
TechDirectArchive

How to fix Domain Join Error during Windows Deployment

Posted on 11/03/2026 25/03/2026 by IT Expert

The message “ZtiDomainJoin has attempted to join to domain” comes from the Microsoft Deployment Toolkit (MDT). It appears during an automated or Lite Touch OS deployment. In this guide, we discuss how to fix this domain join error during Windows deployment. Please see “How to fix the following errors occurred attempting to join the domain: The specified domain either does not exist or could not be contacted”, and “Integrate Hyper-V: Install System Center Virtual Machine Manager (post Windows Server setup section)”.


ZTIDomainJoin.wsf is the MDT script responsible for joining the deployed computer to an Active Directory domain. This step runs in the MDT Task Sequence after Windows installation and before finalizing setup. To confirm if it succeeded, check these MDT logs:

C:\MININT\SMSOSD\OSDLOGS\ZTIDomainJoin.log
C:\Windows\Temp\DeploymentLogs\ZTIDomainJoin.log
BDD.log

Also, see Domain Naming System: Enabling DNS over TLS in Windows 11, and Domain Name System: All you need to know about DNS.

Why was the error “ZtiDomainJoin has attempted to join to domain” prompted?

The reason for this error is simple: an account with the same name already exists in Active Directory, and re-using the account was blocked by a security policy. See this guide on how to fix this issue: “An account with the same name exists in Active Directory: Re-using the account was blocked by a security policy”.


Microsoft released KB5020276 last month (October 2022). This update modifies the domain join process and performs additional security checks before attempting to reuse existing computer accounts. You may also want to see “Active Directory domain join troubleshooting guidance”.

These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain, with these exemptions:

  • Account reuse attempts will be permitted if the user attempting the operation is the creator of the existing account.
  • Account reuse attempts will be permitted if the account was created by a member of domain administrators.

Therefore, computer account reuse is only permitted in the two scenarios above.

Please, see Implement Split-Brain DNS Policies in Active Directory, How to fix Synology NAS Quick Connect is not enabled issue, and Synology NAS Domain Join: The Importance of DNS Configuration

Fix Error “Check for existing Computer Object”

I am very okay with this hardening and will not be finding a way around it. I will simply proceed to Active Directory and have the computer account deleted. Then, I will proceed to have the device join the domain again.


Please, see How to Install and Configure a Standalone DNS Server, Do not use Public DNS in Prod: Change DNS Server in Windows, and how to setup a Third-Party DNS Server on a Linux Server.

Other Workarounds

Review your computer account provisioning workflows and determine whether changes are required:

  • Perform the join operation using the same account that created the computer account in the target domain.
  • If the existing account is stale (unused), delete it before attempting to join the domain again. This is exactly the action I took!
  • Rename the computer and join using a different account that doesn’t already exist. This is a possibility, but what if you really cannot use a different name? Then the next solution should work for you.
  • If the existing account is owned by a trusted security principal and the administrator wants to reuse the account, they might do so by temporarily setting the following registry key at the individual client computer level, then immediately removing the registry setting after the join operation is complete. No restart is necessary for changes to the registry key to take effect.

    Path:  HKLM\System\CurrentControlSet\Control\LSA
    Type:  REG_DWORD
    Name:  NetJoinLegacyAccountReuse
    Value: 1 (other values are ignored)

Caution: If you choose to set this key to work around these protections, you will leave your environment vulnerable to CVE-2022-38042 unless your scenario is referenced below as appropriate.

Do not use this method without confirmation that the Creator/Owner of the existing computer object is a secure and trusted security principal.
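
Before deleting or reusing an account, it helps to see who created and owns the existing computer object and whether it is actually stale. The script below is an added example, not part of the original post: it assumes the RSAT ActiveDirectory module is installed, and the computer name PC-DEPLOY-01, the function name and the 90-day stale window are placeholders.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ComputerAccountReuseInfo {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $StaleAfterDays = 90   # assumption: local definition of "stale"
    )
    $c = Get-ADComputer -Identity $ComputerName -Properties whenCreated,
        LastLogonDate, PasswordLastSet, 'mS-DS-CreatorSID', nTSecurityDescriptor

    # mS-DS-CreatorSID is set when a non-administrative user created the object
    # under the machine account quota; it can be empty otherwise.
    $creator = $null
    $creatorSid = $c.'mS-DS-CreatorSID'
    if ($creatorSid) {
        try   { $creator = $creatorSid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $creatorSid.Value }   # unresolvable: keep the raw SID
    }

    # Owner recorded in the object's security descriptor.
    $sd = $c.nTSecurityDescriptor
    try   { $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value }
    catch { $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }

    # Stale = no logon and no machine password change inside the window.
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    $stale  = (-not $c.LastLogonDate   -or $c.LastLogonDate   -lt $cutoff) -and
              (-not $c.PasswordLastSet -or $c.PasswordLastSet -lt $cutoff)

    [pscustomobject]@{
        Name = $c.Name; DistinguishedName = $c.DistinguishedName; Enabled = $c.Enabled
        Created = $c.whenCreated; Creator = $creator; Owner = $owner
        LastLogonDate = $c.LastLogonDate; PasswordLastSet = $c.PasswordLastSet
        IsStale = $stale
    }
}

$info = Get-ComputerAccountReuseInfo -ComputerName 'PC-DEPLOY-01'   # placeholder name
$info | Format-List

# Preview the deletion of a stale account; drop -WhatIf once the output has been reviewed.
if ($info.IsStale) {
    Remove-ADComputer -Identity $info.DistinguishedName -WhatIf
}
```

If Creator or Owner is not a principal you recognise and trust, delete and recreate the account rather than reusing it.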

I hope you found this article on how to fix Domain Join Error during Windows Deployment very useful. Please feel free to leave a comment below.
