Yes, the JoinDomain account has the following permissions:

This object and all descendant objects
- Create and Delete Computer Objects

Descendant Computer Objects
- Read All Properties
- Write All Properties
- Modify Permissions
- Change Password
- Reset Password
- Validated write to DNS host name
- Validated write to service principal name

The OU is provided in the Task Sequence along with the join domain account and password. Still not working. The netsetup.log file shows the following:

03/24/2014 17:09:03:730 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x2
03/24/2014 17:09:03:730 NetpProvisionComputerAccount: LDAP creation failed: 0x2

Any ideas?

Thanks,
Brian

Date: Mon, 24 Mar 2014 14:31:03 -0700
Subject: Re: [MDT-OSD] machine fails to join domain
From: [email protected]
To: [email protected]

A couple of things you can look into:
- Domain being resolved? Because of some issue we had with DNS, I had to add domain suffixes to the network task at my last place.
- Does the domain account being used have correct permissions? To "Create" objects on the necessary OUs or the built-in computer container. As mentioned by Isaac, when no OU is provided, the TS tries to add it to the default computer container.

On Mon, Mar 24, 2014 at 2:18 PM, Isaac Holmes <[email protected]> wrote:

I've not had to pre-create objects in AD when I specify a "Domain OU" on the "Apply Network Settings" step. As I understand it, if no OU is specified it tries to place the computer object in the default Computers OU in AD, which in my case no one has rights to. So I either have to pre-create AD computer objects or specify the target OU. In my TS I have taken to building bare metal machines and placing them in a default build OU and moving them manually when finished. And using the same TS, if the object already exists it is joined to the existing object during the build.

Isaac

From: [email protected] [mailto:[email protected]] On Behalf Of Brian McDonald
Sent: Monday, March 24, 2014 5:05 PM
To: [email protected]; [email protected]
Subject: [MDT-OSD] machine fails to join domain

I am attempting to join a bare metal machine to the domain using an SCCM 2012 R2 TS. The machine fails to join to the domain. The NIC driver is injecting properly as part of the installation process. The SMSTS.log doesn't tell me much other than the fact that the Apply Network Settings step executed. In our previous SCCM 2007 environment we always had to create the computer object in the domain before imaging. That was the only way we could make it join during the OS deployment process. Is this mandatory? I have a service account set up to join PCs to the domain. I have validated the password and permissions. Am I missing something here? Seems nuts to have to put the computer in AD before machines will join to the domain as part of OSD. I appreciate any input.

Thanks,
Brian
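One way to check the two things raised in this thread, that the OU DN given in the task sequence actually resolves and what the join account is really delegated on it, as an added PowerShell diagnostic that is not from any of the posters; it assumes the RSAT ActiveDirectory module is installed and uses placeholder OU and account names. 0x2 is the Win32 code ERROR_FILE_NOT_FOUND, which is why the script resolves the DN before looking at permissions.

```powershell
# Added diagnostic for the delegation questions in the thread (not from the thread itself).
# Assumes the RSAT ActiveDirectory module; $OuDn and $JoinAccount are placeholders to replace.
param(
    [string]$OuDn        = 'OU=Build,DC=example,DC=com',   # placeholder: the "Domain OU" from the TS
    [string]$JoinAccount = 'EXAMPLE\JoinDomain'             # placeholder: the domain join account
)
Import-Module ActiveDirectory

# Well-known schema / extended-right GUIDs, so ACEs can be read against the permission
# list Brian posted rather than as raw GUIDs.
$guidNames = @{
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'Computer objects'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
    '00000000-0000-0000-0000-000000000000' = '(all)'
}
function Decode-Guid([guid]$g) {
    if ($guidNames.ContainsKey($g.ToString())) { $guidNames[$g.ToString()] } else { $g.ToString() }
}

# 1. The DN in the Apply Network Settings step must resolve exactly. NetpGetComputerObjectDn
#    returning 0x2 (ERROR_FILE_NOT_FOUND) is consistent with the DN not being found, so test it first.
try {
    $ou = Get-ADObject -Identity $OuDn -ErrorAction Stop
    Write-Host "OU found: $($ou.DistinguishedName)"
} catch {
    Write-Warning "OU '$OuDn' not found: $($_.Exception.Message)"
    return
}

# 2. Show every ACE on that OU granted to the join account, decoding object-type GUIDs,
#    so scope (this object vs. descendant computer objects) can be compared with the delegation.
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinAccount } |
    ForEach-Object {
        [pscustomobject]@{
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            AppliesTo   = Decode-Guid $_.ObjectType
            InheritedTo = Decode-Guid $_.InheritedObjectType
            Inheritance = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

Run it as an account that can read the OU's security descriptor; an empty table means no ACE on the OU names the join account directly, which is worth checking when the delegation was done through a group.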
