Debugging Domain Join Issues with NetSetup.LOG

One log file details the entire process of joining the domain:  C:\Windows\debug\NetSetup.log.  Look for the section with today's date to watch the process from the beginning, or go to the bottom of the file to see the last attempt and why it failed.  If an attempt fails, Windows retries every five seconds, up to 80 times; as a result, your log may contain many duplicate failure messages.

A successful domain join displays the following message:

05/01/2012 09:28:01:740 NetpDoDomainJoin: status: 0x0

This line appears at the bottom of the last attempt, and denotes that the domain join process succeeded.  Any return status other than 0x0 denotes a failure.  You may also see the following lines above it, which also show success:

05/01/2012 09:28:01:740 NetpCompleteOfflineDomainJoin: status: 0x0
05/01/2012 09:28:01:740 NetpJoinDomain: NetpCompleteOfflineDomainJoin SUCCESS: Requested a reboot :0x0

Failure, again, is a non-zero return code:

01/20/2012 10:53:01:232 NetpDoDomainJoin: status: 0x2

One of the most common failures is an error attempting to connect to the IPC$ share on the domain controller.  It will look like this:

05/02/2012 23:14:21:057 NetUseAdd to \\\IPC$ returned XXXX

Get the returned message (XXXX) and run net helpmsg XXXX from a command prompt to see the specific error.  The following are common domain join errors and solutions to those errors.

Failure 1326

05/02/2012 23:07:31:696 NetUseAdd to \\\IPC$ returned 1326
05/02/2012 23:07:31:696 NetpJoinDomain: status of connecting to dc '\\': 0x52e
05/02/2012 23:07:31:696 NetpJoinDomainOnDs: Function exits with status of: 0x52e
05/02/2012 23:07:31:696 NetpDoDomainJoin: status: 0x52e

Failure 1326 is a straightforward password error, “Logon failure: unknown user name or bad password.”  Double-check the username and password in your unattend.xml file.

Failure 1909

05/02/2012 23:14:21:057 NetUseAdd to \\\IPC$ returned 1909
05/02/2012 23:14:21:057 NetpJoinDomain: status of connecting to dc '\\': 0x775
05/02/2012 23:14:21:057 NetpJoinDomainOnDs: Function exits with status of: 0x775
05/02/2012 23:14:21:057 NetpDoDomainJoin: status: 0x775

A 1909 error means “The referenced account is currently locked out and may not be logged on to.”  Go to your Active Directory and unlock the account.  You should also determine how the account got locked.  Often the account becomes locked because the unattend.xml has an incorrect password.  Attempting to join a domain retries dozens of times. If the password is incorrect, you might get three password failures and dozens of “account locked” failures.

Bad OU specified

01/20/2012 10:53:01:232 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x2
01/20/2012 10:53:01:232 NetpProvisionComputerAccount: LDAP creation failed: 0x2
01/20/2012 10:53:01:232 NetpProvisionComputerAccount: Cannot retry downlevel, specifying OU is not supported
01/20/2012 10:53:01:232 ldap_unbind status: 0x0
01/20/2012 10:53:01:232 NetpJoinDomainOnDs: Function exits with status of: 0x2
01/20/2012 10:53:01:232 NetpJoinDomainOnDs: status of disconnecting from '\\': 0x0
01/20/2012 10:53:01:232 NetpDoDomainJoin: status: 0x2

The message “Cannot retry downlevel, specifying OU is not supported” means that the specified OU is invalid.  This error could indicate that the OU does not exist within the AD, or that you are attempting to specify the default Computers container.  Windows requires that the default OU be left unspecified, so if you want to put new desktops into the default Computers OU, you must delete the <MachineObjectOU> line entirely.  Look further up the log file for what the specified OU is:

01/20/2012 10:53:01:123    lpMachineAccountOU: OU=Computers,OU=VDI,DC=company,DC=local

Verify the existence of the specified OU and confirm that it is not the top-level Computers container.

Bad domain specified

If the domain name itself is invalid, a domain join makes no entries to NetSetup.log and does not create a log file.  In this situation, look in C:\Windows\Panther\UnattendGC\setupact.log for lines like this:

2012-07-13 16:11:15, Warning    [DJOIN.EXE] Unattended Join: DsGetDcName failed: 0x54b, last error is 0x0, will retry in 5 seconds…

The error text for 0x54b (1355) is “The specified domain either does not exist or could not be contacted.”  You can look further up in the setupact.log to see exactly what domain you were trying to join.  Note that this is an error with the “JoinDomain” tag, not the credentials.
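The bad-OU and bad-domain cases above both come from the answer file, so they can be caught before the image is deployed. The script below is an added example, not code from the original post: it parses the Microsoft-Windows-UnattendedJoin component of an unattend.xml (the element names JoinDomain, Credentials and MachineObjectOU are the real schema), flags a MachineObjectOU that names the default Computers container or a missing JoinDomain or credential, and applies the post's fix of deleting the element entirely. The sample document, domain name, account name and password placeholder are constructed.

```python
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"
ET.register_namespace("", NS)  # keep the default namespace on re-serialisation

# Constructed sample answer file. The MachineObjectOU line is the mistake the
# post describes: it points at the default Computers container.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <Identification>
        <Credentials>
          <Domain>company.local</Domain>
          <Username>joinaccount</Username>
          <Password>PLACEHOLDER-PASSWORD</Password>
        </Credentials>
        <JoinDomain>company.local</JoinDomain>
        <MachineObjectOU>CN=Computers,DC=company,DC=local</MachineObjectOU>
      </Identification>
    </component>
  </settings>
</unattend>
"""

NO_IDENTIFICATION = "no Microsoft-Windows-UnattendedJoin/Identification element found"
DEFAULT_OU = "MachineObjectOU names the default Computers container: delete the element"


def _q(*names):
    """Build a namespace-qualified ElementTree path from bare element names."""
    return "/".join("{%s}%s" % (NS, n) for n in names)


def _is_default_container(ou_text):
    """True when the first RDN of the DN is CN=Computers (the default container)."""
    return (ou_text or "").split(",", 1)[0].strip().lower() == "cn=computers"


def check_join_settings(xml_text):
    """Return a list of problems found in the UnattendedJoin block (empty list = looks fine)."""
    root = ET.fromstring(xml_text)
    ident = root.find(".//%s[@name='Microsoft-Windows-UnattendedJoin']/%s"
                      % (_q("component"), _q("Identification")))
    if ident is None:
        return [NO_IDENTIFICATION]

    def value(*names):
        el = ident.find(_q(*names))
        return None if el is None else (el.text or "").strip()

    problems = []
    if not value("JoinDomain"):
        problems.append("JoinDomain missing or empty: setup cannot locate a domain controller")
    for field in ("Domain", "Username", "Password"):
        if not value("Credentials", field):
            problems.append("Credentials/%s missing or empty: the join cannot authenticate" % field)
    ou = value("MachineObjectOU")
    if ou is not None:
        if _is_default_container(ou):
            problems.append(DEFAULT_OU)
        elif not ou.lower().startswith("ou="):
            problems.append("MachineObjectOU does not start with an OU= component: %s" % ou)
    return problems


def drop_default_ou(xml_text):
    """Return the document with any MachineObjectOU naming the default container removed.
    This is the post's fix: leave the element out so Windows uses the default container."""
    root = ET.fromstring(xml_text)
    for ident in root.iter("{%s}Identification" % NS):
        ou = ident.find("{%s}MachineObjectOU" % NS)
        if ou is not None and _is_default_container(ou.text):
            ident.remove(ou)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", check_join_settings(SAMPLE_UNATTEND))
    print("after: ", check_join_settings(drop_default_ou(SAMPLE_UNATTEND)))
```

Run it against a real answer file by replacing SAMPLE_UNATTEND with the file's contents; the check only reads the specialize-pass UnattendedJoin component and ignores everything else in the file.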

Insufficient user rights

07/17/2012 13:26:47:524 NetpMapGetLdapExtendedError: Parsed [0x5] from server extended error string: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
07/17/2012 13:26:47:524 NetpModifyComputerObjectInDs: ldap_add_s failed: 0x32 0x5
07/17/2012 13:26:47:524 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x5
07/17/2012 13:26:47:524 NetpProvisionComputerAccount: LDAP creation failed: 0x5 …
07/17/2012 13:26:47:539 NetpDoDomainJoin: status: 0x5

The user account you specify must have rights to add machine accounts to the domain in the specified OU. This error appears when you have a valid account with insufficient privileges. Either try a different account or adjust the account privileges in the domain.
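Because a failed join is retried dozens of times, the useful information is the last attempt and its final NetpDoDomainJoin status. The script below is an added example, not code from the original post: it slices out the last attempt from NetSetup.log, reports the hex status as the decimal code that `net helpmsg` expects, the NetUseAdd return value and the requested OU, and falls back to the DsGetDcName errors in setupact.log for the bad-domain case where NetSetup.log is never written. On Windows it calls `net helpmsg` for the message text; elsewhere it uses a table limited to the codes this post documents. The sample log lines, DC name and OU are constructed.

```python
import re
import subprocess
import sys

# Error codes the post documents (decimal Win32 codes). Used when `net helpmsg`
# is not available so the example runs on any host.
KNOWN_ERRORS = {
    0: "success",
    2: "bad OU: it does not exist, or it names the default Computers container",
    5: "access denied: the join account cannot create computer objects in that OU",
    1326: "Logon failure: unknown user name or bad password",
    1355: "The specified domain either does not exist or could not be contacted",
    1909: "The referenced account is currently locked out and may not be logged on to",
}

ATTEMPT_END = re.compile(r"NetpDoDomainJoin: status: 0x([0-9A-Fa-f]+)")
NETUSE_ADD = re.compile(r"NetUseAdd to \S+ returned (\d+)")
MACHINE_OU = re.compile(r"lpMachineAccountOU:\s*(\S+)")
DSGETDCNAME = re.compile(r"DsGetDcName failed: 0x([0-9A-Fa-f]+)")


def describe(code):
    """Text for a Win32 error code: `net helpmsg` on Windows, the table above elsewhere."""
    if sys.platform == "win32":
        try:
            out = subprocess.run(["net", "helpmsg", str(code)],
                                 capture_output=True, text=True, timeout=10)
            if out.stdout.strip():
                return out.stdout.strip()
        except (OSError, subprocess.SubprocessError):
            pass
    return KNOWN_ERRORS.get(code, "unknown code %d (run: net helpmsg %d)" % (code, code))


def triage_netsetup(log_text):
    """Summarise the LAST join attempt in NetSetup.log.
    Returns None if no attempt completed, otherwise a dict with the final status in
    decimal, the NetUseAdd return code, the requested OU, the attempt count and the text."""
    ends = list(ATTEMPT_END.finditer(log_text))
    if not ends:
        return None
    last = ends[-1]
    start = ends[-2].end() if len(ends) > 1 else 0  # slice out the last attempt only
    attempt = log_text[start:last.end()]
    netuse = NETUSE_ADD.search(attempt)
    ou = MACHINE_OU.search(attempt)
    status = int(last.group(1), 16)
    return {
        "status": status,
        "netuse": int(netuse.group(1)) if netuse else None,
        "ou": ou.group(1) if ou else None,
        "attempts": len(ends),
        "meaning": describe(status),
    }


def triage_setupact(log_text):
    """Fallback when NetSetup.log was never written: the last DsGetDcName failure in setupact.log."""
    codes = DSGETDCNAME.findall(log_text)
    if not codes:
        return None
    code = int(codes[-1], 16)
    return {"status": code, "retries": len(codes), "meaning": describe(code)}


# Constructed sample logs in the format the post shows: a lockout on the first
# attempt, then a bad-OU failure on the second.
SAMPLE_NETSETUP = r"""
05/02/2012 23:07:31:696 lpMachineAccountOU: OU=Workstations,DC=example,DC=test
05/02/2012 23:07:31:696 NetUseAdd to \\DC01.example.test\IPC$ returned 1909
05/02/2012 23:07:31:696 NetpJoinDomain: status of connecting to dc '\\DC01.example.test': 0x775
05/02/2012 23:07:31:696 NetpDoDomainJoin: status: 0x775
05/02/2012 23:07:36:700 lpMachineAccountOU: OU=Computers,OU=VDI,DC=example,DC=test
05/02/2012 23:07:36:700 NetUseAdd to \\DC01.example.test\IPC$ returned 0
05/02/2012 23:07:36:700 NetpProvisionComputerAccount: Cannot retry downlevel, specifying OU is not supported
05/02/2012 23:07:36:700 NetpDoDomainJoin: status: 0x2
"""
SAMPLE_SETUPACT = """
2012-07-13 16:11:15, Warning    [DJOIN.EXE] Unattended Join: DsGetDcName failed: 0x54b, last error is 0x0, will retry in 5 seconds...
2012-07-13 16:11:20, Warning    [DJOIN.EXE] Unattended Join: DsGetDcName failed: 0x54b, last error is 0x0, will retry in 5 seconds...
"""

if __name__ == "__main__":
    import pathlib
    # Read the real files from the paths the post names; use the samples if absent.
    netsetup = pathlib.Path(r"C:\Windows\debug\NetSetup.log")
    text = netsetup.read_text(errors="replace") if netsetup.exists() else SAMPLE_NETSETUP
    print("NetSetup.log:", triage_netsetup(text))
    setupact = pathlib.Path(r"C:\Windows\Panther\UnattendGC\setupact.log")
    text = setupact.read_text(errors="replace") if setupact.exists() else SAMPLE_SETUPACT
    print("setupact.log:", triage_setupact(text))
```

The attempt boundary is the NetpDoDomainJoin status line, which closes every attempt whether it succeeded or not, so the "attempts" count also tells you how far through the retry loop the machine got before the log was collected.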