MDT & Joining the Domain
An important part of any OS deployment is joining the computer to the domain. The whole point of Microsoft’s Deployment Toolkit (MDT) is to automate as much of your deployment process as possible, so it is no surprise that MDT, when properly configured, can automagically join your newly deployed machine to the domain. It’s actually pretty easy to set up.
The first part of allowing MDT to join machines to the domain is to set up a unique service account dedicated to that one task.
Microsoft has helped to make things easier for us and has created a PowerShell script that can be downloaded, placed on your Domain Controller, and run to set a service account up with all of the necessary account permissions to manage computer objects in a specified OU. The script and instructions can be found under ‘Step 1’ at this link: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt
The second part is adding the correct values to your CustomSettings.ini file. There are four variables we need to add to automate the domain join, plus one recommended value that skips the corresponding Domain Membership page in the Task Sequence wizard:
- JoinDomain = The domain we are wanting to join.
- DomainAdmin = The username of the service account we created earlier.
- DomainAdminDomain = The domain the service account resides in. It’s typically the same as the ‘JoinDomain’ value, but depending on how your AD forest is configured it could be a different domain.
- DomainAdminPassword = The password to our service account.
- SkipDomainMembership = Yes/No. A ‘Yes’ value will skip the wizard page that asks about domain membership. A ‘No’ value will show the domain membership page.
Here is an example of how it would look when entered into the CustomSettings.ini file:
JoinDomain=MyDomain.tld
DomainAdmin=MDT_DJ
DomainAdminDomain=MyDomain.tld
DomainAdminPassword=Abc123456&!
SkipDomainMembership=YES
One additional item you may want to add to your CustomSettings.ini file is a value to specify which OU object you want the newly joined machine to be added to.
- MachineObjectOU = The Active Directory OU you want machines to be added to. This is the OU you specified when creating the service account and running Microsoft’s PowerShell script.
Which would look like this in the CustomSettings.ini file.
You’ll want to make sure the OU is correct for your domain. If you prefer not to specify an OU, your machines will all end up in the default ‘Computers’ container of your domain. No harm there; you will just need to move them into their correct OU manually afterwards.
Here’s what all the combined values I covered in this post would look like when added to CustomSettings.ini:
JoinDomain=MyDomain.tld
DomainAdmin=MDT_DJ
DomainAdminDomain=MyDomain.tld
DomainAdminPassword=Abc123456&!
SkipDomainMembership=YES
MachineObjectOU=OU=Workstations,OU=Computers,DC=MyDomain,DC=tld
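Before kicking off a deployment it is worth checking these values once, because a typo in the OU distinguished name or a mismatch between the OU’s DC= components and JoinDomain only shows up as a failed join at the end of the task sequence. The PowerShell below is an added example written for this post, not part of MDT or Microsoft’s script; it reads the Key=Value lines from a CustomSettings.ini (the path is a placeholder) and reports the problems a practitioner would most want caught, including the reminder that DomainAdminPassword sits in the file in clear text, so the account should be the dedicated join account from the script and nothing more privileged.

```powershell
# Added example (not from the original post or from MDT): sanity-check the
# domain-join values in a CustomSettings.ini. Key=Value lines from any section
# are read, later lines overriding earlier ones. Path is a placeholder.
function Test-MdtDomainJoinSettings {
    param([Parameter(Mandatory)][string]$Path)

    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        # Skip blanks, comments, [Section] headers and anything without '='.
        if ($t -eq '' -or $t.StartsWith(';') -or $t -match '^\[.+\]$' -or $t -notmatch '=') { continue }
        $k, $v = $t -split '=', 2          # split once: passwords may contain '='
        $settings[$k.Trim()] = $v.Trim()
    }

    $problems = @()
    foreach ($key in 'JoinDomain', 'DomainAdmin', 'DomainAdminDomain', 'DomainAdminPassword') {
        if (-not $settings[$key]) { $problems += "Missing or empty $key" }
    }
    if ($settings['SkipDomainMembership'] -and $settings['SkipDomainMembership'] -notmatch '^(yes|no)$') {
        $problems += "SkipDomainMembership must be YES or NO"
    }

    # MachineObjectOU must be an OU distinguished name, and its DC= parts should
    # spell the join domain, e.g. MyDomain.tld -> DC=MyDomain,DC=tld.
    if ($settings['MachineObjectOU']) {
        $ou = $settings['MachineObjectOU']
        if ($ou -notmatch '^(OU=[^,]+,)+DC=[^,]+(,DC=[^,]+)*$') {
            $problems += "MachineObjectOU is not an OU distinguished name: $ou"
        }
        $dcDomain = (($ou -split ',') | Where-Object { $_ -like 'DC=*' } |
                     ForEach-Object { $_.Substring(3) }) -join '.'
        if ($settings['JoinDomain'] -and $dcDomain -ne $settings['JoinDomain']) {
            $problems += "MachineObjectOU DC components ($dcDomain) do not match JoinDomain ($($settings['JoinDomain']))"
        }
    }

    # The password is stored in clear text in this file, so the account must be
    # the dedicated join account with rights only on that OU, never a domain admin.
    if ($settings['DomainAdmin'] -match '^(administrator|domain admins?)$') {
        $problems += "DomainAdmin should be the dedicated join service account, not $($settings['DomainAdmin'])"
    }

    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

Test-MdtDomainJoinSettings -Path 'C:\DeploymentShare\Control\CustomSettings.ini'   # placeholder path
```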
With the service account set up and the values added to CustomSettings.ini, your deployments should now have no problems joining your domain. Congratulations! You’ve streamlined one more deployment task.