Windows 7 MDT Offline Domain Join
In a scenario where a user does not have access to the corporate network, a mostly automated media-based refresh is implemented.
- Refresh laptops from Windows XP/Vista to Windows 7
- MDT task sequence, OS, drivers, apps, contained on a supplied DVD
- User needs only to select the task sequence from the Wizard menu, all else is automated
- Hardlink user state capture and migration
The problem exists with joining the offline computer to the corporate domain. If the domain join fails, the user can't log on to his/her restored domain user profile.
Does anyone have any experience or tips related to using the Win7/2008 djoin.exe utility with an automated MDT task sequence? I can't find much information on it, and it's new to me.
I gather that you have to join the object at the domain first, then extract the required metadata, and somehow inject this individual computer data (aka Base64 blob) in the 'Microsoft-Windows-UnattendJoin/Identification/Provisioning' section of the unattend.xml
... but how to do that with some type of variable? I'd like to avoid creating a customized DVD for every single computer in the field.
I'll keep searching, but if anyone has done this before please let me know your experiences.
Appreciate the reply, but I've already read through that. I'm looking for information specific to MDT and suggestion on how to include the process in a [semi] automated task sequence in a media-based offline scenario.
A general idea would be to compile a text file of target computer names, run a script to execute djoin.exe against the list to provision all the computers, generating a base64 blob text file for each. Then, store that repository of files in the deployment
share so it is included on the MDT media. Call the file as a Run Command step using the computer name variable during the task sequence State Restore phase to execute the offline join. eg:
cmd.exe /c djoin.exe /requestODJ /loadfile %ScriptRoot%\Blobs\%OSDComputerName%.txt /windowspath %windir% /localos
In testing, provisioning an existing computer on the DC breaks any domain relationship because the computer account is reset by the /reuse parameter. The relationship can be fixed by running the /requestODJ command on the computer - essentially 'rejoining'
the machine to the domain - but it presents a problem for the time lapse between pre-staging computers and distributing the media. Since the users are all currently running XP or Vista, it doesn't make sense to explore a theory of re-using the same blob
data multiple times, such as immediately after provisioning and then again during the reimage.
I'm opening a call with MS support, but still interested to hear if anyone has used this utility with MDT at all.
Similar Messages
-
Offline domain join for MDT 2012 media based deployments at offsite
Hi,
How do we bring device into domain in media based deployments for offsite (device doesn't have access to the domain network) devices?
I am planning to run media based TS, shutdown the device (using shutdown command line in TS), adding step for 'recover from domain' after shutown step.
TS is working fine but it loose the continuity and gives an message that there already been deployment running on this device, do you want to continue(yes\No). If I click on NO, it proceed further with 'recover from domain'. Is there any step that I can
run before shutdown that can store the current status for TS and continue clean once system boot onsite ?
Regards,The simple answer is: two Task Sequences.
The first would be to put the WIM on the machine, do any config you need and install any applications that can be installed sans network. This would be an Offline Media Task Sequence that you would run with the USB stick and no network connection.
This Task Sequence wouldn't join the domain, but would be configured to join a Workgroup. Name it like MDT-ConfigImage or something so you can easily spot devices on your network that haven't yet run TS#2.
The second would a Task Sequence to just run the join domain command, maybe run Windows Update (now that it's presumably connected to a WSUS server) and install any apps that require a connection to the network (hopefully none). This Task Sequence
would be pretty simple and could be launched via LiteTouch.vbs directly or configured to be booted from, then have the TS boot the full OS already installed (from Task Sequence #1) and "complete the configuration."
Keeping it as two has the added ability to quickly modify and update TS#2 without needing to regenerate your Offline Media for TS#1 and provide to whoever is doing that imaging. This is effectively what happens with some of the vendors (like Dell)
when they image your machine with your image in their config center and then they send you the box and you "finish it" on network (while it can join domain, etc.).
David Coulter | http://DCtheGeek.blogspot.com |
@DCtheGeek -
Upgrading Windows 10 for Domain joined PC's
It's worth noting the text just above the download buttons:
TextIf you’re on an Enterprise edition, the media creation tool won’t work for an upgrade. Please see the Volume Licensing Service Center for more information.Sorry if this has already been posted but I thought this may help some people
https://www.microsoft.com/en-us/software-download/windows10
This topic first appeared in the Spiceworks Community -
Domain Join Issue during Task Sequence
SCCM 2012 R2 CU3 running Primary Site.
Using SCCM task sequence. Everything works except the machine won't join the domain.
Netsetup.log
12/20/2013 10:17:01:583 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
12/20/2013 10:17:01:583 NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 10:17:01:583 NetpMachineValidToJoin: status: 0x0
12/20/2013 10:17:01:583 NetpJoinDomain
12/20/2013 10:17:01:583 Machine: 243WIN7BASETST
12/20/2013 10:17:01:583 Domain: judicial
12/20/2013 10:17:01:583 MachineAccountOU: (NULL)
12/20/2013 10:17:01:583 Account: judicial\pcsetup2
12/20/2013 10:17:01:583 Options: 0x27
12/20/2013 10:17:01:583 NetpLoadParameters: loading registry parameters...
12/20/2013 10:17:01:583 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
12/20/2013 10:17:01:583 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
12/20/2013 10:17:01:583 NetpLoadParameters: status: 0x2
12/20/2013 10:17:01:583 NetpValidateName: checking to see if 'judicial' is valid as type 3 name
12/20/2013 10:17:01:692 NetpCheckDomainNameIsValid [ Exists ] for 'judicial' returned 0x0
12/20/2013 10:17:01:692 NetpValidateName: name 'judicial' is valid for type 3
12/20/2013 10:17:01:692 NetpDsGetDcName: trying to find DC in domain 'judicial', flags: 0x40001010
12/20/2013 10:17:16:699 NetpDsGetDcName: failed to find a DC having account '243WIN7BASETST$': 0x525, last error is 0x0
12/20/2013 10:17:16:699 NetpLoadParameters: loading registry parameters...
12/20/2013 10:17:16:699 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
12/20/2013 10:17:16:699 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
12/20/2013 10:17:16:699 NetpLoadParameters: status: 0x2
12/20/2013 10:17:16:699 NetpDsGetDcName: status of verifying DNS A record name resolution for 'ATREYU1V-PII.jis.state.ct.us': 0x0
12/20/2013 10:17:16:699 NetpDsGetDcName: found DC '\\ATREYU1V-PII.jis.state.ct.us' in the specified domain
12/20/2013 10:17:16:699 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
12/20/2013 10:17:16:746 NetpJoinDomain: status of connecting to dc '\\ATREYU1V-PII.jis.state.ct.us': 0x0
12/20/2013 10:17:16:746 NetpProvisionComputerAccount:
12/20/2013 10:17:16:746 lpDomain: judicial
12/20/2013 10:17:16:746 lpMachineName: 243WIN7BASETST
12/20/2013 10:17:16:746 lpMachineAccountOU: (NULL)
12/20/2013 10:17:16:746 lpDcName: ATREYU1V-PII.jis.state.ct.us
12/20/2013 10:17:16:746 lpDnsHostName: (NULL)
12/20/2013 10:17:16:746 lpMachinePassword: (null)
12/20/2013 10:17:16:746 lpAccount: judicial\pcsetup2
12/20/2013 10:17:16:746 lpPassword: (non-null)
12/20/2013 10:17:16:746 dwJoinOptions: 0x27
12/20/2013 10:17:16:746 dwOptions: 0x40000003
12/20/2013 10:17:16:746 NetpLdapBind: Verified minimum encryption strength on ATREYU1V-PII.jis.state.ct.us: 0x0
12/20/2013 10:17:16:746 NetpLdapGetLsaPrimaryDomain: reading domain data
12/20/2013 10:17:16:746 NetpGetNCData: Reading NC data
12/20/2013 10:17:16:746 NetpGetDomainData: Lookup domain data for: DC=jis,DC=state,DC=ct,DC=us
12/20/2013 10:17:16:746 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=jis,DC=state,DC=ct,DC=us
12/20/2013 10:17:16:746 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
12/20/2013 10:17:16:761 NetpGetComputerObjectDn: Cracking DNS domain name jis.state.ct.us/ into Netbios on
\\ATREYU1V-PII.jis.state.ct.us
12/20/2013 10:17:16:761 NetpGetComputerObjectDn: Crack results: name = JUDICIAL\
12/20/2013 10:17:16:761 NetpGetComputerObjectDn: Cracking account name JUDICIAL\243WIN7BASETST$ on
\\ATREYU1V-PII.jis.state.ct.us
12/20/2013 10:17:16:761 NetpGetComputerObjectDn: Crack results: Account does not exist
12/20/2013 10:17:16:761 NetpGetComputerObjectDn: Cracking Netbios domain name JUDICIAL\ into root DN on
\\ATREYU1V-PII.jis.state.ct.us
12/20/2013 10:17:16:761 NetpGetComputerObjectDn: Crack results: name = DC=jis,DC=state,DC=ct,DC=us
12/20/2013 10:17:16:761 NetpGetComputerObjectDn: Got DN CN=243WIN7BASETST,OU=JB New Computers,DC=jis,DC=state,DC=ct,DC=us from the default computer container
12/20/2013 10:17:16:761 NetpModifyComputerObjectInDs: Initial attribute values:
12/20/2013 10:17:16:761 objectClass = Computer
12/20/2013 10:17:16:761 SamAccountName = 243WIN7BASETST$
12/20/2013 10:17:16:761 userAccountControl = 0x1000
12/20/2013 10:17:16:761 DnsHostName = 243WIN7BASETST.jis.state.ct.us
12/20/2013 10:17:16:761 ServicePrincipalName = HOST/243WIN7BASETST.jis.state.ct.us RestrictedKrbHost/243WIN7BASETST.jis.state.ct.us HOST/243WIN7BASETST RestrictedKrbHost/243WIN7BASETST
12/20/2013 10:17:16:761 unicodePwd = <SomePassword>
12/20/2013 10:17:16:761 NetpModifyComputerObjectInDs: Computer Object does not exist in OU
12/20/2013 10:17:16:761 NetpModifyComputerObjectInDs: Attribute values to set:
12/20/2013 10:17:16:761 objectClass = Computer
12/20/2013 10:17:16:761 SamAccountName = 243WIN7BASETST$
12/20/2013 10:17:16:761 userAccountControl = 0x1000
12/20/2013 10:17:16:761 DnsHostName = 243WIN7BASETST.jis.state.ct.us
12/20/2013 10:17:16:761 ServicePrincipalName = HOST/243WIN7BASETST.jis.state.ct.us RestrictedKrbHost/243WIN7BASETST.jis.state.ct.us HOST/243WIN7BASETST RestrictedKrbHost/243WIN7BASETST
12/20/2013 10:17:16:761 unicodePwd = <SomePassword>
12/20/2013 10:17:16:886 NetpEncodeProvisioningBlob: Encoding provisioning data
12/20/2013 10:17:16:886 NetpInitBlobWin7: Constructing blob...
