17 Replies. Latest reply on Nov 17, 2016 6:00 AM by amarsolan

    Fail to join Domain

    amarsolan Rookie

      My provisioning template is successful thru CTOS.  The template continues after the reboot, but fails when joining the domain.  The generic Microsoft error is bad username/password.  If I manually apply the username/password the join is successful.

       

      The JoinDomainHandler log has an interesting entry;

      2016-09-02 20:30:50(5312-5316) JoinDomainHandler.exe:TryallWebService exitcode: 0

      2016-09-02 20:30:50(5312-5316) JoinDomainHandler.exe:Unable to decipher password: 15

      2016-09-02 20:30:50(5312-5316) JoinDomainHandler.exe:Joining domain <MyDomain> and OU OU=<MyOU>.

      2016-09-02 20:30:53(5312-5316) JoinDomainHandler.exe:NetJoinDomain() unknown error: 1326

       

      The password is alphanumeric, no special characters.  I am using LDMS2016, ver. 10.0.0.271.

      JoinDomain.jpg 

       

      Any ideas?

        • 1. Re: Fail to join Domain
          FrugalRain Apprentice

          Have you tried using a public variable ?

          Also ensure the username you are using has rights to join machines to the domain...

           

          • 2. Re: Fail to join Domain
            amarsolan Rookie

            Haven't tried that yet.  Just trying the very basic template.  The administrative account has rights, as I can manually join the domain with that account after the provisioning template fails.  Was wondering if there might be a bug in the domain action handler with how it encrypts/decrypts the password?

             

            Update:  Tried the public variables and I lose the "can't decipher password" entry, but still get an IPC$ returned 1326 error.

            Tried running from a dos prompt; net use \\dcname\ipc$ /u:< domain\user > < password > and receive the command completed successfully. I have opened a ticket with the Domain Admin group to see if they can tell why the DCs are rejecting the request.
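Added example (not part of the thread and not LANDesk code): a small triage pass over JoinDomainHandler log lines that separates the two situations described in the posts above, a 1326 preceded by "Unable to decipher password" in the same process/thread versus a 1326 on its own. The line layout is taken from the excerpt in the first post; the second sample, the code-to-name table and the `next_step` hints are assumptions made for this example.

```python
import re

# Layout from the JoinDomainHandler excerpt in the first post:
# "<date> <time>(<pid>-<tid>) JoinDomainHandler.exe:<message>"
LINE = re.compile(r"^(\S+ \S+)\((\d+)-(\d+)\) JoinDomainHandler\.exe:(.*)$")
ERROR = re.compile(r"\berror: (\d+)\s*$")

# Win32 / NetAPI codes that can come back from a refused join (winerror.h, lmerr.h).
WIN32 = {5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE",
         1331: "ERROR_ACCOUNT_DISABLED", 1909: "ERROR_ACCOUNT_LOCKED_OUT",
         2224: "NERR_UserExists", 8557: "ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED"}

def triage(log_text):
    """Return one finding per failed join, tracked per (pid, tid)."""
    undecoded = set()          # threads that logged a password decode failure
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue           # blank or foreign line
        stamp, pid, tid, msg = m.groups()
        key = (pid, tid)
        if msg.startswith("Unable to decipher password"):
            undecoded.add(key)
            continue
        err = ERROR.search(msg)
        if err:
            code = int(err.group(1))
            # Triage assumption: a decode failure earlier in the same thread means
            # the client may not have had the real password to present.
            step = ("fix credential decoding on the client"
                    if key in undecoded else
                    "review failed-logon audit events on the DC")
            findings.append({"time": stamp, "code": code,
                             "name": WIN32.get(code, "UNKNOWN"), "next_step": step})
            undecoded.discard(key)
    return findings

# Excerpt as posted in the thread.
POSTED = """\
2016-09-02 20:30:50(5312-5316) JoinDomainHandler.exe:TryallWebService exitcode: 0
2016-09-02 20:30:50(5312-5316) JoinDomainHandler.exe:Unable to decipher password: 15
2016-09-02 20:30:50(5312-5316) JoinDomainHandler.exe:Joining domain <MyDomain> and OU OU=<MyOU>.
2016-09-02 20:30:53(5312-5316) JoinDomainHandler.exe:NetJoinDomain() unknown error: 1326
"""
# Constructed: the same failure after the decode error has gone away.
CONSTRUCTED = """\
2016-09-06 09:12:01(4100-4104) JoinDomainHandler.exe:Joining domain <MyDomain> and OU OU=<MyOU>.
2016-09-06 09:12:04(4100-4104) JoinDomainHandler.exe:NetJoinDomain() unknown error: 1326
"""

if __name__ == "__main__":
    for f in triage(POSTED) + triage(CONSTRUCTED):
        print(f)
```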

            • 3. Re: Fail to join Domain
              phoffmann SupportEmployee

              Yeah - your first step here will be enabling NT account auditing on the DC ... that can get very chatty. Hopefully it'll give you a useful set of messages (they sometimes aren't). *fingers crossed* .

              • 4. Re: Fail to join Domain
                amarsolan Rookie

                Sorry for the dead space, got pulled away on a different project.

                 

                I could never get the domain admin group to tell me why the DCs were rejecting the Landesk "join domain" action item.

                 

                Finally got this to work, but it is a huge workaround.  I created a PowerShell script to join the domain only to find Windows will not execute a remote PowerShell script because it is restricted.  So then I created a batch file that launches the PowerShell script in unrestricted mode.  One problem here is the password.  The only way it would work is having the password in clear text in the ps script*. I can add an action item to remove the scripts after the domain join, so nothing is available to the local user.  I am now looking into creating an admin account that only has permission to join computers to the domain.

                 

                *Landesk will let me use a public variable in the ps script, but I have no idea what the encryption key is.  Maybe with that info, I can pass the key info in the ps script for decryption.  Maybe just using a special admin account is best..

                JoinDomainScripts.jpg

                • 5. Re: Fail to join Domain
                  Dave Johnston Apprentice

                  Another option would be to use an unattend file and join it to the domain during Windows setup.  Once the OS is deployed, you can delete the old one, and insert the new unattend.xml file with the "Microsoft-Windows-UnattendedJoin" component configured for your domain.

                   

                  • 6. Re: Fail to join Domain
                    amarsolan Rookie

                    That seems to be the recommended way, but I have no experience with unattend.xml files and when I opened the Windows System Image Manager to create one I got intimidated.  It's probably easy once one knows how but I could not find good documentation on what to do.  Still learning...

                    • 7. Re: Fail to join Domain
                      Frank Wils ITSMMVPGroup

                      Also always be sure to check the local c:\windows\debug\netsetup.log

                       

                      This contains all the details on how the join domain is handled by Windows.

                       

                      Frank

                      • 8. Re: Fail to join Domain
                        amarsolan Rookie

                        Thanks Frank, I have been using the log and that is how I know it's a username/password error.  Windows is particular in decrypting passwords.  The PC joining the domain requires the encryption key to be local.  I think that is what I am running into when using the Landesk join domain action item without having the agent installed on the PC first.  I haven't tested the action item with the agent installed yet.  Since the PC is not a domain member, it cannot access resources from a domain server, so I thought I would join it to the domain first before installing the agent and software.  The other solution to this would be to map a drive to the core/preferred server and install the agent first before using the Landesk action items.

                        • 9. Re: Fail to join Domain
                          Frank Wils ITSMMVPGroup

                          You should be able to Join the Domain using a LANDESK action before deploying the agent. The action will create a 'command' with the username and decrypted password.

                           

                          At a certain point LANDESK changed its encryption method and required all passwords in variables to be re-entered and saved. Have you tried this? It might be just as simple as that...

                           

                          Frank

                          • 10. Re: Fail to join Domain
                            Frank Wils ITSMMVPGroup

                            Passwords in Provisioning variables and Provisioning actions. Sorry.

                            • 11. Re: Fail to join Domain
                              amarsolan Rookie

                              I just applied the SU4 update last week and tried re-entering the password in the action item and via a variable and still no love...

                              • 12. Re: Fail to join Domain
                                jParnell Specialist

                                I highly suggest you learn about building answer files; the WAIK / ADK makes it extremely easy to do in a graphical way, and there are many different support options all over the internet (for example, Google "join domain unattend.xml". The first result has a step-by-step explanation, with links to a YouTube video on Windows 7 unattended installation).

                                 

                                The best training, if you can interpret it, is always going to be from Technet. For example, Building an Answer File

                                 

                                As well, here is the video the first result linked to Create unnatended.xml for Windows 7 - YouTube

                                 

                                Keep in mind, you can also use variables for your username and passwords; for instance, in ours, we have the domain account in the xml as %ldServiceAcct% and the password as %ldServicePswd%; those variables are stored as public variables in LDMS and are updated to reflect real text values using the "Inject Script" action.

                                • 13. Re: Fail to join Domain
                                  BD_RB Apprentice

                                  If you did an upgrade from 9.6 to 2016, check and make sure the old .0 certs are removed from your boot.wim and boot64.wim in \cba8\cbaroot\certs

                                   

                                  This worked for us: after the 9.6 to 2016 upgrade, join domain tasks did not work with provisioning until we removed the old certs from the boot.wims.

                                  • 14. Re: Fail to join Domain
                                    amarsolan Rookie

                                    Thanks, JP for the links, I will definitely look into this.  Attended a Connect event yesterday and the Landesk folks recommended I open a ticket.  I am still testing the product and would think the basic action items would work.  I also experienced a failure with mapping a drive.  Seems like when I try to pass a username and password I get a failure.
