Machine fails to join domain with error (NetJoinDomain failed error code is [2202])
Hello. I thought I was on the right track but I am still having some problems with a Windows 7 machine joining a domain. I am hoping someone can point me in the right direction. I am using SCCM 2007 SP2 with R2 and MDT 2010 integration. I have successfully captured Win7 Enterprise x86 and imported it into the available OS. In my custom settings package, I have configured the customsettings.ini to run several stored procedures that determine computer name, domain to join, OU, and packages to install. In my custom settings package, I also have an unattend.xml file that I have configured with a few items (this could possibly be my problem). The task sequence I am using is a MDT client sequence with no capture. During a build, I see the gather step run and it using my customsettings.ini. If I look in ztigather.log, I see the correct domain, ou, packages, and computer name. However, during the configure step and throughout the build, the machine never joins the domain. Do I need to configure something in unattend.xml? If so, I know how to configure it with static information (see below). How do I configure the unattend.xml if the values are not static and vary across the enterprise? I am sure I am making this harder than it is. Any advice would be appreciated. <Identification> <Credentials> <Domain>fabrikam.com</Domain> <Password>MyPassword</Password> <Username>MyUserName</Username> </Credentials> <JoinDomain>fabrikam.com</JoinDomain> <MachinePassword>ComputerPassword</MachinePassword></Identification>
April 1st, 2010 9:54pm

well if its not joining the domain then what does the netsetup.log file say on the client, you'll find it in c:\windows\debug you could also use collection variables to do the above and it's easier and cleaner than mucking around with customsettings.ini in my opinion, here's how My step by step SCCM Guides windows-noob on Twitter
Free Windows Admin Tool Kit Click here and download it now
April 1st, 2010 10:01pm

Thank you for the reply. In netsetup.log, it only information about joining a workgroup. Could this mean that my step for joining a domain is out of place? I am using the default steps when I create a MDT task sequence. Regarding collections variables, that is an interesting approach. The problem I see with that is that I have 200+ sites. I assume that I would need a collection for each with collection variables in place and a task sequence for each. Is this correct or am I misunderstanding?
April 1st, 2010 10:59pm

If the ZTIGather.log looks correct you can also check ZTIConfigure.log, that's the component updating unattend.xml with the values. Did you configure the task sequence to join a domain or workgroup? I agree with Mr. Brady that collection variables are easier, but for me they are not flexible enough (I'm a die hard MDT fan), so I stick with the MDT rules... :)
Free Windows Admin Tool Kit Click here and download it now
April 2nd, 2010 7:16am

Thank you for the response. I am using the Apply Network Settings step to join the domain. I have it set to run before the Setup windows and ConfigMgr. I created a simple task sequence. Below are my steps. The machine still does not join the domain. Is my order incorrect? Task Sequence Steps 1. Format and Partition Disk 2. Use Microsoft Deployment Toolkit Package 3. Gather (Using my customsetting.ini with domain to join, ou, etc) 4. Apply Operating System Image (applies windows 7 enterprise x86) 5. Apply Windows Settings 6. Run Command-Line (runs zticonfigure.wsf) 7. Auto Apply Drivers 8. Apply Network Settings ( Selected join domain with the domain value as %JOINDOMAIN% and Domain OU value as %MACHINEOBJECTOU%. I have configured an account with permissions to join the domain) 9. Setup windows and ConfigMgr
April 5th, 2010 7:16pm

There are some built-in Task Sequence templates that are very helpful and I've had success using both the SCCM one and the MDT one. You could just create one of the built-in ones and use it as a reference to ensure that you have all the steps you need in the right order. Mike N.
Free Windows Admin Tool Kit Click here and download it now
April 5th, 2010 11:57pm

Thank you for the reply. I have used the built-in ones with the same results. I am starting to think there is a problem with my captured image. When I look at the zticonfigure log, I see messages about not being able to locate unattend.xml in c:\windows\panther. I mounted my captured wim and I checked. There is not unattend.xml in the entire image. Could this be my problem? I thought that the custom settings package I have with an unattend.xml was what was used.
April 6th, 2010 3:48pm

After further research into this, I see that the unattend.xml file in c:\windows\panther\unattend is being updated with the correct information. If I look at c:\windows\panther\unattendedGC, I see the setupact.log. When I look in it, I can see where the domain and account for joining are present. When it tries to join the domain, the below error messages are present. [DJOIN.EXE] Unattended Join: NetJoinDomain attempt failed: 0x89a, will retry in 5 seconds... (Does this for 5 minutes) After 5 minutes, the below error messages appear. [DJOIN.EXE] Unattended Join: NetJoinDomain failed error code is [2202] [DJOIN.EXE] Unattended Join: Unable to join; gdwError = 0x89a My initial searches for error code 2202 have not produced any results. I am assuming it is not an account problem because the same account is used to join XP machines to the domain. Anyone seen this before?
Free Windows Admin Tool Kit Click here and download it now
April 6th, 2010 7:20pm

This is when I'd go back and look at the netsetup.log file. If the machine is actually trying to join the domain then something should get logged into that file...and that log file is much more verbose so you'll see tons of information. Mike N.
April 6th, 2010 10:53pm