12/20/2013 10:17:16:886 Blob version: 1
12/20/2013 10:17:16:886 lpDomain: judicial
12/20/2013 10:17:16:886 lpMachineName: 243WIN7BASETST
12/20/2013 10:17:16:886 lpMachinePassword: <omitted from log>
12/20/2013 10:17:16:886 DomainDnsPolicy:
12/20/2013 10:17:16:886 Name: JUDICIAL
12/20/2013 10:17:16:886 DnsDomainName: jis.state.ct.us
12/20/2013 10:17:16:886 DnsForestName: jis.state.ct.us
12/20/2013 10:17:16:886 DomainGuid: 8108ed1e-d08f-40a0-8089-598b7f58e1e7
12/20/2013 10:17:16:886 Sid: S-1-5-21-1552756269-800212831-618671499
12/20/2013 10:17:16:886 DcInfo:
12/20/2013 10:17:16:886 DomainControllerName:
\\ATREYU1V-PII.jis.state.ct.us
12/20/2013 10:17:16:886 DomainControllerAddress:
\\10.16.6.99
12/20/2013 10:17:16:886 DomainControllerAddressType: 1
12/20/2013 10:17:16:886 DomainGuid: 8108ed1e-d08f-40a0-8089-598b7f58e1e7
12/20/2013 10:17:16:886 DomainName: jis.state.ct.us
12/20/2013 10:17:16:886 DnsForestName: jis.state.ct.us
12/20/2013 10:17:16:886 Flags: 0xe00031fc
12/20/2013 10:17:16:886 DcSiteName: Judicial-Data-Centers
12/20/2013 10:17:16:886 ClientSiteName: EHFD-99ERiver
12/20/2013 10:17:16:886 Options: 0x40000003
12/20/2013 10:17:16:886 NetpInitBlobWin7: Blob pickling result: 0
12/20/2013 10:17:16:886 NetpEncodeProvisioningBlob: result: 0x0
12/20/2013 10:17:16:886 ldap_unbind status: 0x0
12/20/2013 10:17:16:886 NetpRequestOfflineDomainJoin:
12/20/2013 10:17:16:886 dwProvisionBinDataSize: 960
12/20/2013 10:17:16:886 JoinOptions: 0x27
12/20/2013 10:17:16:886 Options: 0x40000003
12/20/2013 10:17:16:886 lpWindowsPath: C:\Windows
12/20/2013 10:17:16:886 NetpDecodeProvisioningBlob: Unpickling provisioning blob with size 960 bytes
12/20/2013 10:17:16:886 NetpDecodeProvisioningBlob: Searching 1 blobs for supported ODJ blob, highest supported version: 1
12/20/2013 10:17:16:886 NetpDecodeProvisioningBlob: Found ODJ blob version: 1
12/20/2013 10:17:16:886 NetpDecodeProvisioningBlob: Selected ODJ blob version: 1
12/20/2013 10:17:16:886 Blob version: 1
12/20/2013 10:17:16:886 lpDomain: judicial
12/20/2013 10:17:16:886 lpMachineName: 243WIN7BASETST
12/20/2013 10:17:16:886 lpMachinePassword: <omitted from log>
12/20/2013 10:17:16:886 DomainDnsPolicy:
12/20/2013 10:17:16:886 Name: JUDICIAL
12/20/2013 10:17:16:886 DnsDomainName: jis.state.ct.us
12/20/2013 10:17:16:886 DnsForestName: jis.state.ct.us
12/20/2013 10:17:16:886 DomainGuid: 8108ed1e-d08f-40a0-8089-598b7f58e1e7
12/20/2013 10:17:16:886 Sid: S-1-5-21-1552756269-800212831-618671499
12/20/2013 10:17:16:886 DcInfo:
12/20/2013 10:17:16:886 DomainControllerName:
\\ATREYU1V-PII.jis.state.ct.us
12/20/2013 10:17:16:886 DomainControllerAddress:
\\10.16.6.99
12/20/2013 10:17:16:886 DomainControllerAddressType: 1
12/20/2013 10:17:16:886 DomainGuid: 8108ed1e-d08f-40a0-8089-598b7f58e1e7
12/20/2013 10:17:16:886 DomainName: jis.state.ct.us
12/20/2013 10:17:16:886 DnsForestName: jis.state.ct.us
12/20/2013 10:17:16:886 Flags: 0xe00031fc
12/20/2013 10:17:16:886 DcSiteName: Judicial-Data-Centers
12/20/2013 10:17:16:886 ClientSiteName: EHFD-99ERiver
12/20/2013 10:17:16:886 Options: 0x40000003
12/20/2013 10:17:16:886 NetpDoInitiateOfflineDomainJoin
12/20/2013 10:17:16:886 NetpDoInitiateOfflineDomainJoin: Setting backup/restore privileges
12/20/2013 10:17:16:902 NetpInitiateOfflineJoin
12/20/2013 10:17:16:902 lpLocalRegistryPath: C:\Windows\system32\config\SYSTEM
12/20/2013 10:17:16:902 dwOptions: 0x40000003
12/20/2013 10:17:16:902 NetpConvertBlobToJoinState: Translating provisioning data to internal format
12/20/2013 10:17:16:902 NetpConvertBlobToJoinState: Selecting version 1
12/20/2013 10:17:16:902 NetpConvertBlobToJoinState: exiting: 0x0
12/20/2013 10:17:16:902 NetpValidateFullJoinState: Validating provisioning data...
12/20/2013 10:17:16:902 NetpValidateFullJoinState: exiting: 0x0
12/20/2013 10:17:16:902 NetpClearFullJoinState: Removing cached state from the registry...
12/20/2013 10:17:16:902 NetpClearFullJoinState: Status of deleting join state key 0x2
12/20/2013 10:17:16:902 NetpSaveFullJoinStateInternal: Injecting provisioning data into image...
12/20/2013 10:17:16:902 NetpSaveFullJoinStateInternal: exiting: 0x0
12/20/2013 10:17:16:902 NetpSetComputerNamesOffline: Checking for pending name changes...
12/20/2013 10:17:16:902 SetHostName: TRUE
12/20/2013 10:17:16:902 SetDnsDomain: TRUE
12/20/2013 10:17:16:902 SetNetBiosName: TRUE
12/20/2013 10:17:16:902 SetCurrentValues: TRUE
12/20/2013 10:17:16:902 NetpSetComputerNamesOffline: Setting Hostname to 243WIN7BASETST
12/20/2013 10:17:16:902 NetpSetComputerNamesOffline: Setting Domain name to jis.state.ct.us
12/20/2013 10:17:16:902 NetpSetComputerNamesOffline: Setting NetBios computer name to 243WIN7BASETST
12/20/2013 10:17:16:917 NetpDoInitiateOfflineDomainJoin: status: 0x0
12/20/2013 10:17:16:917 NetRequestOfflineDomainJoin: Successfully initiated the offline domain join
12/20/2013 10:17:16:917 NetpJoinDomainOnDs: Setting netlogon cache.
12/20/2013 10:17:16:917 NetpJoinDomainOnDs: status of setting netlogon cache: 0x0
12/20/2013 10:17:16:917 NetpJoinDomainOnDs: Function exits with status of: 0x0
12/20/2013 10:17:16:917 NetpJoinDomainOnDs: status of disconnecting from '\\ATREYU1V-PII.jis.state.ct.us': 0x0
12/20/2013 10:17:16:917 NetpCompleteOfflineDomainJoin
12/20/2013 10:17:16:917 fBootTimeCaller: FALSE
12/20/2013 10:17:16:917 fSetLocalGroups: TRUE
12/20/2013 10:17:16:917 NetpLsaOpenSecret: status: 0xc0000034
12/20/2013 10:17:16:917 NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 10:17:16:917 NetpJoinDomainLocal: NetpHandleJoinedStateInfo returned: 0x0
12/20/2013 10:17:16:917 NetpLsaOpenSecret: status: 0xc0000034
12/20/2013 10:17:17:292 NetpJoinDomainLocal: NetpManageMachineSecret returned: 0x0.
12/20/2013 10:17:17:292 Calling NetpQueryService to get Netlogon service state.
12/20/2013 10:17:17:292 NetpJoinDomainLocal: NetpQueryService returned: 0x0.
12/20/2013 10:17:17:417 NetpSetLsaPrimaryDomain: for 'JUDICIAL' status: 0x0
12/20/2013 10:17:17:417 NetpJoinDomainLocal: status of setting LSA pri. domain: 0x0
12/20/2013 10:17:17:417 NetpManageLocalGroupsForJoin: Adding groups for new domain, removing groups from old domain, if any.
12/20/2013 10:17:17:417 NetpManageLocalGroups: Populating list of account SIDs.
12/20/2013 10:17:17:760 [000004ec] NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 10:17:17:791 NetpManageLocalGroupsForJoin: status of modifying groups related to domain 'JUDICIAL' to local groups: 0x0
12/20/2013 10:17:17:791 NetpManageLocalGroupsForJoin: INFO: No old domain groups to process.
12/20/2013 10:17:17:791 NetpJoinDomainLocal: Status of managing local groups: 0x0
12/20/2013 10:17:18:275 [00000164] NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 10:17:18:665 NetpJoinDomainLocal: status of setting ComputerNamePhysicalDnsDomain to 'jis.state.ct.us': 0x0
12/20/2013 10:17:18:665 NetpJoinDomainLocal: Controlling services and setting service start type.
12/20/2013 10:17:18:665 NetpJoinDomainLocal: Updating W32TimeConfig
12/20/2013 10:17:18:743 NetpUpdateW32timeConfig: 0x0
12/20/2013 10:17:18:743 NetpClearFullJoinState: Removing cached state from the registry...
