This sounds easy…but it’s not as straight forward as you may think so I put together a quick blog post:
Default MDT Behaviour:
By default, MDT will join a client to the domain via Windows Setup. This is driven by the Unattend.xml which MDT populates with the required settings. There is also another step (Recover from Domain) which can be used later in the deployment process (during State Restore) to re-try a Domain Join should the previous attempt have failed during OS setup.
Why does this cause an issue?
Joining the domain before the state restore phase can cause issues later in the deployment because the machine will start to process Group Policy during the build process itself. In most cases this is not an issue if:
- You pre-stage all your clients in a staging OU which has no GPO’s linked to it.
- Or you are confident there is nothing in your Group Policy which could break the imaging process.
In my case policy would break deployments (renaming/disabling admin accounts, legal notices etc..) and pre-staging was not an option so I needed to shift the Domain Join to later in the Task Sequence.
To move the Domain Join process to later in the deployment you need to update the Unattend.xml and the ZTIDomainJoin script. Here’s how you do it:
- Update Unattend.XML
The first thing we need to do is to stop MDT from performing the Domain Join during OS Setup. One way to achieve this is to remove the MDT Domain Join Task Sequence Variables in CustomSettings.ini and instead set these on the Task Sequence in the “State Restore” phase. But I generally prefer to set my variables in CustomSettings.ini so to make this work I have to remove the Domain Join Node from the unattend.xml.
This will prevent MDT from adding the Domain Join settings to the unattend.xml and OS Setup will therefore not join the machine to the domain.
- Update ZTIDomainJoin.wsf
An update to the ZTIDomainJoin.wsf script is required to prevent the script from rebooting the machine after joining the domain. I usually avoid editing built-in MDT scripts but if I have to, I prefer to make a custom subdirectory in the MDT scripts folder and edit a copy of the script in the subdirectory. This will ensure that any subsequent updates to MDT will not overwrite the script and break your Task Sequence (remember to update the relative path to ZTIUtility at the top of the script). The following TWO lines of the script need to be commented out to suppress the reboot:
oEnvironment.Item(“LTISuspend”) = “” ‘oEnvironment.Item(“SMSTSRetryRequested”) = “true” ‘oEnvironment.Item(“SMSTSRebootRequested”) = “true”
iRetVal = SUCCESS
- Add a Domain Join Step into the Task Sequence
Now add a new command line step into the Task Sequence to run the updated script:
- Set Domain Join Variables in CustomSettings.ini
Next, you need to set the following six variables in customsettings.ini for ZTIDomainJoin.wsf to work:
JoinDomain (Domain to join)
DomainAdmin (Account to be used to perform Domain Join)
DomainAdminDomain (Domain of Domain Join account)
DomainAdminPassword (Password for Domain Join account)
MachineObjectOU (OU in which machine object should be created)
DomainErrorRecovery (What to do on failure e.g FAIL)
- Update the Unattend.xml template (Optional)
This step is not essential but if you want to ensure that all new Task Sequences on the given Deployment Share always generate an unattend.xml without the Domain Join node you can update the template.To achieve this copy the unattend.xml for your OS (in my case Unattend_x64.xml) from:
%ProgramFiles%\Microsoft Deployment Toolkit\Templates
Into the Templates directory in the root of you Deployment share and then remove the Domain Join node from the file.
And that’s it..you are good to go 🙂