I am building a machine now and I will check. However, I thought netsetup.log was for pre-Vista machines.
Free Windows Admin Tool Kit Click here and download it now
April 6th, 2010 11:09pm

Thanks for the tip. I checked the log and I see the below repeated over and over. 04/06/2010 16:10:08:213 NetpDoDomainJoin04/06/2010 16:10:08:213 NetpMachineValidToJoin: 'WIN-1OG243V57BH'04/06/2010 16:10:08:213 OS Version: 6.104/06/2010 16:10:08:213 Build number: 7600 (7600.win7_rtm.090713-1255)04/06/2010 16:10:08:213 SKU: Windows 7 Enterprise04/06/2010 16:10:08:213 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x004/06/2010 16:10:08:213 NetpGetLsaPrimaryDomain: status: 0x004/06/2010 16:10:08:213 NetpMachineValidToJoin: status: 0x004/06/2010 16:10:08:213 NetpJoinDomain04/06/2010 16:10:08:213 Machine: WIN-1OG243V57BH04/06/2010 16:10:08:213 Domain: NA.FDS.COM\USNADC04.NA.FDS.COM04/06/2010 16:10:08:213 MachineAccountOU: OU=Workstation,OU=US,OU=Computers,OU=US,DC=NA,DC=FDS,DC=com04/06/2010 16:10:08:213 Account: "Add_Machine@NA.FDS.COM"04/06/2010 16:10:08:213 Options: 0x2304/06/2010 16:10:08:213 NetpLoadParameters: loading registry parameters...04/06/2010 16:10:08:213 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x204/06/2010 16:10:08:213 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x204/06/2010 16:10:08:213 NetpLoadParameters: status: 0x204/06/2010 16:10:08:213 NetpValidateName: checking to see if 'NA.FDS.COM' is valid as type 3 name04/06/2010 16:10:08:213 NetpValidateName: 'NA.FDS.COM' is not a valid NetBIOS domain name: 0x7b04/06/2010 16:10:08:432 NetpCheckDomainNameIsValid [ Exists ] for 'NA.FDS.COM' returned 0x004/06/2010 16:10:08:432 NetpValidateName: name 'NA.FDS.COM' is valid for type 304/06/2010 16:10:08:432 NetUseAdd to \\USNADC04.NA.FDS.COM\IPC$ returned 8704/06/2010 16:10:08:432 NetUseAdd bad parameter is 504/06/2010 16:10:08:432 NetpJoinDomain: status of connecting to dc '\\USNADC04.NA.FDS.COM': 0x89a04/06/2010 16:10:08:432 NetpJoinDomainOnDs: Function exits with status of: 0x89a04/06/2010 16:10:08:432 NetpDoDomainJoin: status: 0x89a AD is not my strong suit but if I remember correctly (NetUseAdd bad parameter is 5) means that it cannot access the DC. This confuses me since the same account works with my XP image deployments. Is there something special that has to be configure for the account I use to join for Windows 7? So far, I have not located anything different.
April 6th, 2010 11:38pm

I think I maybe have found a possible cause for my problem. It looks like the firewall is on when the machine is trying to join the domain. The only way I have seen to disable the firewall is during the windowsPE pass. I configured this in my unattend.xml but the firewall was still enabled. I think I am missing something simple on this.
Free Windows Admin Tool Kit Click here and download it now
April 7th, 2010 2:59am

A couple questions... In the netsetup.log file you should see where it details the account info that it is using to Join with...is the information in there correct? Also, what happens if you try to manually join the machine to the domain? What does the log show then? I'm not sure I'd go looking for firewall issues right away...I'd eliminate any potential issues with credentials first. Mike N.
April 7th, 2010 5:18pm

I can see the account information in netsetup.log (see below) Machine: USNA00881Domain: NA.FDS.COM\USNADC04.USNADC04.NA.FDS.COMMachineAccountOU: OU=Workstation,OU=US,OU=Computers,OU=US,DC=NA,DC=FDS,DC=comAccount: "S_join@NA.FDS.COM"Options: 0x23 Further down in the log, I see the below. I am assuming that this is my problem but so far I have not found any information on it. NetUseAdd to \\USNADC04.NA.FDS.COM\IPC$ returned 87NetUseAdd bad parameter is 5 When I manually add the machine using the same account information above, it joins successfully without any problems.
Free Windows Admin Tool Kit Click here and download it now
April 7th, 2010 6:50pm

Are you using two different accounts? I went back a few posts and looked at your log files and it looks like in that one you're using an accont called "Add_Machine@NA.FDS.COM" Now in this logfile you've got the account "S_join@NA.FDS.COM" I also went and looked on the net to see if I could find what that specific error means and I'm not having any luck either. Perhaps someone else knows exactly what that error means... Mike N.
April 7th, 2010 7:41pm

