Fix SCCM OSD Machine Domain Join Issue ldap_add_s failed: 0x35 0x216d


Hi, my name is Ankit Shukla. This post (Fix SCCM OSD Machine Domain Join Issue) is my first; I have been working in SCCM/MECM technology for more than 7 years. I will be sharing my experience and the issues I have faced in my IT career, and posting solutions for them.

My posts will not only help you find the solution, but if you start following them you will also see the approach we need to follow while troubleshooting issues.

Let’s Get Started!

Little Background and Issue

I was setting up OSD from scratch in a new AD forest for Windows 10 machines. During the testing phase, while imaging machines via MECM, I faced an issue: after a few successful builds, machines were failing to join the domain. A few machines had been built successfully with the same task sequence, but then it stopped working without any changes to the task sequence.

Troubleshooting

  • The first step was to check the task sequence 'Apply Network Settings' step.
  • Checking the deployment status of the task sequence from the Monitoring node guided me to look for the error in NetSetup.log (path: C:\Windows\Debug\NetSetup.log).
  • I then checked NetSetup.log and setuperr.log (path: %Systemdrive%\panther\UnattendGC\).
  • They clearly showed the error: the machine was unable to join the domain.

NetSetup.log

More details from NetSetup.log:


Setuperr.log

More details from Setuperr.log:


Further Analysis

  • The next step was to check the task sequence step 'Apply Network Settings' and verify the account used to join the domain. I had used an account which was not a domain administrator, as we were in the testing phase. I logged into the problematic machine as the local admin defined in the TS and tried to join the machine to the domain manually with the same account used in the task sequence. It failed with the same error.
  • I used different accounts manually to join the machine to the domain, and it was successful. During testing, it was also noticed that 'domain users' are also able to join machines to the domain.
  • Gathering information, it turned out to be an ms-DS-MachineAccountQuota attribute issue on the newly configured AD forest.
  • By default, a domain user can join 10 computer accounts to a domain, which is not right from a security perspective. Only domain administrators should have access to join machines.
  • Checking the properties in AD gave me the exact count (connect to your Active Directory via 'dsa.msc' and make sure 'Advanced Features' is enabled, as shown below).
  • Right-click the domain, open Properties and go to the Attribute Editor tab; search for ms-DS-MachineAccountQuota and check its value. The value set here is the number of computer accounts each domain user can join to the domain.
  • Properties of the computer object
  • You can also use the following PowerShell command (from the RSAT ActiveDirectory module) to get this detail:
Get-ADObject ((Get-ADDomain).DistinguishedName) -Properties ms-DS-MachineAccountQuota

Fix SCCM OSD Machine Domain Join Issue

  • Ideally, this value should be '0' from a security point of view; just double-click the attribute value and change it. A value of 0 means that domain users are not allowed to add computer accounts.
  • That's it. I used a domain admin account in the task sequence step, and since then machines have been joining the domain without issue during imaging; but using a different account led me to this issue, which I think is a valuable outcome of troubleshooting.
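As an added example (not code from the original post), the following PowerShell script does what the steps above describe and goes one step further: it reads ms-DS-MachineAccountQuota, lists the computer objects that were created through the quota (Active Directory records the creator in the mS-DS-CreatorSID attribute of such objects, so you can see which machines were joined this way and by whom), and then sets the quota to 0. It assumes the RSAT ActiveDirectory module is installed and that it is run with an account allowed to modify the domain object; no OU or account names are assumed.

```powershell
# Added example: audit and fix ms-DS-MachineAccountQuota on the current domain.
# Assumes the RSAT ActiveDirectory module and rights to modify the domain object.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Read the current quota (a freshly created domain defaults to 10).
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. List computer objects whose mS-DS-CreatorSID is populated. AD fills this attribute
#    only when the account was created by relying on the quota rather than on an explicit
#    'Create Computer objects' permission, so it is the audit trail for quota-based joins.
$created = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', 'whenCreated' |
    Where-Object { $_.'mS-DS-CreatorSID' }

foreach ($c in $created) {
    $raw = $c.'mS-DS-CreatorSID'
    # The AD module may return the value as raw bytes or as a SecurityIdentifier; handle both.
    $sid = if ($raw -is [byte[]]) {
        New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    } else {
        [System.Security.Principal.SecurityIdentifier]$raw
    }
    # Resolve the SID to DOMAIN\user where possible; fall back to the raw SID string.
    $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    [pscustomobject]@{ Computer = $c.Name; Created = $c.whenCreated; CreatedBy = $creator }
}

# 3. Set the quota to 0 so only Domain Admins or principals with delegated
#    'Create Computer objects' rights on an OU can add machines.
if ($quota -ne 0) {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    $after = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    Write-Output "ms-DS-MachineAccountQuota is now $after"
}
```

Run the audit part first on its own if you want to see who has been joining machines before changing anything; adding -WhatIf to the Set-ADObject call previews the change without applying it. Once the quota is 0, the task sequence join account needs explicit create/delete rights on the target computer OU (or Domain Admins membership, as used in this post) for imaging to keep working.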

Happy Learning!


Comments

  1. Perhaps security would be better served by setting up a service account with the minimum permissions to join/delete a machine from the domain. Using a domain admin account may cache the credentials of that domain admin account on every machine you build, which, at least briefly (until that account's password is changed), could allow malware or bad actors to access or compromise the account and move laterally through the domain machines. A remote possibility, but the concept of "minimum privilege" applied here may be the safest approach.

    • We are still in the configuring stage, and for testing purposes a dedicated domain join account was created, but you are right: a service account with least permissions is the best practice from a security perspective.
