Troubleshooting Domain Joined Failed Errors

These errors may occur when you join a template to an AD domain. They are given in no particular order.

Error Code 2

This indicates a DNS error, but can also be caused by spaces or other syntax problems in the “OU” string.

Error Code 8557

Error: Domain Join Failed with error (Error Code 8557) "Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you can create in this domain. Contact your system administrator to have this limit reset or increased.”  

Cause: Due to AD limits on an account’s machine account quota has been reached.  
  
Fix: Modify the service account to increase the number of domain joins allowed.  
  
Ref Articles

• https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/default-workstation-numbers-join-domain 

• https://www.techrepublic.com/blog/tr-dojo/increase-the-number-of-workstations-a-user-can-join-to-a-domain/#:~:text=Locate%20the%20ms%2DDS%2DMachineAccountQuota,value%20to%20remove%20the%20limit.  

Error Code 2732

Error: Desktop Pool VM, Domain join failed with [Error Code:2732] “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”  

Cause: This error is because of the additional protections introduced by MS to prevent domain join operations from reusing an existing computer account. For details, please refer to MS article KB5020276—Netjoin: Domain join hardening changes  

Fix: To fix the issue please create a new or existing group policy that applies to all domain controllers, add the join service account used in the Workspot template to a member of a trusted owner, under   

Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, double-click Domain Controller: Allow computer account re-use during domain join.  

Reference Links:  

• Advisory - Domain join hardening affecting VMs Provisioning.docx  

• https://support.microsoft.com/en-au/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8 

Error Code 2224

Error: Domain Join failing with "Domain join failed with [Error Code: 2224] The account already exists."  

Cause: Incorrect Active Directory OU details in WorkspotConfig.xml file during template setup. In most cases we observed spaces in an OU path that caused the issue.  

Fix: Clone the existing Template and update the OU through WorkspotConfigEditor.exe, Publish the template, and re-provision the Failed VMs in the Pool.  

Error Code 87

Error: Desktop Pool VM, Domain join failed with [Error Code: 87] The parameter is incorrect.  

Cause: Workspotconfig.xml misconfiguration configuration in Template.  

Fix: Reconfigure the Workspotconfig.xml by running WorkspotConfigEditor on the Template and reprovision the Failed VMs in the Pool.  

Here are a few reference links to troubleshoot errors while joining a computer to the domain:  

• https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/troubleshoot-errors-join-computer-to-domain 

• https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/active-directory-domain-join-troubleshooting-guidance