Description
Ludus + Ansible
How the Issue Was Discovered
When trying to provision the ad-child_domain.yml playbook to add the child domain controller (e.g., GOAD-DC02) to the existing forest, the process fails with the following error:

To better understand what was happening, I manually ran on DC02 the exact PowerShell command the Ansible playbook uses to promote the child domain controller:
Install-ADDSDomain -Credential $Cred -SkipPreChecks -NewDomainName $NewDomainName -NewDomainNetbiosName $NewDomainNetbiosName -ParentDomainName $ParentDomainName -ReplicationSourceDC $ReplicationSourceDC -DatabasePath "C:\Windows\NTDS" -SYSVOLPath "C:\Windows\SYSVOL" -LogPath "C:\Windows\Logs" -SafeModeAdministratorPassword $safePassword -Force -NoRebootOnCompletion
The error appeared immediately in the output:
The Security Account Manager (SAM) has determined that the security identifier (SID) for this computer is already in use in the forest you want to join.
Solution:
- Destroy and reinstall the entire lab.
- Right after the provisioning starts, press Ctrl+C to stop the process as soon as you see the Ansible playbooks begin.
- Manually execute only the following provisioning playbooks (in this exact order):
  1. provision build.yml
  2. provision ad-servers.yml
  3. provision ad-parent_domain.yml
- Once the last playbook finishes, log into DC02 and execute:
  C:\Windows\System32\Sysprep\sysprep.exe
  with these arguments:

- When prompted for the Administrator password after reboot, use:
  NgtI75cKV+Pu
- Once the machine finishes setup and reaches the desktop, re-run the following playbooks:
  1. provision build.yml
  2. provision ad-servers.yml
- Finally, continue provisioning by running the remaining playbooks:
  provision_lab_from ad-child_domain.yml

By doing this, you'll regenerate a unique SID for DC02 and successfully create the NORTH domain without any SID conflicts.
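The following PowerShell is an added example, not code from the issue author or from the GOAD/Ludus project. It shows the check a practitioner would run on DC02 before attempting the promotion again: compare the machine SID of the host about to be promoted with the parent domain's SID (the first DC's machine SID becomes the domain SID, which is what the SAM error above is complaining about) and, optionally, with the machine SIDs of other lab hosts. The host names in the usage call are placeholders, and it assumes WinRM to the parent DC works with the supplied credential.

```powershell
# Added example (not from the issue or the GOAD/Ludus project).
# Run on the host about to be promoted (DC02 in the issue) while it is still a
# stand-alone/member server: after promotion there is no local SAM, so
# Get-LocalUser no longer describes the machine SID.
# Assumptions: WinRM to the parent DC works with the supplied credential, the
# ActiveDirectory module is present on that DC (it is on every DC), and the
# host names in the usage call are placeholders for the lab's real names.

function Get-MachineSid {
    # The machine SID is the SID of any local account with its RID stripped;
    # the built-in Administrator (RID 500) always exists, so use that one.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') }
    if (-not $admin) {
        throw 'No local RID-500 account found; is this host already a domain controller?'
    }
    return $admin.SID.AccountDomainSid.Value
}

function Test-SidConflict {
    param(
        [Parameter(Mandatory)] [string] $ParentDc,          # placeholder, e.g. 'dc01.sevenkingdoms.local'
        [Parameter(Mandatory)] [pscredential] $Credential,  # parent-domain administrator
        [string[]] $OtherHosts = @()                        # member servers to compare against (optional)
    )
    $localSid = Get-MachineSid

    # Install-ADDSDomain rejects a joining computer whose SID is already used in
    # the forest; the domain SID of the parent is the first thing to compare.
    $domainSid = Invoke-Command -ComputerName $ParentDc -Credential $Credential -ScriptBlock {
        Import-Module ActiveDirectory
        (Get-ADDomain).DomainSID.Value
    }

    $conflicts = @()
    if ($domainSid -eq $localSid) { $conflicts += "$ParentDc (domain SID)" }

    # Hosts cloned from the same template without sysprep share the same machine SID.
    foreach ($h in $OtherHosts) {
        $remoteSid = Invoke-Command -ComputerName $h -Credential $Credential -ScriptBlock ${function:Get-MachineSid}
        if ($remoteSid -eq $localSid) { $conflicts += $h }
    }

    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        MachineSid    = $localSid
        ConflictsWith = $conflicts
        SafeToPromote = ($conflicts.Count -eq 0)
    }
}

# Usage (placeholder names): run before ad-child_domain.yml. If SafeToPromote
# is $false, generalise the image with sysprep as described above and re-check.
$cred = Get-Credential -Message 'Parent domain administrator'
Test-SidConflict -ParentDc 'dc01.sevenkingdoms.local' -Credential $cred -OtherHosts @('srv01')
```

If the check reports SafeToPromote as $true and Install-ADDSDomain still fails with the SAM error, the conflict is with a host not included in OtherHosts; add the remaining lab machines and run it again.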