fj40ratt, posted December 21, 2020:
Good morning SCCM brains. Here is one that has me about ready to trade mine in for a beer. Last week our AD admin changed the password for the account that does our AD joins during task sequence image deployments. I have entered the new password in the TS, verified its access to the OU in AD successfully, and can use the new password to manually join a device to the domain without issue. Unfortunately, when the TS now runs, the device fails to join the domain. I've looked in the netsetup.log, setuperr.log and setupact.log to verify the correct account is present, which it is, but the error indicates it is still a bad username or password. I had our AD admin change the password back to the original password in AD, and imaging works perfectly with the device joining the domain as expected. Is there somewhere else in SCCM I should be looking for that password to be changed? Thanks in advance.
anyweb, posted December 21, 2020:
The username and password are defined in the Configure Network Step, where you should have defined the domain\username in the "Specify the account that has permission to join the domain" section. You can click on Set and test the username and password in there. Did you try that? Have you double checked that you don't have more than that step in the task sequence, or that you are indeed editing the correct task sequence?
fj40ratt, posted December 21, 2020:
Always appreciate your advice Niall. I have. I'm actually using it in the Apply Network Settings task. I don't have a Join Domain section in the TS anywhere. Another test I just ran is I added an additional character to the original password to create a new password of 9 characters. The old password that worked prior was only 8 characters. I then changed the pwd in the TS to the new 9 character pwd and it still works as intended. When my AD admin changed the password earlier on the domain join account, he changed it to a 20 character password, and that is when the TS would fail to join the device to the domain. Is there a password length restriction that anyone is aware of?
anyweb, posted December 21, 2020:
Not that I'm aware of. What version of ConfigMgr are you using, and is it MDT integrated?
fj40ratt, posted December 21, 2020:
Version 2002
Console Version: 5.2002.1083.2000
Site Version: 5.0.8968.1000
pzov, posted December 22, 2020:
I have experienced this when the password used for the domain join had a special character that it did not like (I do not recall the offending character), but try configuring a basic password with no special characters, just to rule that out.
fj40ratt, posted December 22, 2020:
Thanks pzov, appreciate the input. I've run up against that type of issue with other systems in the past as well. I believe this is the first time I've attempted that complex of a password with SCCM. You would like to believe that Microsoft would make sure their complexity requirements were standard across the company. If Active Directory accepts that long of a password from a user, their own systems should allow it when they talk to each other. lol. I will test with a long password avoiding any special characters and update here with the results.
fj40ratt, posted December 24, 2020:
Update: A 15 character pwd with nothing but upper and lowercase letters and numbers caused the device to not join the domain. Also double checked to make sure the password was meeting the domain complexity requirements and it is. This one is really odd.
anyweb, posted December 24, 2020:
I'll see if I can replicate this in my lab. Was ConfigMgr integrated with MDT or not, and if so, which version?
fj40ratt, posted December 29, 2020:
It was not integrated. Thanks Niall. Good luck. I'm trying to do more testing this week myself.
anyweb, posted December 29, 2020:
How many characters do you have in the computer name? Can you share the smsts.log with me?
fj40ratt, posted December 31, 2020:
The computer name has 8 characters. I won't be able to get a smsts.log file to you until Monday. I have people imaging this week so I can't test a password change until they are finished.
anyweb, posted December 31, 2020:
OK, thanks. Are there any odd ASCII characters in that password? Can you please share a screenshot of your join domain step? I've contacted Microsoft PG and they don't believe there are any restrictions on password length; the join domain step should even accept 500 characters... I definitely need the log file from a failing domain join to get more understanding of this.
fj40ratt, posted January 4:
Will try to get that info to you sometime today or tomorrow. Attempting another password change today.
fj40ratt, posted January 5:
Update: New 15 character password that utilized all 4 of the complexity rules in AD worked successfully. The previous attempts that were failing were only matching 3 of the 4 requirements, which should have still worked since the password rule states you must have at least 3 of the 4. Really odd. Thanks for the input and willingness to help test, everyone.
fj40ratt, posted January 13:
Jumped the gun. The new password works for one of my task sequences but not for any of my other TS's including any new from scratch TS's. This is crazy.
anyweb, posted January 13:
Are you copy/pasting the step? If so, the password has to be re-entered...
fj40ratt, posted January 14:
I've tried both creating a TS from scratch and copying from another TS. Neither has been successful. I even tried just making it a simple 8 character password containing nothing but letters with no luck. Crazy thing is that when I verify the account and password connection to the OU within the TS it verifies just fine and that same account and password will manually join a device to the domain successfully. Might be time to get Microsoft involved.
anyweb, posted January 14:
Zip up the logs please, and include the netsetup.log from %windir%\debug.