No, I am only using one account. One is from production and the other is from my lab. I am pulling in the join account, domain and OU to the unattend.xml with a stored procedure in my customsettings.ini. As a test, I am not going use the customsettings.ini and use the step Apply Network Settings step to join the domain instead. I will be using the same account, s_join. My assumption is that if it joins the step then something is being written incorrectly to the unattend.xml when it is being pulling in by my customsettings.
Free Windows Admin Tool Kit Click here and download it now
April 8th, 2010 2:16am

Yeah, that sounds like a good test... Reduce things to their least complex form.Mike N.
April 8th, 2010 4:33pm

i had an issue with comptuers joining the domain if they were previously joined to the domain using another domain join account, could that be your problem also ? My step by step SCCM Guides windows-noob on Twitter
Free Windows Admin Tool Kit Click here and download it now
April 8th, 2010 4:38pm

If the account is configured with the right permissions, then that should not be a problem. Some people do not give their service accounts the ability to Delete a comptuer ojbect. If you don't have that permission, then you'll most likely end up not being able to re-join a machine to the domain, especially if the new object is going into a different OU than the one that is already there. Of course, if you give the new computer a different name, then it should join without any problems no matter what OU you try to put it in... Mike N.
April 8th, 2010 5:25pm

I double checked the account and it is good. Here are the steps I tried today. So far, I still cannot join the domain with my task sequence using my task sequence that queries the SQL database. My task sequence consists of the below. This is the task sequence that does not work. 1. Partition Disk 2. Use Toolkit Package 3. Gather (using my customsettings.ini) 4. Apply Operation System (using my unattend.xml) 5. Configure 6. Apply Device Drivers 7 Setup windows and ConfigMgr As a test, I reconfigured the task sequence as follows. The machine did join the domain and went into the correct OU. 1. Partition 2. Apply Operating System (Use an unattend.xml that had no configurations. Idea being that the two below steps would populate it.) 3. Apply Windows Settings (Entered user name, organization, product key, and admin password) 4. Apply Windows Settings (Configured to join domain using same account as the above TS and be placed in the correct OU) 5. Apply Drivers 6. Setup Windows and ConfigMgr As a further test, before the machine rebooted with the reconfigured task sequence. I grabbed the unattend.xml in c:\windows\panther\unattend. I added this to my customsettings package and pointing the Apply Operating System step to use it. I then built a machine using it. Before the machine rebooted for setup, I grab the unattend.xml from c:\windows\panther. It was identical to what was used in the task sequence that works. This is really odd to me. I assume something is being pulled over incorrectly but I am not sure.
Free Windows Admin Tool Kit Click here and download it now
April 9th, 2010 12:49am

I found the problem. I looked more carefully at the ztigather, zticonfigure and the unattend.xml. I noticed that in ztigather when it was running my stored procedure to pull in the domain admin account and password. It was putting quotes around them. So the account was "s_join" instead of sjoin. I have modified the stored procedure to remove the quotes. So, it was the account. Thanks for the help.
April 9th, 2010 8:55pm

good detective work, and well done for finding out the problem and reporting the solution My step by step SCCM Guides windows-noob on Twitter
Free Windows Admin Tool Kit Click here and download it now
April 9th, 2010 9:00pm

I may have a similar issue - however unable to debug further because last line on my Panther\UnattendGC\setupact.log is <timestamp> info [DJOIN.EXE] Unattended join: Calling DsGetDcName for <domain>... and there is nothing in windows\debug\netsetup.log Something is seriously stuck because I get no error messages or logging?
November 4th, 2010 2:21pm

hi Niall, I am using answer file to join the Domain and a script at the initialize phase of my MDT 2010 TS to change the computer name the computer name gets changed but the machine is unable to join the domain. My answer file looks like this:- My netsetup.log file is this:- i am applying the domain credentials in my answer file but it's not in netsetup.log.... please help. Thanks Pranay
Free Windows Admin Tool Kit Click here and download it now
October 27th, 2011 3:13am

hi Niall, I am using answer file to join the Domain and a script at the initialize phase of my MDT 2010 TS to change the computer name the computer name gets changed but the machine is unable to join the domain. My answer file consists of all the credentials and the domain name. My netsetup.log file does not have any specification of domain name. i am applying the domain credentials in my answer file but it's not in netsetup.log.... please help. Thanks Pranay
October 27th, 2011 3:59am

i guess it was an image capture problem,I was using a recaptured image.... captured a fresh image using MDT 2010 ts & then deployed it.... deployment went smoothly and the machine joined the domain with other answer file settings. Thanks Pranay.
Free Windows Admin Tool Kit Click here and download it now
October 29th, 2011 7:34am

i guess it was an image capture problem,I was using a recaptured image.... captured a fresh image using MDT 2010 ts & then deployed it.... deployment went smoothly and the machine joined the domain with other answer file settings. Thanks Pranay.
October 29th, 2011 2:31pm

Something else I ran into when using the JoinDomain option in the unattended.xml file is that the server will be added to the default OU in the domain. Make sure that the account you are using has access to the OU. If you are trying to add a server to a different OU, you will have to use a post-build script to accomplish this.
Free Windows Admin Tool Kit Click here and download it now
November 8th, 2011 9:35pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics