If you do it offline you can use djoin.

How to here: 
https://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step%28v=ws.10%29.aspx


Andrew Hurst
Systems Engineer
Mourant Ozannes



From: [email protected] [mailto:[email protected]] On 
Behalf Of elsalvoz
Sent: 14 April 2015 12:32
To: [email protected]
Subject: Re: [mssms] Domain join via Add-Computer or WMI


What Daniel is referring to is local to the system: once a system disjoins a 
domain, domain accounts do not have local permission.

You need to use system local administration or an account with local 
administration privilege during the rejoin.

This is the process to manually rejoin a system to a domain, but I have never 
done an offline join before.

Cesar A
On Apr 14, 2015 3:51 AM, "David O'Brien" <[email protected]> wrote:
I've got three users.

User A: Domain Admin in Domain A
User B: Domain Admin in Domain B
User C: Local Admin on computer that is being migrated (this user creates the 
elevated session)

I do the following:

$script:session = New-PSSession -Credential $credUserC -ComputerName localhost
Invoke-Command -Session $session -ScriptBlock {
    Add-Computer -ComputerName localhost -Credential $args[0] -DomainName $args[1] -UnjoinDomainCredential $args[2]
} -ArgumentList $credUserB, $DomainName, $credUserA

This doesn't work.

Strange issue.

From: Daniel Ratliff
Reply-To: <[email protected]>
Date: Tuesday, 14 April 2015 8:16 pm
To: "'[email protected]'", "'[email protected]'"
Subject: RE: [mssms] Domain join via Add-Computer or WMI

Didn't read through all the logs, but is user a DA in domain a? Once you 
disjoin domain a, wouldn't they lose all admin? You need a local account to 
join domain b?

-----Original Message-----
From: David O'Brien [[email protected]]
Sent: Tuesday, April 14, 2015 04:01 AM Eastern Standard Time
To: [email protected]
Subject: [mssms] Domain join via Add-Computer or WMI
Hi,

Slightly OT, but maybe someone has seen this before.

I have to "migrate" a computer from Domain A to Domain B, trigger for that is a 
User logging in, so we are executing this from a Logon script.
The issue I'm seeing is that in my tests now the unjoin from Domain A works 
fine (which implies that all local permissions are ok and elevation of the 
script works, logged on user does not have permissions in this case, hence we 
need elevation), but the join fails with this.
PSFTW\adobrien is the user used for elevation and is now a member of Domain 
Admins and Local Admins.

Seen this before? Why is it mentioning "Offline Domain Join"? Why did it fail 
to load the registry hive?

Thanks,
David

04/14/2015 17:40:31:908 NetpDoDomainJoin
04/14/2015 17:40:31:908 NetpMachineValidToJoin: 'WIN7002'
04/14/2015 17:40:31:908 OS Version: 6.1
04/14/2015 17:40:31:908 Build number: 7601 (7601.win7sp1_ldr.130828-1532)
04/14/2015 17:40:31:908 ServicePack: Service Pack 1
04/14/2015 17:40:31:908 SKU: Windows 7 Enterprise
04/14/2015 17:40:31:908 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 
0x0
04/14/2015 17:40:31:908 NetpGetLsaPrimaryDomain: status: 0x0
04/14/2015 17:40:31:908 NetpMachineValidToJoin: status: 0x0
04/14/2015 17:40:31:908 NetpJoinDomain
04/14/2015 17:40:31:908 Machine: WIN7002
04/14/2015 17:40:31:908 Domain: psftw.local
04/14/2015 17:40:31:908 MachineAccountOU: (NULL)
04/14/2015 17:40:31:908 Account: psftw\adobrien
04/14/2015 17:40:31:908 Options: 0x17
04/14/2015 17:40:31:908 NetpLoadParameters: loading registry parameters...
04/14/2015 17:40:31:908 NetpLoadParameters: DNSNameResolutionRequired not 
found, defaulting to '1' 0x2
04/14/2015 17:40:31:908 NetpLoadParameters: DomainCompatibilityMode not found, 
defaulting to '0' 0x2
04/14/2015 17:40:31:908 NetpLoadParameters: status: 0x2
04/14/2015 17:40:31:908 NetpValidateName: checking to see if 'psftw.local' is 
valid as type 3 name
04/14/2015 17:40:32:033 NetpCheckDomainNameIsValid [ Exists ] for 'psftw.local' 
returned 0x0
04/14/2015 17:40:32:033 NetpValidateName: name 'psftw.local' is valid for type 3
04/14/2015 17:40:32:033 NetpDsGetDcName: trying to find DC in domain 
'psftw.local', flags: 0x40001010
04/14/2015 17:40:32:143 NetpLoadParameters: loading registry parameters...
04/14/2015 17:40:32:143 NetpLoadParameters: DNSNameResolutionRequired not 
found, defaulting to '1' 0x2
04/14/2015 17:40:32:143 NetpLoadParameters: DomainCompatibilityMode not found, 
defaulting to '0' 0x2
04/14/2015 17:40:32:143 NetpLoadParameters: status: 0x2
04/14/2015 17:40:32:143 NetpDsGetDcName: status of verifying DNS A record name 
resolution for 'adds.psftw.local': 0x0
04/14/2015 17:40:32:143 NetpDsGetDcName: found DC '\\adds.psftw.local' in the 
specified domain
04/14/2015 17:40:32:143 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
04/14/2015 17:40:32:205 NetpJoinDomain: status of connecting to dc 
'\\adds.psftw.local': 0x0
04/14/2015 17:40:32:205 NetpProvisionComputerAccount:
04/14/2015 17:40:32:205 lpDomain: psftw.local
04/14/2015 17:40:32:205 lpMachineName: WIN7002
04/14/2015 17:40:32:205 lpMachineAccountOU: (NULL)
04/14/2015 17:40:32:205 lpDcName: adds.psftw.local
04/14/2015 17:40:32:205 lpDnsHostName: (NULL)
04/14/2015 17:40:32:205 lpMachinePassword: (null)
04/14/2015 17:40:32:205 lpAccount: psftw\adobrien
04/14/2015 17:40:32:205 lpPassword: (non-null)
04/14/2015 17:40:32:205 dwJoinOptions: 0x17
04/14/2015 17:40:32:205 dwOptions: 0x40000003
04/14/2015 17:40:32:252 NetpLdapBind: Verified minimum encryption strength on 
adds.psftw.local: 0x0
04/14/2015 17:40:32:252 NetpLdapGetLsaPrimaryDomain: reading domain data
04/14/2015 17:40:32:252 NetpGetNCData: Reading NC data
04/14/2015 17:40:32:252 NetpGetDomainData: Lookup domain data for: 
DC=psftw,DC=local
04/14/2015 17:40:32:252 NetpGetDomainData: Lookup crossref data for: 
CN=Partitions,CN=Configuration,DC=psftw,DC=local
04/14/2015 17:40:32:252 NetpLdapGetLsaPrimaryDomain: result of retrieving 
domain data: 0x0
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Cracking DNS domain name 
psftw.local/ into Netbios on \\adds.psftw.local
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Crack results: name = PSFTW\
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Cracking account name 
PSFTW\WIN7002$ on \\adds.psftw.local
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Crack results: (Account 
already exists) DN = CN=WIN7002,OU=Servers,DC=psftw,DC=local
04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Initial attribute values:
04/14/2015 17:40:32:283 objectClass  =  Computer
04/14/2015 17:40:32:283 SamAccountName  =  WIN7002$
04/14/2015 17:40:32:283 userAccountControl  =  0x1000
04/14/2015 17:40:32:283 DnsHostName  =  WIN7002.psftw.local
04/14/2015 17:40:32:283 ServicePrincipalName  =  HOST/WIN7002.psftw.local  
RestrictedKrbHost/WIN7002.psftw.local  HOST/WIN7002  RestrictedKrbHost/WIN7002
04/14/2015 17:40:32:283 unicodePwd  =  <SomePassword>
04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Computer Object already 
exists in OU:
04/14/2015 17:40:32:283 objectClass  =  top  person  organizationalPerson  user 
 computer
04/14/2015 17:40:32:283 SamAccountName  =  WIN7002$
04/14/2015 17:40:32:283 userAccountControl  =  0x1000
04/14/2015 17:40:32:283 DnsHostName  =  WIN7002.psftw.local
04/14/2015 17:40:32:283 ServicePrincipalName  =  WSMAN/WIN7002  
WSMAN/WIN7002.psftw.local  RestrictedKrbHost/WIN7002  HOST/WIN7002  
RestrictedKrbHost/WIN7002.psftw.local  HOST/WIN7002.psftw.local
04/14/2015 17:40:32:283 unicodePwd  =  Account exists, resetting password: 
<SomePassword>
04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Attribute values to set:
04/14/2015 17:40:32:283 unicodePwd  =  <SomePassword>
04/14/2015 17:40:32:424 NetpModifyComputerObjectInDs: Toggled 
UserAccountControl successfully
04/14/2015 17:40:32:424 NetpEncodeProvisioningBlob: Encoding provisioning data
04/14/2015 17:40:32:424 NetpInitBlobWin7: Constructing blob...
04/14/2015 17:40:32:424 Blob version: 1
04/14/2015 17:40:32:424 lpDomain: psftw.local
04/14/2015 17:40:32:424 lpMachineName: WIN7002
04/14/2015 17:40:32:424 lpMachinePassword: <omitted from log>
04/14/2015 17:40:32:424    DomainDnsPolicy:
04/14/2015 17:40:32:424     Name: PSFTW
04/14/2015 17:40:32:424     DnsDomainName: psftw.local
04/14/2015 17:40:32:424     DnsForestName: psftw.local
04/14/2015 17:40:32:424     DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:424     Sid: S-1-5-21-1080266623-2751979810-671634313
04/14/2015 17:40:32:424    DcInfo:
04/14/2015 17:40:32:424     DomainControllerName: \\adds.psftw.local
04/14/2015 17:40:32:424     DomainControllerAddress: \\192.168.1.9
04/14/2015 17:40:32:424     DomainControllerAddressType: 1
04/14/2015 17:40:32:424     DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:424     DomainName: psftw.local
04/14/2015 17:40:32:424     DnsForestName: psftw.local
04/14/2015 17:40:32:424     Flags: 0xe000f3fd
04/14/2015 17:40:32:424     DcSiteName: Default-First-Site-Name
04/14/2015 17:40:32:424     ClientSiteName: Default-First-Site-Name
04/14/2015 17:40:32:424 Options: 0x40000003
04/14/2015 17:40:32:424 NetpInitBlobWin7: Blob pickling result: 0
04/14/2015 17:40:32:424 NetpEncodeProvisioningBlob: result: 0x0
04/14/2015 17:40:32:424 ldap_unbind status: 0x0
04/14/2015 17:40:32:440 NetpRequestOfflineDomainJoin:
04/14/2015 17:40:32:440 dwProvisionBinDataSize: 912
04/14/2015 17:40:32:440 JoinOptions: 0x17
04/14/2015 17:40:32:440 Options: 0x40000003
04/14/2015 17:40:32:440 lpWindowsPath: C:\WINDOWS
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Unpickling provisioning 
blob with size 912 bytes
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Searching 1 blobs for 
supported ODJ blob, highest supported version: 1
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Found ODJ blob version: 1
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Selected ODJ blob version: 1
04/14/2015 17:40:32:440 Blob version: 1
04/14/2015 17:40:32:440 lpDomain: psftw.local
04/14/2015 17:40:32:440 lpMachineName: WIN7002
04/14/2015 17:40:32:440 lpMachinePassword: <omitted from log>
04/14/2015 17:40:32:440    DomainDnsPolicy:
04/14/2015 17:40:32:440     Name: PSFTW
04/14/2015 17:40:32:440     DnsDomainName: psftw.local
04/14/2015 17:40:32:440     DnsForestName: psftw.local
04/14/2015 17:40:32:440     DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:440     Sid: S-1-5-21-1080266623-2751979810-671634313
04/14/2015 17:40:32:440    DcInfo:
04/14/2015 17:40:32:440     DomainControllerName: \\adds.psftw.local
04/14/2015 17:40:32:440     DomainControllerAddress: \\192.168.1.9
04/14/2015 17:40:32:440     DomainControllerAddressType: 1
04/14/2015 17:40:32:440     DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:440     DomainName: psftw.local
04/14/2015 17:40:32:440     DnsForestName: psftw.local
04/14/2015 17:40:32:440     Flags: 0xe000f3fd
04/14/2015 17:40:32:440     DcSiteName: Default-First-Site-Name
04/14/2015 17:40:32:440     ClientSiteName: Default-First-Site-Name
04/14/2015 17:40:32:440 Options: 0x40000003
04/14/2015 17:40:32:440 NetpDoInitiateOfflineDomainJoin
04/14/2015 17:40:32:440 NetpDoInitiateOfflineDomainJoin: Setting backup/restore 
privileges
04/14/2015 17:40:32:440 NetpInitiateOfflineJoin
04/14/2015 17:40:32:440 lpLocalRegistryPath: C:\WINDOWS\system32\config\SYSTEM
04/14/2015 17:40:32:440 dwOptions: 0x40000003
04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: Translating provisioning 
data to internal format
04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: Selecting version 1
04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: exiting: 0x0
04/14/2015 17:40:32:440 NetpInitiateOfflineJoin: RegLoadKeyW failed to load the 
hive C:\WINDOWS\system32\config\SYSTEM: 0x522
04/14/2015 17:40:32:440 NetpClearFullJoinState:  Removing cached state from the 
registry...
04/14/2015 17:40:32:440 NetpClearFullJoinState: Status of deleting join state 
key 0x6
04/14/2015 17:40:32:455 NetpDoInitiateOfflineDomainJoin: status: 0xa9d
04/14/2015 17:40:32:455 NetRequestOfflineDomainJoin: Failed to initiate the 
offline domain join 0xa9d
04/14/2015 17:40:32:455 NetpJoinDomainOnDs: Function exits with status of: 0xa9d
04/14/2015 17:40:32:455 NetpJoinDomainOnDs: status of disconnecting from 
'\\adds.psftw.local': 0x0
04/14/2015 17:40:32:455 NetpDoDomainJoin: status: 0xa9d
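
Added example, not part of the original thread: a Python sketch for triaging a domain-join debug log like the one pasted above. It rejoins entries that the mail client hard-wrapped, ignores option/flag values and the benign "not found, defaulting" 0x2 lines, and reports the entries that say "failed" with a non-zero status; the function names and the small status table are this example's own, and 0x522 is Win32 error 1314, ERROR_PRIVILEGE_NOT_HELD.

```python
import re

# Standard winerror.h values only; codes not listed here are reported as
# "unmapped" rather than guessed.
WIN32 = {0x2: "ERROR_FILE_NOT_FOUND", 0x6: "ERROR_INVALID_HANDLE",
         0x522: "ERROR_PRIVILEGE_NOT_HELD"}  # 0x522 == 1314

STAMP = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:\d{3}) (.*)$")
TRAILING_HEX = re.compile(r"(0x[0-9a-fA-F]+)$")

# Excerpt of the log posted above, with the mail-client line wraps kept.
SAMPLE = r"""04/14/2015 17:40:31:908 NetpLoadParameters: DNSNameResolutionRequired not
found, defaulting to '1' 0x2
04/14/2015 17:40:31:908 NetpLoadParameters: status: 0x2
04/14/2015 17:40:32:205 dwJoinOptions: 0x17
04/14/2015 17:40:32:440 NetpInitiateOfflineJoin: RegLoadKeyW failed to load the
hive C:\WINDOWS\system32\config\SYSTEM: 0x522
04/14/2015 17:40:32:455 NetRequestOfflineDomainJoin: Failed to initiate the
offline domain join 0xa9d
04/14/2015 17:40:32:455 NetpDoDomainJoin: status: 0xa9d
"""

def unwrap(text):
    """A line without a leading timestamp continues the previous entry."""
    entries = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            entries.append([m.group(1), m.group(2).strip()])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()
    return [tuple(e) for e in entries]

def failures(text):
    """(timestamp, function, code, name) for each 'failed' entry that ends
    in a non-zero hex status, in log order (the first is the earliest)."""
    out = []
    for ts, msg in unwrap(text):
        m = TRAILING_HEX.search(msg)
        if not m or "failed" not in msg.lower():
            continue  # skips Options/Flags values and plain status lines
        code = int(m.group(1), 16)
        if code:
            func = msg.split(":", 1)[0]
            out.append((ts, func, code, WIN32.get(code, "unmapped")))
    return out

if __name__ == "__main__":
    for ts, func, code, name in failures(SAMPLE):
        print(f"{ts} {func}: 0x{code:x} ({code}) {name}")
```
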


