Moving Computers in Active Directory during MDT Deployments – Step by Step
In a former article I explained in quite some detail how to move computers in Active Directory using a webservice. As I got a couple of requests for an updated and more condensed step-by-step guide, I also took the opportunity to rewrite the sample scripts to fit the new MDT 2010 script templates. If you have used these scripts before, just be aware that they have been renamed, so you may want to check whether your Task Sequence steps still call the right script.
Set up the webservice
The scripts use the Deployment webservice that is available for free on CodePlex (http://mdtcustomizations.codeplex.com/). It contains a whole set of functions commonly required during OS deployments and other administrative tasks. If you would like to write and use your own webservice, see the above-mentioned article for detailed information on how to do this.
There is an Installation Guide available on CodePlex that will guide you through the setup of the webservice. Only a few easy steps are necessary, so I will skip them here to keep it short. Make sure the webservice is working before implementing it in your deployment. If the webservice isn’t working, I can assure you that the scripts won’t be able to fix this 😉 The easiest way to check is to open “http://localhost/MDTWS/ad.asmx” in a browser on the webserver itself and call the “MoveComputerToOU” function by hand. Just supply a valid(!) computer name and target OU. If the webservice returns “true”, the computer should have been moved to the specified OU. If not, see the “Webservice Troubleshooting” section in the Installation Guide of the webservice.
Get the scripts
To get this working, three sample scripts have been provided on CodePlex (http://mdtcustomizations.codeplex.com/releases/view/32093). Just download the appropriate version (they differ between MDT 2008 and MDT 2010) and extract the three scripts to the “Scripts” folder of your Deployment Share (or of your MDT Package in SCCM). If you would like to have them available by default on all new Deployment Shares, drop them into the “{MDTInstallationDirectory}\Templates\Distribution\Scripts” folder as well.
The process
This example uses the idea of a separate staging OU that holds all computers throughout the whole deployment process, to avoid side effects from e.g. GPOs, and only at the end of the process moves them to the configured target OU. So what we need to do is:
- Create a staging OU in Active Directory and note the path to this OU
- Create a new custom property called “StagingOU” in the customsettings.ini and set it to the path of this staging OU (the download contains a sample cs.ini with the necessary changes).
- Make sure that the MDT property MachineObjectOU is set during the deployment, either by setting it to a fixed value or dynamically through database or webservice calls.
- Copy the “MoveComputerToOU” section from the sample cs.ini to your cs.ini and update the webservice reference according to your environment.
- Add a step to your Task Sequence that calls the “Z_MoveComputer_StagingOU.wsf” script. I recommend adding it in the PostInstall phase after the “Apply Network Settings” step.
- Add a step to your Task Sequence that calls the “Z_MoveComputer_SwapOUValues.wsf” script. I recommend placing it close to the end of the “State Restore” phase.
- Add another step right after the above-mentioned one that calls the “Z_MoveComputer_TargetOU.wsf” script.
That’s it. If you now run your Task Sequence, your computers should sit in the staging OU during the deployment and end up in the OU you have defined in the MachineObjectOU property. Be aware that the webservice performs the move on a Domain Controller local to the computer requesting it, to avoid problems caused by replication between domain controllers in distributed environments. If you don’t want to use a staging OU, just skip the first two scripts. The third script, “Z_MoveComputer_TargetOU.wsf”, will simply move the computer to the OU defined in MachineObjectOU.
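As an added example (not one of the CodePlex scripts and not the author’s code), here is a PowerShell smoke test for the “call it by hand” check from the setup section: it invokes MoveComputerToOU through the webservice’s WSDL and then verifies in Active Directory that the object really landed under the target OU, reading it back from the DC the webservice used so replication lag does not produce a false failure. Assumed: the parameter order (computer name, then OU path), the WSDL URL, and that the ActiveDirectory module is installed where this runs.

```powershell
# Added example, not part of the original post or the CodePlex scripts.
# Assumptions: MoveComputerToOU takes (computer name, target OU path) in that
# order, the webservice answers at $WsUrl, and the ActiveDirectory module exists.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [Parameter(Mandatory)] [string] $TargetOU,   # e.g. OU=Workstations,DC=contoso,DC=com (constructed sample)
    [string] $WsUrl = 'http://localhost/MDTWS/ad.asmx?WSDL',
    [string] $DomainController                  # the DC local to the client; the webservice writes there
)

Import-Module ActiveDirectory -ErrorAction Stop

# Build a proxy from the WSDL; the call is made under the caller's own credentials.
$ws = New-WebServiceProxy -Uri $WsUrl -UseDefaultCredential -ErrorAction Stop

$before = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
Write-Host "Before: $($before.DistinguishedName)"

# The page states the function returns "true" on success; anything else is a failure.
$result = $ws.MoveComputerToOU($ComputerName, $TargetOU)
if ($result -ne $true) {
    throw "Webservice returned '$result' instead of true; see the Installation Guide's troubleshooting section."
}

# Re-read the object from the same DC the webservice used (if given), so a
# multi-DC environment does not report a failure that is only replication lag.
$adArgs = @{ Identity = $ComputerName; ErrorAction = 'Stop' }
if ($DomainController) { $adArgs.Server = $DomainController }
$after = Get-ADComputer @adArgs

# The object must now be a direct child of the target OU.
if ($after.DistinguishedName -notlike "CN=*,$TargetOU") {
    throw "Object is at '$($after.DistinguishedName)', not under '$TargetOU'."
}
Write-Host "After:  $($after.DistinguishedName) (move verified)"
```

Run it once against a test computer account with the staging OU as target and once with the final OU, which exercises both moves the Task Sequence will later perform.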
This guide, the scripts and the webservice are provided AS IS without express or implied warranty of any kind. As with everything be sure to test it before putting this into production.
Will this still work in MDT 2012? Also, is there a simpler way to just delete the existing computer account before re-binding? Seems like that should be an easy thing for MDT to do since it already has binding ability.