AD Join Not Functioning (Code 87)

  • Moderator

    Fog Client 0.11.5
    Fog Server 1.3.0-RC-8
    Client OS - Windows 10 (including anniversary update)

    Hostname successfully changes but domain join shows error code 87 (The parameter is incorrect).

    I have checked the domain - manual joins function.
    Checked time and timezone - all OK
    Reimaged and tried again to make sure there was no problem there.
    Tried multiple usernames and passwords - Domain admin and specifically created user for fog.

  • @VincentJ I can assure you that the fog client can join a host if there is not a pre-existing object. I do it all the time, other techs at work do it all the time.

    I would suspect the Administrators group is somehow limited in what it can do regarding joining hosts. This could be an obscure permission that was set previously somewhere.

    I think Google would be a good place to start researching. I guess it could be OU delegation issues, too. Or maybe even remote domain trust issues.

  • Moderator

    Strange update…

    4 VMs that I’ve been playing with.

    Two of them got manually joined to the domain.

    I reimaged the VMs as I had been playing with the registry to no avail… and suddenly two were able to join to the domain via the client… I added computer objects for the last two in the AD and the remaining two joined also after a few minutes.

    Tested the dedicated FOG user as well… success at domain join.

    Seems the problem is resolved and another has poked its head up. The client does not seem to be able to join the domain without a pre-staged computer object, even when FOG has the domain administrator’s credentials to join the domain.

  • @VincentJ said in AD Join Not Functioning (Code 87):

    Do you have Windows 10 machines, with the anniversary update applied, running with successful domain joins? (Version 1607)

    We’ve been using the new fog client since Win7.

    We’ve used it for Win Vista, Win7, 8, 8.1, and Win10 Enterprise and Win10 LTSB. It works fine.

    A large portion of FOG’s community base uses the new client to join Windows to a domain; it’s probably the largest selling point of the fog client. It’s solid. 19 times out of 20, it’s a configuration issue - like how you’re configuring the settings. The other 1 out of 20 is Active Directory issues or DNS issues or image issues. I don’t have enough fingers and toes to count how many threads the forums have had about domain joining problems that were due to the above-mentioned issues.

    I have been looking at the domain join scripts. Do you use the netapi32.dll NetJoinDomain because the client is unable to run PowerShell commands?

    The client uses that because that’s how it’s done on Windows; this is how Windows does it when you join manually.

    Where is the host you’re trying to join? Is it on a different subnet? Can you just elaborate more about the setup, maybe something will stick out? Also - just experiment. Does domain joining not work in just one location? All locations? For a certain image? On a certain switch? On a certain subnet? On a certain version of Windows?

  • Senior Developer

    @VincentJ please check the Windows event log for the corresponding error.
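
Added example, not part of the thread or of FOG's own code: besides the event log, Windows traces each NetJoinDomain attempt in `%windir%\debug\NetSetup.LOG`, so the parameters that were passed and the failing status can be read back from there. The sample lines are constructed to resemble that log, and the function name `Get-JoinFailure` is hypothetical.

```powershell
# Constructed sample shaped like NetSetup.LOG entries (not taken from the thread).
$sample = @'
08/20/2016 10:12:01:120 NetpDoDomainJoin
08/20/2016 10:12:01:125 NetpJoinDomain
08/20/2016 10:12:01:125 	Machine: PC01
08/20/2016 10:12:01:125 	Domain: domain.lan
08/20/2016 10:12:01:125 	MachineAccountOU: (NULL)
08/20/2016 10:12:01:125 	Account: domain.lan\fogad
08/20/2016 10:12:01:125 	Options: 0x3
08/20/2016 10:12:01:150 NetpDoDomainJoin: status: 0x57
'@ -split "`r?`n"

function Get-JoinFailure {
    param([string[]]$Lines)
    $attempt = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\S+ \S+\s+NetpJoinDomain\s*$') {
            $attempt = [ordered]@{}          # a new join attempt starts here
        }
        elseif ($line -match '^\S+ \S+\s+(Machine|Domain|MachineAccountOU|Account|Options):\s*(.*)$') {
            # Remember each parameter exactly as it was handed to the join call
            $attempt[$Matches[1]] = $Matches[2].Trim()
        }
        elseif ($line -match '^(\S+ \S+)\s+(\w+): status[^:]*: (0x[0-9a-fA-F]+)\s*$') {
            $code = [Convert]::ToInt32($Matches[3], 16)
            if ($code -ne 0) {
                # Non-zero status: report it with the Win32 message text (0x57 = 87)
                [pscustomobject]@{
                    Time     = $Matches[1]
                    Function = $Matches[2]
                    Code     = $code
                    Message  = [ComponentModel.Win32Exception]::new($code).Message
                    Passed   = ($attempt.GetEnumerator() |
                                ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
                }
            }
        }
    }
}

Get-JoinFailure -Lines $sample | Format-List
# On a client: Get-JoinFailure -Lines (Get-Content "$env:windir\debug\NetSetup.LOG")
```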

  • Moderator

    Just installed a fresh Windows 10 Professional and it also has error 87.

    Can I make the client output everything it’s trying to execute?

  • Moderator

    Indeed, I only reimaged once so I could exclude any errors on the first one.

    Same issue with the administrator account and password.

    Do you have Windows 10 machines, with the anniversary update applied, running with successful domain joins? (Version 1607)

    I have been looking at the domain join scripts. Do you use the netapi32.dll NetJoinDomain because the client is unable to run PowerShell commands?

  • @VincentJ Use the administrator account - at least temporarily for troubleshooting. Are you imaging for every try? If so, that’s not necessary. Just sit a computer down and start trying different things. Restart the FOGService on the computer after each change to speed things along. Check the log moments after each restart.

    Also - make sure the computer isn’t already joined to the domain - that would throw errors too.

  • Moderator

    I deliberately changed the password to be wrong… and I get a different error telling me the username / password is wrong.

    I know the username and password are correct, and the domain is correct because I’m looking at it in AD Users and Computers and Group Policy and in the fog GUI.

    No OU set.

  • Moderator

    Set a specific user ‘fogad’ as a domain admin
    Tested a manual domain join on a different VM, imaged from the same master as this one.

    Reset the info in the AD section of that host and first typed the password into Notepad to confirm it’s the same as it should be.

    I don’t see anywhere I could be getting it wrong.

    Even double-checked the client can ping domain.lan

    @VincentJ Domain joining errors are super-literal. It says the parameter is incorrect, it means one of the parameters is incorrect.

    Leave OU blank for testing purposes. Put in just a username - no slashes or anything. Just a clear-text pass in the NOT legacy field, and put the FQDN in the domain name part.

    Also - the account you’re using needs to have both disable privileges on the computer objects, and domain joining privileges. If the host’s name changes and an old object is tied to the computer’s identifier, that old object is disabled by the client, and a new object made with the correct name.

  • Moderator

    I specifically set this host’s AD settings. Have not set the default ones yet.

    I have also tried the cleartext password (thank you for adding that) as well as the old encrypted one in the other box.

  • Senior Developer

    The AD Pass was set to clear text password and updated for all hosts using the new client?
