If you are installing the server into your existing Active Directory domain, there are several tests which are run automatically on your existing domain's group policies when you run the Join-Domain script.
If there are any issues detected with your existing group policies an error message will be displayed in the Join-Domain script output. On your existing domain controller, you need to identify the group policy shown in the error message, and set it to be unconfigured. Below are the possible error messages, and where you can find them in group policy. (These settings need to be configured in this way so that the system's managed auto-update capabilities work as intended).
1) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Specify Intranet Microsoft update service location.
- 2003 location: Computer Configuration > Administrative Templates > Windows Components > Windows Updates
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Updates
2) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Do not connect to any Windows Update Internet locations
- 2003 location: Computer Configuration > Administrative Templates > Windows Components > Windows Update
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Updates
3) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Enable client-side targeting
- 2003 location: Computer Configuration > Administrative Templates > Windows Components > Windows Update
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Updates
4) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Configure Automatic Updates
- 2003 location: Computer Configuration > Administrative Templates > Windows Components > Windows Update
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Updates
5) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Always automatically restart at the scheduled time
- 2003 location: n/a
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Updates
6) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Allow Automatic Updates immediate installation
- 2003 location: Computer Configuration > Administrative Templates > Windows Components > Windows Update
- 2008/2012 location: Computer Configuration > Policies >Administrative Templates > Windows Components > Windows Updates
7) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Allow Basic authentication
- 2003 location: n/a
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
8) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Allow remote server management through WinRM
- 2003 location: n/a
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
9) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Disallow Kerberos authentication
- 2003 location: n/a
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
10) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Disallow Negotiate authentication
- 2003 location: n/a
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
11) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Turn on Script Execution
- 2003 location: n/a
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Powershell
12) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Prevent IIS installation
- 2003 location: Computer Configuration > Administrative templates > Windows Components > Internet Information Services
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Information Services
13) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Prevent Task Run or End
- 2003 location: Computer Configuration > Administrative templates > windows components > Task Scheduler
- 2008/2012 location:
14) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Prohibit New Task Creation
- 2003 location: Computer Configuration > Administrative templates > windows components > Task Scheduler
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Task Scheduler
15) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Prohibit Task Deletion
- 2003 location: Computer Configuration > Administrative templates > windows components > Task Scheduler
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates > Windows Components > Task Scheduler
16) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Specify site name
- 2003 location: Computer Configuration > Administrative templates > System > Netlogon
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates >System > Netlogon
17) The following group policy administrative template must be set to unconfigured: [Group Policy name] [Folder Name] Restrict Internet communication
- 2003 location: Computer Configuration > Administrative templates > system > Internet Communication Management
- 2008/2012 location: Computer Configuration > Policies > Administrative Templates >System > Netlogon
18) [Default Domain Controllers policy] BUILTIN\Administrators missing from 'Log on as a service' security policy
On your existing domain controller, open Group Policy and go to Computer Configuration > Windows Settings > Security Settings > User Rights Assignment > Log on as a service
Add the administrators group to this policy
Note: The installation process will flag issues with the above settings if it detects them for manual resolution - it will not automatically update the Default Domain Policy and Default Domain Controllers Policy. However, other non-default GPO objects that might apply to EC200a managed VMs and user/service accounts may automatically be updated with an Explicit Deny permission to ensure they do not apply. Since security filtering is used to achieve this, and the groups used for filtering are new explicitly defined groups for managed computer and account objects, there will be no change in resultant policies applied to existing domain objects.