How to fix “Exceeded the Maximum Number of Computer Accounts Allowed to Create in this Domain”

This is a quick post about a problem I saw in my lab today: computers were failing to join the domain. To find out why, I manually attempted a domain join using the account specified in the SCCM Task Sequence, and got the following error:

On the client computer that failed to join the domain, open netsetup.log in the C:\Windows\Debug folder; you should see something similar to the text below.

12/20/2019 02:43:30:112 NetpMapGetLdapExtendedError: Parsed [0x216d] from server extended error string: 0000216D: SvcErr: DSID-031A1254, problem 5003 (WILL_NOT_PERFORM), data 0
12/20/2019 02:43:30:112 NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x216d
12/20/2019 02:43:30:112 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x216d
12/20/2019 02:43:30:112 NetpProvisionComputerAccount: LDAP creation failed: 0x216d
12/20/2019 02:43:30:112 NetpProvisionComputerAccount: Retrying downlevel per options
12/20/2019 02:43:30:112 NetpManageMachineAccountWithSid: NetUserAdd on 'DC01.windowsnoob.lab.local' for 'MININT-1K4R0PO$' failed: 0x216d
12/20/2019 02:43:30:112 NetpProvisionComputerAccount: retry status of creating account: 0x216d
12/20/2019 02:43:30:112 ldap_unbind status: 0x0
12/20/2019 02:43:30:112 NetpJoinCreatePackagePart: status:0x216d.
12/20/2019 02:43:30:112 NetpJoinDomainOnDs: Function exits with status of: 0x216d
12/20/2019 02:43:30:112 NetpJoinDomainOnDs: status of disconnecting from '\\DC01.windowsnoob.lab.local': 0x0
12/20/2019 02:43:30:112 NetpJoinDomainOnDs: NetpResetIDNEncoding on '(null)': 0x0
12/20/2019 02:43:30:112 NetpDoDomainJoin: status: 0x216d

The fix involves changing a value in an Active Directory attribute.

ms-DS-MachineAccountQuota

To fix this, on the domain controller start adsiedit.msc and browse to the DC=… object of your domain. Right-click it and choose Properties.

Note: If you cannot find ms-DS-MachineAccountQuota when you select Properties, make sure you have connected to the Default naming context in ADSI Edit (and not some other context such as Schema, RootDSE or Configuration). To change the context, select ADSI Edit in the left pane, click Action, and then Connect to.

Select Default Naming Context.

Once done, you’ll be able to find the ms-DS-MachineAccountQuota attribute by selecting Properties.

Scroll down to ms-DS-MachineAccountQuota and notice that the default value is 10.

Change it to something larger, like 1000.
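The same change can be made and checked from PowerShell. The script below is an added example, not from the original post; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read and write the domain naming context. Before raising the quota it reports which accounts have already consumed theirs, which is what the 0x216d error in netsetup.log is telling you; the join account name is a placeholder.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and an account allowed to read and write the domain naming context.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$attr     = 'ms-DS-MachineAccountQuota'
$newQuota = 1000          # value the post uses; pick what your environment needs

function ConvertTo-SidString {
    # mS-DS-CreatorSID comes back as a SecurityIdentifier or raw bytes depending
    # on the module version, so normalise it to the S-1-5-... string form.
    param($Value)
    if ($Value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($Value, 0)).Value
    }
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value.Value }
    return [string]$Value
}

# 1. Current quota on the domain object (10 unless someone already changed it).
$quota = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
Write-Host "$attr on $domainDN = $quota"

# 2. Who has used up their quota? Computers created under the quota (rather
#    than via delegated Create Computer Objects rights) record the creator's
#    SID in mS-DS-CreatorSID; a creator at or above the quota gets 0x216d.
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    Group-Object { ConvertTo-SidString $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $group = $_
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($group.Name)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $group.Name }   # deleted or foreign creator: keep the raw SID
        [pscustomobject]@{
            Creator  = $name
            Created  = $group.Count
            QuotaHit = ($group.Count -ge $quota)
        }
    } | Sort-Object Created -Descending | Format-Table -AutoSize

# 3. Raise the quota (the same change the ADSI Edit steps above make by hand).
#    Drop -WhatIf once the report above looks right.
Set-ADObject -Identity $domainDN -Replace @{ $attr = $newQuota } -WhatIf
```

Note that ms-DS-MachineAccountQuota applies to every authenticated user in the domain, not only the join account, so delegating Create Computer Objects to the specific account (as described in the comments below) is the narrower alternative to raising it.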

Job done!


This entry was posted in Active Directory.

3 Responses to How to fix “Exceeded the Maximum Number of Computer Accounts Allowed to Create in this Domain”

  1. Raghavendra.BH says:

    it's working fine after changes done like above

  2. ArturSch says:

    Can we ‘Exceeded the Maximum Number of Computer Accounts Allowed to Create in this Domain’ only for one user?

    • ncbrady says:

      good question,
      check this (via https://superuser.com/questions/433599/how-can-i-increase-the-number-of-pcs-a-specific-user-can-join-to-a-domain)

      Grant the “Create Computer Objects” and “Delete Computer Objects” Access Control Entries (ACEs) to the User

      From the Active Directory Users and Computers snap-in, click Advanced Features on the View menu so that the Security tab is exposed when you click Properties.
      Right-click the Computers container, and then click Properties.
      On the Security tab, click Advanced.
      On the Permissions tab, locate the user object(s) you want to give the permissions to, and then click View/Edit.
      Make sure the This object and all child objects option is displayed in the Apply onto box.
      From the Permissions box, click to select the Allow check box next to the Create Computer Objects and Delete Computer Objects ACEs, and then click OK.