12/20/2013 10:17:18:743 NetpClearFullJoinState: Status of deleting join state key 0x0
12/20/2013 10:17:18:743 NetpCompleteOfflineDomainJoin: status: 0x0
12/20/2013 10:17:18:743 NetpJoinDomain: NetpCompleteOfflineDomainJoin SUCCESS: Requested a reboot :0x0
12/20/2013 10:17:18:743 NetpDoDomainJoin: status: 0x0
12/20/2013 10:17:21:953 -----------------------------------------------------------------
12/20/2013 10:17:21:953 NetpChangeMachineName: from '243WIN7BASETST' to '243WIN7BASEtst' using 'judicial\pcsetup2' [0x1000]
12/20/2013 10:17:21:953 NetpDsGetDcName: trying to find DC in domain 'JUDICIAL', flags: 0x1010
12/20/2013 10:17:21:953 NetpDsGetDcName: found DC '\\ATREYU1V-PII' in the specified domain
12/20/2013 10:17:21:953 NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 10:17:21:953 NetpGetDnsHostName: Read NV Domain: jis.state.ct.us
12/20/2013 10:17:21:969 NetpGetComputerObjectDn: Cracking account name JUDICIAL\243WIN7BASETST$ on
\\ATREYU1V-PII
12/20/2013 10:17:21:969 NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=243WIN7BASETST,OU=JB New Computers,DC=jis,DC=state,DC=ct,DC=us
12/20/2013 10:17:21:969 NetpModifyComputerObjectInDs: Initial attribute values:
12/20/2013 10:17:21:969 DnsHostName = 243WIN7BASEtst.jis.state.ct.us
12/20/2013 10:17:21:969 ServicePrincipalName = HOST/243WIN7BASEtst.jis.state.ct.us RestrictedKrbHost/243WIN7BASEtst.jis.state.ct.us HOST/243WIN7BASETST RestrictedKrbHost/243WIN7BASETST
12/20/2013 10:17:21:985 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
12/20/2013 10:17:21:985 DnsHostName = 243WIN7BASETST.jis.state.ct.us
12/20/2013 10:17:21:985 ServicePrincipalName = RestrictedKrbHost/243WIN7BASETST HOST/243WIN7BASETST RestrictedKrbHost/243WIN7BASETST.jis.state.ct.us HOST/243WIN7BASETST.jis.state.ct.us
12/20/2013 10:17:21:985 NetpModifyComputerObjectInDs: There are _NO_ modifications to do
12/20/2013 10:17:21:985 ldap_unbind status: 0x0
12/20/2013 10:17:21:985 NetpChangeMachineName: status of setting DnsHostName and SPN: 0x0
12/20/2013 13:30:34:370 -----------------------------------------------------------------
12/20/2013 13:30:34:440 NetpValidateName: checking to see if '243WIN7BASETST' is valid as type 1 name
12/20/2013 13:30:34:460 NetpCheckNetBiosNameNotInUse for '243WIN7BASETST' [MACHINE] returned 0x0
12/20/2013 13:30:34:460 NetpValidateName: name '243WIN7BASETST' is valid for type 1
12/20/2013 13:30:34:553 -----------------------------------------------------------------
12/20/2013 13:30:34:553 NetpValidateName: checking to see if '243WIN7BASEtst.jis.state.ct.us' is valid as type 5 name
12/20/2013 13:30:34:553 NetpValidateName: name '243WIN7BASEtst.jis.state.ct.us' is valid for type 5
12/20/2013 13:30:34:569 -----------------------------------------------------------------
12/20/2013 13:30:34:569 NetpValidateName: checking to see if 'JIS' is valid as type 2 name
12/20/2013 13:30:34:569 NetpCheckNetBiosNameNotInUse for 'JIS' [ Workgroup as MACHINE] returned 0x0
12/20/2013 13:30:34:569 NetpValidateName: name 'JIS' is valid for type 2
12/20/2013 13:30:34:585 -----------------------------------------------------------------
12/20/2013 13:30:34:585 NetpUnJoinDomain: unjoin from 'JUDICIAL' using '(null)' creds, options: 0x4
12/20/2013 13:30:34:585 OS Version: 6.1
12/20/2013 13:30:34:585 Build number: 7601 (7601.win7sp1_rtm.101119-1850)
12/20/2013 13:30:34:585 ServicePack: Service Pack 1
12/20/2013 13:30:34:585 SKU: Windows 7 Professional
12/20/2013 13:30:34:585 NetpUnJoinDomain: status of getting computer name: 0x0
12/20/2013 13:30:34:585 NetpApplyJoinState: actions: 0x2b805a
12/20/2013 13:30:34:585 NetpDsGetDcName: trying to find DC in domain 'JUDICIAL', flags: 0x1010
12/20/2013 13:30:34:694 NetpDsGetDcName: found DC '\\ATREYU1V-PII' in the specified domain
12/20/2013 13:30:34:819 NetUseAdd to \\ATREYU1V-PII\IPC$ returned 1326
12/20/2013 13:30:34:819 Trying add to
\\ATREYU1V-PII\IPC$ using NULL Session
12/20/2013 13:30:34:850 NetpApplyJoinState: status of connecting to dc '\\ATREYU1V-PII': 0x0
12/20/2013 13:30:36:113 NetpApplyJoinState: status of stopping and setting start type of Netlogon to 16: 0x0
12/20/2013 13:30:36:145 NetpApplyJoinState: NON FATAL: status of removing DNS registrations: 0x0
12/20/2013 13:30:36:145 NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 13:30:36:145 NetpLsaOpenSecret: status: 0x0
12/20/2013 13:30:36:145 NetpLsaOpenSecret: status: 0x0
12/20/2013 13:30:36:410 SamOpenUser on 48956 failed with 0xc0000022
12/20/2013 13:30:36:410 NetpManageMachineAccountWithSid: status of disabling account '243WIN7BASETST$' on '\\ATREYU1V-PII': 0x5
12/20/2013 13:30:36:410 NetpApplyJoinState: status of disabling account: 0x5
12/20/2013 13:30:36:410 NetpApplyJoinState: initiating a rollback due to earlier errors
12/20/2013 13:30:36:410 NetpApplyJoinState: actions: 0x440210
12/20/2013 13:30:36:410 NetpDsGetDcName: trying to find DC in domain '(null)', flags: 0x1020
12/20/2013 13:30:36:425 NetpDsGetDcName: found DC '\\ATREYU1V-PII.jis.state.ct.us' in the specified domain
12/20/2013 13:30:36:441 NetUseAdd to
\\ATREYU1V-PII.jis.state.ct.us\IPC$ returned 1326
12/20/2013 13:30:36:441 Trying add to
\\ATREYU1V-PII.jis.state.ct.us\IPC$ using NULL Session
12/20/2013 13:30:36:441 NetpApplyJoinState: status of connecting to dc '\\ATREYU1V-PII.jis.state.ct.us': 0x0
12/20/2013 13:30:36:441 NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 13:30:36:441 NetpLsaOpenSecret: status: 0xc0000034
12/20/2013 13:30:36:675 NetpSetMachineAccountPassword: NetUserSetInfo (level 1003) on '\\ATREYU1V-PII.jis.state.ct.us' for '243WIN7BASETST$' failed: 0x5
12/20/2013 13:30:36:675 NetpApplyJoinState: status of setting machine password: 0x5
12/20/2013 13:30:36:956 NetpApplyJoinState: status of starting and setting start type of Netlogon to 4: 0x0
12/20/2013 13:30:36:956 NetpApplyJoinState: NON FATAL: status of adding DNS registrations: 0x0
12/20/2013 13:30:36:956 NetpApplyJoinState: status of disconnecting from '\\ATREYU1V-PII.jis.state.ct.us': 0x0
12/20/2013 13:30:36:956 NetpApplyJoinState: status of disconnecting from '\\ATREYU1V-PII': 0x0
12/20/2013 13:30:36:956 NetpUnJoinDomain: status: 0x5
12/20/2013 13:30:41:886 -----------------------------------------------------------------
12/20/2013 13:30:41:886 NetpUnJoinDomain: unjoin from 'JUDICIAL' using 'jis.state.ct.us\a' creds, options: 0x4
12/20/2013 13:30:41:886 OS Version: 6.1
12/20/2013 13:30:41:886 Build number: 7601 (7601.win7sp1_rtm.101119-1850)
12/20/2013 13:30:41:886 ServicePack: Service Pack 1
12/20/2013 13:30:41:886 SKU: Windows 7 Professional
12/20/2013 13:30:41:886 NetpUnJoinDomain: status of getting computer name: 0x0
12/20/2013 13:30:41:886 NetpApplyJoinState: actions: 0x2b805a
12/20/2013 13:30:41:886 NetpDsGetDcName: trying to find DC in domain 'JUDICIAL', flags: 0x1010
12/20/2013 13:30:41:886 NetpDsGetDcName: found DC '\\ATREYU1V-PII' in the specified domain
12/20/2013 13:30:44:974 NetUseAdd to \\ATREYU1V-PII\IPC$ returned 1326
12/20/2013 13:30:44:974 Trying add to
\\ATREYU1V-PII\IPC$ using NULL Session
12/20/2013 13:30:44:990 NetpApplyJoinState: status of connecting to dc '\\ATREYU1V-PII': 0x0
12/20/2013 13:30:46:301 NetpApplyJoinState: status of stopping and setting start type of Netlogon to 16: 0x0
12/20/2013 13:30:46:301 NetpApplyJoinState: NON FATAL: status of removing DNS registrations: 0x0
12/20/2013 13:30:46:301 NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 13:30:46:301 NetpLsaOpenSecret: status: 0x0
12/20/2013 13:30:46:301 NetpLsaOpenSecret: status: 0x0
12/20/2013 13:30:46:394 SamOpenUser on 48956 failed with 0xc0000022
12/20/2013 13:30:46:394 NetpManageMachineAccountWithSid: status of disabling account '243WIN7BASETST$' on '\\ATREYU1V-PII': 0x5
12/20/2013 13:30:46:394 NetpApplyJoinState: status of disabling account: 0x5
12/20/2013 13:30:46:394 NetpApplyJoinState: initiating a rollback due to earlier errors
12/20/2013 13:30:46:394 NetpApplyJoinState: actions: 0x440210
12/20/2013 13:30:46:394 NetpDsGetDcName: trying to find DC in domain '(null)', flags: 0x1020
12/20/2013 13:30:46:410 NetpDsGetDcName: found DC '\\ATREYU1V-PII.jis.state.ct.us' in the specified domain
12/20/2013 13:30:46:425 NetUseAdd to
\\ATREYU1V-PII.jis.state.ct.us\IPC$ returned 1326
12/20/2013 13:30:46:425 Trying add to
\\ATREYU1V-PII.jis.state.ct.us\IPC$ using NULL Session
12/20/2013 13:30:46:425 NetpApplyJoinState: status of connecting to dc '\\ATREYU1V-PII.jis.state.ct.us': 0x0
12/20/2013 13:30:46:425 NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 13:30:46:425 NetpLsaOpenSecret: status: 0xc0000034
12/20/2013 13:30:46:659 NetpSetMachineAccountPassword: NetUserSetInfo (level 1003) on '\\ATREYU1V-PII.jis.state.ct.us' for '243WIN7BASETST$' failed: 0x5
12/20/2013 13:30:46:659 NetpApplyJoinState: status of setting machine password: 0x5
12/20/2013 13:30:46:815 NetpApplyJoinState: status of starting and setting start type of Netlogon to 4: 0x0
12/20/2013 13:30:46:815 NetpApplyJoinState: NON FATAL: status of adding DNS registrations: 0x0
12/20/2013 13:30:46:815 NetpApplyJoinState: status of disconnecting from '\\ATREYU1V-PII.jis.state.ct.us': 0x0
12/20/2013 13:30:46:815 NetpApplyJoinState: status of disconnecting from '\\ATREYU1V-PII': 0x0
12/20/2013 13:30:46:815 NetpUnJoinDomain: status: 0x5
12/20/2013 13:30:46:831 -----------------------------------------------------------------
12/20/2013 13:30:46:831 NetpUnJoinDomain: unjoin from 'JUDICIAL' using 'jis.state.ct.us\a' creds, options: 0x0
12/20/2013 13:30:46:831 OS Version: 6.1
12/20/2013 13:30:46:831 Build number: 7601 (7601.win7sp1_rtm.101119-1850)
12/20/2013 13:30:46:831 ServicePack: Service Pack 1
12/20/2013 13:30:46:831 SKU: Windows 7 Professional
12/20/2013 13:30:46:831 NetpUnJoinDomain: status of getting computer name: 0x0
12/20/2013 13:30:46:831 NetpApplyJoinState: actions: 0x2b005a
12/20/2013 13:30:47:096 [000009d8] NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 13:30:47:611 [000004e8] NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 13:30:48:173 NetpApplyJoinState: status of stopping and setting start type of Netlogon to 16: 0x0
12/20/2013 13:30:48:173 NetpApplyJoinState: NON FATAL: status of removing DNS registrations: 0x0
12/20/2013 13:30:48:173 NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 13:30:48:173 NetpLsaOpenSecret: status: 0x0
12/20/2013 13:30:48:173 NetpLsaOpenSecret: status: 0x0
12/20/2013 13:30:48:391 NetpSetLsaPrimaryDomain: for 'JUDICIAL' status: 0x0
12/20/2013 13:30:48:391 NetpApplyJoinState: status of setting LSA pri. domain: 0x0
12/20/2013 13:30:48:625 NetpApplyJoinState: status of clearing ComputerNamePhysicalDnsDomain: 0x0
12/20/2013 13:30:48:625 NetpManageLocalGroups: Populating list of account SIDs.
