Event ID 525 — Active Directory Integration

Applies To: Windows Server 2008

Windows Deployment Services depends on Active Directory Domain Services for various functions. The Pre-Boot Execution Environment (PXE) provider creates machine accounts and service control points (SCPs) in Active Directory. An SCP is a child object under a Windows Deployment Services server account object, and it is used to store configuration data for the server. For example, an SCP can mark the server as a Windows Deployment Services server so that other Windows Deployment Services servers can find it.

Event Details

Product: Windows Operating System
ID: 525
Source: BINLSVC
Version: 6.0
Symbolic Name: E_BINL_DSLOOKUP_DEVICE_PRESTAGE_GENNAME_FAILED
Message: An error occurred while trying to create the machine account for the following device. Please ensure that the machine naming policy is valid and that the service has the proper permissions in Active Directory Domain Services to create machine accounts.

Machine Naming Policy: %1
Owner: %2
OU: %3
MAC Address: %4
GUID: %5

Error Information: %6

Resolve

Specify a different name or grant permissions

The Windows Deployment Services PXE provider must be able to create machine accounts in Active Directory Domain Services. To resolve this issue, do the following in the specified order:

  • Ensure that the computer name is valid
  • Ensure that the computer does not already exist in the same domain
  • Ensure that the server has the necessary permissions

Ensure that the computer name is valid

The computer name must meet the requirements for Active Directory Domain Services. To ensure that the name is valid, see "Naming conventions in Active Directory for computers, domains, sites, and OUs" at https://go.microsoft.com/fwlink/?LinkID=104982. If the name is valid, ensure the computer does not already exist using the procedure in the following section.

Ensure that the computer does not already exist in the same domain

To perform this procedure, you must either be a member of the local Domain Admins group or have been delegated the appropriate authority.

To delete a duplicate account:

  1. On the server that contains Active Directory Domain Services, open Active Directory Users and Computers.
  2. Using the GUID that is specified in the event log message, search in Active Directory Users and Computers for the multiple accounts. To do this, you will first need to change the format of the GUID to a format that you can use in a Lightweight Directory Access Protocol (LDAP) query. For information about how to do this, see step 1 in the Workaround section at https://support.microsoft.com/kb/899663. Note: To find the event log message, open Event Viewer, expand Custom Views, expand Server Roles, click Windows Deployment Services, and then find BINLSVC event 519.
  3. Review the accounts, and select the one you want to keep.
  4. Delete the other accounts.
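
For step 2 above, the GUID conversion and the directory search can be scripted. The following PowerShell is an added example, not part of the original article or the referenced KB. It assumes the device GUID is stored in the computer object's netbootGUID attribute as 16 raw bytes in the order .NET uses for System.Guid; the function names are hypothetical.

```powershell
# Added example. Assumption: the device GUID is held in the netbootGUID
# attribute as a 16-byte value, with the first three GUID groups stored
# little-endian (the same order System.Guid.ToByteArray() returns).

function ConvertTo-NetbootGuidFilter {
    param([Parameter(Mandatory = $true)][string]$Guid)

    # Accepts the GUID with or without braces; throws if it is malformed.
    $parsed = [guid]($Guid.Trim())

    # An LDAP filter matches binary values as escaped \XX byte pairs.
    $escaped = ($parsed.ToByteArray() | ForEach-Object { '\{0:X2}' -f $_ }) -join ''
    "(&(objectCategory=computer)(netbootGUID=$escaped))"
}

function Find-PrestagedAccount {
    param([Parameter(Mandatory = $true)][string]$Guid)

    # Searches the current domain with the caller's credentials (read-only).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = ConvertTo-NetbootGuidFilter -Guid $Guid
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('whenCreated')

    # One output object per matching account, oldest first, so that
    # duplicates are easy to compare before anything is deleted.
    $searcher.FindAll() | ForEach-Object {
        New-Object PSObject -Property @{
            DistinguishedName = $_.Properties['distinguishedname'][0]
            WhenCreated       = $_.Properties['whencreated'][0]
        }
    } | Sort-Object WhenCreated
}

# Constructed sample GUID, not taken from a real event message.
$sample = '{01234567-89AB-CDEF-0123-456789ABCDEF}'
ConvertTo-NetbootGuidFilter -Guid $sample

# On a domain-joined computer, list every account that carries this GUID:
# Find-PrestagedAccount -Guid $sample
```

The filter string that the first function returns can also be pasted into the custom search (Advanced tab) in Active Directory Users and Computers. More than one result for the same GUID means duplicate accounts exist.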

If there is not already a computer account, then ensure permissions using the following section.

Ensure that the server has the necessary permissions

To perform this procedure, you must either be a member of the local Domain Admins group or have been delegated the appropriate authority.

To grant permissions:

  1. In Active Directory Users and Computers, locate the organizational unit that you are creating machine accounts in. The organizational unit is specified in the server properties for the Windows Deployment Services server.
  2. To view the organizational unit information, open the Windows Deployment Services MMC snap-in, right-click the server name, click Properties, and then click the Directory Services tab.
  3. Right-click the organizational unit, and then click Delegate Control to grant the Windows Deployment Services server Full permission to create and edit accounts.

Note: The computer that caused this issue is specified in the event message string. To view this information, open Event Viewer, expand Custom Views, expand Server Roles, click Windows Deployment Services, and then locate BINLSVC event 524 or 525.

Verify

To perform this procedure, you must either be a member of the local Domain Admins group or have been delegated the appropriate authority.

To ensure that there is a service control point (SCP) in Active Directory:

  1. Open Active Directory Users and Computers. (Click Start, click Administrative Tools, and click Active Directory Users and Computers.)
  2. Browse to the computer account for the Windows Deployment Services server.
  3. Right-click the server, and then click Properties.
  4. Ensure that there is a Remote Install tab with the introductory sentence "You can manage this remote installation server." The presence of this tab indicates that there is an SCP for this object.
