SOLVED
Home

Unable to join domain - 5 out of 10 times

%3CLINGO-SUB%20id%3D%22lingo-sub-560894%22%20slang%3D%22en-US%22%3EUnable%20to%20join%20domain%20-%205%20out%20of%2010%20times%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-560894%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20anyone%20encountered%20this%20error%3F%26nbsp%3B%20I've%20recreated%20the%20VDI%2FRDS%20environment%20multiple%20time%2C%20each%20with%20the%20same%20result.%26nbsp%3B%20Out%20of%20the%2015%20we%20are%20spinning%20up%2C%205%20always%20fail.%26nbsp%3B%20It's%20seeming%20random%20which%205%20do%20not%20join%20(i.e.%3A%20It%20isn't%20the%20first%205%20or%20last%20or%20in%20sequential%20order).%26nbsp%3B%20In%20this%20dev%20subscription%2C%20we%20have%2010E5%20and%205E3%20O365%20licenses%20-%20this%20is%20the%20only%20clue%20I%20have%3B%20however%2C%20those%20licenses%20are%20all%20eligible%20for%20WDS.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20help%20would%20be%20appreciated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20the%20error%3A%3C%2FP%3E%3CP%3E%7B%20%22id%22%3A%20%22%2Fsubscriptions%2Fxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx%2FresourceGroups%2FCirrus-Dev-RG-VDI%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Frds.wvd-provision-host-pool-20190511025908%2Foperations%2F10260C9AEE5979E4%22%2C%20%22operationId%22%3A%20%2210260C9AEE5979E4%22%2C%20%22properties%22%3A%20%7B%20%22provisioningOperation%22%3A%20%22Create%22%2C%20%22provisioningState%22%3A%20%22Failed%22%2C%20%22timestamp%22%3A%20%222019-05-11T07%3A10%3A55.6608661Z%22%2C%20%22duration%22%3A%20%22PT3M41.0234978S%22%2C%20%22trackingId%22%3A%20%22xxxxxxxx-xxxx-xxxx-xxxx-27d92fcecaa0%22%2C%20%22serviceRequestId%22%3A%20%22xxxxxxxx-xxxx-xxxx-xxxx-37e830630e43%22%2C%20%22statusCode%22%3A%20%22Conflict%22%2C%20%22statusMessage%22%3A%20%7B%20%22status%22%3A%20%22Failed%22%2C%20%22error%22%3A%20%7B%20%22code%22%3A%20%22ResourceDeploymentFailure%22%2C%20%22message%22%3A%20%22The%20resource%20operation%20completed%20with%20terminal%20provisioning%20state%20'Failed'.%22%2C%20%22details%22%3A%20%5B%20%7B%20%22code%22%3A%20%22VMExtensionProvisioningError%22%2C%20%22message%22%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'joindomain'.%20Error%20message%3A%20%5C%22Exception(s)%20occured%20while%20joining%20Domain%20'cumulus-nexus.com'%5C%22.%22%20%7D%20%5D%20%7D%20%7D%2C%20%22targetResource%22%3A%20%7B%20%22id%22%3A%20%22%2Fsubscriptions%2Fxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx%2FresourceGroups%2FCirrus-Dev-RG-VDI%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FCirrus-VDI-7%2Fextensions%2Fjoindomain%22%2C%20%22resourceType%22%3A%20%22Microsoft.Compute%2FvirtualMachines%2Fextensions%22%2C%20%22resourceName%22%3A%20%22xxxxxx-VDI-7%2Fjoindomain%22%20%7D%2C%20%22request%22%3A%20%7B%20%22content%22%3A%20%7B%20%22location%22%3A%20%22eastus%22%2C%20%22properties%22%3A%20%7B%20%22publisher%22%3A%20%22Microsoft.Compute%22%2C%20%22type%22%3A%20%22JsonADDomainExtension%22%2C%20%22typeHandlerVersion%22%3A%20%221.3%22%2C%20%22autoUpgradeMinorVersion%22%3A%20true%2C%20%22settings%22%3A%20%7B%20%22name%22%3A%20%22cumulus-nexus.com%22%2C%20%22ouPath%22%3A%20%22%22%2C%20%22user%22%3A%20%22xxxx.xxxxx%40xxxxx-nexus.com%22%2C%20%22restart%22%3A%20%22true%22%2C%20%22options%22%3A%20%223%22%20%7D%2C%20%22protectedSettings%22%3A%20%7B%20%22password%22%3A%20%22xxxxxxxxx%22%20%7D%20%7D%20%7D%20%7D%2C%20%22response%22%3A%20%7B%20%22content%22%3A%20%7B%20%22startTime%22%3A%20%222019-05-11T07%3A07%3A16.1918493%2B00%3A00%22%2C%20%22endTime%22%3A%20%222019-05-11T07%3A10%3A55.1293833%2B00%3A00%22%2C%20%22status%22%3A%20%22Failed%22%2C%20%22error%22%3A%20%7B%20%22code%22%3A%20%22VMExtensionProvisioningError%22%2C%20%22message%22%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'joindomain'.%20Error%20message%3A%20%5C%22Exception(s)%20occured%20while%20joining%20Domain%20'cumulus-nexus.com'%5C%22.%22%20%7D%2C%20%22name%22%3A%20%22xxxxxxxx-xxxx-xxxx-xxxx-37e830630e43%22%20%7D%20%7D%20%7D%7D%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-560917%22%20slang%3D%22en-US%22%3ERE%3A%20Unable%20to%20join%20domain%20-%205%20out%20of%2010%20times%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-560917%22%20slang%3D%22en-US%22%3EUPDATE%3A%20If%20we%20spin%20up%20only%2010%20..%203%20of%20them%20fail.%20So%20it%20in't%20a%20license%20count%20issue.%20~1%2F3%20of%20the%20deployments%20fail%20in%20the%20%22%2Fjoindomain%22%20resource%20with%20status%20%22conflict%22%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-564634%22%20slang%3D%22en-US%22%3ERE%3A%20Unable%20to%20join%20domain%20-%205%20out%20of%2010%20times%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-564634%22%20slang%3D%22en-US%22%3EUPDATE%20(Solved)%20Issue%20was%20with%20AAD%20DS%20domain%20join%20limit.%20Even%20though%20the%20user%20account%20was%20a%20%22Global%20Admin%22%2C%20it%20was%20missing%20the%20permission%20%22AAD%20DS%20Administrator%22.%20Incidentally%2C%20this%20is%20not%20the%20%22Device%20Limit%22%20in%20the%20devices%20blade%20of%20users.%20This%20is%20the%20%22%20ms-DS-MachineAccountQuota%22%20in%20ADUC%2C%20which%20MS%20hardcoded%20to%2010%20device%20joins.%20The%20%22AAD%20DS%20Administrator%22%20permission%20overrides%20that%20limit%20(obvi).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-569821%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Unable%20to%20join%20domain%20-%205%20out%20of%2010%20times%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-569821%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F340599%22%20target%3D%22_blank%22%3E%40cbamford%3C%2FA%3E%26nbsp%3B%3A%20Thanks%20for%20the%20update.%20We'll%20look%20to%20include%20this%20guidance%20in%20our%20documentation%20when%20using%20Azure%20AD%20Domain%20Services.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-727906%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Unable%20to%20join%20domain%20-%205%20out%20of%2010%20times%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-727906%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F340599%22%20target%3D%22_blank%22%3E%40cbamford%3C%2FA%3EI%20have%20the%20same%20error%2C%20but%20my%20user%20is%20full%20global%20admin%2C%20AAD%20DS%20Admin%2C%20TenantCreator%E2%80%A6%20No%20cigar%20so%20far%20%3A%5C%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Deleted
Not applicable