12/20/2013 13:30:48:858 [000004e8] NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 13:30:48:889 NetpApplyJoinState: status of removing from local groups: 0x0
12/20/2013 13:30:48:889 NetpUpdateW32timeConfig: 0x0
12/20/2013 13:30:48:905 NetpUnJoinDomain: status: 0x0
12/20/2013 13:30:48:936 -----------------------------------------------------------------
12/20/2013 13:30:48:936 NetpDoDomainJoin
12/20/2013 13:30:48:936 NetpMachineValidToJoin: '243WIN7BASETST'
12/20/2013 13:30:48:936 OS Version: 6.1
12/20/2013 13:30:48:936 Build number: 7601 (7601.win7sp1_rtm.101119-1850)
12/20/2013 13:30:48:936 ServicePack: Service Pack 1
12/20/2013 13:30:48:952 SKU: Windows 7 Professional
12/20/2013 13:30:48:952 NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 13:30:48:952 NetpMachineValidToJoin: status: 0x0
12/20/2013 13:30:48:952 NetpJoinWorkgroup: joining computer '243WIN7BASETST' to workgroup 'JIS'
12/20/2013 13:30:48:952 NetpValidateName: checking to see if 'JIS' is valid as type 2 name
12/20/2013 13:30:48:952 NetpCheckNetBiosNameNotInUse for 'JIS' [ Workgroup as MACHINE] returned 0x0
12/20/2013 13:30:48:952 NetpValidateName: name 'JIS' is valid for type 2
12/20/2013 13:30:49:077 NetpSetLsaPrimaryDomain: for 'JIS' status: 0x0
12/20/2013 13:30:49:295 NetpJoinWorkgroup: status: 0x0
12/20/2013 13:30:49:295 NetpDoDomainJoin: status: 0x0
12/20/2013 13:39:24:681 -----------------------------------------------------------------
12/20/2013 13:39:24:697 NetpValidateName: checking to see if 'WIN7SP1BASE' is valid as type 1 name
12/20/2013 13:39:24:728 NetpCheckNetBiosNameNotInUse for 'WIN7SP1BASE' [MACHINE] returned 0x0
12/20/2013 13:39:24:728 NetpValidateName: name 'WIN7SP1BASE' is valid for type 1
12/20/2013 13:39:24:775 -----------------------------------------------------------------
12/20/2013 13:39:24:775 NetpValidateName: checking to see if 'WIN7SP1BASE' is valid as type 5 name
12/20/2013 13:39:24:775 NetpValidateName: name 'WIN7SP1BASE' is valid for type 5
12/20/2013 14:22:43:445 -----------------------------------------------------------------
12/20/2013 14:22:43:445 NetpValidateName: checking to see if '243WIN7BASETST' is valid as type 1 name
12/20/2013 14:22:43:445 NetpCheckNetBiosNameNotInUse for '243WIN7BASETST' [MACHINE] returned 0x0
12/20/2013 14:22:43:445 NetpValidateName: name '243WIN7BASETST' is valid for type 1
12/20/2013 14:22:43:508 -----------------------------------------------------------------
12/20/2013 14:22:43:508 NetpValidateName: checking to see if '243WIN7BASEtst' is valid as type 5 name
12/20/2013 14:22:43:508 NetpValidateName: name '243WIN7BASEtst' is valid for type 5
12/20/2013 14:26:14:548 -----------------------------------------------------------------
12/20/2013 14:26:14:548 NetpValidateName: checking to see if '243WIN7BASETST' is valid as type 1 name
12/20/2013 14:26:14:548 NetpCheckNetBiosNameNotInUse for '243WIN7BASETST' [MACHINE] returned 0x0
12/20/2013 14:26:14:548 NetpValidateName: name '243WIN7BASETST' is valid for type 1
12/20/2013 14:26:14:595 -----------------------------------------------------------------
12/20/2013 14:26:14:595 NetpValidateName: checking to see if '243WIN7BASEtst' is valid as type 5 name
12/20/2013 14:26:14:595 NetpValidateName: name '243WIN7BASEtst' is valid for type 5
12/20/2013 14:26:14:626 -----------------------------------------------------------------
12/20/2013 14:26:14:626 NetpValidateName: checking to see if 'judicial' is valid as type 3 name
12/20/2013 14:26:14:751 NetpCheckDomainNameIsValid [ Exists ] for 'judicial' returned 0x0
12/20/2013 14:26:14:751 NetpValidateName: name 'judicial' is valid for type 3
12/20/2013 14:26:25:156 -----------------------------------------------------------------
12/20/2013 14:26:25:156 NetpDoDomainJoin
12/20/2013 14:26:25:156 NetpMachineValidToJoin: '243WIN7BASETST'
12/20/2013 14:26:25:156 OS Version: 6.1
12/20/2013 14:26:25:156 Build number: 7601 (7601.win7sp1_rtm.101119-1850)
12/20/2013 14:26:25:156 ServicePack: Service Pack 1
12/20/2013 14:26:25:156 SKU: Windows 7 Professional
12/20/2013 14:26:25:156 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
12/20/2013 14:26:25:156 NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 14:26:25:156 NetpMachineValidToJoin: status: 0x0
12/20/2013 14:26:25:156 NetpJoinDomain
12/20/2013 14:26:25:156 Machine: 243WIN7BASETST
12/20/2013 14:26:25:156 Domain: judicial
12/20/2013 14:26:25:156 MachineAccountOU: (NULL)
12/20/2013 14:26:25:156 Account: judicial\pcsetup2
12/20/2013 14:26:25:156 Options: 0x25
12/20/2013 14:26:25:156 NetpLoadParameters: loading registry parameters...
12/20/2013 14:26:25:156 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
12/20/2013 14:26:25:156 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
12/20/2013 14:26:25:156 NetpLoadParameters: status: 0x2
12/20/2013 14:26:25:156 NetpValidateName: checking to see if 'judicial' is valid as type 3 name
12/20/2013 14:26:25:265 NetpCheckDomainNameIsValid [ Exists ] for 'judicial' returned 0x0
12/20/2013 14:26:25:265 NetpValidateName: name 'judicial' is valid for type 3
12/20/2013 14:26:25:265 NetpDsGetDcName: trying to find DC in domain 'judicial', flags: 0x40001010
12/20/2013 14:26:25:374 NetpLoadParameters: loading registry parameters...
12/20/2013 14:26:25:374 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
12/20/2013 14:26:25:374 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
12/20/2013 14:26:25:374 NetpLoadParameters: status: 0x2
12/20/2013 14:26:25:374 NetpDsGetDcName: status of verifying DNS A record name resolution for 'Wabash00-PII.jis.state.ct.us': 0x0
12/20/2013 14:26:25:374 NetpDsGetDcName: found DC '\\Wabash00-PII.jis.state.ct.us' in the specified domain
12/20/2013 14:26:25:374 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
12/20/2013 14:26:25:608 NetpJoinDomain: status of connecting to dc '\\Wabash00-PII.jis.state.ct.us': 0x0
12/20/2013 14:26:25:608 NetpProvisionComputerAccount:
12/20/2013 14:26:25:608 lpDomain: judicial
12/20/2013 14:26:25:608 lpMachineName: 243WIN7BASETST
12/20/2013 14:26:25:608 lpMachineAccountOU: (NULL)
12/20/2013 14:26:25:608 lpDcName: Wabash00-PII.jis.state.ct.us
12/20/2013 14:26:25:608 lpDnsHostName: (NULL)
12/20/2013 14:26:25:608 lpMachinePassword: (null)
12/20/2013 14:26:25:608 lpAccount: judicial\pcsetup2
12/20/2013 14:26:25:608 lpPassword: (non-null)
12/20/2013 14:26:25:608 dwJoinOptions: 0x25
12/20/2013 14:26:25:608 dwOptions: 0x40000003
12/20/2013 14:26:25:749 NetpLdapBind: Verified minimum encryption strength on Wabash00-PII.jis.state.ct.us: 0x0
12/20/2013 14:26:25:749 NetpLdapGetLsaPrimaryDomain: reading domain data
12/20/2013 14:26:25:749 NetpGetNCData: Reading NC data
12/20/2013 14:26:25:764 NetpGetDomainData: Lookup domain data for: DC=jis,DC=state,DC=ct,DC=us
12/20/2013 14:26:25:764 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=jis,DC=state,DC=ct,DC=us
12/20/2013 14:26:25:764 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
12/20/2013 14:26:25:780 NetpGetComputerObjectDn: Cracking DNS domain name jis.state.ct.us/ into Netbios on
\\Wabash00-PII.jis.state.ct.us
12/20/2013 14:26:25:780 NetpGetComputerObjectDn: Crack results: name = JUDICIAL\
12/20/2013 14:26:25:780 NetpGetComputerObjectDn: Cracking account name JUDICIAL\243WIN7BASETST$ on
\\Wabash00-PII.jis.state.ct.us
12/20/2013 14:26:25:796 NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=243WIN7BASETST,OU=JB New Computers,DC=jis,DC=state,DC=ct,DC=us
12/20/2013 14:26:25:796 NetpModifyComputerObjectInDs: Initial attribute values:
12/20/2013 14:26:25:796 objectClass = Computer
12/20/2013 14:26:25:796 SamAccountName = 243WIN7BASETST$
12/20/2013 14:26:25:796 userAccountControl = 0x1000
12/20/2013 14:26:25:796 DnsHostName = 243WIN7BASETST.jis.state.ct.us
12/20/2013 14:26:25:796 ServicePrincipalName = HOST/243WIN7BASETST.jis.state.ct.us RestrictedKrbHost/243WIN7BASETST.jis.state.ct.us HOST/243WIN7BASETST RestrictedKrbHost/243WIN7BASETST
12/20/2013 14:26:25:796 unicodePwd = <SomePassword>
12/20/2013 14:26:25:796 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
12/20/2013 14:26:25:796 objectClass = top person organizationalPerson user computer
12/20/2013 14:26:25:796 SamAccountName = 243WIN7BASETST$
12/20/2013 14:26:25:796 userAccountControl = 0x1000
12/20/2013 14:26:25:796 DnsHostName = 243WIN7BASETST.jis.state.ct.us
12/20/2013 14:26:25:796 ServicePrincipalName = TERMSRV/243WIN7BASETST TERMSRV/243WIN7BASEtst.jis.state.ct.us RestrictedKrbHost/243WIN7BASETST HOST/243WIN7BASETST RestrictedKrbHost/243WIN7BASETST.jis.state.ct.us
HOST/243WIN7BASETST.jis.state.ct.us
12/20/2013 14:26:25:796 unicodePwd = Account exists, resetting password: <SomePassword>
12/20/2013 14:26:25:796 NetpModifyComputerObjectInDs: Attribute values to set:
12/20/2013 14:26:25:796 unicodePwd = <SomePassword>
12/20/2013 14:26:25:967 NetpModifyComputerObjectInDs: Toggled UserAccountControl successfully
12/20/2013 14:26:25:967 NetpEncodeProvisioningBlob: Encoding provisioning data
12/20/2013 14:26:25:967 NetpInitBlobWin7: Constructing blob...
