Domain trust failures can often happen when the computer account password (one that you never really deal with) gets out of date/sync. This can happen when restoring snapshots in a VM, or in imaging. I think it can happen if it wasn't sysprep'ed or something went wrong there, as sysprep should clear the identifiers that the DC/Domain would use.
It's one of the things that I touch upon during a Momentum Webinar scheduled later today around Provisioning.
Here are 3 different articles with different solutions to the problem.
The cause is essentially always "you captured a device while it was part of a domain" ... the upshot being "don't take an image of a device that's in a domain, even though Windows 7/8/10 should be fine" ... it's not always 100% fine.
Hope this helps.
Thanks for the info. I'll check it out. I thought I was signed up for your webinar, but I don't see it on my calendar, so I'll go track it down.
Oddly I do not have the issue following the same processes with Windows 7. Windows 10 Sysprep seems iffy and there are a lot of complaints online about it.
Running sysprep (from what I understand) is supposed to remove the device from the domain and clean it up. I never saw any issues with this on 7. Win 10 has constantly given me domain trust issues.
The only reason I had it join to the domain at all, was to automate the gold image build process. Now I am just mapping drives to server location shares to get past the authentication failures without joining the domain.
So far that seems to be stable. The LDMS Join Domain provisioning step would always flag green, so I also wasn't sure if maybe it was just an issue with the way that action item was calling the join.
I appreciate the help.
Hope you were able to attend the Webinar. In case you weren't able to ...
... yeah ... SYSPREP / domain trust is still "iffy" (mildly put). It "shouldn't happen" / "shouldn't be a problem" based on what I've read up from Microsoft from Windows 7 onwards ... but it still does.
So I personally encourage people to create SYSPREP images outside of domains (it's a one-off pain I hope) to reduce that particular pain. The "failing" AD authentication I could usually live with (since my distrust of DNS not working usually suggests using local rather than AD accounts to access shares), but the one chief point to fall flat on your provisioning face as it were, is always the "join domain" action ... if the domain feels ever so slightly grumpy ... it's a lot of clean-up.
So ... I try to front-load my provisioning with as much distrust of domain & DNS as I can ... it usually works for me.
YMMV of course ...
Thanks again Paul. I was only able to jump on the last bit of it.
The only other issue I am really seeing now is a bit different. When re-imaging a device that had already joined the domain, I am seeing the 'Join Domain' action item flag successful, but in reality it fails to join the domain. In some cases, using my service account to re-join the domain will also fail and I have to delete the object out of AD using my DA account. This only occurs with Windows 10 images. Windows 7 doesn't seem to cause this issue for me. It seems pretty sporadic, so I have not narrowed it down just yet. Will keep pushing through.
The Webinar has been recorded & you can view it here (as well as download the presentation & so on):
As for troubleshooting that stuff - well - enable the relevant (Windows) Auditing on the DC that those boxes will talk to & see what Windows has to say for itself. From personal experience, you have to take Microsoft's error messages with a pinch of salt (as usual) as it may be more indicative of what's ACTUALLY wrong rather than being "the whole truth and nothing but the truth".
As an aside, I've had a good bunch of success running that PowerShell script one-liner which resets the machine account, rather than rejoining the domain. A habit I would recommend, as yanking servers out & back into a domain can have very bad effects on the app-stack on them. Less of an issue for workstations (usually) but I prefer to be safe than sorry.
Good luck with the Windows 10 stuff ... and hopefully you'll get more useful error messages than I've had to try & make sense of / psycho-analyse in the past.
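
The machine-account reset mentioned in the post above, as an added example that is not part of the original thread. The post does not name the one-liner, so this assumes the built-in `Test-ComputerSecureChannel -Repair` cmdlet in Windows PowerShell 5.1; the `$DomainController` parameter and its sample value are hypothetical.

```powershell
# Added example: verify and repair the machine account secure channel
# without removing the computer from the domain.
# Run in an elevated Windows PowerShell 5.1 session on the affected machine
# (log on with a local administrator account if domain logons fail).
[CmdletBinding()]
param(
    # Optional: a specific DC to talk to (hypothetical, e.g. 'dc01.example.test')
    [string]$DomainController
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "$env:COMPUTERNAME is not domain-joined; nothing to repair."
    return
}

# Pass -Server only when a DC was specified
$common = @{}
if ($DomainController) { $common['Server'] = $DomainController }

# Returns $true when the secure channel to the domain is working
if (Test-ComputerSecureChannel @common) {
    Write-Output "Secure channel to $($cs.Domain) is healthy."
    return
}

Write-Warning "Secure channel to $($cs.Domain) is broken; attempting repair."
# Assumption: this account is allowed to reset the computer account password in AD
$cred = Get-Credential -Message "Account allowed to reset $env:COMPUTERNAME in $($cs.Domain)"

try {
    # -Repair re-establishes the channel in place; the existing AD computer object is kept
    $repaired = Test-ComputerSecureChannel -Repair -Credential $cred @common -ErrorAction Stop
} catch {
    Write-Error "Repair failed: $($_.Exception.Message)"
    return
}

# Re-test so a reported success is confirmed rather than assumed
if ($repaired -and (Test-ComputerSecureChannel @common)) {
    Write-Output "Secure channel repaired; no domain rejoin was needed."
} else {
    Write-Error "Secure channel still broken; check the computer object in AD (disabled, deleted or duplicate)."
}
```

Running the same check as the last step of a provisioning template, after the join-domain action, gives an independent confirmation that the join actually worked.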