AD Join Not Functioning (Code 87)

VincentJ

Set a specific user ‘fogad’ as a domain admin
Tested a manual domain join on a different VM, imaged from the same master as this one.

reset the info in the AD section of that host and first typed the password into notepad to confirm it’s the same as it should be.

I don’t see anywhere i could be getting it wrong.

Even double checked the client can ping domain.lan

VincentJ

I deliberately changed the password to be wrong… and i get a different error telling me the username / password is wrong.

I know the username and password are correct. and the domain is correct because i’m looking at it in AD Users and Computers and Group Policy and in the fog gui.

no OU set.

Wayne Workman

@VincentJ Use the administrator account - at least temporarily for troubleshooting. Are you imaging for every try? If so, that’s not necessary. Just sit a computer down and start trying different things. Restart the FOGService on the computer after each change to speed things along. Check the log moments after each restart.

Also - make sure the computer isn’t already joined to the domain - that would throw errors too.

VincentJ

Indeed, I only reimaged once so i could exclude any errors on the first one.

Same issue with the administrator account and password.

Do you have windows 10 machines, with the anniversary update applied, running with successful domain joins? (Version 1607)

I have been looking at the domain join scripts, do you use the netapi32.dll NetJoinDomain because the client is unable to run Powershell commands?

VincentJ

Just installed a fresh windows 10 professional and it also has error 87.

Can i make the client output everything it’s trying to execute?

Joe Schmitt

@VincentJ please check the windows event log for the corresponding error.

Wayne Workman

@VincentJ said in AD Join Not Functioning (Code 87):

Do you have windows 10 machines, with the anniversary update applied, running with successful domain joins? (Version 1607)

We’ve been using the new fog client since Win7.

We’ve used it for Win Vista, Win7, 8, 8.1, and Win10 Enterprise and Win10 LTSB. It works fine.

A large portion of FOG’s community base uses the new client to join Windows to a domain, it’s probably the largest selling-point of the fog client. It’s solid. 19 times out of 20, it’s a configuration issue - like how you’re configuring the settings. the other 1 out of 20, is Active Directory issues or DNS issues or image issues. I don’t have enough fingers and toes to count how many threads the forums have had about domain joining problems, and were due to the above mentioned issues.

I have been looking at the domain join scripts, do you use the netapi32.dll NetJoinDomain because the client is unable to run Powershell commands?

The client uses that because that’s how it’s done on windows, this is how windows does it when you join manually.

---

Where is the host you’re trying to join? Is it on a different subnet? Can you just elaborate more about the setup, maybe something will stick out? Also - just experiment. Does domain joining not work in just one location? All locations? For a certain image? On a certain switch? On a certain subnet? On a certain version of Windows?

VincentJ

Strange update…

4 VMs that i’ve been playing with.

Two of them got manually joined to the domain.

I reimaged the VMs as i had been playing with the registry to no avail… and suddenly two were able to join to the domain via the client… I added computer objects for the last two in the AD and the remaining two joined also after a few minutes.

Tested the dedicated FOG user as well… success at domain join.

Seems the problem is resolved and another has poked it’s head up. The Client does not seem to be able to join the domain without a pre-staged computer object - Even when FOG has the domain administrator’s credentials to join the domain.

Wayne Workman

@VincentJ I can assure you that the fog client can join a host if there is not a pre-existing object. I do it all the time, other techs at work do it all the time.

I would suspect the Administrators group is somehow limited in what it can do regarding joining hosts. This could be an obscure permission that was set previously somewhere.

I think Google would be a good place to start researching. I guess it could be OU delegation issues, too. Or maybe even remote domain trust issues.

Wayne Workman

Code 87 threads. I glanced through these, most are configuration issues - people not re-assigning settings to the individual hosts.

https://forums.fogproject.org/topic/3846/domain-join-not-working-since-moving-to-v1-2-0-error-87/4

https://forums.fogproject.org/topic/8341/the-parameter-is-incorrect-code-87

https://forums.fogproject.org/topic/1937/help-with-domain-joing

https://forums.fogproject.org/topic/5812/samba-domain-integration/61

https://forums.fogproject.org/topic/6879/i-can-t-join-machines-on-domain

https://forums.fogproject.org/topic/7126/hosts-unable-to-join-domain

https://forums.fogproject.org/topic/3140/domain-join-is-not-working-fog-server-1-1-1