Recently I had to troubleshoot why the Active Directory domain join stopped working for a customer’s Windows 10 SCCM OS deployment task sequence that had worked the previous week. In this blog post I walk through the experience of getting the Domain Join Failure Error NetpDoDomainJoin Status 0x8bf and what the root cause was in this case. There are many other domain join errors, but this was the first time I had seen this specific error code in C:\Windows\Debug\NetSetup.LOG.
The symptom during the SCCM Win10 OSD deployment was that the “Getting Ready” phase, which typically takes 1-2 minutes, was taking 15 minutes! In addition, the PC ended up in WORKGROUP, which is not the expected result. A failed join can happen for several reasons: an incorrect OU path, incorrect domain join service account permissions, incorrect or missing network drivers, and more.
The error in C:\Windows\Debug\NetSetup.LOG occurred consistently and the PC failed to join the AD domain it had joined without trouble the previous week. The domain join process during mini-setup kept retrying for 15 minutes. See the NetSetup.LOG linked here on my GitHub repository. Again, the expected time for a domain join to an OU is 1-2 minutes at most.
Log errors repeatedly occurring for 15 minutes:
NetpJoinDomainOnDs: Function exits with status of: 0x8bf
NetpJoinDomainOnDs: NetpResetIDNEncoding on ‘(null)’: 0x0
NetpDoDomainJoin: status: 0x8bf
Other Domain Join Error Codes
You may see other error codes in NetSetup.LOG for other reasons. The values are ordinary Win32 error codes, so decoding them points straight at the cause:
DsGetDCName failed: 0x54b (1355, ERROR_NO_SUCH_DOMAIN: the domain does not exist or could not be contacted) – check your fully qualified domain name and that the client can resolve and reach a DC
NetJoinDomain attempt failed: 0x89a (2202, ERROR_BAD_USERNAME) – check your domain join credentials
NetJoinDomain attempt failed: 0x2 (ERROR_FILE_NOT_FOUND) – check your OU specification; the distinguished name must exist exactly as typed
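Because every status in NetSetup.LOG is a Win32 error number, you do not have to memorise the codes above. The following PowerShell is an added example (not code from the original post): it pulls the hex codes out of the log lines and decodes them with System.ComponentModel.Win32Exception, which on Windows returns the same text that `net helpmsg <decimal>` prints. The sample lines are constructed from the ones quoted in this post, the hint table is my own mapping of the codes to the checks the post recommends, and the function name `ConvertFrom-NetSetupLog` is mine.

```powershell
# Added example, not from the original post: decode the status codes that
# NetpDoDomainJoin / NetpJoinDomainOnDs write to C:\Windows\Debug\NetSetup.LOG.
# Requires Windows PowerShell or PowerShell on Windows (Win32Exception messages
# come from the OS message table).

# Constructed sample lines, modelled on the ones quoted in this post.
# On a real machine: $sample = Get-Content 'C:\Windows\Debug\NetSetup.LOG'
$sample = @(
    'NetpJoinDomainOnDs: Function exits with status of: 0x8bf',
    'NetpJoinDomainOnDs: NetpResetIDNEncoding on ''(null)'': 0x0',
    'NetpDoDomainJoin: status: 0x8bf',
    'NetpDsGetDcName: failed to find a DC in the specified domain: 0x54b',
    'NetpJoinDomain: status of disconnecting from ''\\DC01'': 0x0'
)

# My mapping of the codes discussed in this post to the check that resolves them.
$hints = @{
    0x8bf = 'ERROR_ACCOUNT_EXPIRED - check the domain join service account expiry date in ADUC'
    0x54b = 'ERROR_NO_SUCH_DOMAIN - check the FQDN and DNS / DC reachability'
    0x89a = 'ERROR_BAD_USERNAME - check the domain join credentials'
    0x2   = 'ERROR_FILE_NOT_FOUND - check the OU distinguished name'
}

function ConvertFrom-NetSetupLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    foreach ($line in $Lines) {
        # Status lines end in a hex code; 0x0 means success and is skipped.
        if ($line -notmatch '(0x[0-9A-Fa-f]+)\s*$') { continue }
        $code = [Convert]::ToInt32($Matches[1], 16)
        if ($code -eq 0) { continue }

        [pscustomobject]@{
            Hex     = '0x{0:x}' -f $code
            Decimal = $code
            Message = [System.ComponentModel.Win32Exception]::new($code).Message
            Hint    = if ($hints.ContainsKey($code)) { $hints[$code] } else { "run: net helpmsg $code" }
            Line    = $line
        }
    }
}

# One row per distinct failing code; 0x8bf decodes to "The user's account has expired."
ConvertFrom-NetSetupLog -Lines $sample |
    Sort-Object Hex -Unique |
    Format-Table Hex, Decimal, Message, Hint -AutoSize
```

Run it against the real log with `ConvertFrom-NetSetupLog -Lines (Get-Content 'C:\Windows\Debug\NetSetup.LOG')`. Decoding first would have turned the two days of troubleshooting described below into a single lookup.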
After troubleshooting for 2 days, I noticed the Domain Join Service Account was set to EXPIRE on Sunday, September 1st, 2019; the domain join failures were noticed on the Tuesday. In hindsight the log had already said so: 0x8bf is decimal 2239, ERROR_ACCOUNT_EXPIRED (“The user’s account has expired”). Once I saw that the account was set to expire and the date had passed, I promptly asked the customer to set the service account to NEVER EXPIRE. If your policy requires service accounts to expire, be sure to add a calendar notification, or your existing OS deployments will fail.
Simply put, the first action should be to double-check the Domain Join Service account in AD Users and Computers. Just because something worked the previous week does not mean it will continue to work.
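The ADUC check above can be scripted so it is run before anyone starts blaming OU paths or network drivers. The following is an added example (not code from the original post): it reads the account's expiry, lockout, password and group-membership state with the RSAT ActiveDirectory module and reports anything that would break a join. `Test-DomainJoinAccount` and the account name `svc-domainjoin` are placeholders of mine.

```powershell
# Added example, not from the original post: pre-flight check of the domain join
# service account. Requires the RSAT ActiveDirectory module and a domain user
# that can read the account's attributes. 'svc-domainjoin' is a placeholder.
Import-Module ActiveDirectory

function Test-DomainJoinAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties `
        AccountExpirationDate, Enabled, LockedOut, PasswordExpired,
        PasswordNeverExpires, CannotChangePassword, MemberOf

    $problems = @()
    if (-not $u.Enabled)  { $problems += 'Account is disabled' }
    if ($u.LockedOut)     { $problems += 'Account is locked out' }
    # An expiry date in the past is exactly what produces NetpDoDomainJoin status 0x8bf.
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        $problems += "Account expired on $($u.AccountExpirationDate) (join will fail with 0x8bf)"
    }
    elseif ($u.AccountExpirationDate) {
        $problems += "Account is set to expire on $($u.AccountExpirationDate); set a reminder or clear it"
    }
    if ($u.PasswordExpired)            { $problems += 'Password has expired' }
    if (-not $u.PasswordNeverExpires)  { $problems += 'Password is subject to expiry' }
    if (-not $u.CannotChangePassword)  { $problems += '"User cannot change password" is not set' }

    # A domain join account must never sit in a privileged group.
    $privileged = $u.MemberOf | Where-Object {
        $_ -match '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators|Account Operators),'
    }
    if ($privileged) { $problems += "Member of privileged group(s): $($privileged -join '; ')" }

    [pscustomobject]@{
        Account  = $u.SamAccountName
        Expires  = $u.AccountExpirationDate
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-DomainJoinAccount -SamAccountName 'svc-domainjoin' | Format-List

# Remediation, once you have confirmed which finding applies:
#   Clear-ADAccountExpiration -Identity svc-domainjoin        # account never expires
#   Unlock-ADAccount -Identity svc-domainjoin
#   Set-ADUser -Identity svc-domainjoin -PasswordNeverExpires $true -CannotChangePassword $true
```

Running this from the SCCM server as a scheduled task, and alerting when `Healthy` is false, catches the expiry case days before the first task sequence fails.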
IT Pro Tips
- NEVER add a domain join service account to Domain Admins or Enterprise Admins. The credentials are embedded in the task sequence, so assume anyone who can read the task sequence can recover them, and scope the account accordingly. The account should be single purpose: domain join only, not shared with other services.
- Limit the delegated AD permissions to the workstation OU(s) only: create and delete computer objects there, plus Reset Password, read/write Account Restrictions and the validated writes to DNS host name and service principal name on descendant computer objects. Do not grant rights domain-wide or on server OUs.
- Create separate domain join service accounts for Workstations and Servers.
- Set the Domain Join Service account to NEVER EXPIRE.
- Set the Domain Join Service account PASSWORD to never expire, and compensate for the standing credential with a long random password, the minimal delegation above, and a manual rotation whenever someone with access to the task sequence leaves.
- Set the Domain Join Service account to “User cannot change password”.
- If account expiry is required, add a reminder to extend the account at least 3-5 days before it expires.
- Double-check that the Domain Join Service Account’s OU permissions are correct and the OU path is valid.
- Double-check that the Domain Join Service Account is NOT locked out.
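The tips above describe one procedure: create a single-purpose account with the right flags, then delegate only the rights a join needs on one OU. The following PowerShell is an added example (not code from the original post) that carries the procedure through end to end using New-ADUser and dsacls.exe. The domain name CORP, the account svc-wsjoin and the OU distinguished names are placeholders of mine; the dsacls right strings are the standard ones for computer-join delegation, and the verification step at the end shows what was actually written so you can confirm them against your own directory.

```powershell
# Added example, not from the original post: provision a workstation-only domain
# join account and delegate the minimum rights on a single OU. Requires the RSAT
# ActiveDirectory module and dsacls.exe, run as a user who can create users and
# modify the OU's ACL. All names below are placeholders.
Import-Module ActiveDirectory

$Domain        = 'CORP'                                    # NetBIOS domain name (placeholder)
$Account       = 'svc-wsjoin'                              # workstation join account (placeholder)
$AccountOU     = 'OU=Service Accounts,DC=corp,DC=example'  # where the account lives (placeholder)
$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'      # the ONLY OU it may join machines to (placeholder)

# 1. Create the account with the settings from the tips: enabled, no account
#    expiry, password never expires, user cannot change password, single purpose.
$password = Read-Host -AsSecureString "Password for $Account (long and random)"
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@corp.example" -Path $AccountOU `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'SCCM OSD workstation domain join only. Do not reuse.'
Clear-ADAccountExpiration -Identity $Account   # explicit "never expires"

# 2. Delegate only what a join needs, on the workstation OU only.
#    /I:T = this object and descendants, /I:S = descendants only.
#    CC/DC = create/delete child, CA = extended right, WS = validated write,
#    RPWP = read/write property.
$grants = @(
    @{ Inherit = 'T'; Right = 'CCDC;computer' },                                       # create/delete computer objects
    @{ Inherit = 'S'; Right = 'CA;Reset Password;computer' },                          # reset the machine account password
    @{ Inherit = 'S'; Right = 'RPWP;Account Restrictions;computer' },                  # userAccountControl and friends
    @{ Inherit = 'S'; Right = 'WS;Validated write to DNS host name;computer' },
    @{ Inherit = 'S'; Right = 'WS;Validated write to service principal name;computer' }
)
foreach ($g in $grants) {
    & dsacls.exe $WorkstationOU "/I:$($g.Inherit)" /G "$Domain\${Account}:$($g.Right)"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$($g.Right)'" }
}

# 3. Verify: the account should appear on this OU with only the rights above,
#    and on no other OU. Repeat the second command against server OUs to prove
#    the absence.
& dsacls.exe $WorkstationOU | Select-String -Pattern ([regex]::Escape("$Domain\$Account"))
```

Create a second account the same way for the server OU rather than widening this one's scope; if the workstation task sequence credentials leak, the blast radius stays limited to creating and resetting workstation computer objects.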
That completes this blog post highlighting the Domain Join Failure Error NetpDoDomainJoin Status 0x8bf and its fix. Always confirm the domain join service account is not locked out, expired or set to expire as the first step.