
PowerShell to join the computer to domain

With PowerShell we can add a computer to an AD domain, which is very useful when automating a Windows environment.

The Add-Computer cmdlet is used to add the local computer or a remote computer to a domain.

It can also be used to add the computer to a workgroup or to move it from one domain to another. It also creates a domain computer account if the computer is added to a domain that has no account for it yet.

1: Add a computer to a domain

PS C:\> Add-Computer -DomainName "company.example.com" -Restart

The above command adds the local computer to the domain company.example.com and restarts it.

2: Add a computer to a workgroup

PS C:\> Add-Computer -WorkGroupName "Example-WORKGROUP"

3: Add a computer to a domain using credentials

PS C:\> Add-Computer -ComputerName "web01" -LocalCredential "web01\Admin" -DomainName "company.example.com" -Credential Domain\Admin -Restart -Force -Verbose

The above command adds the computer web01 to the company.example.com domain.

LocalCredential – a user account that has permission to connect to the web01 computer.

Credential – a user account that has permission to join computers to the domain.

Restart – restarts the computer after the join so that the change takes effect.

Force – suppresses the confirmation prompts (needed when the script is called from automation tasks).

Verbose – prints detailed progress output.

Complete PowerShell script to join the computer to the domain

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]
    $DomainName,

    [Parameter(Mandatory=$true)]
    [string]
    $UserName,

    # Plaintext password parameter: Start-Transcript records the host command line
    # (including this value) in the transcript header, so protect C:\log\Join-Domain.log
    # or pass the secret by another means.
    [Parameter(Mandatory=$true)]
    [string]
    $Password
)

try {
    Start-Transcript -Path C:\log\Join-Domain.log -Append
    $pass = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName,$pass
    # -ErrorAction Stop turns Add-Computer's non-terminating error into an exception,
    # so a failed join actually reaches the catch block below.
    Add-Computer -DomainName $DomainName -Credential $cred -Restart -Force -ErrorAction Stop
}
catch {
    $error[0] | Format-List -Force   # print the detailed reason for the failure
}
finally {
    Stop-Transcript
}
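For unattended use, the variant below is an added example (it is not the post's own script): it takes a PSCredential instead of a plaintext password parameter, so the secret is not on the command line or in the transcript header; it skips the join when the machine is already a member of the target domain, which keeps re-runs harmless; and it turns Add-Computer's non-terminating errors into exceptions. The function name, the OUPath parameter and the log path are my choices; Get-CimInstance Win32_ComputerSystem and Add-Computer -OUPath are standard.

```powershell
# Added example, not the original post's script. Names and log path are assumptions.
function Join-DomainIdempotent {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$DomainName,
        [Parameter(Mandatory=$true)][pscredential]$Credential,
        [string]$OUPath,      # optional target OU, e.g. "OU=Web,DC=company,DC=example,DC=com"
        [string]$LogPath = 'C:\log\Join-Domain.log'
    )

    Start-Transcript -Path $LogPath -Append | Out-Null
    try {
        # Idempotency check: nothing to do if we are already in the requested domain.
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem
        if ($cs.PartOfDomain -and ($cs.Domain -ieq $DomainName)) {
            Write-Verbose "$($cs.Name) is already a member of $DomainName; nothing to do."
            return 'AlreadyJoined'
        }

        # Splat the arguments; ErrorAction Stop makes a failed join throw.
        $joinArgs = @{ DomainName = $DomainName; Credential = $Credential; Force = $true; ErrorAction = 'Stop' }
        if ($OUPath) { $joinArgs.OUPath = $OUPath }

        if ($PSCmdlet.ShouldProcess($cs.Name, "Join domain $DomainName")) {
            Add-Computer @joinArgs
            # Restart separately so the join result is written to the log before the reboot.
            Write-Verbose "Joined $DomainName; restarting."
            Restart-Computer -Force
        }
        return 'Joined'
    }
    catch {
        # Win32 join errors such as 1355 / 1326 / 2224 surface here through the exception text.
        Write-Error ("Join failed: {0} (HResult 0x{1:X8})" -f $_.Exception.Message, $_.Exception.HResult)
        return 'Failed'
    }
    finally {
        Stop-Transcript | Out-Null
    }
}

# Usage (interactive prompt shown; for unattended runs build the PSCredential from a
# secret store rather than from a plaintext parameter):
# Join-DomainIdempotent -DomainName 'company.example.com' -Credential (Get-Credential 'COMPANY\joinsvc') -Verbose
```

Run it with -WhatIf first on a new image to confirm it reaches the join step without actually joining; the return value ('AlreadyJoined', 'Joined' or 'Failed') is what an orchestration tool can branch on.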

Troubleshooting:

1) ERROR_NO_SUCH_DOMAIN (error code 1355)

The machine web01 attempted to join the domain but failed. The error code was 1355

OR 

Add-Computer : Computer ‘web01’ failed to join domain ‘company.example.com’ from its current workgroup ‘WORKGROUP’ with following error message: The specified domain either does not exist or could not be contacted.


The join process looks for a domain controller that already has a computer account for the computer that is currently being joined. If such a domain controller is not found, it tries to find another domain controller.

To troubleshoot this error further, run nltest /dsgetdc:<domain-name> and examine the output. If that also fails, either the domain really does not exist or a network issue is preventing domain discovery. Running Netdiag.exe and examining its output can also help determine the cause.

2) ERROR_ACCESS_DENIED / ERROR_LOGON_FAILURE (error code 5 or 1326)

After a domain controller is found, an attempt is made to connect to it using the supplied credentials. A “Failure to connect to a domain controller” message indicates either a network error or insufficient credentials.

To confirm this, make the same kind of connection from the command prompt:

net use \\dcname\ipc$ /u:<domain\user> <password>

3) ERROR_ACCESS_DENIED / ERROR_USER_EXISTS (error code 5 or 2224)

If you receive the error “Failure to create a computer account,” either the account already exists or the user trying to join lacks sufficient access rights.

In the ERROR_USER_EXISTS case this is not an error as such: the NetUserAdd operation fails with 0x8b0 (NERR_UserExists) because a computer account with that name already exists in the domain.

To troubleshoot further, obtain the security descriptor and view the permissions on the computer account object. You can use either the Active Directory Users and Computers MMC console or the Ldp tool.
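The three cases above can be checked before attempting the join. The function below is an added example (not from the original post): it runs nltest for case 1, probes the located DC on the Kerberos, LDAP and SMB ports, validates the join credentials against the domain for case 2, and queries whether a computer account with this name already exists for case 3. The function name, the result fields and the port list are my choices; PrincipalContext.ValidateCredentials, DirectoryEntry and DirectorySearcher are standard System.DirectoryServices APIs.

```powershell
# Added example, not the original post's code. Function and field names are assumptions.
function Test-DomainJoinPrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$DomainName,
        [Parameter(Mandatory=$true)][pscredential]$Credential,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $result = [ordered]@{
        DomainFound = $false; DCName = $null; PortsOpen = $false
        CredentialsValid = $false; AccountExists = $false
    }

    # Case 1 (ERROR_NO_SUCH_DOMAIN, 1355): can a domain controller be located at all?
    $nltest = & nltest.exe "/dsgetdc:$DomainName" 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "nltest could not locate a DC for $DomainName : $($nltest -join ' ')"
        return [pscustomobject]$result
    }
    $result.DomainFound = $true
    # nltest prints a line such as "           DC: \\DC01.company.example.com"
    $dcLine = $nltest | Where-Object { "$_" -match '^\s*DC:' } | Select-Object -First 1
    if ("$dcLine" -match '\\\\(\S+)') { $result.DCName = $Matches[1] }

    # Still case 1: the DC is known by name, but are the join-relevant ports reachable?
    # 88 = Kerberos, 389 = LDAP, 445 = SMB (the IPC$ connection used in case 2)
    $closed = foreach ($p in 88, 389, 445) {
        $t = Test-NetConnection -ComputerName $result.DCName -Port $p -WarningAction SilentlyContinue
        if (-not $t.TcpTestSucceeded) { $p }
    }
    $result.PortsOpen = (-not $closed)
    if ($closed) { Write-Warning "DC $($result.DCName) not reachable on TCP $($closed -join ', ')" }

    # Case 2 (ERROR_LOGON_FAILURE, 1326): validate the join credentials against the domain
    # without touching the machine's own membership.
    $plain = $Credential.GetNetworkCredential().Password
    try {
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $DomainName)
        $result.CredentialsValid = $ctx.ValidateCredentials($Credential.UserName, $plain)
        $ctx.Dispose()
    } catch {
        Write-Warning "Credential validation against $DomainName failed: $($_.Exception.Message)"
    }

    # Case 3 (ERROR_USER_EXISTS, 2224): is there already a computer account with this name?
    # Bind with the supplied credentials, since a workgroup machine has no domain identity yet.
    if ($result.CredentialsValid) {
        $de = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($result.DCName)", $Credential.UserName, $plain)
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($de)
        $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
        $result.AccountExists = ($null -ne $searcher.FindOne())
        $de.Dispose()
    }

    [pscustomobject]$result
}

# Usage:
# Test-DomainJoinPrereqs -DomainName 'company.example.com' -Credential (Get-Credential 'COMPANY\joinsvc')
```

Reading the result: DomainFound false points at case 1 (DNS/SRV discovery); DomainFound true with PortsOpen false points at a firewall between the machine and the DC; CredentialsValid false is case 2; AccountExists true tells you in advance that the join will reuse an existing object, so its permissions should be checked in Active Directory Users and Computers or Ldp as described above.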
