ConfigMgr 2007: PC does not join the domain if the Computers container is specified as the Domain OU

ConfigMgr 2007: PC does not join the domain if the Computers container is specified as the Domain OU

  • Comments 2
  • Likes

Here's another cool OSD tip from Frank Rojas.  If your clients are joining the domain like you expect then maybe this is what you're running into:


Issue: A client does not join the domain if the Computers container is specified as the Domain OU in the "Apply Network Settings" task of a Task Sequence in SCCM 2007 OSD. No errors are seen in the SMSTS.log, but upon examining the NetSetup.log which is part of Windows setup, the following error will be logged:

NetpMachineValidToJoin: 'CONTAINER'
NetpGetLsaPrimaryDomain: status: 0x0
NetpMachineValidToJoin: status: 0x0
    Machine: CONTAINER
    Domain: <DOMAIN>
    MachineAccountOU: CN=Computers,DC=<DOMAIN>,DC=com
    Account: <DOMAIN>\<ACCOUNT>
    Options: 0x40001
    OS Version: 5.1
    Build number: 2600
    ServicePack: Service Pack 3
NetpValidateName: checking to see if '<DOMAIN>' is valid as type 3 name
NetpCheckDomainNameIsValid [ Exists ] for '<DOMAIN>' returned 0x0
NetpValidateName: name '<DOMAIN>' is valid for type 3
NetpDsGetDcName: trying to find DC in domain '<DOMAIN>', flags: 0x1020
NetpDsGetDcName: failed to find a DC having account 'CONTAINER$': 0x525
NetpDsGetDcName: found DC '\\<DC_SERVER>' in the specified domain
NetpJoinDomain: status of connecting to dc '\\<DC_SERVER>': 0x0
NetpGetLsaPrimaryDomain: status: 0x0
NetpGetDnsHostName: Read NV Hostname: Container
NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: <DOMAIN>.com
NetpLsaOpenSecret: status: 0xc0000034
SamLookupNamesInDomain on CONTAINER$ failed with 0xc0000073
NetpJoinDomain: status of setting machine password: 0x534
NetpJoinDomain: initiaing a rollback due to earlier errors
NetpLsaOpenSecret: status: 0x0
NetpJoinDomain: rollback: status of deleting secret: 0x0
NetpJoinDomain: status of disconnecting from '\\<DC_SERVER>': 0x0
NetpDoDomainJoin: status: 0x534

Cause: This problem happens because the Computers container in AD is a Container, and not an OU. For this reason, if you try to specify the Computers container as the OU that the PC should join in the "Apply Network Settings" of an SCCM 2007 OSD Task Sequence it will fail and the PC will not join the domain.

Resolution: To resolve the problem, if the user wants the PC to be part of the Computers container when joining the domain, leave the Domain OU field in the "Apply Network Settings" task blank. Since  PCs are automatically put into the Computers container by default if no Domain OU is specified when joining a domain, leaving the Domain OU field blank will cause the PC to join the domain and be put into the Computers container.

If you want the PC to join the Domain as part of a Domain OU, change the Domain OU field to specify a valid OU and not the Computers container.


Thanks Frank!

J.C. Hornbeck | Manageability Knowledge Engineer

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • PingBack from

  • Old blog post, but answered my question and my situation exactly.  Works when I choose an OU, but when I pick the LDAP://CN=Computers,DC=DOMAIN,DC=COM it does not join the domain.  I wasn't sure what leaving it blank would do and I did not want to waste an hour running the task again and have it fail.  

    Thanks.  I'll give this a try.