Post

Automatic Domain Join with Microsoft Deployment Toolkit!

Posted Updated
Preview Image
By Marc Mylemans 6 min read

Configuring Active Directory for MDT Deployment

Introduction

In a typical Windows deployment scenario using Microsoft Deployment Toolkit (MDT), you may want to automate the process of domain joining for computers during the deployment process.

To achieve this with non-admin users, you need to make adjustments to the ‘ms-DS-MachineAccountQuota’ attribute in Active Directory. By default, this attribute allows for only 10 domain joins.

In this guide, we’ll walk you through the necessary steps to increase this limit, create a service account, and set up Organizational Units (OUs) for a more efficient MDT deployment.

Previous guides:

Setting up a Microsoft Deployment Server!

Customizing the Microsoft Deployment Server!

Adding Drivers to the Microsoft Deployment Server!

Adding Applications and Application Bundles in Microsoft Deployment Toolkit!

Adjust ‘ms-DS-MachineAccountQuota’ Value

To allow for an unlimited number of domain joins for normal domain users, you need to adjust the ‘ms-DS-MachineAccountQuota’ attribute. Follow these steps:

1) Open Active Directory Service Interfaces Editor (ADSIEdit) on a Windows Server or a computer with Remote Server Administration Tools (RSAT) installed.

2) Navigate to the following path:

CN=Directory Service,CN=Windows 
NT,CN=Services,CN=Configuration,DC=contoso,DC=com

3) Locate the ‘ms-DS-MachineAccountQuota’ attribute and double-click it.

4) Change the value to a large number or set it to -1 to allow an unlimited number of domain joins.

5) Click ‘OK’ to save the changes.

Create a Service Account

To use a non-admin user as a service account for domain joins during MDT deployment, create a new domain user account, not that we don’t use a domain admin. This account will be used to join computers to the domain.

Configure CustomSettings.ini

Modify your CustomSettings.ini file to auto-populate the credentials and domain during MDT deployment. Add the following lines to your CustomSettings.ini under your [Default] section:

1
2
3
4
5
6

[Default]

JoinDomain=YourDomainName  ; Replace YourDomainName with the actual domain name
DomainAdmin=YourDomainAdmin  ; Replace YourDomainAdmin with the domain admin username
DomainAdminDomain=YourDomainName  ; Replace YourDomainName with the actual domain name
DomainAdminPassword=YourDomainAdminPassword  ; Replace YourDomainAdminPassword with the domain admin password

If you have been following along with our previous guides, you may have set the ‘SkipDomainMembership=YES’ in your CustomSettings.ini file to skip the domain joining step. To make use of the changes made in this guide, it is essential to adjust the ‘SkipDomainMembership=NO’ in your CustomSettings.ini. This change will prevent skipping the domain joining step during the MDT deployment process. Make sure to verify and update your CustomSettings.ini file accordingly.

Create Organizational Units (OUs)

To create Organizational Units (OUs) for organizing your computers, follow these steps:

1) Open Active Directory Users and Computers: On a Windows Server or a computer with Remote Server Administration Tools (RSAT) installed, open “Active Directory Users and Computers.”

2) Connect to your Active Directory: In the left pane, right-click on “Active Directory Users and Computers” and choose “Change Domain Controller.” Select your domain controller.

3) Create OUs: In the left pane, right-click on your domain name, and choose “New” > “Organizational Unit.” Give your OU a meaningful name, such as “Laptops,” “Desktops,” or “Servers.”

4) Get the ‘MachineObjectOU’ Value: To find the value for the MachineObjectOU attribute, right-click on the OU you’ve just created, select “Properties,” and navigate to the “Attribute Editor” tab. Look for the distinguishedName attribute, which contains the value you need.

  • For example, if you created an OU named “Laptops” within the “Contoso” domain, the MachineObjectOU value might be: OU=Laptops,OU=Contoso,DC=contoso,DC=com.

5) Repeat for Other OUs: Create additional OUs as needed, and take note of their distinguishedName values.

By following these steps, you’ll have organized your computers into the appropriate OUs and retrieved the necessary MachineObjectOU values for your CustomSettings.ini configuration.

Create DomainOUList.xml

To facilitate the selection of OUs during deployment, create a file named DomainOUList.xml in the scripts folder under your deploymentshare. This file will be used to create a dropdown list. Here’s a template for your DomainOUList.xml:

1
2
3
4
5
6
7
8
9

<DomainOUs>
  <DomainOU>
    OU=Laptops,OU=Contoso,DC=contoso,DC=com
  </DomainOU>
  <DomainOU>
    OU=Desktops,OU=Contoso,DC=contoso,DC=com
  </DomainOU>
  <!-- Add more DomainOU entries as needed -->
</DomainOUs>

You’ll notice that the OU values in the DomainOUList.xml template match the MachineObjectOU values you retrieved in the previous step. Replace the OUs and distinguished names with the values you obtained in that step.

By following these steps, you’ll have created a DomainOUList.xml file that aligns with your Active Directory structure and the MachineObjectOU values you gathered earlier. This file will be used to generate a dropdown list for selecting OUs during the MDT deployment.

Configure ‘MachineObjectOU’ Based on Device Type

In MDT, you can dynamically set the MachineObjectOU property based on the device type (laptop or desktop). This allows you to place devices in different OUs automatically. Follow these steps to achieve this:

1) Open your CustomSettings.ini file.

2) Modify the [Default] section to look like this:

1
2
3
4
5
6
7

[Default]
MachineObjectOU=OU=Workstations,OU=Contoso,DC=contoso,DC=com
JoinDomain=YourDomainName  ; Replace YourDomainName with the actual domain name
DomainAdmin=YourDomainAdmin  ; Replace YourDomainAdmin with the domain admin username
DomainAdminDomain=YourDomainName  ; Replace YourDomainName with the actual domain name
DomainAdminPassword=YourDomainAdminPassword  ; Replace YourDomainAdminPassword with the domain admin password
SkipDomainMembership=NO

3) Now, create two additional sections for ‘Laptop’ and ‘Desktop’ under [ByLaptopType] like this:

1
2
3
4
5
6

[Laptop-True]
MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com

[Desktop-True]
MachineObjectOU=OU=Workstations,OU=Contoso,DC=contoso,DC=com

4) Save your CustomSettings.ini file.

Conclusion

Configuring your Active Directory and Microsoft Deployment Toolkit (MDT) for streamlined deployments can significantly improve the efficiency of your IT management tasks. In this guide, we walked you through several key steps to prepare your environment for MDT deployments, focusing on enabling non-admin users to join devices to the domain, creating Organizational Units (OUs) for organization, and setting up dynamic OU selection based on the device type.

By adjusting the ‘ms-DS-MachineAccountQuota’ attribute in Active Directory, you’ve ensured that non-admin users can perform domain joins seamlessly during MDT deployments. Creating a dedicated service account and customizing the CustomSettings.ini file simplifies the process further. Additionally, you’ve organized your domain into OUs for better management and deployed a DomainOUList.xml file for user-friendly OU selection during deployment.

To top it all off, we’ve shown you how to set up the MachineObjectOU value dynamically based on device type, allowing for automatic placement of devices in the correct OUs.

With these steps in place, you’re now well-prepared to enhance the efficiency of your MDT deployment process, reduce administrative overhead, and ensure a smoother experience for your IT team and end users. By following these best practices, you’ll be better equipped to handle deployments at scale with confidence.

Thank you for following along with this guide, and we hope it helps you streamline your MDT deployments and improve your overall IT management processes.

Windows Server
server microsoft deployment toolkit mdt part4
This post is licensed under CC BY 4.0 by the author.