Deployment Solution

We are in the process of moving to a new Domain/Domain server (2008) from a 2000/2003 domain server.  We are using DS 6.9 SP2.  In the old domain, 2003, we were able to use a configure job (a job with a Modify Configuration tast) on a computer to put it in a specified OU.  For our initial deployment we put computers in the Computer Deployment OU so that only computers with the correct name would go into the Computers OU.  (Quick background, we have it set to name computers to their serial number on deployment then we add a prefix for their location later.)  Now when trying to do this in the new domain it keeps giving us an error: "Unable to configure Windows Domain information" and the computer is not added to the domain at all.  The account I am using can add computers to the domain, but not directly to that OU.  I have given the account full control of the OU and still can't get it to work correctly. 

Any ideas or suggestions is much appreciated.  The whole reason we want these computers initially added to the Computer Deployment OU is to try to keep AD clean, and having these computers in a different OU originally will help us easily distinguish between computers with incorrect names and deployed computers.  Also eventually we want to add the computers directly to their correct OU for their location.

I've seen this happen if AClient isn't at the same version as the server.

I agree with the comment above but want to add that this may be an issue of rights propagation.

If you just assigned the rights you have to wait for AD replication. This can take up to 48 hours in a slow environment so forcing AD replication might be a consideration if you have a slow environment.

Additionally, if you are trying to move the PC to the new OU after unsuccessfully moving it you may need to reboot the machine to force it to grab the new rights from the AD.

Give these a shot and let me know what happens.

You can force the computer to update it's connection (provided the DC it is authenticating on has been replicated) by running "gpupdate /force" from the command line.  Depending on your group policies, a reboot may not be necessary. 

The Aclient is the most recent version and the user I am using the modify configuration task on has full domain admin rights.  Its not that I am trying to move it to an OU but that I am trying to add the computer directly to that OU.  As for the reboots, a Modify Configuration task automatically reboots the computer when adding it to the domain or changing the name.  What I think it actually does, is removes it from the domain reboots, adds it to the domain and reboots again, as it always seams to reboot twice.

We have the exact same problem. The configuration tasks directly into target OUs worked fine in DS6.8SP2 but with 6.9SP1 & 6.9SP2 we have had problems of various degree. Typically when specified target OU path the configuration job will fail altogether.

I did a bit of testing & confirmed that just a basic AD domain user with no special security groups but rights to create & delete computer objects in target OUs isn’t sufficient to manage even basic (no target OU specified) domain joining in one of our two domains. Perhaps it is depending where in the AD tree the computer account already is or if it is but requires more testing. Anyway up to this point for many years we have used certain domain accounts that have administrative rights on the target machines as well but these don’t work anymore.

As the last option I decided to change a domain admin level account to the domain accounts tab & finally things started to fly without an issue!

Perhaps this is about updated AD security or something but I’m positive 6.8SP2 can do it with less rights…

How did you change the domain admin level in the domain accounts tab?  I am guessing you mean in the DS under Tools-Options.  I do have a user with domain admin rights in there for both the basic domain name and the fully qualified domain name.

You’re right. Currently I’m only using one with fully qualified name.

Thats the only one we were able to get the modify configuration to work when we moved to using a domain that was on server 2008 was using the fqn.  You still didn't answer my question, how did you change the "Domain admin level account"?  Also what version of AD are you using (ie Server 2003, server 2008...?

Ok, I feel really stupid for this one.  I was using the wrong slashes.  So instead of location\Computers, I use location/computers and it worked.  Thanks everyoen for the help anyways.

It was requested for the information on how I did this.  Just create a Modify Configuration job and go to the Microsft Networking tab.  Select the Domain radio button and for the domain enter "Domain/folder/subfolder".  For example.  Your domain is Altiris, and within your Altiris domain you have subfolders for sites and then under that seperate out users and computers.  Now we use the fully qualified domain so it would be Altiris.local.  So the domain would look something like this: Altiris.local/North Carolina/Computers.  That is how you use the Modify configuration job to add a computer to the domain and directly into an OU.  Just make sure you have the domain account entered for your  fully qualified domain and it should work.