014 14:22:54:964         unicodePwd  =  <SomePassword>
11/11/2014 14:22:54:980 NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error     string: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
11/11/2014 14:22:54:980 NetpModifyComputerObjectInDs: ldap_modify_s failed: 0x32 0x5
11/11/2014 14:22:54:980 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5
11/11/2014 14:22:54:980 NetpProvisionComputerAccount: LDAP creation failed: 0x5
11/11/2014 14:22:54:980 NetpProvisionComputerAccount: Retrying downlevel per options
11/11/2014 14:22:54:995 NetpManageMachineAccountWithSid: NetUserAdd on 'PDC.ad.domain.com' for     'IMAGE-TEST$' failed: 0x8b0
11/11/2014 14:22:54:995 SamOpenUser on 1639 failed with 0xc0000022
11/11/2014 14:22:54:995 NetpManageMachineAccountWithSid: status of attempting to set password on     'PDC.ad.domain.com' for 'IMAGE-TEST$': 0x5
11/11/2014 14:22:54:995 NetpProvisionComputerAccount: retry status of creating account: 0x5
11/11/2014 14:22:54:995 ldap_unbind status: 0x0
11/11/2014 14:22:54:995 NetpJoinCreatePackagePart: status:0x5.
11/11/2014 14:22:54:995 NetpAddProvisioningPackagePart: status:0x5.
11/11/2014 14:22:54:995 NetpJoinDomainOnDs: Function exits with status of: 0x5
11/11/2014 14:22:54:995 NetpJoinDomainOnDs: status of disconnecting from '\\PDC.ad.domain.com':     0x0
11/11/2014 14:22:54:995 NetpJoinDomainOnDs: NetpResetIDNEncoding on '(null)': 0x0
11/11/2014 14:22:54:995 NetpDoDomainJoin: status: 0x5
11/11/2014 14:23:05:027 -----------------------------------------------------------------

I did notice the "INSUFF_ACCESS_RIGHTS" tag, but the account used is a Domain Admin account so I'm not sure what else could be the cause here. Thoughts?

Edit 3: Also, the client computer I'm testing this with is a Hyper-V VM which has a checkpoint prior to being imaged. I revert the machine, delete the object from AD, purge the WDS server of approved devices and then I restart the whole process whenever the unattended installation doesn't work. Again, I don't think this is relevant but it's all the info I can give.

Edit 4: I think I'm starting to see what's happening. After the unattend operation, I tried adding the workstation to the domain using the same account information I have specified in my unattend file only to be greeted with the following error message:

"The join operation was not successful. This could be because an existing computer
account having name “IMAGE” was previously created using a different set of
credentials. Use a different computer name, or contact your administrator to remove
any stale conflicting account. The error was:

Access is denied."

I tried with another domain admin account and I get the same error. My guess is that somehow, something is not deleted properly in AD and it's messing up because the station has already been domain-joined before. I'm going to try again by re-creating a brand new VM and will post back the results.

Edit 5: Creating a brand new VM with a blank hard drive gave me the same result and log errors using the Credentials setting. I also tried adding the checkmark for the WDS server that says "Do not join the client to a domain after an installation," thinking that there may be a conflict there with the answer file, but to no avail... I've tried setting the UnsecureJoin to True again and removing the Credentials setting with a brand new VM as well just to see, but I get the previous error again... Help?

Edit 6: Another thing that I doubt is relevant is the fact that the computer is UEFI and not BIOS.

Edit 7: Using the following answer file, I'm able to join the domain successfully every time when the "request admin approval" checkbox in WDS is unchecked. As soon as it is checked, it fails and greets me with the error:

"NetpLdapBind: ldap_bind failed on PDC.ad.domain.com: 49: Informations d'identification non valides".

This last part translates to "Identification information is invalid".

Important part of the answer file, let me know if you need anything else:

<settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Identification>
            <UnsecureJoin>true</UnsecureJoin>
        </Identification>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ComputerName>%MACHINENAME%</ComputerName>
        <RegisteredOrganization>Organization</RegisteredOrganization>
        <RegisteredOwner>Utilisateur</RegisteredOwner>
    </component>
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <InputLocale>0c0c:00001009</InputLocale>
        <SystemLocale>0c0c:00001009</SystemLocale>
        <UILanguage>fr-CA</UILanguage>
        <UserLocale>en-US</UserLocale>
    </component>
</settings>

Edit 8

Specialize section now looks like:

<settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Identification>
            <UnsecureJoin>true</UnsecureJoin>
            <JoinDomain>%MACHINEDOMAIN%</JoinDomain>
        </Identification>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <RegisteredOrganization>Organization</RegisteredOrganization>
        <RegisteredOwner>Utilisateur</RegisteredOwner>
    </component>
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <InputLocale>1009:00001009</InputLocale>
        <SystemLocale>en-US</SystemLocale>
        <UILanguage>fr-FR</UILanguage>
        <UserLocale>en-US</UserLocale>
    </component>
</settings>

And NetSetup log gives me this repeatedly:

11/20/2014 14:22:53:596 NetpDoDomainJoin
11/20/2014 14:22:53:612 NetpDoDomainJoin: using new computer names
11/20/2014 14:22:53:612 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
11/20/2014 14:22:53:612 NetpDoDomainJoin: NetpGetNewHostName returned 0x0
11/20/2014 14:22:53:612 NetpMachineValidToJoin: 'WIN-6PMPRQ5FVI5'
11/20/2014 14:22:53:612     OS Version: 6.3
11/20/2014 14:22:53:612     Build number: 9600 (9600.winblue_r3.140827-1500)
11/20/2014 14:22:53:659     SKU: Windows 8.1 Professionnel
11/20/2014 14:22:53:659     Architecture: 64-bit (AMD64)
11/20/2014 14:22:53:659 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
11/20/2014 14:22:53:659 NetpGetLsaPrimaryDomain: status: 0x0
11/20/2014 14:22:53:659 NetpMachineValidToJoin: status: 0x0
11/20/2014 14:22:53:659 NetpJoinDomain
11/20/2014 14:22:53:659     HostName: WIN-6PMPRQ5FVI5
11/20/2014 14:22:53:659     NetbiosName: WIN-6PMPRQ5FVI5
11/20/2014 14:22:53:659     Domain: ad.domain.com\PDC.ad.domain.com
11/20/2014 14:22:53:659     MachineAccountOU: (NULL)
11/20/2014 14:22:53:659     Account: (NULL)
11/20/2014 14:22:53:659     Options: 0x61
11/20/2014 14:22:53:659 NetpLoadParameters: loading registry parameters...
11/20/2014 14:22:53:659 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/20/2014 14:22:53:659 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/20/2014 14:22:53:659 NetpLoadParameters: status: 0x2
11/20/2014 14:22:53:659 NetpJoinDomainOnDs: Unsecure join requested.
11/20/2014 14:22:53:659 NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled
11/20/2014 14:22:53:659 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
11/20/2014 14:22:53:799 [000004e4] NetpGetLsaPrimaryDomain: status: 0x0
11/20/2014 14:22:53:846 NetpJoinDomainOnDs: status of connecting to dc '\\PDC.ad.domain.com': 0x0
11/20/2014 14:22:53:846 NetpJoinDomainOnDs: Passed DC 'PDC.ad.domain.com' verified as DNS name '\\PDC.ad.domain.com'
11/20/2014 14:22:53:846 NetpLoadParameters: loading registry parameters...
11/20/2014 14:22:53:846 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/20/2014 14:22:53:846 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/20/2014 14:22:53:846 NetpLoadParameters: status: 0x2
11/20/2014 14:22:53:846 NetpDsGetDcName: status of verifying DNS A record name resolution for 'PDC.ad.domain.com': 0x0
11/20/2014 14:22:53:846 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: ad.domain.com
11/20/2014 14:22:53:862 NetpProvisionComputerAccount:
11/20/2014 14:22:53:862     lpDomain: ad.domain.com
11/20/2014 14:22:53:862     lpHostName: WIN-6PMPRQ5FVI5
11/20/2014 14:22:53:862     lpMachineAccountOU: (NULL)
11/20/2014 14:22:53:862     lpDcName: PDC.ad.domain.com
11/20/2014 14:22:53:862     lpMachinePassword: (null)
11/20/2014 14:22:53:862     lpAccount: ad.domain.com\WIN-6PMPRQ5FVI5$
11/20/2014 14:22:53:862     lpPassword: (null)
11/20/2014 14:22:53:862     dwJoinOptions: 0x61
11/20/2014 14:22:53:862     dwOptions: 0xc0000007
11/20/2014 14:22:53:877 NetpLdapBind: Verified minimum encryption strength on PDC.ad.domain.com: 0x0
11/20/2014 14:22:53:877 NetpLdapGetLsaPrimaryDomain: reading domain data
11/20/2014 14:22:53:877 NetpGetNCData: Reading NC data
11/20/2014 14:22:53:877 NetpGetDomainData: Lookup domain data for: DC=ad,DC=domain,DC=com
11/20/2014 14:22:53:877 NetpGetDomainData: Failed to find the domain data: 0x6e
11/20/2014 14:22:53:877 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x6e
11/20/2014 14:22:53:893 ldap_unbind status: 0x0
11/20/2014 14:22:53:893 NetpJoinCreatePackagePart: status:0x6e.
11/20/2014 14:22:53:893 NetpAddProvisioningPackagePart: status:0x6e.
11/20/2014 14:22:53:893 NetpJoinDomainOnDs: Function exits with status of: 0x6e
11/20/2014 14:22:53:893 NetpJoinDomainOnDs: status of disconnecting from '\\PDC.ad.domain.com': 0x0
11/20/2014 14:22:53:893 NetpJoinDomainOnDs: NetpResetIDNEncoding on '(null)': 0x0
11/20/2014 14:22:53:893 NetpDoDomainJoin: status: 0x6e

As you can see, the name above "WIN-6PMPRQ5FVI5" was automatically generated and the name I provided is nowhere to be seen... The worst part is this worked fine prior to 2012 WDS so I'm not sure what they changed exactly outside of the interface shown. Thanks for your help though!

Edit 9: I tried again putting both the %MACHINEDOMAIN% and the %MACHINENAME% values. This didn't work either but I end up with the following info from NetSetup.log instead:

11/20/2014 16:23:32:232 NetpDoDomainJoin
11/20/2014 16:23:32:232 NetpDoDomainJoin: using new computer names
11/20/2014 16:23:32:232 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
11/20/2014 16:23:32:232 NetpDoDomainJoin: NetpGetNewHostName returned 0x0
11/20/2014 16:23:32:232 NetpMachineValidToJoin: 'IMAGE-TEST'
11/20/2014 16:23:32:232     OS Version: 6.3
11/20/2014 16:23:32:232     Build number: 9600 (9600.winblue_r3.140827-1500)
11/20/2014 16:23:32:295     SKU: Windows 8.1 Professionnel
11/20/2014 16:23:32:295     Architecture: 64-bit (AMD64)
11/20/2014 16:23:32:295 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
11/20/2014 16:23:32:295 NetpGetLsaPrimaryDomain: status: 0x0
11/20/2014 16:23:32:295 NetpMachineValidToJoin: status: 0x0
11/20/2014 16:23:32:295 NetpJoinDomain
11/20/2014 16:23:32:295     HostName: IMAGE-TEST
11/20/2014 16:23:32:295     NetbiosName: IMAGE-TEST
11/20/2014 16:23:32:295     Domain: ad.domain.com\dc.ad.domain.com
11/20/2014 16:23:32:295     MachineAccountOU: (NULL)
11/20/2014 16:23:32:295     Account: (NULL)
11/20/2014 16:23:32:295     Options: 0x61
11/20/2014 16:23:32:295 NetpLoadParameters: loading registry parameters...
11/20/2014 16:23:32:295 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/20/2014 16:23:32:295 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/20/2014 16:23:32:295 NetpLoadParameters: status: 0x2
11/20/2014 16:23:32:295 NetpJoinDomainOnDs: Unsecure join requested.
11/20/2014 16:23:32:295 NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled
11/20/2014 16:23:32:295 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
11/20/2014 16:23:32:482 [0000051c] NetpGetLsaPrimaryDomain: status: 0x0
11/20/2014 16:23:32:498 NetpJoinDomainOnDs: status of connecting to dc '\\dc.ad.domain.com': 0x0
11/20/2014 16:23:32:513 NetpJoinDomainOnDs: Passed DC 'dc.ad.domain.com' verified as DNS name '\\dc.ad.domain.com'
11/20/2014 16:23:32:513 NetpLoadParameters: loading registry parameters...
11/20/2014 16:23:32:513 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
11/20/2014 16:23:32:513 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
11/20/2014 16:23:32:513 NetpLoadParameters: status: 0x2
11/20/2014 16:23:32:513 NetpDsGetDcName: status of verifying DNS A record name resolution for 'dc.ad.domain.com': 0x0
11/20/2014 16:23:32:513 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: ad.domain.com
11/20/2014 16:23:32:529 NetpProvisionComputerAccount:
11/20/2014 16:23:32:529     lpDomain: ad.domain.com
11/20/2014 16:23:32:529     lpHostName: IMAGE-TEST
11/20/2014 16:23:32:529     lpMachineAccountOU: (NULL)
11/20/2014 16:23:32:529     lpDcName: dc.ad.domain.com
11/20/2014 16:23:32:529     lpMachinePassword: (null)
11/20/2014 16:23:32:529     lpAccount: ad.domain.com\IMAGE-TEST$
11/20/2014 16:23:32:529     lpPassword: (null)
11/20/2014 16:23:32:529     dwJoinOptions: 0x61
11/20/2014 16:23:32:529     dwOptions: 0xc0000007
11/20/2014 16:23:32:545 NetpLdapBind: Verified minimum encryption strength on dc.ad.domain.com: 0x0
11/20/2014 16:23:32:545 NetpLdapGetLsaPrimaryDomain: reading domain data
11/20/2014 16:23:32:545 NetpGetNCData: Reading NC data
11/20/2014 16:23:32:545 NetpGetDomainData: Lookup domain data for: DC=ad,DC=domain,DC=com
11/20/2014 16:23:32:545 NetpGetDomainData: Failed to find the domain data: 0x6e
11/20/2014 16:23:32:545 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x6e
11/20/2014 16:23:32:545 ldap_unbind status: 0x0
11/20/2014 16:23:32:545 NetpJoinCreatePackagePart: status:0x6e.
11/20/2014 16:23:32:545 NetpAddProvisioningPackagePart: status:0x6e.
11/20/2014 16:23:32:545 NetpJoinDomainOnDs: Function exits with status of: 0x6e
11/20/2014 16:23:32:545 NetpJoinDomainOnDs: status of disconnecting from '\\dc.ad.domain.com': 0x0
11/20/2014 16:23:32:545 NetpJoinDomainOnDs: NetpResetIDNEncoding on '(null)': 0x0
11/20/2014 16:23:32:545 NetpDoDomainJoin: status: 0x6e

At least now the name given in WDS is used but now the error that sticks out is: NetpGetDomainData: Failed to find the domain data: 0x6e and I'm not sure why. I'll try hardcoding the domain instead of putting %MACHINEDOMAIN% and will post back the results.

Edit 10: Currently got a ticket for this with MS. Will get back with the solution once they find it. So far, seems like a bug in WS2012 WDS. Will post more info once available.

Mat
  • @WinOutreach2 I've tried setting UnsecureJoin to False and setting the credentials instead to see if it would succeed and I still get an error although different. See the edit above for the relevant NetSetup.log information. – Mat Nov 11 '14 at 14:20
  • @tfrederick74656 Seemed like a decent thing to try since my problem seems related to "name and approve" specifically but unfortunately, no dice. I put %MACHINEDOMAIN% instead of "somedomain.com" which should be properly populated by WDS but to no avail. Also, removing the field prompted me to enter a computer name during the OOBE process... Also, it seems like WDS is ignoring the name I put in "name and approve". See edit #8 above for the appropriate NetSetup log info. – Mat Nov 20 '14 at 13:59
  • I am having the exact same issue. Server 2016, WDS, UEFI, Approved machines from WDS console. Have to delete comp account and join manually. – Ben Oct 17 '18 at 01:02

6 Answers

It is a bug in WDS. When you approve a UEFI device it gives the wrong permissions. If you look under the security permissions on the computer object you will see it has set deny for Domain Admins against the 'Change password' and 'Reset password'. Remove the deny for both of these and you are good to go.

You will need to do this for each UEFI computer you approve through WDS but it is better than nothing.

hailstorm
  • I would have assumed that Microsoft would know about and fix such a bug. The fact that even going through their **paid** support service and having them just give up 2 weeks in without actually finding the problem is.... In any case, +1 for actually giving me a reason as to why this doesn't work! Any idea on whether or not it'll do the same thing in the next Server iteration that will come out in 2016? I'm aware of the public beta right now so not sure if anybody has tested this yet? – Mat Jul 29 '15 at 12:36
  • I cannot believe this is still not fixed. It just cost me 30 hours. – Christopher Edwards Jan 14 '16 at 14:09
  • Still not fixed in Server 2016. If you manually specify a user in WDS they will also get the deny. – maxf Jan 02 '18 at 13:54
We ended up contacting Microsoft regarding this and, after several weeks of useless tests, it turns out there is a bug in WDS "name and approve" and PXE booting when using UEFI over BIOS, and unattended domain joining is simply non-functional over UEFI when PXE booting with WDS name and approve.

Long story short, keep using BIOS if you want automated joins with WDS. If you are forced to use UEFI, the only other alternative would be to use a logon script after deployment, but this assumes the account that will be logged in is an administrator. Either that or manually join the domain post-deployment!

Hope this helps somebody else with this same problem. I know it caused me some major headaches.

Cheers!

Mat
You are still missing either the Credentials setting or the Provisioning setting. See AccountData for how to use UnattendedJoin without entering credentials through Provisioning.

WinOutreach2
  • I never added this that one time it worked and we have never needed it in previous deployments of Windows XP and 7. Also, wouldn't the information entered here only be valid for that one machine? We're trying to get this image working so it can be pushed out to a few hundred machines afterwards. – Mat Nov 10 '14 at 16:58
  • It's been a while since I configured this in my environment, but IIRC you have two options for authenticating the join. Either you supply the credentials for a user authorized to join the computer, or you precreate the computer account in AD and use the machine password to join it. The second option is called an unsecure join, and that's why you were able to get it to work once. @WinOutreach2 provided the correct answer, you need to supply credentials for the join or pre-provision the computer account for each system. – tfrederick74656 Nov 18 '14 at 17:06
  • I'm actually able to get it working consistently now using unsecurejoin but ONLY if I remove the "request admin approval" checkbox from WDS. As soon as I check it and "name and approve" the station, it fails! I'll post an edit with the up-to-date answer file I'm using. – Mat Nov 18 '14 at 19:07
Added info: this also occurs with 2008 Std R2 with W7 Pro machines.

To all whom it may concern: since this issue is applicable only at the Domain Admin group level, I thought to try with an account given all rights through Delegate Control at the domain root level, which works as well, so there is no need to go and change the security settings on each and every UEFI computer object :).

How-to:

  1. I created a user WDSinstall, whose only group membership is Domain User.
  2. Then I simply ran through the Delegate Control wizard (in this case, right-click your root Domain node and select Delegate Control).
  3. Add your newly created account and click Next.
  4. Select Create custom tasks to delegate and click Next.
  5. Keep "This folder, existing objects in this....." selected, click Next.
  6. Make sure that all 3 options under "Show these permissions" are ticked, meaning: General, Property-Specific and Creation/Deletion of specific child-objects.
  7. In the Permissions box, simply tick Full Control, this will select all other permissions as well. Click Next.
  8. Click Finish.

Now you have an account which is in essence a Domain Admin account, and as such, you can use it for all your WDS and deployment needs.

I hope this helps someone as much as this original post helped me (a lot).

Ken L.
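
An added example (mine, not code from Ken L.'s answer or from Microsoft) that delegates to a dedicated join account only the rights the NetSetup.log excerpts above show being exercised (creating the computer object, resetting unicodePwd, writing userAccountControl, DnsHostName and ServicePrincipalName), scoped to one OU, rather than Full Control at the domain root as in the wizard walkthrough. It assumes the ActiveDirectory module; the account name reuses the answer's WDSinstall and the OU is a placeholder, and whether this narrower set covers every attribute a given WDS version writes is an assumption drawn from the logs on this page, not something the answer states.

```powershell
<#
  Added example, not from the original answer. Grants a join account a
  narrow set of rights on one OU instead of Full Control at the domain root:
    - create computer objects in the OU
    - on descendant computer objects: Reset Password, write the
      Account Restrictions property set (userAccountControl),
      validated writes to DNS host name and service principal name
  These are the attributes the NetSetup.log above shows being modified;
  treat the list as an assumption and extend it if your join writes more.
#>
param(
    [string]$Account  = 'WDSinstall',                         # from the answer
    [string]$TargetOU = 'OU=Workstations,DC=example,DC=com'   # placeholder
)
Import-Module ActiveDirectory -ErrorAction Stop

$rootDse = Get-ADRootDSE

# Resolve the computer class GUID and the extended-right GUIDs from the
# directory itself rather than hard-coding them.
$computerClass = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

$rights = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $rights[$_.displayName] = [guid]$_.rightsGuid }

$needed = 'Reset Password', 'Account Restrictions',
          'Validated write to DNS host name', 'Validated write to service principal name'
foreach ($n in $needed) {
    if (-not $rights.ContainsKey($n)) { throw "Extended right '$n' not found in schema" }
}

$sid  = (Get-ADUser -Identity $Account).SID
$path = "AD:\$TargetOU"
$acl  = Get-Acl -Path $path

function New-Ace {
    # Helper: build an ACE for $sid limited to descendant computer objects.
    param([string]$AdRights, [guid]$ObjectType, [string]$Inheritance = 'Descendents')
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$AdRights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        $computerClass)
}

# 1. Create computer objects in the OU (and sub-OUs). Here the object type
#    is the computer class itself, so inherit on all containers.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow, $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# 2. Reset Password is a control access right -> ExtendedRight.
$acl.AddAccessRule((New-Ace -AdRights 'ExtendedRight' -ObjectType $rights['Reset Password']))

# 3. Validated writes use the Self right, not WriteProperty.
foreach ($n in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $acl.AddAccessRule((New-Ace -AdRights 'Self' -ObjectType $rights[$n]))
}

# 4. userAccountControl is covered by the Account Restrictions property set.
$acl.AddAccessRule((New-Ace -AdRights 'ReadProperty, WriteProperty' -ObjectType $rights['Account Restrictions']))

Set-Acl -Path $path -AclObject $acl
Write-Output "Delegated join rights for $Account on $TargetOU"
```

Because the Deny ACE described in the accepted answer targets Domain Admins, a non-admin account delegated this way is not affected by it, which is the same reason Ken L.'s delegated account works.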
Ok, looking at your edit #7, you have two errors:

First, you're missing <JoinDomain>somedomain.com</JoinDomain> with your domain name filled in.

Second, you need to remove the <ComputerName>%MACHINENAME%</ComputerName> line.

That should get you working.

tfrederick74656
Here's what I've found in regard to unsecure setups: you don't need computername or domainname set. On install, when you auth to the server to pull the image file, you need to connect to WDS with a domain account with the rights to do password resets on the computer account; the computer name, domain name and reset password are pulled at this point. The password reset is done by the WinPE client machine, not the WDS server.

Here are my notes: Jim's WDS notes

Hope that helps

Jim

Jim Potter