Windows 2008 Sysprep – join domain issue

answer-file-computername

 

This week I’ve made a template for Windows 2008 Standard x86 for deployment of new VM’s to our ESX Servers. Sysprep is now done through an XML-file instead of the usual INF file.

To use it, you first have to install the Windows Automated Installation Kit and use the Windows System Image Manager. It’s more advanced than the good old sysprep.

 

What I wanted was a base install which could be created from the VMWare template, given a name an joined to a domain. Then you can change the IP-adress afterwards.

 

 

After creating a new VM, installed VMWare Tools and ran sysprep, I tested the startup. The VM booted, asked for language and computer name. Punched in a new computer name and got the logon prompt.

When I tried logging in as the domain administrator I got an error “the security database on the server does not have a computer account for this workstation trust relationship

 

After looking through the event log (security) I saw that there was a failure audit for Winlogon, and when I looked at the name logged it was different than the one I gave the machine during the mini-setup.

I found that the name I gave the machine was applied after the computer actually was joined to the domain, so it got an auto-generated name in Active Directory

 

 

win2008-autoname

 

Since I then tried to log on from a computer with a name changed only locally through OOBE there was a security mismatch.

I ran sysprep again and this time I checked what the machine name was in AD (you can find it in the Computers special container) and gave the same in the Welcome Wizard and voila! Success!

 

I’ve tried to find out why this happens, but it seems it’s meant to be this way. No way in the current version of WAIK to give the computer a name before it’s added to the domain, so I’m stuck with adding it to a workgroup and change the name/ join domain afterwards. Sorry Microsoft, but this is a step back…

 

According to some posts on the web, this is by design and you should use something like netdom or a script to change the computername and join the domain, but why the f… did they add the option to the Answer file?!?!?

 

[ad name=”ad-1″]

2 thoughts on “Windows 2008 Sysprep – join domain issue”

  1. we have exactly the same issue and are planning to take it up with microsoft. but it seems that this is a fundamental flaw in 2008 because of the order in which windows joins a domain. 2008 creates a computer account before it creates an account in the AD.

  2. The naming should be done before joining the domain. When you get the mini-setup in 2008 the computer is already given an automatic computername and joined to the domain, so whatever you punch in doesn’t add up with the security account in AD.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.