Hi, my name is Ankit Shukla. This post (Fix SCCM OSD Machine Domain Join Issue) is my first; I have been working with SCCM/MECM for more than 7 years. I will be sharing the issues I have faced in my IT career and posting the solutions for them.
My posts will not only help you find the solution but, if you start following them, will also show you the approach to take while troubleshooting issues.
Let’s Get Started!
Little Background and Issue
I was setting up OSD from scratch in a new AD forest for Windows 10 machines. During the testing phase, while imaging machines via MECM, I hit an issue: after a few successful builds, machines started failing to join the domain. A few machines had been built successfully with the same task sequence, and then it stopped working without any changes having been made to the task sequence.
- The first step was to check the task sequence 'Apply Network Settings' step.
- Checking the deployment status of the task sequence in the Monitoring node pointed me to the error in NetSetup.log (path C:\Windows\Debug\NetSetup.log).
- Checking NetSetup.log and setuperr.log (path %Systemdrive%\panther\UnattendGC\) clearly showed the error: the machine was unable to join the domain.
More details from NetSetup.log:
More details from setuperr.log:
- The next step was to check the task sequence step 'Apply Network Settings' and verify the account used to join the domain. I had used an account that was not a domain administrator, as this was the testing phase. I logged into the problematic machine as the local admin defined in the TS and tried to join the machine to the domain manually with the same account used in the task sequence. It failed with the same error.
- I used different accounts to join the machine to the domain manually, and it was successful. During the testing, it was also noticed that 'domain users' were able to join machines to the domain.
- Gathering information pointed to the ms-DS-MachineAccountQuota attribute on the newly configured AD forest: the non-admin account used in the task sequence had used up its quota of computer accounts, which is why the first few builds succeeded and the later ones failed.
- By default, a domain user can join 10 computer accounts to a domain, which is not right from a security perspective. Only domain administrators should have access to join machines.
- Checking the properties in AD gave me the exact count (connect to Active Directory via 'dsa.msc' and make sure 'Advanced Features' is enabled under the View menu, as shown below).
- Right-click the domain, open Properties, go to the Attribute Editor tab, search for ms-DS-MachineAccountQuota and check its value. The value set here is the number of computer accounts each domain user can join to the domain.
- Properties of the computer object
- You can also use the following PowerShell command to get this detail:
Get-ADObject ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
Fix SCCM OSD Machine Domain Join Issue
- Ideally, this value should be '0' from a security point of view; just double-click the attribute value and change it. A value of 0 means that domain users are not allowed to add computer accounts.
- That's it. I used a Domain Admin account in the task sequence step, and since then machines have joined the domain without issue during imaging. Using a different account is what led me to this issue, which I think is a valuable outcome of the troubleshooting.
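The following script is an added example and is not part of the original post. It turns the two manual steps above (reading ms-DS-MachineAccountQuota in the Attribute Editor, then setting it to 0) into a repeatable audit: it reads the quota, lists the computer objects that were created under the quota (these carry the mS-DS-CreatorSID attribute, which is not set when an account with explicitly delegated 'Create Computer objects' rights or a Domain Admin joins a machine), shows how many joins each creator has left, and ends with the hardening change commented out. It assumes the ActiveDirectory RSAT module is installed, that it runs on a domain-joined machine, and that the account running it can read the domain and (for the last line) modify the domain object.

```powershell
# Added example, not code from the original post.
# Audits ms-DS-MachineAccountQuota and the computer accounts that consumed it.
# Assumes: ActiveDirectory module (RSAT), domain-joined host, read rights on the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Read the current quota (10 on a freshly created forest).
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Computer objects joined under the quota carry mS-DS-CreatorSID.
#    Objects created by accounts with explicit create rights (or Domain Admins) do not.
$quotaJoined = Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID

$report = $quotaJoined |
    Group-Object { [string]$_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $sidString = $_.Name
        try {
            # Resolve the SID to DOMAIN\user; deleted accounts stay as raw SIDs.
            $creator = (New-Object System.Security.Principal.SecurityIdentifier($sidString)).
                           Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $creator = "<unresolved SID: $sidString>"
        }
        [pscustomobject]@{
            Creator   = $creator
            Computers = $_.Count
            # Joins this account can still perform before a TS domain join fails.
            Remaining = [Math]::Max(0, $quota - $_.Count)
            Names     = ($_.Group.Name -join ', ')
        }
    }

$report | Sort-Object Computers -Descending | Format-Table -AutoSize

# 3. Hardening: set the quota to 0 so only explicitly delegated accounts can create
#    computer objects. Uncomment to apply; first make sure the OSD join account has
#    'Create Computer objects' delegated on the target OU, or it will start failing too.
# Set-ADObject -Identity $domainDN -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

The Remaining column explains the symptom in the post directly: an account whose count reaches the quota will succeed on every build until the tenth computer object and fail from the eleventh onward. Once the quota is 0, the join account used in 'Apply Network Settings' must have create rights delegated on the OU where computers land; that is the check to run before applying the last line.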
- SCCM OSD Troubleshooting using SMSTS Log with Vishal | ConfigMgr
- OSD Known Issues Troubleshooting Guide |SCCM |ConfigMgr