Issue Moving OU's

Apr 25, 2012 at 3:14 PM
Edited Apr 25, 2012 at 3:16 PM

I'm trying to stage computers in one OU and move them to another once deployment has finished.  However, after the deployment is complete the computer has not been joined to the domain, and obviously there is not computer account to move.  Here's the config in my CS.ini:


[Settings]
Priority= Default
Properties=StagingOU
[Default]
JoinDomain=company.com
DomainAdmin=company.com\SuperAwesomeAccount
DomainAdminPassword=LikeIWouldPostThatHere
MachineObjectOU=OU=MigrationTEST,OU=COMPANYCORP,DC=company,DC=com
StagingOU=OU=MigrationTEST,OU=COMPANYCORP,DC=company,DC=com
[MoveComputerToOU]
Parameters=OSDComputerName,MachineObjectOU
OSDComputerName=ComputerName
MachineObjectOU=CN=Computers,DC=company,DC=com

I am able to use IE to get to the web service and browse to the MoveComputerToOU portion of the AD web service.  The path is a little different than in the CS.ini, but I have no idea what I'm doing so here's the path that I browse to in IE: http://company-storage/mdtwebservice/ad.asmx?op=MoveComputerToOU  If I try manually to enter the computer name and the OU to move it to I get this:
 <?xml version="1.0" encoding="utf-8" ?>
 <boolean xmlns="http://maikkoster.com/Deployment">false</boolean>

I have the three scripts: Z_MoveComputer_TargetOU.wsf, Z_MoveComputer_StagingOU.wsf, Z_MoveComputer_SwapOUValues.wsf  in my scripts folder.  If I remove the StagingOU and the [MoveComputerToOU] the computer joins the domain and the account is created in my staging OU.  My question is, what have I screwed up that makes it unable to join the domain and move to the destination OU?
Coordinator
Apr 25, 2012 at 3:45 PM


A couple things to mention.

1. A computer account can only be moved if it exists. So if the computer hasn't joined the domain, it can't be moved.

2. MachineObjectOU requires the path to an OU. specifying CN=Computers, even if that's the default container will cause the domain join to fail. Check the netsetup.log file on the computer that fails to join the domain. It should give you more information

If you can't move a computer account by calling the functions directly, something isn't working as supposed. Most common issue are either typos (make sure Computer name and Target OU name are correct) or permission issues (the Application pool account requires the appropriate permission for this or you need to configure an account with appropriate permissions in the web.config).

The webservice will write pretty extensive log files to troubleshoot such cases. Please see http://mdtcustomizations.codeplex.com/wikipage?title=Webservice%20Troubleshooting  for some information on how to enable this.

The basic idea behind the StagingOU and the supplied scripts is as follows:

- Define MachineObjectOU and StagingOU in cs.ini. Either static and/or dynamic
- Z_MoveComputer_StagingOU.wsf will move an existing account to the StagingOU (only applies to re-fresh). Then it will switch the Values of StagingOU and MachineObjectOU. By this, the value of StagingOU (which is now stored in MachineObjectOU) will be written to the installation files
- Computer joins the domain into the OU specified in StagingOU
- At the end, switch StagingOU and MachineObjectOU back to its original values. And move it to the MachineObjectOU which now contains the correct value.

Hope that helps

Regards

Maik

 

Apr 25, 2012 at 7:42 PM
Edited Apr 25, 2012 at 7:48 PM

Thanks!  I am able to get it joined to the domain in the staging OU now.  That logging is invaluable.  I am still having trouble getting it to move the computer to the destination OU.  I tested moving the computer account from the destination OU to the staging using the first script, that works, the second script succeeds at changing the OU from staging to the target OU.  I get the following error:

 

ZTI ERROR - Non-zero return code by Z_MoveComputer_TargetOU, rc=1

Litetouch deployment failed, Return Code = -2147467259 0x8004005

Failed to run the action: Move Computer To Target OU.

Incorrect function. (Error: 00000001; Source: Windows)

 

I found that error in the SMSTS.LOG.

Any ideas?

 

Edit:

BTW my new CS.ini looks like this (I left out stuff that doesn't pertain):

 

[Settings]

Priority=Default

Properties=StagingOU

 

[Default]

MachineObjectOU=OU=MigrationTEST,OU=COMPANYCORP,DC=companycorp,DC=com

StagingOU=OU=MigrationTEST,OU=COMPANYCORP,DC=companycorp,DC=com

 

[MoveComputerToOU]

WebService=http://company-storage/mdtwebservice/ad.asmx/MoveComputerToOU

Parameters=OSDComputerName,MachineObjectOU

OSDComputerName=ComputerName

MachineObjectOU=OUPath

Apr 25, 2012 at 8:01 PM

Reading my CS.ini made me think that it doesn't make any sense to have the MachineObjectOU and the StagingOU the same.  I'm testing now with a different MachineObjectOU.

Apr 26, 2012 at 1:18 PM

Not sure what I was thinking, but that last comment didn't make any sense.  I'm still having the "Incorrect Function" error.

Coordinator
Apr 26, 2012 at 1:57 PM

Well, the last comment did make sense. MachineObjectOU and StagingOU sthould be different.

