I really think setting DNS to allow secure and non-secure dynamic updates made the difference.
Since a base image isn't domain joined, and clone prep joins the domain, it's logical to assume that the clone requests an IP before joining the domain, hence allowing non-secure updates...