Forum Discussion
Azure CLI to join a domain
If you deploy using a template (ARM/Bicep/Terraform) the VM will be domain joined when the deployment is done.
If you add the extension to the VM using PowerShell or CLI, you will need to run the command after the VM is created.
Hope it makes sense.
KennethML
Thanks for the response my friend.
I still have some questions:
1 - Do you have an example of code or something using (ARM/Bicep/Terraform) that joins the VM automatically to a domain?
2 - Is it possible for me to do it, but just using PowerShell scripts in order to create VMs? That's the way I'm doing it right now.
3 - When I'm creating a VM, on the Advanced tab, Extensions: is it possible for me to add a machine into the domain over there?
- KennethML, Apr 24, 2024, MCT
Hi experi18
2: If you use a PowerShell script to create the VM, like New-AzVm, you can add the Set-AzVMADDomainExtension cmdlet to the script (https://learn.microsoft.com/en-us/powershell/module/az.compute/set-azvmaddomainextension?view=azps-11.5.0). You need to add a credential object that has the ability to join a computer to the domain. I often use a service account with a secret in a Key Vault, which I can use from the deployment API; you can also get the secret from a Key Vault with PowerShell and use that.
1: ARM template for domain joining a VM named "vm-name" is this:
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-08-01",
  "name": "[concat('vm-name', '/joindomain')]",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', 'vm-name')]"
  ],
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "JsonADDomainExtension",
    "typeHandlerVersion": "1.3",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "Name": "[parameters('domainToJoin')]", // contoso.com
      "OUPath": "[parameters('ouPath')]", // OU=servers,DC=contoso,DC=com
      "User": "[concat(parameters('domainToJoin'),'\\',parameters('adminUsername'))]", // contoso.com\\svc-vm-ad-join-account
      "Restart": "true",
      "Options": "3"
    },
    "protectedSettings": {
      "Password": "[parameters('adminPassword')]"
    }
  }
}
3: It doesn't seem to be possible to add the AdDomainJoin extension from the portal.
Hope it makes sense.
- experi18, Apr 24, 2024, Brass Contributor
Hi Kenneth, thanks a lot for your time and help on this. Actually, I create the VM with the command "az vm create -g xxx -n xxx".
Do you think this will work the same?
I'll take a look at the link you provided to me to better understand, but that's basically what I need.
And yes, I would use a service account with the password on a KeyVault.
I have another question for you (if I may).
Is there a way as well that, as soon as the machine is created / joined into the domain, it is moved to the correct OU (organizational unit)?
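As an added example (not code from either poster or from Microsoft), here is a Python helper that builds the same JsonADDomainExtension settings as the ARM template above for a VM created with `az vm create`, and emits the matching `az vm extension set` command; the NETSETUP_* constants, function names and sample values are my assumptions. The OUPath setting is what places the computer object in the target OU at join time, so no separate move step is needed, and the password is kept in protectedSettings only.

```python
import json
import shlex

# NetJoinDomain flags behind the extension's "Options" value (Win32 NETSETUP_* constants);
# the "3" in the thread's template is JOIN_DOMAIN | ACCT_CREATE.
NETSETUP_JOIN_DOMAIN = 0x1
NETSETUP_ACCT_CREATE = 0x2

def build_domain_join_extension(domain, ou_path, join_user, join_password,
                                options=NETSETUP_JOIN_DOMAIN | NETSETUP_ACCT_CREATE,
                                restart=True):
    """Return (settings, protected_settings) for JsonADDomainExtension. The password goes
    only into protected_settings, which Azure encrypts and never echoes back; settings is public."""
    if not domain or "\\" in domain or "@" in domain:
        raise ValueError("domain must be a DNS name such as contoso.com")
    if "\\" in join_user or "@" in join_user:
        raise ValueError("pass the bare account name; the DOMAIN\\ prefix is added here")
    if ou_path and "DC=" not in ou_path.upper():
        raise ValueError("OUPath must be a distinguished name, e.g. OU=servers,DC=contoso,DC=com")
    settings = {
        "Name": domain,
        "OUPath": ou_path,  # empty string = default Computers container
        "User": f"{domain}\\{join_user}",
        "Restart": "true" if restart else "false",
        "Options": str(options),
    }
    return settings, {"Password": join_password}

def az_extension_command(resource_group, vm_name, settings, protected):
    """Equivalent `az vm extension set` call for a VM that was created with `az vm create`."""
    argv = [
        "az", "vm", "extension", "set",
        "--resource-group", resource_group, "--vm-name", vm_name,
        "--publisher", "Microsoft.Compute", "--name", "JsonADDomainExtension",
        "--version", "1.3",
        "--settings", json.dumps(settings),
        "--protected-settings", json.dumps(protected),
    ]
    return shlex.join(argv)

if __name__ == "__main__":
    # Constructed sample values; in practice fetch the password from Key Vault
    # (az keyvault secret show) at deploy time rather than typing it on the command line.
    s, p = build_domain_join_extension("contoso.com", "OU=servers,DC=contoso,DC=com",
                                       "svc-vm-ad-join-account", "<secret-from-key-vault>")
    print(az_extension_command("rg-demo", "vm-name", s, p))
```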