Btw. What version of MDT do you use?

Apr 26, 2012 at 2:09 PM

Alright, I'm obviously confused as to how this works.  Here's how I understand it:

Z_MoveComputer_StagingOU will find the computer account if it exists in AD and move it to the staging OU specified in the CS.ini.

Z_MoveComputer_SwapOUValues sets the value of MachinObjectOU from the StagingOU value to the MachineObjectOU specified in the [MoveComputerToOU] section of the CS.ini

Z_MoveComputer_TargetOU will move the computer account from the Staging OU to the destination OU.

When does the "join domain" get swapped from what's specified in the [Default] section to the StagingOU setting?

 

I'm using MDT 2012.  I got forced into upgrading. :(

Apr 26, 2012 at 7:40 PM

Alright I know I'm all turned around with this stuff.  When I change the MachineObjectOU to anything but the StagingOU the computer doesn't get joined to the domain.  I've testing joining the computer to the domain to each of the two OU's separately and it works.  I've also moved the computer account to and from the OU's using that same account successfully.  However, when I add in the scripts it doesn't join the domain properly, thus there's not computer account to move.  It is able to perform the first move (from the destination OU to the Staging OU) just not the second one.

One question I do have is this:

In my CS.ini does this entry need to be this verbatim?

[MoveComputerToOU]

WebService=http://company-storage/mdtwebservice/ad.asmx/MoveComputerToOU

Parameters=OSDComputerName,MachineObjectOUOSD

ComputerName=ComputerName

MachineObjectOU=OUPath


Or like this:

[MoveComputerToOU]

WebService=http://company-storage/mdtwebservice/ad.asmx/MoveComputerToOU

Parameters=OSDComputerName,MachineObjectOUOSD

ComputerName=ComputerName

MachineObjectOU=OU=Computers,DC=companycorp,DC=com

Coordinator
Apr 26, 2012 at 8:22 PM

Ok, there seem to be different errors, so to really help you, i would need at least the following log files

- netsetup.log (Can be found in the windows\debug folder on Win7)

- BDD.Log

- CustomSettings.ini

Without this, most of it is guessing.

But to answer your last question: the first option is the right one. It just defines how to call the web service and how to do the mapping. The assignment of values for MachineObjectOU, StagingOu etc has to happen before.

And the orbit view of the process is as follows:

- Deployment starts

- Gather step evaluates the cs.ini and assigns the values to properties like MachineObjectOU, StagingOU, OSDComputerName etc.

- Z-MoveComputerToStagingOU is called. First it does is switching Values of StagingOU and MachineObjectOU. Then it calls the webservice to Move an existing Computer account. This will only work if there is an account. Doesn't matter if there isn't one. And its just calling the web service as specified above, so it wants to move the comptuer to "MachineObjectOU" which now contains the value of the StagingOU (we just switched the values, correct?)

- A bit later the Configure step updates the unattend.xml file. One of the values it will set is the MachineObjectOU (which still has the value of the StagingOU).

- The computer reboots and runs the rest of the Mini-Setup (PnP etc.) and as part of this joins the specified domain. If everything is working well, the computer shows up in the OU specified by StagingOU in the beginning (which is currently stored in MachineObjectOU)

- Task Sequence is almost done - Z_MoveComputer_SwapOUValues will now switch the values of StagingOU and MachineObjectOU back to their original values.

- Z_MoveComputer_TargetOU is called and just runs the web service again as specified above. But this time MachineObjectOU contains the original value and will move the computer to the appropriate place.

It might sound a bit complicated to do this by switchting those values back and forth. But it allows us to keep the rest of the mdt process untouched. They aren't even aware that we fiddle around with the OU. So normally this works like a charm.

If I would have to guess, I would assume there is a typo somewhere. But it's hard to tell without the log files.

Regards
Maik

Apr 26, 2012 at 9:05 PM

Ah, it all makes sense now, thank you!  Is there a better way to upload log files than copy and paste them?

Coordinator
Apr 26, 2012 at 9:15 PM

Well, you can just zip them and upload to one of those many one click hosters or just send it to my via email (Maik DOT Koster AT gmx DOT de)

Regards
Maik

Apr 26, 2012 at 10:11 PM

I found this article and it seems to have resolved the issue.

http://social.technet.microsoft.com/Forums/en-US/configmgrosd/thread/c5d7476c-2b2b-4f4f-9d0e-d7b855309540/

I was trying to deploy to the root Computers OU, however that's not considered an actual OU I guess.  Once I created a subOU for the destination OU it cleared it right up.

Coordinator
Apr 27, 2012 at 7:09 AM

That's what I mentioned in my first post :

"2. MachineObjectOU requires the path to an OU. specifying CN=Computers, even if that's the default container will cause the domain join to fail. Check the netsetup.log file on the computer that fails to join the domain. It should give you more information"

;-) Computers is a container, not a real OU.

Apr 27, 2012 at 1:18 PM

Oh no!  I totally read that the wrong way!

Thank you so much for your help!  Also, thank you for the scripts and howto's it's awesome!!