Rebuilding Host - Failed to Create

Discussion in 'Parallels Remote Application Server' started by DanielS114, Feb 1, 2026.

  1. DanielS114

    DanielS114 Bit poster

    We are building a PoC, and have gotten most of the things we want configured. We are now getting an AD join issue with rebuilding hosts and only when rebuilding. I can delete and recreate and all works as expected.
    The service account is the owner of the computer account, I have also given the service account full permissions to the computer account and it still fails.
    I have also reviewed GPO and ensured that the service account is included in the policy for "Domain controller: Allow computer account re-use during domain join".

    Below is what we are seeing in the logs; any help would be appreciated.

    [I 06/00000060/T1AC0/P0F08] 02-02-26 08:42:48 - Started getting computer account 'SVR1' description
    [I 06/00000060/T1AC0/P0F08] 02-02-26 08:42:48 - Description 'FarmGUID:888EA1B7-C900-4AE7-B79A-7570D788BED2, SiteID:1' was found for computer account 'SVR1'
    [I 06/00000060/T1AC0/P0F08] 02-02-26 08:42:48 - Started checking if computer account 'SVR1' is in OU=Servers,OU=PRAS - Session Hosts,OU=TS - Parallels RAS,DC=domain,DC=local
    [I 06/00000060/T1AC0/P0F08] 02-02-26 08:42:48 - Computer account 'SVR1' is in OU=Servers,OU=PRAS - Session Hosts,OU=TS - Parallels RAS,DC=domain,DC=local
    [I 06/00000060/T1AC0/P0F08] 02-02-26 08:42:48 - Started creating computer account for 'SVR1'
    [I 06/00000060/T1AC0/P0F08] 02-02-26 08:42:49 - [Create AD account] Failed to create 'SVR1' with NetProvisionComputerAccount using DC: 'dc.domain.local' (An account with the same name exists in Active Directory. Re-using the account was blocked by security policy. [0x00000aac])
    [E 06/00000060/T1AC0/P0F08] 02-02-26 08:42:49 - Failed to create computer account for 'SVR1'.
     
  2. EdwinH4

    EdwinH4 Senior Sales Engineer @ Parallels BeNeLux

    It looks like you're running into a classic Active Directory permissions conflict, likely while deploying a Parallels RAS (Remote Application Server) session host or a similar VDI solution.

    The core of the issue is the error code 0x00000aac. This indicates that the system found an existing account for SVR1, but a security hardening measure is preventing the installer from "taking over" or re-using that account.

    Why this is happening
    In 2022, Microsoft introduced a security change (see KB5020276) to prevent unprivileged users from reclaiming computer accounts created by others.

    Essentially, if the account attempting to join SVR1 to the domain is not the original creator of the SVR1 object, or if it doesn't have explicit "Full Control" over that specific object, the join will fail even if the account has general "Create Computer Objects" permissions for the OU.

    Recommended Solutions

    Option 1: Delete the Object. Delete the existing SVR1 computer object from Active Directory. This allows the process to create a fresh one from scratch.
    Option 2: Reset & Re-own. If you can't delete it, Reset the account in AD Users & Computers and ensure the service account performing the join has Full Control permissions on the object.
    Option 3: Pre-stage Account. Manually create the account in the target OU and ensure the user/service account you are using is set as the owner in the Security tab.
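
To check the conditions discussed in this thread against the actual AD object, the PowerShell below (an added example, not part of either post and not Parallels code) reports the computer account's owner, its recorded creator, and any direct Full Control ACE for the join account. It assumes the ActiveDirectory RSAT module; `svc-ras-join` is a placeholder account name, and reading `mS-DS-CreatorSID` as the creator record is this example's assumption, not something the thread states.

```powershell
# Added example: read-only audit of a computer object before a re-join attempt.
param(
    [string]$ComputerName   = 'SVR1',          # host name from the log excerpt
    [string]$ServiceAccount = 'svc-ras-join'   # placeholder: account used for the join
)
Import-Module ActiveDirectory -ErrorAction Stop

$svc  = Get-ADUser -Identity $ServiceAccount
$comp = Get-ADComputer -Identity $ComputerName `
            -Properties nTSecurityDescriptor, 'mS-DS-CreatorSID', whenCreated, Description

$sidType = [System.Security.Principal.SecurityIdentifier]
$sd      = $comp.nTSecurityDescriptor
$owner   = $sd.GetOwner($sidType)

# mS-DS-CreatorSID is not populated on every object; treat a missing value as unknown.
$creator = $comp.'mS-DS-CreatorSID'

# Explicit (non-inherited) Allow ACEs that grant GenericAll directly to the account.
# Rights granted through group membership or inheritance are not counted here.
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$fullControl = $sd.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq $svc.SID.Value -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag($genericAll)
}

[pscustomobject]@{
    Computer             = $comp.Name
    DistinguishedName    = $comp.DistinguishedName
    Description          = $comp.Description
    WhenCreated          = $comp.whenCreated
    ServiceAccountSid    = $svc.SID.Value
    OwnerSid             = $owner.Value
    OwnerIsServiceAcct   = ($owner.Value -eq $svc.SID.Value)
    CreatorSid           = if ($creator) { $creator.Value } else { '(not set)' }
    CreatorIsServiceAcct = [bool]($creator -and $creator.Value -eq $svc.SID.Value)
    DirectFullControl    = [bool]$fullControl
} | Format-List
```

Run it against the domain controller named in the failing log line (add `-Server` to both `Get-AD*` calls) so the values match what that DC evaluates rather than a replica that may lag.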
     
