UnattendJoin using Windows 7 sysprep and unattend xml file

Hi,

I have created a custom Windows 7 image and I am now trying to configure the unattendjoin component of my unattend file to make the computer join our domain as part of the sysprep process.

I have this working partially. Using the following entries I can get the PC to join the Domain but when I try to log on as Domain admins to the recently sysprep'd machine I am given some sort of error which is associated with there being no machine account in Active Directory.

Why if the unattend file is joining the machine to the domain is it not creating a machine account in AD?

Is there an option to get the PC to prompt you as part of the setup to put the machine on the Domain just like sysprep worked in Windows XP?

Furthermore there appear to be two options for joining the machine to the domain, secure and unsecure. I am led to believe that if you leave unsecure as false then you must enter domain name, username and password credentials for joining the PC to the Domain under the credentials field. (This is the option that I have been using that results in the PC appearing as if it is on the Domain but has no machine account associated in AD, and yes the credentials I am using are domain admins!)

If setting unsecurejoin to true apparently you leave all fields under credentials blank but instead enter the relevant details under the Identifications field for Domain etc. There is also a field for Machine password. Can anything be typed in here???

UNSECUREJOIN FALSE EXAMPLE

<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Identification>
        <Credentials>
            <Domain>MYDomain</Domain>
            <Password>MyPassword</Password>
            <Username>Administrator</Username>
        </Credentials>
        <JoinDomain>MyDomain</JoinDomain>
    </Identification>
</component>

UNSECUREJOIN TRUE EXAMPLE

<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Identification>
        <Credentials>
            <Domain></Domain>
            <Password></Password>
            <Username></Username>
        </Credentials>
        <JoinDomain>MyDomain</JoinDomain>
        <MachineObjectOU></MachineObjectOU>
        <UnsecureJoin>true</UnsecureJoin>
    </Identification>
</component>

This option results in my pc being on the Workgroup whilst the first option results in my pc being on the domain but has no machine account in AD.

Has anyone managed to get this working?

I am working from a sysprepped image and using ghost to deploy.

Asked: Anne_Ward
1 Solution
 
footech Commented:
Can you post the actual error message you are seeing?

Are you sure the computer is actually joined to the domain?  If you log on locally, look at computer properties...

I tend to prefer using UnsecureJoin=true so I don't have to include credentials in any text file, but anyway...  If using this, the credentials section should not have empty elements, so delete it entirely.  Also delete the MachineObjectOU element unless you're filling it out.

Are you using the Windows AIK to create the answer file?

Also, in both cases, how are you going about naming the computer?  This has to be set in the answer file for the domain join to succeed.

There is no way to prompt you to join the domain.
 
Anne_Ward (Author) Commented:
Hi Footech:

The error is:

The trust relationship between this workstation and the primary domain failed.

I have already double checked under the properties and the PC has a fqdn PC3600.local.mydomain.co.uk.

Also I did not realise that you have to remove the machine password and credentials if not using, which is good; however, I do have sysprep prompting for the PC name as we have no way of automating the PC names because they are the same as the asset tag we put on them.

Does this then mean that the only way to get the PC to join the Domain, in my case, with the correct PC name is to do it manually?

Thanks
 
footech Commented:
Correct.  The domain join process happens in phase 4 (specialize).  If you don't supply a computer name until the prompt, this is happening in stage 7 (OOBE).  Frankly I'm surprised that it's being joined to the domain at all, as I've never heard of this succeeding unless the computer name is specified in the answer file as well (either specifically or with *).

I suppose you could use a random name to do the join and then change it manually afterwards to match the asset tag, but it doesn't save you much work, if any.
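The points footech raises in this thread (credentials kept out of the answer file, no empty Credentials or MachineObjectOU elements, computer name set in the answer file for the specialize pass), written as a small answer-file audit. This is an added example, not code from the thread: the function name `audit_join`, the finding codes and the sample file are constructed, and it assumes the standard `urn:schemas-microsoft-com:unattend` namespace with both components in the specialize pass.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Constructed sample modelled on the question's second fragment (not a real file).
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64">
      <Identification>
        <Credentials><Domain></Domain><Password></Password><Username></Username></Credentials>
        <JoinDomain>MyDomain</JoinDomain>
        <MachineObjectOU></MachineObjectOU>
        <UnsecureJoin>true</UnsecureJoin>
      </Identification>
    </component>
  </settings>
</unattend>"""

def _text(parent, tag):
    """Stripped text of a child element, or None if the element is absent."""
    el = parent.find(f"u:{tag}", NS) if parent is not None else None
    return None if el is None else (el.text or "").strip()

def audit_join(xml_text):
    """Return (code, message) findings for the specialize-pass domain join."""
    root = ET.fromstring(xml_text)
    spec = "u:settings[@pass='specialize']/u:component[@name='Microsoft-Windows-%s']"
    ident = root.find(spec % "UnattendedJoin" + "/u:Identification", NS)
    shell = root.find(spec % "Shell-Setup", NS)
    if ident is None:
        return [("no-join", "no UnattendedJoin Identification in specialize pass")]
    out = []
    creds = ident.find("u:Credentials", NS)
    if creds is not None:
        if _text(creds, "Password"):
            out.append(("plaintext-password", "join password stored in the answer file"))
        elif not any((c.text or "").strip() for c in creds):
            out.append(("empty-credentials", "delete the empty Credentials section"))
    if _text(ident, "MachineObjectOU") == "":
        out.append(("empty-ou", "delete MachineObjectOU or fill it in"))
    if not _text(shell, "ComputerName"):
        out.append(("no-computer-name", "ComputerName not set in specialize pass"))
    return out

if __name__ == "__main__":
    for code, msg in audit_join(SAMPLE):
        print(f"{code}: {msg}")
```
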
