Scenario 1:

When using a "Configure Computer" or "Apply System Configuration" task to join client computers to an Active Directory (AD), they do not correctly join when specifying one or more Organizational Units (OUs).

Symantec Agent Logs will show a failure with little or no additional information in the NetSetup.LOG (default location: C:\Windows\debug\)

Scenario 2:

In 8.5 RU2 the task fails then crashes Symantec Management Agent (SMA), then SMA restarts, the task re-runs and completes successfully.

Starting from 8.5 RU3 the task fails and stops. The computer joins the Domain but doesn't move to the specified OU. After re-running the task, it completes successfully and the selected computer gets moved to the specified OU.

Deployment Solution 8.x

For Scenario 1:

A specific syntax must be used when client machines are added to an OU.

For Scenario 2:

Also, DS uses an obsolete version of the config.dll, and there were some attempts made in the past to use the latest DLL but they failed because the config.dll kept crashing while the task was running. What happened is that the changes made to GSS during the last couple of years have fixed quite a few problems and config.dll does not crash anymore in this scenario.

Regarding Scenario 1:

Detailed below are a few example cases that show how to use the "Apply System Configuration" task with domain and/or OU joins in the Active Directory. For each of these cases, we will be using an Active Directory with the following structure:

domain.environment.local
└ OU 1
   └ OU 2
          └ OU 3
└ OU A

Case 1 - Joining a client machine to the root of the domain*

• In the "Apply System Configuration" task, select the radio button next to "Domain:"
• Populate the text box with the domain in the following format: domain.environment.local
• Provide the credential area with a domain account with sufficient privilieges to join the client to the domain
• Click "OK"

Case 2 - Joining a client machine to an OU that is one level deep 

• In the "Apply System Configuration" task, select the radio button next to "Domain:"
• Populate the text box next to "Domain:" with the domain in the following format: domain.environment.local
• Populate the text box next to "Organizational unit:" with the OU in the following format: OU 1
• Provide the credential area with a domain account with sufficient privilieges to join the client to the domain and specific organizational unit
• Click "OK"

Case 3 - Joining a client machine to an OU that multiple levels deep

• In the "Apply System Configuration" task, select the radio button next to "Domain:"
• Populate the text box next to "Domain:" with the domain in the following format: domain.environment.local
• Populate the text box next to "Organizational unit:" with the OU in the following format: OU 1/OU 2/OU 3
• Provide the credential area with a domain account with sufficient privilieges to join the client to the domain and specific organizational unit
• Click "OK"

* This can only be done to client machines that are not presently in the domain. If the client is already joined to the domain and in an organizational unit, it cannot be moved to the root of the domain again. It will instead be moved to the lowest-level organizational unit in its current path, e.g., if the client were in OU 3, it would be moved to OU 1.

For Scenario 2:

There is a fix for this issue with the task fails already scheduledthat was available for the DS 8.6 RU1 release.

There are 2 workarounds that help with this: