Device won't join the domain during OSD TS

[fj40ratt 0]

Good morning SCCM brains.  Here is one that has me about ready to trade mine in for a beer.  Last week our AD admin changed the password for the account that does our AD joins during task sequence image deployments.  I have entered the new password in the TS, verified it's access to the OU in AD successfully, and can use the new password to manually join a device to the domain without issue.  Unfortunately when the TS now runs the device fails to join the domain.  I've looked in the netsetup.log, setuperr.log and setupact.log to verify the correct account is present which it is but the error indicates it is still a bad username or password.  I had our AD admin change the password back to the original password in AD and imaging works perfectly with the device joining the domain as expected.  Is there somewhere else in SCCM I should be looking for that password to be changed?  Thanks in advance.

[anyweb 478]

The username and password is defined in the Configure Network Step, where you should have defined the domain\username in the Specify the account that has permission to join the domain section, you can click on set and test the username and password in there, did you try that ?

have you double check that you don't have more than that step in the task sequence ? or that you are indeed editing the correct task sequence ?

[fj40ratt 0]

Always appreciate your advice Niall.  I have.  I'm actually using it in the Apply Network Settings task.  I don't have a Join Domain section in the TS anywhere.  Another test I just ran is I added an additional character to the original password to create a new password of 9 characters.  Old password that worked prior was only 8 characters.  I then changed the pwd in the TS to the new 9 character pwd and it still works as intended.  When my AD admin changed the password earlier on the domain join account, he changed it to a 20 character password and that is the TS would fail to join the device to the domain.  Is there a password length restriction that anyone is aware of?

[anyweb 478]

not that i'm aware of, what version of ConfigMgr are you using and is it MDT integrated ?

[fj40ratt 0]

Version 2002

Console Version: 5.2002.1083.2000

Site Verison: 5.0.8968.1000

[pzov 0]

I have experienced this when the password used for the domain join had a special character that it did not like (I do not recall the offending character), but try configuring a basic password with no special characters, just to rule that out.

[fj40ratt 0]

Thanks pzov, appreciate the input.  I've run up against that type of issue with other systems in the past as well.  I believe this is the first time I've attempted that complex of a password with SCCM.  You would like to believe that Microsoft would make sure their complexity requirements were standard across the company.  If Active Directory accepts that long of a password from a user, their own systems should allow it when they talk to each other. lol  I will test with a long password avoiding any special characters and update here with the results.

[fj40ratt 0]

Update: A 15 character pwd with nothing but upper and lowercase letters and numbers caused the device to not join the domain.  Also double checked to make sure the password was meeting the domain complexity requirements and it is.  This one is really odd.

[anyweb 478]

i'll see if i can replicate this in my lab,

was ConfigMgr integrated with MDT or not and if so which version ?

[fj40ratt 0]

It was not integrated.  Thanks Niall.  Good luck.  I'm trying to do more testing this week myself.

[anyweb 478]

how many characters do you have in the computername ? can you share the smsts.log with me ?

[fj40ratt 0]

The computer name has 8 characters.  I won't be able to get a smsts.log file to you until Monday.  I have people imaging this week so I can't test a password change until they are finished.

[anyweb 478]

ok thanks

are there any odd ascii characters in that password ? can you please share a screenshot of your join domain step, i've contacted Microsoft PG and they don't believe there's any restrictions on password length, the join domain step should even accept 500 characters...

i definitely need the log file from a failing domain join to get more understanding of this

[fj40ratt 0]

Will try to get that info to you sometime today or tomorrow.  Attempting another password change today.

[fj40ratt 0]

Update: New 15 character password that utilized all 4 of the complexity rules in AD worked successfully.  The previous attempts that were failing were only matching 3 of the 4 requirements which should have still worked since the password rule states you must have at least 3 of the 4.  Really odd.  Thanks for the input and willingness to help test everyone.

[fj40ratt 0]

Jumped the gun.  The new password works for one of my task sequences but not for any of my other TS's including any new from scratch TS's.  This is crazy.

[anyweb 478]

are you copy/pasting the step ? if so the password has to be re-entered...

[fj40ratt 0]

I've tried both creating a TS from scratch and copying from another TS.  Neither has been successful.  I even tried just making it a simple 8 character password containing nothing but letters with no luck.  Crazy thing is that when I verify the account and password connection to the OU within the TS it verifies just fine and that same account and password will manually join a device to the domain successfully.  Might be time to get Microsoft involved.

[anyweb 478]

zip up the logs please and include the netsetup.log from %windir%\debug