How to fix Domain Join Error during Windows Deployment

Posted on Christian By Christian No Comments on How to fix Domain Join Error during Windows Deployment
Zit Error

The message “ZtiDomainJoin has attempted to join to domain” comes from Microsoft Deployment Toolkit (MDT). This happens during an automated or Lite touch OS deployment as shown in the image below. Therefore, in this guide, we shall discuss How to fix Domain Join Error during Windows Deployment. Please see how to fix the following errors occurred attempting to join the domain: The specified domain either does not exist or could not be contacted, and “Integrate Hyper-V: Install System Center Virtual Machine Manager (post Windows Server setup section).

ZIT Domin Join Error

ZTIDomainJoin.wsf is the MDT script responsible for joining the deployed computer to an Active Directory domain. This step runs in the MDT Task Sequence after Windows installation and before finalizing setup. To confirm if it succeeded, check these MDT logs:

C:\MININT\SMSOSD\OSDLOGS\ZTIDomainJoin.log
C:\Windows\Temp\DeploymentLogs\ZTIDomainJoin.log
BDD.log

Also, see Domain Naming System: Enabling DNS over TLS in Windows 11, and Domain Name System: All you need to know about DNS.

Why was the error ‘ZtiDomainJoin has attempted to join to domain” prompted?

The reason for this error is simple. It is because an account with the same name already exists in Active Directory. Therefore, re-using the account was blocked by a security policy. See this guide on how to fix this issue “An account with the same name exists in Active Directory: Re-using the account was blocked by a security policy“.

Domin Join error

Microsoft released KB5020276 last month (October 2022). This modifies the domain join process and performs additional security checks before attempting to reuse existing computer accounts. You may also want to see “Active Directory domain join troubleshooting guidance“.

These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain with these exemptions.

  • Account reuse attempts will be permitted if the user attempting the operation is the creator of the existing account.
  • Account reuse attempts will be permitted if the account was created by a member of domain administrators.

Therefore, computer account reuse is only permitted in the following scenarios above

Please, see Implement Split-Brain DNS Policies in Active Directory, How to fix Synology NAS Quick Connect is not enabled issue, and Synology NAS Domain Join: The Importance of DNS Configuration

Fix Error “Check for existing Computer Object”

I am very okay with this hardening and will not be finding a way around it. I will simply proceed to Active Directory and have the computer account deleted. Then, I will proceed to have the device join the domain again.

Delete Computer Account

Please, see How to Install and Configure a Standalone DNS Server, Do not use Public DNS in Prod: Change DNS Server in Windows, and how to setup a Third-Party DNS Server on a Linux Server.

Other Workarounds

Review computer account provisioning workflows and understand if changes are required

  • Perform the join operation using the same account that created the computer account in the target domain.
  • If the existing account is stale (unused), delete it before attempting to join the domain again. This is exactly the action I took!
  • Rename the computer and join using a different account that doesn’t already exist. This is a possibility, but what if you really cannot use a different name? Then the next solution should work for you.
  • If the existing account is owned by a trusted security principal and the administrator wants to reuse the account. They might do so by temporarily setting the following registry key at the individual client computer level. Then immediately remove the registry setting after the join operation is complete. No restart is necessary for changes to the registry key to take effect.
PathHKLM\System\CurrentControlSet\Control\LSA
TypeREG_DWORD
NameNetJoinLegacyAccountReuse
Value1 “Other values are ignored”.

Note: Caution: If you choose to set this key to work around these protections. You will leave your environment vulnerable to CVE-2022-38042 unless your scenario is referenced below as appropriate.

Do not use this method without confirmation that the Creator/Owner of the existing computer object is a secure and trusted security principal.

I hope you found this article on how to fix Domain Join Error during Windows Deployment very useful. Please feel free to leave a comment below.

5/5 - (1 vote)
Windows Server Tags:, , , , , , , , , , , ,

Related Posts

More Related Articles

edge7 How to enable Adblocker on Microsoft Edge Windows
original Windows Deployment Services: WDSUTIL CommandLine Options on Windows Server 2019 Windows Server
what is saml e1690630549650 What is SAML – Security Assertion Markup Language Windows Server
update Client Visibility Issues: Fix WSUS Clients appear then disappear in the console Windows Server
How To Enable Single Sign On (SSO) For Windows Admin Center Setup Windows Admin Center Modern Gateway for Single Sign-On Windows Server
Screenshot 2020 09 19 at 02.22.42 Remove Windows 10 Apps with DISM: How to remove pre-provisioned apps from Windows Image Windows Server

Leave a Reply