As anyone encountered this error?  I've recreated the VDI/RDS environment multiple time, each with the same result.  Out of the 15 we are spinning up, 5 always fail.  It's seeming random which 5 do not join (i.e.: It isn't the first 5 or last or in sequential order).  In this dev subscription, we have 10E5 and 5E3 O365 licenses - this is the only clue I have; however, those licenses are all eligible for WDS.

 

Any help would be appreciated.

 

Here is the error:

{ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Cirrus-Dev-RG-VDI/providers/Microsoft.Resources/deployments/rds.wvd-provision-host-pool-20190511025908/operations/10260C9AEE5979E4", "operationId": "10260C9AEE5979E4", "properties": { "provisioningOperation": "Create", "provisioningState": "Failed", "timestamp": "2019-05-11T07:10:55.6608661Z", "duration": "PT3M41.0234978S", "trackingId": "xxxxxxxx-xxxx-xxxx-xxxx-27d92fcecaa0", "serviceRequestId": "xxxxxxxx-xxxx-xxxx-xxxx-37e830630e43", "statusCode": "Conflict", "statusMessage": { "status": "Failed", "error": { "code": "ResourceDeploymentFailure", "message": "The resource operation completed with terminal provisioning state 'Failed'.", "details": [ { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'joindomain'. Error message: \"Exception(s) occured while joining Domain 'cumulus-nexus.com'\"." } ] } }, "targetResource": { "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/Cirrus-Dev-RG-VDI/providers/Microsoft.Compute/virtualMachines/Cirrus-VDI-7/extensions/joindomain", "resourceType": "Microsoft.Compute/virtualMachines/extensions", "resourceName": "xxxxxx-VDI-7/joindomain" }, "request": { "content": { "location": "eastus", "properties": { "publisher": "Microsoft.Compute", "type": "JsonADDomainExtension", "typeHandlerVersion": "1.3", "autoUpgradeMinorVersion": true, "settings": { "name": "cumulus-nexus.com", "ouPath": "", "user": "xxxx.xxxxx@xxxxx-nexus.com", "restart": "true", "options": "3" }, "protectedSettings": { "password": "xxxxxxxxx" } } } }, "response": { "content": { "startTime": "2019-05-11T07:07:16.1918493+00:00", "endTime": "2019-05-11T07:10:55.1293833+00:00", "status": "Failed", "error": { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'joindomain'. Error message: \"Exception(s) occured while joining Domain 'cumulus-nexus.com'\"." }, "name": "xxxxxxxx-xxxx-xxxx-xxxx-37e830630e43" } } }}

4 Replies
UPDATE: If we spin up only 10 .. 3 of them fail. So it in't a license count issue. ~1/3 of the deployments fail in the "/joindomain" resource with status "conflict"
Solution
UPDATE (Solved) Issue was with AAD DS domain join limit. Even though the user account was a "Global Admin", it was missing the permission "AAD DS Administrator". Incidentally, this is not the "Device Limit" in the devices blade of users. This is the " ms-DS-MachineAccountQuota" in ADUC, which MS hardcoded to 10 device joins. The "AAD DS Administrator" permission overrides that limit (obvi).

@Deleted : Thanks for the update. We'll look to include this guidance in our documentation when using Azure AD Domain Services.

@DeletedI have the same error, but my user is full global admin, AAD DS Admin, TenantCreator… No cigar so far :\

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
36 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies