FIX SCCM OSD Machine Domain Join Issue ldap_add_s failed: 0x35 0x216d

Hi, My name is Ankit Shukla. Let’s discuss FIX SCCM OSD Machine Domain Join Issue ldap_add_s failed: 0x35 0x216d in my first post.

I have been working in SCCM/MECM technology for more than 7 years. I will be sharing my experience and the issues I have faced in my IT career, and posting solutions for them.

My posts will not only help you find the solution but, if you start following them, will also show you the approach we need to follow while troubleshooting issues.

Let’s Get Started!


Little Background and Issue – ldap_add_s failed: 0x35 0x216d

I was setting up OSD from scratch in a new AD forest for Windows 10 machines. During the testing phase, while imaging machines via MECM, I hit an issue: after a few successful builds, machines started failing to join the domain.

A few machines had been built successfully with the same task sequence, and then it stopped working without any change having been made to the task sequence.

Troubleshooting ldap_add_s failed: 0x35 0x216d

Let’s try to FIX SCCM OSD Machine Domain Join Issue ldap_add_s failed: 0x35 0x216d. The first step was to check the task sequence ‘Apply Network Settings’ Step.

Checking the deployment status of the task sequence from the Monitoring node pointed me to look for the error in NetSetup.log (path C:\Windows\Debug\NetSetup.log).

  • After checking NetSetup.log and setuperr.log (path %Systemdrive%\panther\UnattendGC\)
  • Both logs clearly showed the error: the machine was unable to join the domain.

NetSetup.log

Check the following log file to get more details -> NetSetup.log:


Setuperr.log

This is another log that you need to check to get more details -> Setuperr.log:


Further Analysis – FIX SCCM OSD Machine Domain Join Issue ldap_add_s failed: 0x35 0x216d

The next step was to check the task sequence step ‘Apply Network Settings’ and verify the account used to join the domain. I had used an account that was not a domain administrator, as this was the testing phase. I logged into the problematic machine as the local admin defined in the TS and tried to join the machine to the domain manually with the same account used in the task sequence. It failed with the same error.

NOTE! – Don’t use the Domain Admin account to join Windows 10 and Windows 11 devices to the domain; instead, use a service account with delegated permissions to perform the domain join action. Thanks to Martin Wüthrich for highlighting this on the Twitter thread.

I then used different accounts to join the machine to the domain manually, and it was successful. During this testing it was also noticed that ordinary ‘domain users’ were able to join machines to the domain.

Gathering information pointed to the ms-DS-MachineAccountQuota attribute on the newly configured AD forest as the cause.

By default, a domain user can join 10 computer accounts to a domain, which is not right from a security perspective. Only Domain Administrators should have access to join machines, and the service account should be used to perform the domain join action, as discussed above.

Checking the properties in AD gave me the exact count (connect to Active Directory via ‘dsa.msc’ and make sure ‘Advanced Features’ is enabled, as shown below).


Right-click the domain, open Properties, and go to the Attribute Editor tab. Search for ms-DS-MachineAccountQuota and check its value. The value set here is the number of computer accounts each domain user can join to the domain.


Properties of the computer object


You can also use the following PowerShell command to get this value.

Get-ADObject ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

Ideally, this value should be ‘0’ from a security point of view; just double-click the attribute value and change it. A value of 0 means that domain users are not allowed to add computer accounts.
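To make the check and the fix repeatable, here is an added PowerShell example (not code from the original post) that decodes the NetSetup.log error line, reads and sets ms-DS-MachineAccountQuota, and lists computer accounts that were created through the quota (those carry the creator's SID in mS-DS-CreatorSID, so they show which users have been joining machines). It assumes the ActiveDirectory RSAT module and an account that can read, and for the Set function write, the domain object.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory RSAT module and an
# account allowed to read (and, for Set-MachineAccountQuota, write) the domain object.
Import-Module ActiveDirectory

# Decode the NetSetup.log line from the post: 0x35 is LDAP_UNWILLING_TO_PERFORM and 0x216d (8557) is
# ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED, i.e. the join account has used up its computer-account quota.
function Get-NetSetupJoinErrors {
    param([string]$Path = "$env:SystemRoot\Debug\NetSetup.log")
    $known = @{ 0x35 = 'LDAP_UNWILLING_TO_PERFORM'; 0x216d = 'ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED' }
    Select-String -Path $Path -Pattern 'ldap_add_s failed:\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)' |
        ForEach-Object {
            $ldap  = [int]$_.Matches[0].Groups[1].Value   # PowerShell parses the 0x prefix
            $win32 = [int]$_.Matches[0].Groups[2].Value
            [pscustomobject]@{
                Line  = $_.LineNumber
                Ldap  = '{0} ({1})' -f $ldap, $known[$ldap]
                Win32 = '{0} ({1})' -f $win32, $known[$win32]
            }
        }
}

# Read the quota from the domain object (the same query as in the post, wrapped in a function).
function Get-MachineAccountQuota {
    $domain = Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    [int]$domain.'ms-DS-MachineAccountQuota'
}

# Set the quota; 0 stops ordinary domain users creating computer accounts, while accounts explicitly
# delegated 'Create Computer objects' on the OU (the OSD join account) are unaffected. Supports -WhatIf.
function Set-MachineAccountQuota {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Quota = 0)
    $dn = (Get-ADDomain).DistinguishedName
    if ($PSCmdlet.ShouldProcess($dn, "Set ms-DS-MachineAccountQuota to $Quota")) {
        Set-ADObject -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
    }
}

# Computers created through the quota (not by a delegated account) carry the creator's SID in
# mS-DS-CreatorSID; listing them shows which users have been joining machines and should be reviewed.
function Get-QuotaCreatedComputers {
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            $creator = $sid.Value
            try { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
            [pscustomobject]@{ Computer = $_.Name; Creator = $creator; Created = $_.whenCreated }
        }
}
Get-NetSetupJoinErrors; Get-MachineAccountQuota; Get-QuotaCreatedComputers
Set-MachineAccountQuota -Quota 0 -WhatIf   # drop -WhatIf to apply the change
```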

That’s it. I used a dedicated account (a service account with the minimum required delegated permissions for domain join) in the Task Sequence step, and since then machines have been joining the domain without issue during imaging. Using a different account is what led me to this issue, which I think is a valuable outcome of the troubleshooting.

Thanks to Martin Wüthrich for highlighting the domain join account scenario on the Twitter thread. He also suggested setting msDS-MachineAccountQuota to 0, which is something he always configures in a domain.

Happy Learning!

Author

Hi, my name is Ankit Shukla, and I have been working in IT since 2012. For the last 7 years, I have been working on SCCM/MECM. In these years I have worked on different features of this tool, including migration, designing the infrastructure, OSD, custom SQL reporting, client-side troubleshooting, and others. In my blog posts, you will find my experience with the issues I have faced and the solutions for them. The major objective of these posts is to reach the audience who are working as support team members or SCCM admins in their organizations.

4 thoughts on “FIX SCCM OSD Machine Domain Join Issue ldap_add_s failed: 0x35 0x216d”

  1. Perhaps security would be better served to set up a service account with the minimum permissions to join/delete a machine from the domain. Using a domain admin account may cache the credentials of that domain admin account on every machine you build, which, at least briefly (until that account’s password is changed), allows malware or bad actors to access or compromise the account and laterally move through the domain machines. A remote possibility, but the concept of “minimum privilege” applied here may be the safest approach.

    • We are still in the configuring stage, and for testing purposes a dedicated domain join account was created, but you are right: a service account with least permissions is the best practice from a security perspective.