12/20/2013 14:26:25:967 Blob version: 1
12/20/2013 14:26:25:967 lpDomain: judicial
12/20/2013 14:26:25:967 lpMachineName: 243WIN7BASETST
12/20/2013 14:26:25:967 lpMachinePassword: <omitted from log>
12/20/2013 14:26:25:967 DomainDnsPolicy:
12/20/2013 14:26:25:967 Name: JUDICIAL
12/20/2013 14:26:25:967 DnsDomainName: jis.state.ct.us
12/20/2013 14:26:25:967 DnsForestName: jis.state.ct.us
12/20/2013 14:26:25:967 DomainGuid: 8108ed1e-d08f-40a0-8089-598b7f58e1e7
12/20/2013 14:26:25:967 Sid: S-1-5-21-1552756269-800212831-618671499
12/20/2013 14:26:25:967 DcInfo:
12/20/2013 14:26:25:967 DomainControllerName:
\\Wabash00-PII.jis.state.ct.us
12/20/2013 14:26:25:967 DomainControllerAddress:
\\10.16.8.100
12/20/2013 14:26:25:967 DomainControllerAddressType: 1
12/20/2013 14:26:25:967 DomainGuid: 8108ed1e-d08f-40a0-8089-598b7f58e1e7
12/20/2013 14:26:25:967 DomainName: jis.state.ct.us
12/20/2013 14:26:25:967 DnsForestName: jis.state.ct.us
12/20/2013 14:26:25:967 Flags: 0xe00033fc
12/20/2013 14:26:25:967 DcSiteName: Judicial-Data-Centers
12/20/2013 14:26:25:967 ClientSiteName: EHFD-99ERiver
12/20/2013 14:26:25:983 Options: 0x40000003
12/20/2013 14:26:25:983 NetpInitBlobWin7: Blob pickling result: 0
12/20/2013 14:26:25:983 NetpEncodeProvisioningBlob: result: 0x0
12/20/2013 14:26:25:983 ldap_unbind status: 0x0
12/20/2013 14:26:25:983 NetpRequestOfflineDomainJoin:
12/20/2013 14:26:25:983 dwProvisionBinDataSize: 960
12/20/2013 14:26:25:983 JoinOptions: 0x25
12/20/2013 14:26:25:983 Options: 0x40000003
12/20/2013 14:26:25:983 lpWindowsPath: C:\Windows
12/20/2013 14:26:25:983 NetpDecodeProvisioningBlob: Unpickling provisioning blob with size 960 bytes
12/20/2013 14:26:25:983 NetpDecodeProvisioningBlob: Searching 1 blobs for supported ODJ blob, highest supported version: 1
12/20/2013 14:26:25:983 NetpDecodeProvisioningBlob: Found ODJ blob version: 1
12/20/2013 14:26:25:983 NetpDecodeProvisioningBlob: Selected ODJ blob version: 1
12/20/2013 14:26:25:983 Blob version: 1
12/20/2013 14:26:25:983 lpDomain: judicial
12/20/2013 14:26:25:983 lpMachineName: 243WIN7BASETST
12/20/2013 14:26:25:983 lpMachinePassword: <omitted from log>
12/20/2013 14:26:25:983 DomainDnsPolicy:
12/20/2013 14:26:25:983 Name: JUDICIAL
12/20/2013 14:26:25:983 DnsDomainName: jis.state.ct.us
12/20/2013 14:26:25:983 DnsForestName: jis.state.ct.us
12/20/2013 14:26:25:983 DomainGuid: 8108ed1e-d08f-40a0-8089-598b7f58e1e7
12/20/2013 14:26:25:983 Sid: S-1-5-21-1552756269-800212831-618671499
12/20/2013 14:26:25:983 DcInfo:
12/20/2013 14:26:25:983 DomainControllerName:
\\Wabash00-PII.jis.state.ct.us
12/20/2013 14:26:25:983 DomainControllerAddress:
\\10.16.8.100
12/20/2013 14:26:25:983 DomainControllerAddressType: 1
12/20/2013 14:26:25:983 DomainGuid: 8108ed1e-d08f-40a0-8089-598b7f58e1e7
12/20/2013 14:26:25:983 DomainName: jis.state.ct.us
12/20/2013 14:26:25:983 DnsForestName: jis.state.ct.us
12/20/2013 14:26:25:983 Flags: 0xe00033fc
12/20/2013 14:26:25:983 DcSiteName: Judicial-Data-Centers
12/20/2013 14:26:25:983 ClientSiteName: EHFD-99ERiver
12/20/2013 14:26:25:983 Options: 0x40000003
12/20/2013 14:26:25:983 NetpDoInitiateOfflineDomainJoin
12/20/2013 14:26:25:983 NetpDoInitiateOfflineDomainJoin: Setting backup/restore privileges
12/20/2013 14:26:25:983 NetpInitiateOfflineJoin
12/20/2013 14:26:25:983 lpLocalRegistryPath: C:\Windows\system32\config\SYSTEM
12/20/2013 14:26:25:983 dwOptions: 0x40000003
12/20/2013 14:26:25:983 NetpConvertBlobToJoinState: Translating provisioning data to internal format
12/20/2013 14:26:25:983 NetpConvertBlobToJoinState: Selecting version 1
12/20/2013 14:26:25:983 NetpConvertBlobToJoinState: exiting: 0x0
12/20/2013 14:26:25:983 NetpValidateFullJoinState: Validating provisioning data...
12/20/2013 14:26:25:983 NetpValidateFullJoinState: exiting: 0x0
12/20/2013 14:26:25:983 NetpClearFullJoinState: Removing cached state from the registry...
12/20/2013 14:26:25:983 NetpClearFullJoinState: Status of deleting join state key 0x2
12/20/2013 14:26:25:983 NetpSaveFullJoinStateInternal: Injecting provisioning data into image...
12/20/2013 14:26:25:983 NetpSaveFullJoinStateInternal: exiting: 0x0
12/20/2013 14:26:25:983 NetpSetComputerNamesOffline: Checking for pending name changes...
12/20/2013 14:26:25:983 SetHostName: TRUE
12/20/2013 14:26:25:983 SetDnsDomain: TRUE
12/20/2013 14:26:25:983 SetNetBiosName: TRUE
12/20/2013 14:26:25:983 SetCurrentValues: TRUE
12/20/2013 14:26:25:983 NetpSetComputerNamesOffline: Setting Hostname to 243WIN7BASETST
12/20/2013 14:26:25:983 NetpSetComputerNamesOffline: Setting Domain name to jis.state.ct.us
12/20/2013 14:26:25:983 NetpSetComputerNamesOffline: Setting NetBios computer name to 243WIN7BASETST
12/20/2013 14:26:25:983 NetpDoInitiateOfflineDomainJoin: status: 0x0
12/20/2013 14:26:25:983 NetRequestOfflineDomainJoin: Successfully initiated the offline domain join
12/20/2013 14:26:25:983 NetpJoinDomainOnDs: Setting netlogon cache.
12/20/2013 14:26:26:014 NetpJoinDomainOnDs: status of setting netlogon cache: 0x0
12/20/2013 14:26:26:014 NetpJoinDomainOnDs: Function exits with status of: 0x0
12/20/2013 14:26:26:014 NetpJoinDomainOnDs: status of disconnecting from '\\Wabash00-PII.jis.state.ct.us': 0x0
12/20/2013 14:26:26:014 NetpCompleteOfflineDomainJoin
12/20/2013 14:26:26:014 fBootTimeCaller: FALSE
12/20/2013 14:26:26:014 fSetLocalGroups: TRUE
12/20/2013 14:26:26:014 NetpLsaOpenSecret: status: 0xc0000034
12/20/2013 14:26:26:030 NetpGetLsaPrimaryDomain: status: 0x0
12/20/2013 14:26:26:030 NetpJoinDomainLocal: NetpHandleJoinedStateInfo returned: 0x0
12/20/2013 14:26:26:030 NetpLsaOpenSecret: status: 0xc0000034
12/20/2013 14:26:26:326 NetpJoinDomainLocal: NetpManageMachineSecret returned: 0x0.
12/20/2013 14:26:26:326 Calling NetpQueryService to get Netlogon service state.
12/20/2013 14:26:26:326 NetpJoinDomainLocal: NetpQueryService returned: 0x0.
12/20/2013 14:26:26:420 NetpSetLsaPrimaryDomain: for 'JUDICIAL' status: 0x0
12/20/2013 14:26:26:420 NetpJoinDomainLocal: status of setting LSA pri. domain: 0x0
12/20/2013 14:26:26:420 NetpManageLocalGroupsForJoin: Adding groups for new domain, removing groups from old domain, if any.
Windows IP Configuration from machine not joining the domain
Host Name . . . . . . . . . . . . : 243sccmtest5
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : jis.state.ct.us
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : jis.state.ct.us
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection #2
Physical Address. . . . . . . . . : B4-B5-2F-C0-D1-08
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::857e:ee89:64be:e243%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.16.211.236(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, November 12, 2014 11:59:47 AM
Lease Expires . . . . . . . . . . : Wednesday, November 12, 2014 7:59:46 PM
Default Gateway . . . . . . . . . : fe80::21f:6cff:febf:4bf%12
10.16.211.1
DHCP Server . . . . . . . . . . . : 10.16.204.101
DNS Servers . . . . . . . . . . . : 10.16.8.100
10.16.5.100
10.16.6.100
10.16.206.100
10.16.204.100
Primary WINS Server . . . . . . . : 10.16.8.100
Secondary WINS Server . . . . . . : 10.16.5.100
10.16.6.100
10.16.206.100
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : jis.state.ct.us
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Windows IP Configuration from Domain Joined Machine
Host Name . . . . . . . . . . . . : 2433ZENTEST01PC
Primary Dns Suffix . . . . . . . : jis.state.ct.us
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : jis.state.ct.us
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : jis.state.ct.us
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 74-46-A0-90-37-49
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.16.211.201(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, October 15, 2014 7:39:26 AM
Lease Expires . . . . . . . . . . : Wednesday, November 12, 2014 8:40:50 PM
Default Gateway . . . . . . . . . : 10.16.211.1
DHCP Server . . . . . . . . . . . : 10.16.4.101
DNS Servers . . . . . . . . . . . : 10.16.8.100
10.16.5.100
10.16.6.100
10.16.206.100
Primary WINS Server . . . . . . . : 10.16.5.100
Secondary WINS Server . . . . . . : 10.16.8.100
NetBIOS over Tcpip. . . . . . . . : Enabled
Seems like DNS IssueHi,
Have you tried to delete the computer account from AD?
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Hi All,
We are facing a issue with domain joining against RODC
We have a RODC which is separated from RWDC using firewall. The replication is configured using IPSEC and all is working fine.
The servers in RODC site do not have any connectivity to RWDC. We add the Servers in RODC site by following the script mentioned in the below link
https://technet.microsoft.com/en-us/library/dd728035(v=ws.10).aspx
The Servers which are in same subnet as RODC are able to join and login properly into the Domain. But the servers which are in different subnet are not able to join Domain and giving error “ Specified Domain either does not exist or cannot be contacted”
I am able to ping the RODC using IP and FQDN but not using netbios name
Nslookup works for FQDN of RODC and Domain name but fails for netbios names
I have checked the link http://blogs.technet.com/b/networking/archive/2008/07/25/netbios-browsing-across-subnets-may-fail-after-upgrading-to-windows-server-2008.aspx and as per that the browser service is started in PDC as well as in RODC
The subnet of Server is associated to RODC site
I have created a registry entry SiteName in the server and specified the RODC site
Checked at network level and nothing is blocked there
Tried creating the record for in host file but no useHi All,
We are facing a issue with domain joining against RODC
We have a RODC which is separated from RWDC using firewall. The replication is configured using IPSEC and all is working fine.
