PENDING Domain Join Service Account Not Working

[czorn]

hello,

in my task sequence I can not get my join domain service account to work. I have had it work using the Domain Administrator account. I have applied the delegate control at the root of the domain, and have verified my domain join account cm_djoin propagates to all OU's in the domain. below is the %windir%\debug\netsetup.log. Based on fact domain administrator account works I feel confident this is a rights / permissions issue with my service account.

09/19/2025 13:35:09:379 NetpDoDomainJoin
09/19/2025 13:35:09:379 NetpDoDomainJoin: using new computer names
09/19/2025 13:35:09:379 NetpDoDomainJoin: NetpGetNewMachineName returned 0x0
09/19/2025 13:35:09:379 NetpDoDomainJoin: NetpGetNewHostName returned 0x0
09/19/2025 13:35:09:379 NetpMachineValidToJoin: 'WORKSTATION1'
09/19/2025 13:35:09:379 OS Version: 10.0
09/19/2025 13:35:09:379 Build number: 26100 (26100.ge_release.240331-1435)
09/19/2025 13:35:09:392 SKU: Windows 11 Enterprise
09/19/2025 13:35:09:393 Architecture: 64-bit (AMD64)
09/19/2025 13:35:09:394 NetpMachineValidToJoin: status: 0x0
09/19/2025 13:35:09:394 NetpJoinDomain
09/19/2025 13:35:09:394 HostName: WORKSTATION1
09/19/2025 13:35:09:394 NetbiosName: WORKSTATION1
09/19/2025 13:35:09:394 Domain: contoso.com\DC2.contoso.com
09/19/2025 13:35:09:394 MachineAccountOU: (NULL)
09/19/2025 13:35:09:394 Account: CONTOSO\CM_DJOIN
09/19/2025 13:35:09:394 Options: 0x23
09/19/2025 13:35:09:394 NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled
09/19/2025 13:35:09:394 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
09/19/2025 13:35:11:710 NetUseAdd to \\DC2.contoso.com\IPC$ returned 1326
09/19/2025 13:35:11:710 NetpJoinDomainOnDs: status of connecting to dc '\\DC2.contoso.com': 0x52e
09/19/2025 13:35:11:710 NetpJoinDomainOnDs: Function exits with status of: 0x52e
09/19/2025 13:35:11:710 NetpJoinDomainOnDs: NetpResetIDNEncoding on '(null)': 0x0
09/19/2025 13:35:11:710 NetpDoDomainJoin: status: 0x52e

 

[ksmey]

If the computer objects already exist in AD, have you set the domain join account as owner of the objects? Or is it not joining even if the object doesn't exist or even if the account is the owner of the object?

 

[Prajwal Desai]

This could also be happening due to DNS issues. The message "NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled" indicates a DNS resolution failure during a Windows domain join operation, where the client cannot find the necessary Domain Name System (DNS) records to resolve the domain's name. To resolve this, you must ensure the client is configured with the correct DNS server IP address and has network connectivity to that server so that it can resolve the target domain's DNS name and join successfully.

 

[czorn]

If the computer objects already exist in AD, have you set the domain join account as owner of the objects? Or is it not joining even if the object doesn't exist or even if the account is the owner of the object?

I didn't set the account to be an owner of the objects, but I did follow the guide in the link below on the permissions the service account should have. Manually using the service account I can join a computer to the domain, but not when automated in the task sequence.

 

[czorn]

This could also be happening due to DNS issues. The message "NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled" indicates a DNS resolution failure during a Windows domain join operation, where the client cannot find the necessary Domain Name System (DNS) records to resolve the domain's name. To resolve this, you must ensure the client is configured with the correct DNS server IP address and has network connectivity to that server so that it can resolve the target domain's DNS name and join successfully.

Hi Prajwal, I saw that line as well. Within the task sequence I specified the DNS server IP addresses. We use Umbrella, and an Umbrella VA. Our DHCP hands out a DNS that points to the Umbrella VA, which proxies the request to internal DNS server.


However, when I use THE domain Administrator account, the join domain process works, AND in the NetSetup log I still have the entries "NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled"

 

[Prajwal Desai]

Hi Prajwal, I saw that line as well. Within the task sequence I specified the DNS server IP addresses. We use Umbrella, and an Umbrella VA. Our DHCP hands out a DNS that points to the Umbrella VA, which proxies the request to internal DNS server.


However, when I use THE domain Administrator account, the join domain process works, AND in the NetSetup log I still have the entries "NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled"

That's unusual. It seems to be an account issue—either the account you're using to join the domain isn't functioning properly, or it lacks the necessary permissions to place the computer in the OU specified in the TS during the OSD process.