After a lot of Google Fu, I have finally found the source of the problem. When approving pending devices in WDS, I got access denied. The corresponding error in Event Viewer was Event 525, BINLSVC
An error occurred while trying to create the machine account for the
following device. Please ensure that the machine naming policy is valid
and that the service has the proper permissions in Active Directory
Domain Services to create machine accounts.
Turned out when adding permissions to the OU, I was trying to add the admin group instead of the WDS server object. Problem solved.