Active Directory domain join failure 0xaac with pre-staged computer objects



Article ID: 440792


Products

VCF Automation

Issue/Introduction

When deploying virtual machines through VMware Aria Automation, the provisioned VM fails to join the Active Directory domain.

Additional symptoms include:

  • The computer object for the VM is pre-staged in Active Directory using the Aria Automation AD integration.

  • VMware vCenter may report that the customization and deployment completed successfully, but the VM remains in a Workgroup.

  • Post-build workflows in Aria Automation Orchestrator fail because the VM is not joined to the domain.

  • Analyzing C:\Windows\Debug\netsetup.log on the provisioned VM reveals the following entries and error codes:

    NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: c00000bb, NetStatus: 32
    NetpDsValidateComputerAccountReuseAttempt: returning Result: FALSE
    NetpCheckIfAccountShouldBeReused:Active Directory Policy check with SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:0x32 
    NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac

Environment

VMware Aria Automation 8.x

Cause

This issue is caused by Microsoft Active Directory hardening changes introduced in October 2022 (refer to CVE-2022-38042). These security protections intentionally prevent domain join operations from reusing an existing (pre-staged) computer account in the target domain unless the user attempting the operation is the original creator of the account or a member of the Domain Administrators group.

Resolution

To resolve this issue, you must ensure the deployment meets the ownership criteria required by the Active Directory hardening policy:

  1. Align the service accounts: Ensure the service account used in the Aria Automation AD integration to pre-stage the computer object is the same account configured in the VM Customization Specification in VMware vCenter.

  2. Elevate permissions: Ensure the service account used for the Active Directory integration is a member of the Domain Administrators group in the target domain.

If the issue persists after verifying the above conditions, please reach out to Microsoft Support for further assistance with Active Directory policy configuration.
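The following PowerShell check is an added example and is not part of this article or the Aria Automation product. It reads the pre-staged computer object and reports whether the account that will perform the join satisfies either reuse criterion described above (it treats the security descriptor owner of the object as its creator, which is an assumption). The computer name and account name are placeholders; it assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added diagnostic (not from the KB article): does a pre-staged computer object
# satisfy the account-reuse criteria that the hardening policy enforces?
# $ComputerName and $JoinAccount are placeholders; replace them with the
# pre-staged object name and the account used in the vCenter customization spec.
param(
    [string]$ComputerName = 'VM-PLACEHOLDER',
    [string]$JoinAccount  = 'CONTOSO\svc-join-placeholder'
)
Import-Module ActiveDirectory

# Fetch the computer object together with its security descriptor.
$computer = Get-ADComputer -Identity $ComputerName -Properties nTSecurityDescriptor

# Assumption: the owner recorded in the security descriptor is the account that
# pre-staged the object (the Aria Automation AD-integration service account).
$owner = $computer.nTSecurityDescriptor.GetOwner([System.Security.Principal.NTAccount]).Value

# Criterion 1: the joining account is the creator (owner) of the existing object.
$isOwner = ($owner -ieq $JoinAccount)

# Criterion 2: the joining account is a member of Domain Admins
# (the article calls this the Domain Administrators group); nested membership counts.
$samName = $JoinAccount.Split('\')[-1]
$isDomainAdmin = [bool](Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                        Where-Object { $_.SamAccountName -ieq $samName })

$reuseAllowed = ($isOwner -or $isDomainAdmin)

[pscustomobject]@{
    Computer      = $computer.Name
    ObjectOwner   = $owner
    JoinAccount   = $JoinAccount
    OwnerMatches  = $isOwner
    IsDomainAdmin = $isDomainAdmin
    ReuseAllowed  = $reuseAllowed
}

if (-not $reuseAllowed) {
    Write-Warning ("Account reuse will be blocked (0xaac): use the same account for the " +
                   "AD integration and the customization spec, or make it a Domain Admins member.")
}
```

Run it from a domain-joined host with RSAT before triggering a redeploy; a result of ReuseAllowed = False reproduces the condition that netsetup.log reports as "re-use is blocked by policy".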

Additional Information

Refer to the Microsoft Knowledge Base article KB5020276 (Netjoin: Domain join hardening changes).