The servers in RODC site do not have any connectivity to RWDC. We add the Servers in RODC site by following the script mentioned in the below link
Firstly if you have RODC in a site, place a RWDC in that site as well OR enable
Bridge all site links. Also you need to provision the computer accounts in your RWDC, in that case the computer accounts will be replicated to the RODC and you can join. Look at RODC section here:
Offline Domain Join
Reading this link by Jorge is highly recommended:
Domain Join through an RODC instead of an RWDC
Do not forget that if your windows server are 2003 they need to have direct connectivity to the RWDC for tasks like password changing. Also for time synchronization, an RODC is authorized to sync the computers time if and only if the computer password is
cached, otherwise the computer must contact the RWDC directly.
Mahdi Tehrani |
|
www.mahditehrani.ir
Please click on Propose As Answer or
to mark this post as
and helpful for other people.
This posting is provided AS-IS with no warranties, and confers no rights.
How to query members of 'Local Administrators' group in all computers? -
DNS working intermittently for non-domain joined machines
I have a small single Server 2012 based network, with about 90% windows clients. DNS is running on the Windows Server 2008 machine, but DHCP is provided via a unix based firewall machine. Within the DNS configuration I have all of my windows
clients (mostly Windows 8.x clients, but there are a few Windows 7 ones as well) and a few *nix ones as well. All of the Windows clients are domain joined, except for one machine which is currently running Windows 10 preview, though it was a Windows
7 machine originally. In the DNS configuration I have a number of statically entered A records, used to give my *nix machines a name on the local network.
When trying to access systems by name (via ping or by other services), there is a very consistent behavior - my domain joined machines are able to resolve all names 100% of the time without any issues. However, the non-domain joined machines, both
Windows and not, are consistently inconsistent. To be more precise, when I try to resolve a name it will randomly work and randomly not. IP setup and configuration looks correct, meaning they have valid IP, DNS is set to my Windows Server,
default gateway, etc. are all correct. Pinging external machines (ie google.com, etc.) works 100% of the time, but trying to ping any internal machine is a total crap shoot. The only exception to this is the Windows Server 2012 machine itself,
which always works.
From past experience I know that the moment I join a machine to the domain all of the DNS issues goes away, which is fine for the Windows boxes but not so much for the rest. I also have visitors occasionally come by, who I cannot expect to join my
domain just to make things work normally.
This network originally started life out as Windows Server 2003 domain, but was upgraded to 2012 about two months ago. I have been seeing this problem for years, but have always assumed it to be a Server 2003 issue and figured it would go away when
I upgraded. Nope...
Any ideas as to the cause of this and what I can do about it?
Thanks,
peterIts really weird - I can ping an address and not have it work, then do a NSLookup of the same address against my DNS server and it resolves just fine. Take a look at this screen copy below:
C:\Users\Peter>ping apollo.bakonet.local
Ping request could not find host apollo.bakonet.local. Please check the name and try again.
C:\Users\Peter>nslookup apollo.bakonet.local 192.168.124.9
Server: orac.bakonet.local
Address: 192.168.124.9
Name: apollo.bakonet.local
Address: 192.168.124.27
C:\Users\Peter>ping apollo.bakonet.local
Ping request could not find host apollo.bakonet.local. Please check the name and try again.
C:\Users\Peter>ipconfig /all |more
Windows IP Configuration
Host Name . . . . . . . . . . . . : Win10
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bakonet.local
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 00-21-CC-65-1B-8F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Local Area Connection* 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : A0-88-B4-A2-41-81
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : bakonet.local
Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
Physical Address. . . . . . . . . : A0-88-B4-A2-41-80
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::fc47:8a91:6b25:bd0e%2(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.124.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, January 5, 2015 7:34:47 PM
Lease Expires . . . . . . . . . . : Tuesday, February 3, 2015 7:15:20 PM
Default Gateway . . . . . . . . . : 192.168.124.1
DHCP Server . . . . . . . . . . . : 192.168.124.1
DHCPv6 IAID . . . . . . . . . . . : 60852404
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-C6-18-82-00-21-CC-65-1B-8F
DNS Servers . . . . . . . . . . . : 192.168.124.9
24.229.54.212
216.144.187.199
Primary WINS Server . . . . . . . : 192.168.124.9
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : EC-55-F9-F5-14-76
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Does this actually make sense? Obviously the DNS server is online, it works and when a lookup is requested directly it works, and the DNS server is listed as first in the IP configuration. So why would it not work?! -
Using MDT to re-join computers to a domain after a re-image
Since 2010 we have been using WDS to build, capture and deploy our image across our organisation (A High School) which has worked well enough. While WDS can do all this the build and capture is a little clunky and relies on you to manually installing all
programmes and then mounting the WIM file and inject the drivers so I have moved us onto MDT for the build and capture before importing the finished WIM file into WDS for deployment.
This has worked much better as MDT makes it much quicker to get an image up and going (programme silent installs, testing is much quicker etc) and drive management is as simple as telling MDT to put ALL the drivers you want into the image but I have been
reading that you should link MDT and WDS together.
I followed the instruction and imported the LiteTouchPE wim file into WDS and we are able to PXE boot right into MDT and either make a new image or capture the one we are working on but I am trying to automate the deployment so it is more like what we have
when just using WDS for deployment. Because I want to retain the ability to use MDT to make a new image I cannot customise the customesettings.ini file too much and instead I am relying on MDT task sequences for must of the customisations.
Currently all our systems are pre-staged into WDS (I think it is actually Active Directory at the end of the day but you use wdsutil to pre-stage them) so when we boot into PXE WDS deploys and configures the machines using WDSClientUnattend and ImageUnattend
XML file so that once the deployment is finished it is sitting at the logon screen waiting for the user to login already joined to the domain and our wireless network.
I am having trouble trying to achieve this same result using our WDS + MDT combo with the main sticking point being trying to re-join the computer back to the domain (we re-image machines constantly so re-join back to the domain is a must). I wrote/found
a PowerShell script that does the domain join but because an account already exists (all our machines are pre-staged under their service tag and GUID) it throws an error about their already being an account with that name (the computer still appear to join
the domain and I can logon using my domain account). Because of this error MDT borks the deployment and doesn't finish up and complains about deployment being in progress etc.
Is using WDS to boot the LiteTouchPE and then deploying through MDT the best way or are we better off going back to using MDT to do the build and capture and then using WDS and it's pre-staging to do the deploy? I really like that with MDT I can have a little
more control over driver deployment (recently had a problem where we got a new laptop and injecting the new drivers into the WIM broke the entire image for all our machines except the new one) and software at the time of the re-image (I cannot install the
Lenovo hotkey software in a virtual machine because it does a hardware check and fails to install so either the entire image needs to be made on a Lenovo or the software doesn't get installed).
I am currently making a Windows 8.1.1 x64 Enterprise SOE/MOE/whatever you would like to call it using MDT 2013 with WDS running on Windows Server 2012 R2 x64.Hello,
It is better to use so-called "thin" images. These contain only the operating system (in a facility and captures vm). Subsequently pilots and soft will be deployed by the bais of MTD.
For drivers I recommend you to use selection profiles. Moreover it is necessary to put a condition in step "Inject Drivers". Condition Type: Variable called MODEL, variable value Latitude E6430 (change the value to the desired model). It is necessary
to add more step Inject Drivers that type of position.
Application level, you import the different applications in MDT allowing you to select only the desired wizard when applications. If you want to automate this step you will need to indicate statically in the task sequence to install applications, this will
require the creation of several task sequence.
Best Regards
Well I am well aware the Microsoft recommends a thin image it is simply not practical in a School environment where Students change in and our of subjects and where the combination of subject specific software is nearly infinite the overhead is too great
(maybe if we used something like SCCM where we could deploy applications based on OU or group membership).
All your other points aside my problem/issue/question which appears to have been lost is, how do I rejoin a computer to the domain using MDT? We re-image laptops constantly and using WDS they rejoin with no problems but using MDT an error is thrown because
the account already exists. In WDS we have all our machines pre-staged so is there an MDT equivalent that will let me re-image a laptop and have it re-join the domain under the same account without throwing and error. -
Hi,
Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."
DC:windows Server 2008 R2
Domain functional level:Windows Server 2003
When Winxp join domain, have no this error message.
I checked http://support.microsoft.com/kb/2018583?wa=wsignin1.0 does't work.
There have 3 suggestion in this article:
1.The "Disable NetBIOS over TCP/IP" checkbox has been disabled in the IPv4 properties of the computer being joined.
Doesnt's work.
2.Connectivity over UDP port 137 is blocked between client and the helper DC servicing the join operation in the target domain.
On my DC, I run netstat -an, reslut as below:
UDP 192.168.20.3:137 *:*
3.The TCP/IPv4 protocol has been disabled so that the client being joined or the DC in the destination domain targeted by the LDAP BIND is running TCP/IPv6 only.
We are not using IPV6.
This server recently updated from Windows Server 2003 to Windows Server 2008 R2. Before upgrade, when Win7 and Win2008 join this domain, also have the same error message.
Please help to check this issue.
Thank you very much.
BR
Guo YingHuiHi Guo Ying,
I have faced this critical error which makes over-writes the host names in the domain when you join.
For example: Already you had a host name called as PC.domain.com in the domain.com Domain.
When you try to add the another host name called as PC in the domain.com Domain, it doesn't give you the duplicate name error on the network it does over-write the existing host name called as PC.domain.com & it will add the new host name into the domain.
Host name which got over-written will get removed from the domain. I faced this issue in my project. My DPM host name got removed from the Domain & new host name got joined into the domain which halted my backups for one day.
Final Resolution is as follows:
You need to start the dns console on the DC & drop down the domain name.
Select the _msdcs when you click on _msdcs it will show the Name Server's list on the right hand side.
You need to add the Domain Naming Master under the _msdcs or add all the domain controllers which you had.
After you add the Name server's try joining the PC OR Laptop to the domain which is successfully joins it.
Regards
Anand S
Thanks & Regards Anand Sunka MCSA+CCNA+MCTS -
Domain joined Windows 8.1 using OneDrive to sync passwords across devices
Background : Domain joined Windows 8.1 devices using OneDrive to sync settings across devices, including "Passwords" under Other Settings. Domain user accounts are NOT local administrators.
Issue : When one drive goes to sync Wireless network security settings (passphrases etc...), a User Account Control (UAC) dialogue pops up from "Program Name : Networks" to enter administrator credentials. Domain users do not have administrator access
to local computers by strict policy.
The only way identified so far to stop the dialogue pop-up is to disable the password sync by group policy. However, that turns off ALL password syncing, including passwords desired to be sync'd, that do not encounter this issue.
Can the UAC be suppressed? Is there a way to NOT sync the wireless password settings?
Welcome any thoughts, direction, assistance, etc... :) Thanks much and have a good day!Hi,
I searched around but haven't find one way to achieve this, thus I'm afraid that we're unable to prevent the specific network password setting. the syncing settings for all passwords are combined together.
To suppress UAC, we can turn off the UAC under control panel\User Account or via GP Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options ,but we don't recommend this.
Yolanda Zhu
TechNet Community Support -
Sideloading on domain joined Windows 8.1 Professional Update Tablets
Hi folks,
first, I want to apologize for my bad English. I'm out of practice since several years and Google Translator is not the best assistance.
We are developing a Windows 8 LOB App for our customer. This App shall only be available for the employees of this customer. Therefore, releasing the App in the Windows Store is not an option.
As far as I understand the announcements by Microsoft, it is now possible to sideload Windows Store Apps on devices where Windows 8.1 Pro Update is installed. The requirements are the app has to be signed, the group policy "Allow all trusted apps to install"
has to be enabled and the devices must be part of a domain. A sideloading key is not required anymore.
At the moment I try to sideload an app to an Windows 8.1 Pro lenovo tablet. The System is up to date and the device is part of an AD-Domain.
To sideload the app, I've done the following:
-> First I deleted the developer license from my testing device.
-> Then I've created a code signing certificate with mkcert and Pvk2Pfx according to.
-> Creating and signing the App package with Visual Studio 2013 worked without problems.
-> I activated the local GP "Allow all trusted apps to install" and installed the certificate under the local machine\Trusted Root Certification Authority certificate store.
But when I try to install the app with Add-AppPackage, the process abort with an error. The error message says, that a developer license or a sideloading key is required.
What do I wrong? Has someone managed to sideload an App to a domain joined Windows 8.1 Pro device and can give me some advice?
Many thanks in advance.
TobiasHello,
though, I have not updated this thread in the last days, I'm still not sure, whether sideloading keys are necessary to successfully sideload apps to domain joined Windows 8.1 Pro devices.
To make sure that I have got you right: Might someone confirm to me, that even for domain joined devices with Windows 8.1 Pro Update installed, sideloading keys are necessary, because these devices are only ready to, but not yet enabled for sideloading.
If no sideloading keys are necessary, is it required, for successful sideloading, that the devices are logged into the domain network and connected with the domain controller, for a successful deployment? My test device is domain joined but at the moment it
is not logged into that domain network.
Thanks.
Tobias
I'm unable to confirm myself, since I don't use Pro edition in my organisation (we use Enterprise edition because we purchased that in our agreement).
It might be possible, that the MSFT statements for Pro (does not require sideloading key), might only be functional when using the Volume Licensing channel product for Pro. i.e. maybe the OEM channel and Retail channel of Pro might not be enabled for sideloading?
It sounds like you are using an OEM or Retail channel Pro (i.e. that OS shipped on the Lenovo device).
This is my observation from your symptoms. I'm not sure how to validate that, without trying each case.
It may be necessary to raise a support call with MSFT to validate that.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
i know that using sideloading keys are required in all scenario's whenever i want to deploy modernUI apps to windows 8.1 devices. Using a domain joined enterprise Windows 8.1 device it should be required as i've heard. However, i'm looking for the exact
technical requirements to be able to deploy a modernUI app through the company portal from Intune. So far i know the following requirements:
device must be domain joined enterprise version OR use sideloading keys;
the device must be joined to the domain that is dirsynced with the Intune subscription;
AllowAllTrustedApps reg key must be set to 1 OR configure the corresponding GPO;
a Microsoft account is required to access the Windows Store;
a Windows Intune subscription user account is required to enroll the device into Windows Intune;
the modernUI (demo) app must be visible in the company portal;
app must be signed and the device must trust the corresponding cert OR use a developer sideloading key: Show-WindowsDeveloperLicenseRegistration;
does someone have a good overview of all requirements in relation to deploying modernUI apps?
I find it very confusing when to determine which requirements apply. thanks in advance!i know that using sideloading keys are required in all scenario's whenever i want to deploy modernUI apps to windows 8.1 devices. Using a domain joined enterprise Windows 8.1 device it should be required as i've heard. However, i'm looking for the exact
technical requirements to be able to deploy a modernUI app through the company portal from Intune. So far i know the following requirements:
device must be domain joined enterprise version OR use sideloading keys;
the device must be joined to the domain that is dirsynced with the Intune subscription;
AllowAllTrustedApps reg key must be set to 1 OR configure the corresponding GPO;
a Microsoft account is required to access the Windows Store;
a Windows Intune subscription user account is required to enroll the device into Windows Intune;
the modernUI (demo) app must be visible in the company portal;
app must be signed and the device must trust the corresponding cert OR use a developer sideloading key: Show-WindowsDeveloperLicenseRegistration;
does someone have a good overview of all requirements in relation to deploying modernUI apps?
I find it very confusing when to determine which requirements apply. thanks in advance!
If you have a domain joined Windows 8.x Enterprise workstation, you do not need the sideloading keys. You only need sideloading keys for Windows 8 Pro, RT etc.
It will install as long as:
Domain joined
AllowAllTrustedApps - GPO or Local Policy enabled
Signed by a trusted certificate -
Autologon fails after MDT domain join.
I have a Post OS Installation Task setup that I've added the
Recover form Domain step to. I use this TS just to join the PC to our domain. When I run the TS the PC does join our domain correctly but after the reboot it tells me that the username or password is incorrect. I'm presented
with a logon prompt and the username is set to ".\Administrator". I simply type in our default local admin password (not changing the username) and the PC logs in and the TS finishes successfully. What has me confused is I've checked the unattend.xml
file and the username and password is correct, although the username is entered as just "Administrator". I'm pretty sure that the ".\" just refers to the local computer instead of a domain so I don't see what the problem is. Any suggestions
on this one?'Define Target Computer
strComputer = "."
'Set object values
Set oArguments = WScript.Arguments.Named
Set oShell = CreateObject("WScript.Shell")
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\CIMV2")
'Define ASCII Characters
chrSpace = Chr(32)
chrSingleQuote = Chr(39)
chrDoubleQuote = Chr(34)
'Show Script Usage
If (oArguments.Exists("?")) And (WScript.Arguments.Count = "1") Then
WScript.Echo(WScript.ScriptName & chrSpace & "Usage:" & _
vbCrLf & vbCrLf & _
"Script Interpreter: [cscript.exe] or [wscript.exe]" & _
vbCrLf & vbCrLf & _
"Script Location:" & chrSpace & chrDoubleQuote & Replace(oShell.CurrentDirectory & "\" & WScript.ScriptName, "\\", "\") & chrDoubleQuote & _
vbCrLf & vbCrLf & _
"Optional Arguments:" & _
vbCrLf & vbCrLf & _
"[/JoinDomain]" & chrSpace & "And" & chrSpace & "[/Domain:" & chrDoubleQuote & "MyDomain.com" & chrDoubleQuote & "]" & _
vbCrLf & vbCrLf & _
"[/JoinWorkgroup]" & chrSpace & "And" & chrSpace & "[/WorkGroup:" & chrDoubleQuote & "MyWorkGroup" & chrDoubleQuote & "]" & _
vbCrLf & vbCrLf & _
"[/Rename]" & chrSpace & "And" & chrSpace & "[/Name:" & chrDoubleQuote & "MyDeviceName" & chrDoubleQuote & "]" & _
vbCrLf & vbCrLf & _
"[/SvcAcctDmn:" & chrDoubleQuote & "MyDomain" & chrDoubleQuote & "]" & _
vbCrLf & vbCrLf & _
"[/SvcAcct:" & chrDoubleQuote & "MyDomain\MySvcAcct" & chrDoubleQuote & "]" & _
vbCrLf & vbCrLf & _
"[/SvcAcctPw:" & chrDoubleQuote & "MySvcAcctPw" & chrDoubleQuote & "]" & _
vbCrLf & vbCrLf & _
"[/UnjoinDomain]" & _
vbCrLf & vbCrLf & _
"[/Restart]")
WScript.Quit
End If
'Define Required Arguments
argDomain = Trim(UCase(oArguments.Item("Domain")))
argWorkGroup = Trim(UCase(oArguments.Item("Workgroup")))
argSvcAcct = Trim(UCase(oArguments.Item("SvcAcct")))
argSvcAcctDmn = Trim(UCase(oArguments.Item("SvcAcctDmn")))
argSvcAcctPw = oArguments.Item("SvcAcctPw")
'Define Optional Arguments
If (oArguments.Exists("Name")) Then
argName = Left(oArguments.Item("Name"), 15)
argName = Trim(UCase(argName))
End If
'Define Variables
'Amount of seconds to wait "Change the first number only as WScript.Sleep method expects the value in milliseconds."
