Deployment Solution

Adding workstation to domain

  • 1.  Adding workstation to domain

    Posted Feb 18, 2011 03:56 PM

    I've got DS 6.9.  We're ordering workstations with no OS.  I'm installing the automation partition with a CD, then running a Deploy Image job which has been tested extensively and works.  In this job, the workstation joins the domain (via sysprep).  I'd never had a problem with this before--the only issue to this point has been that, in order to push the image to an existing workstation, I had to delete the computer account from the domain first (before configuration gets to that point).

    The issue I'm coming across is, on a brand new workstation, it's not joining to the domain, even though the image job completes otherwise.  If I manually add the computer to the domain after the job completes, then run the same job to it (and delete the computer account from Active Directory while the image is downloading), everything works perfectly--it re-adds the computer account.  I've tried adding a Modify Configuration job to add to the domain, but this also fails.

    I've seen a couple threads relating to this issue, but never saw a resolution.



  • 2.  RE: Adding workstation to domain

    Posted Feb 22, 2011 09:51 PM

    I've honestly never liked using Sysprep to join the machine to the domain as I constantly received mixed results.. We created a script job that used netdom once the image was pushed and sysprep finished for the first time.. I can paste the details of the batch file if you need it.. let me know.



  • 3.  RE: Adding workstation to domain

    Posted Feb 23, 2011 01:34 AM

    Hi JP,

    First sort of off-topic:
    You are getting this message, but it is more of a general point.

    If you think you have a solution for a more general issue, why put a teaser only?
    It is so off topic to ask, but I really wonder what your motivation is not to add the "details" in your first post?
    What is there to gain or to lose?

    On-topic:
    I am always curious how other people are solving the obvious and the non-day-2-day issues.  So please let us see how you have solved this in your environment!



  • 4.  RE: Adding workstation to domain

    Posted Feb 23, 2011 08:16 AM

    I agree with JP330ci on the issue of joining computers to the domain via sysprep.  One thing I would check is the domain controller's event log at the time the failed join domain happens.  There might be some clues (such as a bad account, a limit on how many computers a user can join to the domain...yes, there is a default limit in AD, etc.).
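The default limit mentioned in the post above is the domain's ms-DS-MachineAccountQuota attribute (10 unless changed), which caps how many computer accounts a non-administrative user without delegated rights can create. The following check is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is installed, and `AddComputerAccount` is a placeholder for the account the imaging job joins with.

```powershell
# Added example: compare the domain join quota with what the join account has used.
Import-Module ActiveDirectory

# Assumption: placeholder for the account used by the imaging job for domain joins.
$JoinAccount = 'AddComputerAccount'

# The quota is stored on the domain head object.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
             -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

$sid = (Get-ADUser -Identity $JoinAccount).SID.Value

# AD records the creator's SID in ms-DS-CreatorSID on computer objects
# that were created under the quota; count the ones owned by this account.
$created = @(Get-ADComputer -Filter * -Properties 'ms-DS-CreatorSID', whenCreated |
    Where-Object { $_.'ms-DS-CreatorSID' -and $_.'ms-DS-CreatorSID'.Value -eq $sid })

[pscustomobject]@{
    Domain          = $domain.DNSRoot
    JoinAccount     = $JoinAccount
    Quota           = $quota
    AccountsCreated = $created.Count
    QuotaReached    = ($created.Count -ge $quota)
}

# List the computer accounts that count against the quota, oldest first.
$created | Sort-Object whenCreated | Select-Object Name, whenCreated
```

An account that has been delegated the right to create computer objects in the target OU is not subject to this quota, so a result of `QuotaReached = False` does not rule out other permission problems.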



  • 5.  RE: Adding workstation to domain

    Posted Feb 23, 2011 08:48 AM

    I'm not even really sure where to start with this... for some reason I think you just felt the need to either A) boost your post count or B) complain about something. I believe your post was much less constructive to this thread than mine was as you didn't offer any type of help at all, simply a personal rant of your own accord which should've been handled through PM if you truly felt the need.

     

    First off -

    I did not provide any type of solution to his issue, much rather I provided an alternative route to achieve what he is trying to do.

     

    Second -

    I was at home when I made that post and I didn't have the script readily available to provide to him. Also I feel that Netdom is something that every engineer should know and / or learn at the earliest stages of development. Simply providing him with a script would have created a "give a man a fish scenario" rather than letting him research Netdom and learning the benefits of it by himself so he can remember it for future uses.

    Now actually to go back onto Topic.

    Here is a script that we use in order to join the machine to the domain once the sysprep process has completed, please keep in mind that you must have the altiris agent installed onto the machine (via the run once option in sysprep is best) in order for this to work properly.

     

    Create a step in your imaging process after the image has been completely pushed and the agent installed. This will join the machine to the domain for you.

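    ' Joins the computer to the domain.
    ' This is VBScript: save it with a .vbs extension and run it with cscript.exe.

    ' FJoinOptions bit flags for Win32_ComputerSystem.JoinDomainOrWorkgroup
    Const JOIN_DOMAIN = 1
    Const ACCT_CREATE = 2
    Const ACCT_DELETE = 4
    Const WIN9X_UPGRADE = 16
    Const DOMAIN_JOIN_IF_JOINED = 32
    Const JOIN_UNSECURE = 64
    Const MACHINE_PASSWORD_PASSED = 128
    Const DEFERRED_SPN_SET = 256
    Const INSTALL_INVOCATION = 262144

    ' Domain to join and the account used for the join
    strDomain = "Add domain here"
    strUser = "User account here"
    strPassword = "User password here"

    ' Bind to the local computer's Win32_ComputerSystem instance
    Set objNetwork = CreateObject("WScript.Network")
    strComputer = objNetwork.ComputerName
    Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")

    ' Arguments: domain, password, DOMAIN\user, OU (Null = default container), join options.
    ' ReturnValue is 0 on success, otherwise a Win32 error code.
    ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, strDomain & "\" & strUser, Null, JOIN_DOMAIN + ACCT_CREATE)

    ' Wait 20 seconds before the script ends
    WScript.Sleep 20000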

     

     

    The only thing I don't like about this script is that it requires the username / password to be hardcoded inside.. That was something we decided to live with since it resolved all of our other issues. Also since the user doesn't have any other rights than joining machines to the domain.. I hope this helps you in giving you options to resolve your current issue. However please research the Netdom command as it is extremely useful in many cases, as you can see there are many ways to skin a cat so to speak.
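The script in the post above discards the value returned by JoinDomainOrWorkGroup, so a failed join looks the same as a successful one. The following is an added example, not code from the original post: a PowerShell version of the same WMI call that takes the join account as a credential parameter instead of embedding it, and reports the return code. It assumes Windows PowerShell running elevated on the workstation; the parameter names and the short error table are choices made for this example.

```powershell
# Added example: same WMI join as the VBScript above, with the result checked.
param(
    [Parameter(Mandatory)] [string] $Domain,
    # Join account, supplied by the caller rather than hardcoded in the file.
    [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential
)

# FJoinOptions flags, same values as in the VBScript constants.
$JOIN_DOMAIN = 1
$ACCT_CREATE = 2

# Subset of return codes (Win32/NetAPI error numbers) relevant to this thread.
$JoinErrors = @{
    5    = 'Access denied: the join account lacks rights on the computer object or OU.'
    1326 = 'Logon failure: wrong user name or password for the join account.'
    1355 = 'The domain does not exist or could not be contacted (check DNS).'
    2224 = 'The computer account already exists in the domain.'
    2691 = 'The machine is already joined to the domain.'
    8557 = 'Machine account quota exceeded for the join account.'
}

$cs  = Get-WmiObject -Class Win32_ComputerSystem
$net = $Credential.GetNetworkCredential()

# Arguments: domain, password, DOMAIN\user, OU ($null = default container), options.
$result = $cs.JoinDomainOrWorkgroup($Domain, $net.Password,
    "$Domain\$($net.UserName)", $null, $JOIN_DOMAIN + $ACCT_CREATE)
$code = [int]$result.ReturnValue

if ($code -eq 0) {
    Write-Output "Joined $($cs.Name) to $Domain; a reboot is required."
    exit 0
}

# Fall back to the system message text for codes not in the table.
$message = if ($JoinErrors.ContainsKey($code)) { $JoinErrors[$code] }
           else { (New-Object System.ComponentModel.Win32Exception $code).Message }
Write-Error "Domain join failed with code ${code}: $message"
exit $code
```

Exiting with the return code lets the deployment job record the specific failure instead of a generic script error.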



  • 6.  RE: Adding workstation to domain

    Trusted Advisor
    Posted Feb 28, 2011 08:19 AM

    Hi Boots,

    The sysprep domain join has always been a thorn in my side with sysprep. On some sites it works flawlessly, others might see failures on the join perhaps 30% of the time, and on other sites it fails utterly.

    Whenever I come across a site where this does not work as expected although everything looks fine,  I normally resort to using an Altiris Configuration task to execute the domain join. This works 100% of the time for me, so would be interesting to dig further into your setup to see what's amiss. 

    Kind Regards,
    Ian./



  • 7.  RE: Adding workstation to domain

    Posted Mar 01, 2011 08:15 AM

    I had a similar issue in that the deployed image finished but could not join the domain from configuration option.  Because the computer name already existed in AD I had to delete the computer account from AD.

    What I did to resolve that issue was to remove the machines entry from DHCP. Joining the domain worked fine on new computer with a new computer name but if it was a new computer using an existing name on the network that was when I had the problem.



  • 8.  RE: Adding workstation to domain

    Posted Mar 03, 2011 01:40 PM

    Thanks for all the replies.  I'm still having no luck.  I tried adding a configuration change to add to the domain, and that didn't work.  I also tried copying the script JP supplied into a .bat file (changing domain name, account, and password of course) and that didn't work for me either--I'm not well-versed in netdom, so I'll have to do my homework to figure out why it didn't work.  (I didn't bother to do an install for the Agent, because the agent exists on the image--is it still necessary to re-install the agent in order for the script to run?)

    I'm not going to waste a huge amount of time on this, because I have to touch every machine to rename it and do some other configuration that can't be automated anyway, and manually adding it to the domain isn't a big deal when I'm already there.  But I'll try a few more things and keep y'all posted.  Again, thanks all!



  • 9.  RE: Adding workstation to domain

    Trusted Advisor
    Posted Mar 03, 2011 02:16 PM

    Hi Brian,

    That one did come up in my Googles, but I think this one is mostly legacy -applicable to early NTFS support and DOS imaging.

    In this case, I reckon it's possible we've got a problem delivering over an OEM partition -that's why I've asked for a gdisk output and a wipdrive.

     



  • 10.  RE: Adding workstation to domain

    Posted Mar 03, 2011 02:41 PM

    Ian, I think you replied to the wrong thread here.



  • 11.  RE: Adding workstation to domain

    Posted Mar 03, 2011 02:43 PM

    Did you by chance check the event log on the domain controller(s) when the join domain fails?  It might give a clue on why it's failing.



  • 12.  RE: Adding workstation to domain

    Trusted Advisor
    Posted Mar 03, 2011 03:17 PM

    Jeeze... how the hell did I do that?? 



  • 13.  RE: Adding workstation to domain

    Posted Mar 03, 2011 04:13 PM

    No luck, sir--no corresponding events related to the username or the computer name that I could find.  I think it's failing before it even gets that far--I created a job with just the batch file in it, and it's immediately failing with an "error 1 during script execution".



  • 14.  RE: Adding workstation to domain

    Trusted Advisor
    Posted Mar 03, 2011 04:24 PM

    Hi Boots,

    Let me make a last ditch attempt to stay on topic.... ;-)

    When you tried the "Modify Configuration" job, have you tried using the domain admin account? Just to see if it's a rights issue of the account you've been given. I'm not saying long term this is a sensible account to use, it would be good to eliminate this.

    And test the modify configuration job on a workgroup machine first, not ever been in a domain. A VM can be good for that. Just to check that the configuration job does actually work to join the machine to the domain...



  • 15.  RE: Adding workstation to domain

    Posted Mar 03, 2011 04:36 PM

    There is a thread I recall reading in the Ghost Solution Suite forum where a user reports that Sysprep is unable to join a machine to the domain if you also use Sysprep to supply the Computername. If you leave the machine name undefined, then apparently the domain join works. YMMV

    One clever solution I have seen, used the Asset Tagging feature of the system bios (Lenovo and HP support this and probably quite a few others too) to store the Computername allocated to the machine. The build process could then read this using a bit of WMI code and set the machine name accordingly. After a reboot, the machine was then joined to the domain.

    No doubt one day Microsoft will get Sysprep to work properly in all cases - I just hope I get to see it before I reach retirement age....



  • 16.  RE: Adding workstation to domain

    Posted Mar 03, 2011 05:22 PM

    Error 1 usually means a syntax problem.  Can you post the batch file contents here?



  • 17.  RE: Adding workstation to domain

    Posted Mar 04, 2011 09:47 AM

    ianatkin: I'm certain it's not a rights issue on the account I'm using.  If a machine existed on the domain and I reimage it, as long as I delete the existing AD computer account before Sysprep gets to the "add to domain" part, it adds it in fine.  And, the computers I've tried this on are workgroup computers that have never been a part of my domain.  (that's the thing . . . sysprep can add them if they've been in the domain before.  It's weird)

    bhawyer: I used the batch file given in this thread (adding in my domain name--both "long" and "short"--username and password, tried them both with and without quotes as I wasn't sure of the syntax) copied/pasted, so it's all up there from JP330ci's post above.

    EdT: I currently have the computer name in the sysprep answer file as * so it uses the existing name (which is the asset tag/serial number as you've mentioned).

     

    In experimenting with the netdom command, I'm running into 2 difficulties:

    1) netdom isn't on my altiris server

    2) how to populate the computer name in the command to be the local computer



  • 18.  RE: Adding workstation to domain

    Posted Mar 08, 2011 07:59 PM

    Boots

    Attached is a script we use to name the computer and then join it to the domain and then it reboots the computer. Since I could not attach it as a .vbs I changed it to a .txt just rename it back to .vbs.

    This has only been used on computers not known to the Domain, in other words new computers. Also I run it manually off a thumb drive in windows 7. It has not been tested running from the deployment console so I hope it works for you.

    Attachment(s)

    txt
    jd.txt   1 KB 1 version


  • 19.  RE: Adding workstation to domain

    Trusted Advisor
    Posted Mar 09, 2011 06:31 AM

    Boots have you tried doing this,

    1. in a command prompt type,
      runas /user:mydomain\AddComputerAccount mmc

      The add computer account is the same account that you are using in your scripts to do the domain joins
       
    2. In mmc navigate to the computer object of the machine you are going to image, and delete it.

    I suspect you won't be able to do this. I believe the account you are using for domain joins only has the privileges to add computers to the destination container, but not to delete them too.

    Once this has been resolved, any of the scripts and methods described above should work.



  • 20.  RE: Adding workstation to domain

    Posted Mar 12, 2011 10:08 PM

    I have to add an addendum to my reply above.

    We used this script on 7 computers and it worked fine but since then it has been hit and miss. One time it names a computer and another time it doesn't. The only thing it is consistent with is adding the computer to the domain.



  • 21.  RE: Adding workstation to domain

    Posted Mar 18, 2011 01:56 AM

    If the domain join is removed from within sysprep, why not use an event condition based for the OS'es?

    What I mean is something like this:

    - default condition say for 2000/XP clients runs a VBS like attached and has only the requirement to have the Netdom.exe on the client;

    - a condition for Win7 runs a PS script (also attached), where the PS is called from a CMD file just because we change the exec policy for PS for the execution of that script

    Since we use sysprep in only LAB environments, I have been playing around with this for the above OS platforms and that always worked like a charm.

    If it is helpful, please anyone comment back...

    -BBC

    Attachment(s)

    txt
    Netdom.vbs_.txt   590 B 1 version
    txt
    PS and CMD.txt   789 B 1 version