Hi,
I feel like after writing all this, there will be some simple, obvious and easy fix to this, but here goes ...
Our existing domain controllers (DC01 to 04) are 2008 R2 (with SP1). Recently (about 3 weeks ago) we deployed four new 2012 R2 domain controllers (DC05 to DC08) which are to replace the existing four (the plan was to deploy the new four, ensure everything works, migrate FSMO roles, then decommission the 2008 R2 ones). It has now come to light (as part of a large batch of re-imaging) that computers are failing to re-join to existing computer objects if they perform the join operation against one of the new DCs, but can join successfully if they use one of the existing DCs. If a computer is joined as a new object (i.e. there is no existing object in AD for it or joins as a new named object), then it works regardless of which DC it uses. The clients are all Windows 7 Enterprise (with SP1).
If the computer object does not exist, then we do not appear to have any issue with the computer being joined to the domain, it appears to only occur for existing computer objects. So if the existing computer object is deleted, and then we attempt to join the computer to the domain, it works, or alternatively if we rename the computer, and then join it to the domain then it will work.
The errors seen in the NetSetup.LOG are:
NetpMapGetLdapExtendedError: Parsed [0x1f] from server extended error string: 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
And then later on:
NetpMapGetLdapExtendedError: Parsed [0x214d] from server extended error string: 0000214D: SvcErr: DSID-033E0FDC, problem 5001 (BUSY), data 87
(I’ll include the full output of NetSetup.LOG further down).
This is not related to the imaging process itself, it happens regardless of whether the join is performed during the SCCM task sequence, or if a computer is manually joined (either via System properties or using the Add-Computer PowerShell cmdlet). When using Add-Computer, the -Server parameter allows for specifying which domain controller to perform the join against. If the join is performed against one of the 2012 R2 DCs (DC05 to DC08), it will fail, but will succeed if it is against a 2008 R2 DC (DC01 to DC04). I have not yet tried using netdom, but given the above two are failing, it seems unlikely netdom will have any more success, but I suppose it would be prudent to verify that so I will give that a go tomorrow.
The PowerShell command I tried was as follows:
Add-Computer -DomainName example.com -Server dc06.example.com -Verbose
Running the above then prompts for credentials, after which, it runs and displays the following error on screen (and the errors as mentioned earlier are logged in NetSetup.LOG):
VERBOSE: Performing the operation "Join in domain 'example.com\dc06.example.com'" on target "computer001".
Add-Computer : Computer 'COMPUTER001' failed to join domain ''example.com\dc06.example.com ' from its current workgroup 'WORKGROUP' with following error message: The requested resource is in use.
At line:1 char:1
+ Add-Computer -DomainName example.com -Server dc06.example.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (COMPUTER001:String) [Add-Computer], InvalidOperationException
    + FullyQualifiedErrorId : FailToJoinDomainFromWorkgroup,Microsoft.PowerShell.Commands.AddComputerCommand
There is a post on the Ask the Directory Services Team page (see here) that talks about an issue with having a mixed environment of 2003 and 2012 R2 domain controllers. However, it does not quite sound like the same issue, and if it is related, the hot fix for it (KB2989971) is apparently included in the September 2014 update rollup (KB2984006) which we do have installed on the new DCs already; so as this relates to a 2003 with 2012 R2 issue, rather than 2008 R2 with 2012 R2, and the fact that we have the fix installed anyway, and we have not been seeing the same errors, it seems unlikely that this is the issue.
KB979645 has a (partial) match to the error code we have experienced (problem 5003 (WILL_NOT_PERFORM)), but it relates to Windows 7 being added to a domain that is at the 2000 functional level, and was fixed in SP1 for Windows 7/2008 R2, so that is unlikely to be the issue either.
I’m stumped. Has anyone else experienced this issue or have any ideas? I appreciate any help. Thank you in advance.
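An added example, not part of the original post: a PowerShell 3.0+ helper (the name Get-NetSetupLdapError is hypothetical) that extracts the fields of the NetpMapGetLdapExtendedError lines quoted above, so NetSetup.LOG output from joins against different DCs can be compared field by field. The sample input is the two lines from the post; %windir%\debug\NetSetup.LOG is the log's usual location on a client.

```powershell
# Sample input: the two extended-error lines quoted in the post.
# On a client, feed the real log instead:
#   Get-Content "$env:windir\debug\NetSetup.LOG" | Get-NetSetupLdapError
$sample = @(
    'NetpMapGetLdapExtendedError: Parsed [0x1f] from server extended error string: 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0'
    'NetpMapGetLdapExtendedError: Parsed [0x214d] from server extended error string: 0000214D: SvcErr: DSID-033E0FDC, problem 5001 (BUSY), data 87'
)

function Get-NetSetupLdapError {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        # Not anchored at line start, so a leading timestamp does not break the match.
        $pattern = 'NetpMapGetLdapExtendedError: Parsed \[0x(?<code>[0-9a-f]+)\] ' +
                   'from server extended error string: (?<raw>[0-9a-f]{8}): ' +
                   '(?<class>\w+): DSID-(?<dsid>[0-9a-f]+), ' +
                   'problem (?<problem>\d+) \((?<name>\w+)\), data (?<data>-?\d+)'
        $lineNumber = 0
    }
    process {
        $lineNumber++
        if ($Line -match $pattern) {      # -match is case-insensitive
            $code = [Convert]::ToInt32($Matches['code'], 16)
            [pscustomobject]@{
                LineNumber  = $lineNumber
                ParsedCode  = '0x{0:X}' -f $code
                CodeDecimal = $code
                ErrorClass  = $Matches['class']      # e.g. SvcErr
                DSID        = $Matches['dsid']       # server-side source location id
                Problem     = [int]$Matches['problem']
                ProblemName = $Matches['name']       # e.g. WILL_NOT_PERFORM, BUSY
                Data        = [int]$Matches['data']
            }
        }
    }
}

$errors = $sample | Get-NetSetupLdapError
$errors | Format-Table LineNumber, ParsedCode, DSID, Problem, ProblemName, Data -AutoSize

# Count occurrences per problem/DSID pair; diff this between a failing and a working join.
$errors | Group-Object ProblemName, DSID | Select-Object Count, Name
```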