intSeconds = Int(15 * 1000)
'Gather Information From WMI
'Query #1 - Win32_BIOS
Set oBIOS = oWMI.ExecQuery("Select * From Win32_BIOS")
If (oBIOS.Count > 0) Then
For Each oItem In oBIOS
If Not IsNull(oItem.SerialNumber) Then
strSerialNumber = Left(oItem.SerialNumber, 15)
strSerialNumber = Trim(UCase(strSerialNumber))
End If
Next
End If
'Query #2 - Win32_OperatingSystem
Function RestartDevice
Set oWMI = GetObject("winmgmts:{(Shutdown)}//" & strComputer & "/root/cimv2")
Set oOperatingSystem = oWMI.ExecQuery("Select * From Win32_OperatingSystem")
If (oOperatingSystem.Count > 0) Then
For Each oItem In oOperatingSystem
If (oItem.Primary = True) Then
RestartDevice = oItem.Reboot()
End If
Next
End If
End Function
'Query #3 - Win32_ComputerSystem
Set oComputerSystem = oWMI.ExecQuery("Select * From Win32_ComputerSystem")
'Process the collection only if the query has results
If (oComputerSystem.Count > 0) Then
'Begin a for loop on the collection
For Each oItem In oComputerSystem
'Determine the value of the "DNSHostName" property
If Not IsNull(oItem.DNSHostName) And Not IsNull(oItem.Domain) Then
strDNSHostName = Trim(UCase(oItem.DNSHostName & "." & oItem.Domain))
End If
'Determine the value of the "Domain" property
If Not IsNull(oItem.Domain) Then
strDomain = Trim(UCase(oItem.Domain))
End If
'Determine the value of the "PartOfDomain" property
If Not IsNull(oItem.PartOfDomain) Then
strPartOfDomain = Trim(UCase(oItem.PartOfDomain))
End If
'Determine the value of the "Name" property
If Not IsNull(oItem.Name) Then
strComputerName = Trim(UCase(oItem.Name))
End If
'Determine the value of the "Username" property
If Not IsNull(oItem.UserName) Then
strDomainUserName = Trim(oItem.UserName)
If InStr(oItem.UserName, "\") > 0 Then
strUserName = Mid(oItem.UserName, InStr(oItem.UserName, "\") + 1)
strUserName = Trim(strUserName)
End If
End If
'Determine the value of the "Workgroup" property
If Not IsNull(oItem.Workgroup) And (oItem.PartOfDomain = False) Then
strWorkgroup = Trim(UCase(oItem.Workgroup))
End If
'Rename the device using the name specified in ArgName (Specified name will be truncated to 15 characters for computer name limit)
If (oArguments.Exists("Rename")) And (oArguments.Exists("Name")) And Not (ArgName = "") Then
RenameDevice = oItem.Rename(argName, argSvcAcct, argSvcAcctPw)
WScript.Sleep(intSeconds)
If (RenameDevice = "0") Then
WScript.Echo(chrDoubleQuote & strComputerName & chrDoubleQuote & chrSpace & "was successfully renamed to" & chrSpace & chrDoubleQuote & argName & chrDoubleQuote & "." & vbCrLf)
Else
WScript.Echo(chrDoubleQuote & strComputerName & chrDoubleQuote & chrSpace & "was not renamed successfully." & chrSpace & "(" & RenameDevice & ")" & "." & vbCrLf)
WScript.Quit(RenameDevice)
End If
'Rename the device using its serial number truncated to 15 characters for computer name limit
ElseIf (oArguments.Exists("Rename")) And Not (oArguments.Exists("Name")) Then
RenameDevice = oItem.Rename(strSerialNumber, argSvcAcct, argSvcAcctPw)
WScript.Sleep(intSeconds)
If (RenameDevice = "0") Then
WScript.Echo(chrDoubleQuote & strComputerName & chrDoubleQuote & chrSpace & "was successfully renamed to" & chrSpace & chrDoubleQuote & strSerialNumber & chrDoubleQuote & "." & vbCrLf)
Else
WScript.Echo(chrDoubleQuote & strComputerName & chrDoubleQuote & chrSpace & "was not renamed successfully." & chrSpace & "(" & RenameDevice & ")" & "." & vbCrLf)
WScript.Quit(RenameDevice)
End If
End If
'Remove device from the Domain
If (strPartOfDomain = "TRUE") And (oArguments.Exists("UnjoinDomain")) Then
UnjoinDomain = oItem.UnjoinDomainOrWorkgroup(argSvcAcctPw, argSvcAcct)
WScript.Sleep(intSeconds)
If (UnjoinDomain = "0") Then
WScript.Echo(chrDoubleQuote & strComputerName & chrDoubleQuote & chrSpace & "was successfully removed from the" & chrSpace & chrDoubleQuote & strDomain & chrDoubleQuote & chrSpace & "domain." & vbCrLf)
Else
WScript.Echo(chrDoubleQuote & strComputerName & chrDoubleQuote & chrSpace & "was unsuccessful" & chrSpace & "(" & UnjoinDomain & ")" & chrSpace & "in being removed from the" & chrSpace & chrDoubleQuote & strDomain & chrDoubleQuote & chrSpace & "domain." & vbCrLf)
WScript.Quit(UnjoinDomain)
End If
End If
'Join the specified Domain
If (strPartOfDomain = "FALSE") And (oArguments.Exists("JoinDomain")) And (oArguments.Exists("Domain")) And Not (argDomain = "") And Not (oArguments.Exists("JoinWorkGroup")) Then
Const Join_Domain = 1
Const Acct_Create = 2
Const Win9x_Upgrade = 16
Const Domain_Join_If_Joined = 32
Const Join_Unsecure = 64
Const Machine_Password_Passed = 128
Const Deferred_Spn_Set = 256
Const Install_Invocation = 262144
fJoinOptions = Join_Domain + Acct_Create
JoinDomain = oItem.JoinDomainOrWorkgroup(argDomain, argSvcAcctPw, argSvcAcct, Null, fJoinOptions)
WScript.Sleep(intSeconds)
If (JoinDomain = "0") Then
WScript.Echo(chrDoubleQuote & strComputerName & chrDoubleQuote & chrSpace & "was successful in joining the" & chrSpace & argDomain & chrSpace & "domain." & vbCrLf)
Else
WScript.Echo(chrDoubleQuote & strComputerName & chrDoubleQuote & chrSpace & "was unsuccessful" & chrSpace & "(" & JoinDomain & ")" & chrSpace & "in joining the" & chrSpace & chrDoubleQuote & argDomain & chrDoubleQuote & chrSpace & "domain." & vbCrLf)
WScript.Quit(JoinDomain)
End If
End If
'Join the specified Workgroup
If (strPartOfDomain = "FALSE") And (oArguments.Exists("JoinWorkGroup")) And (oArguments.Exists("WorkGroup")) And Not (argWorkGroup = "") And Not (oArguments.Exists("JoinDomain")) Then
JoinWorkGroup = oItem.JoinDomainOrWorkgroup(argWorkgroup, argSvcAcctPw, argSvcAcct, Null, 0)
WScript.Sleep(intSeconds)
If (JoinWorkGroup = "0") Then
WScript.Echo(chrDoubleQuote & strComputerName & chrDoubleQuote & chrSpace & "was successful in joining the" & chrSpace & argWorkgroup & chrSpace & "workgroup." & vbCrLf)
Else
WScript.Echo(chrDoubleQuote & strComputerName & chrDoubleQuote & chrSpace & "was unsuccessful" & chrSpace & "(" & JoinWorkgroup & ")" & chrSpace & "in joining the" & chrSpace & chrDoubleQuote & argWorkgroup & chrDoubleQuote & chrSpace & "workgroup." & vbCrLf)
WScript.Quit(JoinWorkGroup)
End If
End If
Next
End If
'Provide information about the device
If (oArguments.Exists("Info")) Then
If Not (strDNSHostName = "") Then
WScript.Echo("FDQN:" & chrSpace & strDNSHostName & vbCrLf)
End If
If Not (strDomain = "") Then
WScript.Echo("Domain:" & chrSpace & strDomain & vbCrLf)
End If
If Not (strPartOfDomain = "") Then
WScript.Echo("Currently joined to a domain:" & chrSpace & strPartOfDomain & vbCrLf)
End If
If Not (strComputerName = "") Then
WScript.Echo("Computer name:" & chrSpace & strComputerName & vbCrLf)
End If
If Not (strDomainUserName = "") Then
WScript.Echo("Current Username w/ Domain:" & chrSpace & strDOmainUserName & vbCrLf)
End If
If Not (strUserName = "") Then
WScript.Echo("Current Username w/o Domain:" & chrSpace & strUserName & vbCrLf)
End If
If Not (strWorkgroup = "") And (strPartOfDomain = "FALSE") Then
WScript.Echo("Workgroup:" & chrSpace & strWorkgroup & vbCrLf)
End If
End If
'Optionally Restart Device
If (oArguments.Exists("Restart")) Then
Call RestartDevice
End If
If you use this script at the end of your task sequence, it will complete the domain join. Working and tested successfully.
1. You need to remove Domain Information from Unattend.xml files for MDT so that it cannot write the variables to these sections and join the computer to the domain too early.
2. Create a Task Sequence Group
3. Create a "Run Command Line" Task Sequence Step
3a. Name the step as the following
Join "%OSDDomainName%" Domain as "%OSDJoinAccount%"
3b. Run the following command
cscript.exe "%SCRIPTROOT%\Custom-ZTIDomainJoin.vbs" /JoinDomain /Domain:"%OSDDomainName%"
/SvcAcct:"%OSDJoinAccount%" /SvcAcctPw:"%OSDJoinPassword%"
3c. Place the following conditions on it
If All Conditions Are True
Task Sequence Variable HostName equals %SerialNumber%
Task Sequence Variable IsVM equals False
This script can rename, join workgroup, join domain, unjoin domain, and restart the device all based on arguments
@Microsoft Import this into MDT somehow because the post DomainJoin functionality does not appear to work for my environment, but of course, this could be my environment, but hopefully this helps somebody! -
Windows 2012 R2 ADRMS domain controller version and Non-domain-joined Mac Client with outlook 2011
Hi,
What is the AD version for Windows 2012R2 ADRMS? Is it possible to have Windows 2003 R2 DC with Windows 2012R2 ADRMS?
Any installation guide Non-domain-joined Mac Client with outlook 2011?
What is the SQL version for Windows 2012R2 ADRMS?
Please advise. Thanks.
Kelvin TeangHi Kelvin -
There is no RMS Client for Macs. That functionality is actually provided through the Office for Mac application (this is different compared to the PC). Domain-joined clients will autodiscover the RMS server and should be able to create and consume
protected content. Non-domain-joined clients cannot automatically discover their RMS server. In this scenario, prepare a protected document or email from a domain-joined machine and send it to your non-domain-joined users. They will open
the document or email up and the URLs contained in the publishing license of the document will direct them to the correct RMS server.
I hope that helps!
Micah LaNasa
Synergy Advisors
synergyadvisors.biz -
Windows 7 domain joined getting Windows 10 upgrade!!
I was building a reference image the other day for Windows 7 (we still want to use Windows 7 for "legacy" P4 machines) and it had activated itself via our KMS server and for some reason it would still show the Windows 10 Upgrade notification even though the upgrade doesn't (apparently) support KMS so it does seem there are some glitches with the update.
Also, I could understand not using WSUS in that case if its only a small collection of computers and it seems they do most work inside the XenApp server which I would hope. Although, it does sound like you have a server over there so it might be worth implementing if you ever make the move to Windows 10 as they are creating some sort of new solution that I believe is called "Windows Update for Business."Hi,
We have several computers that are not using WSUS and are Domain Joined that are trying to upgrade to Windows 10 automatically. Luckily they are failing but it has downloaded Windows 10 into the $Windows.~BT folder.
I checked the GWX event logs and says they are Domain Joined and I know they are not suppose to get Windows 10.
I think it is to do with KB2952664 as the computers that got the Windows 10 upgrade seem to have not restarted since this re-released patch was out.
Has anyone else had this happen? I've tried search with no joy.
Even though it is failing to preform the Upgrade now we are worried that Microsoft will make a change or something will happen and the upgrade will complete...
Aaron
This topic first appeared in the Spiceworks Community -
Hello,
I want to sideload a Microsoft Store App to a Lenovo Thinkpad 2 device. The device has an OEM / retail version of Windows 8.1 Pro installed and is part of an active directory domain network.
With this preconditions and according to announcements by Microsoft, it seems to be possible since May 2014 to deploy Apps directly to these devices. Without the need to buy a sideloading key.
To check this, I have generated an code signing certificate with makecert/Pvk2Pfx and then I followed the instructions in this
blog article.
Everything went fine, only the actual deployment with add-appxPackage didn't work. The installation aborts with the error message, that a developer or sideloading license is required, as no license or sideloading policy can be applied.
Can anybody in this forum give me some advice to these questions:
1. Does the new sideload licensing model for May 2014 also applies to OEM/retail versions of Windows 8.1, or is is volume licensing required?
2. Has anybody managed to successfully sideload an App to a OEM / retail Windows 8.1 Pro device?
3. At the moment I don't have access to the domain network. I can login with a domain user locally but changes to the local group policies and to the local certificate stores can't be confirmed by the domain controller. I'm not an administrator, so might this
be a source of error?
Thanks
TobiasHello Tobias,
Please check if you can normally sideload Windows Store App in other domain-joined OEM computer.
About the OEM issue, it is recommended to contact the manufacturer.
Best regards,
Fangzhou CHEN
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Maybe you are looking for
-
Ways to trigger a BPEL process
Hi, How many ways we can trigger a BPEL Process in 11g? Thanks, kpr Edited by: 975937 on Mar 11, 2013 10:26 AM
-
how do I cancel an active ITunes Match account in order to change the country of my ITunes store? My phone thinks I am in the India store, even though I have always been based in U.S. I cannot update apps on Iphone until I change the store. The Iphon
-
Problem transferin​g from Z30 to Outlook
I set up a new computer and synced my Z30 to it. only 10 of my contacts moved to my outlook contacts. I set the sync settings to solve conflicts by device and notifcation (several attempts), but when i have the notification on it tells me 72 conflict
-
Does Photoshop CS6 support Nikon D810 raw files?
Does Photoshop CS6 support Nikon D810 raw files? Photoshop won't allow me to open the raw files and Bridge won't display the files either. I tried to download the camera raw plug-in 8.6 but read somewhere that Photoshop CS6 doesn't support it? HELP!!
-
Can I delete Quiz Results slide in CP7?
Hi I am using CP 7.0.1.237. I have read that this cannot be done in CP6. Is there a way to delete the Quiz Results slide in CP7 atleast? I know I can hide it. But I prefer deleting. Sreekanth