plus3it / join-domain-formula

Salt formula to join systems to an Active Directory domain
Apache License 2.0
13 stars 19 forks

Removes windows computer object if found, unconditionally #183

Closed lorengordon closed 1 year ago

lorengordon commented 1 year ago

I think this test was keeping this function from removing a found computer object. At one point in time, that was fine, as the Add-Computer cmdlet would go ahead and replace or reuse it, if needed. However, on domain controllers with a reasonably current set of patches, that is not allowed. It will fail with errors and a log similar to the below, in %windir%\debug\netsetup.log.

NetpCheckForDomainSIDCollision: returning 0x0(0).
NetpGetComputerObjectDn: Cracking DNS domain name ..../ into Netbios on \\....
NetpGetComputerObjectDn: Crack results:         name = ....\
NetpGetComputerObjectDn: Cracking account name ....$ on \\....
NetpGetComputerObjectDn: Crack results:         (Account already exists) DN = CN=....
NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=....
NetpGetADObjectOwnerAttributes: Ms-Ds-CreatorSid is empty.
NetpGetNCData: Reading NC data
NetpReadAccountReuseModeFromAD: Searching '<WKGUID=....>' for '(&(ObjectClass=ServiceConnectionPoint)(KeyWords=NetJoin*))'.
NetpReadAccountReuseModeFromAD: Got 0 Entries.
Returning NetStatus: 0, ADReuseMode: 0
IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2.
IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: 0, NetStatus: 0
NetpDsValidateComputerAccountReuseAttempt: returning Result: FALSE
NetpCheckIfAccountShouldBeReused: Active Directory Policy check returned NetStatus:0x0.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac
NetpProvisionComputerAccount: LDAP creation failed: 0xaac
NetpProvisionComputerAccount: Cannot retry downlevel, specifying OU is not supported
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0xaac.
NetpJoinDomainOnDs: Function exits with status of: 0xaac
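The log above ends in status 0xaac (decimal 2732), which is NERR_AccountReuseBlockedByPolicy: the domain-join hardening described in Microsoft KB5020276 refuses to re-use a computer account that the joining identity did not create, unless the legacy NetJoinLegacyAccountReuse registry value (whose absence is what the RegQueryValueEx line reports) or an AD policy explicitly allows it. The approach this PR takes, deleting the existing object before joining, sidesteps that check. The following PowerShell is an added example, not code from join-domain-formula or from the PR: it looks the object up by sAMAccountName on a specific domain controller, deletes it, and then joins through that same controller so the deletion cannot be hidden by replication lag. The domain name, controller name and OU path are assumed inputs.

```powershell
# Added example (not join-domain-formula's own code): remove a pre-existing
# computer object, then join via the same DC. $DomainController and $OUPath
# are illustrative assumptions; the caller supplies real values.
function Remove-ExistingComputerObject {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$DomainController,   # FQDN of the DC to bind to
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Computer accounts are stored with sAMAccountName '<NETBIOSNAME>$'
    $sam = '{0}$' -f $ComputerName.ToUpperInvariant()
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$DomainController",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$sam))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $hit = $searcher.FindOne()
    if ($null -eq $hit) {
        Write-Verbose "No computer object $sam found via $DomainController"
        return $false
    }
    $dn = $hit.Properties['distinguishedname'][0]
    if ($PSCmdlet.ShouldProcess($dn, 'Delete computer object')) {
        # DeleteTree also removes any child objects (e.g. service connection points)
        $hit.GetDirectoryEntry().DeleteTree()
        Write-Verbose "Deleted $dn"
    }
    return $true
}

function Join-DomainReplacingObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainName,        # e.g. corp.example.com (assumed)
        [Parameter(Mandatory)][string]$DomainController,  # e.g. dc01.corp.example.com (assumed)
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$OUPath                                   # e.g. OU=Servers,DC=corp,DC=example,DC=com (assumed)
    )
    $null = Remove-ExistingComputerObject -ComputerName $env:COMPUTERNAME `
        -DomainController $DomainController -Credential $Credential

    $joinArgs = @{
        DomainName  = $DomainName
        Server      = $DomainController   # same DC the object was deleted on
        Credential  = $Credential
        ErrorAction = 'Stop'
    }
    if ($OUPath) { $joinArgs['OUPath'] = $OUPath }

    try {
        Add-Computer @joinArgs
    }
    catch {
        # 0xaac (2732) is NERR_AccountReuseBlockedByPolicy: an object with our
        # name still exists on the DC that processed the join.
        $log  = Join-Path $env:windir 'debug\netsetup.log'
        $tail = Get-Content -Path $log -Tail 40 -ErrorAction SilentlyContinue
        if ($tail -match 're-use is blocked by policy|0xaac') {
            throw "Join of $env:COMPUTERNAME to $DomainName was blocked by the account re-use policy; a computer object with that name still exists on $DomainController. $_"
        }
        throw
    }
}

# Usage (values assumed): preview the deletion first, then join and reboot.
# Remove-ExistingComputerObject -ComputerName $env:COMPUTERNAME -DomainController dc01.corp.example.com -Credential (Get-Credential) -WhatIf
# Join-DomainReplacingObject -DomainName corp.example.com -DomainController dc01.corp.example.com -Credential (Get-Credential) -OUPath 'OU=Servers,DC=corp,DC=example,DC=com' -Verbose
# Restart-Computer
```

Two points worth keeping in mind with an unconditional delete. First, whatever account performs the join can now destroy any computer object that happens to carry the new host's name, so grant that account Delete Computer Objects only on the target OU rather than domain-wide, and treat a hit in Remove-ExistingComputerObject as something to log. Second, setting NetJoinLegacyAccountReuse under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the client restores the old re-use behaviour, but KB5020276 describes it as a temporary workaround, so deleting and recreating the object, as this PR does, is the durable path.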
lorengordon commented 1 year ago

Ok, I think this is ready. We now have several fully clean runs with this patch, even when there are collisions with Windows computer names/objects.