DEPRECATED: Using PowerShell to domain join Windows 10 Azure Lab Service VMs
Published Aug 04 2020 11:22 AM
Microsoft

DEPRECATED:  We no longer recommend that lab VMs be AAD registered, AAD joined, Hybrid AAD joined, or AD domain joined due to known product limitations.  As a result, the content provided in this post is no longer supported.  This applies to both the version of Azure Lab Services that uses Lab Accounts, and the newer version that uses Lab Plans.  For more information, please read the following blog post: Use labs without registering/joining to AD/AAD

 

--------------------------------------------------------------------------------------------------------------------------------------------

 

There are many benefits to having domain-joined lab VMs in Azure Lab Services, including allowing students to connect to the VM using their domain credentials.  Each VM can be joined to the domain manually, but this is tedious and doesn't scale when domain joining multiple VMs.  To help with this, we have put together some Windows 10 PowerShell scripts that a lab owner can execute on the template VM so that every VM started in the lab is automatically joined to the domain and the student is added as a Remote Desktop user.

 

The scripts use Windows Task Scheduler to automatically run a script when the student VM starts up. The first script, which the lab owner executes on the template VM, registers a scheduled task that will run another script at VM startup. The script then publishes the template VM to create the students' lab VMs. When a student's lab VM is started for the first time, the script that executes the domain join runs automatically. I would recommend that the VM start and domain join occur before the students need to log in, as this may take several minutes. If you increase the lab capacity later, the new VMs will use the same configuration from the template VM and will be domain joined when they are started for the first time. However, if you change the template VM, such as by adding more software or changing the configuration, the first script will need to be run again to set up the scheduled tasks.
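A minimal sketch of the template-side step described above, as an added example and not the GitHub scripts: it registers a startup task for a first-stage script, and first refuses to do so if standard users can write to the script folder, because the task here is assumed to run as SYSTEM. The folder, script and task names are hypothetical.

```powershell
# Added sketch, not the GitHub scripts. Run elevated on the template VM.
# $ScriptDir, $StageScript and $TaskName are hypothetical names.
param(
    [string]$ScriptDir   = 'C:\LabScripts',
    [string]$StageScript = 'Stage-RenameVm.ps1',
    [string]$TaskName    = 'Lab - first-boot stage'
)

# The task below runs as SYSTEM (an assumption of this sketch), so the script
# folder must not be writable by standard users. Stop if any Allow ACE for a
# non-administrative identity includes write rights.
$write = [System.Security.AccessControl.FileSystemRights]::Write
$weak = (Get-Acl -Path $ScriptDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $write) -and
    $_.IdentityReference.Value -notmatch 'SYSTEM$|\\Administrators$|TrustedInstaller$|CREATOR OWNER$'
}
if ($weak) {
    $weak | Format-Table IdentityReference, FileSystemRights, IsInherited | Out-Host
    throw "Refusing to register task: $ScriptDir is writable by non-administrators."
}

# Run the stage script at every boot until it removes its own task.
$scriptPath = Join-Path $ScriptDir $StageScript
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# Confirm what was registered before publishing the template.
Get-ScheduledTask -TaskName $TaskName |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```

A folder created directly under C:\ normally inherits write access for Authenticated Users, so the check is expected to fail until inheritance on the script folder is tightened.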

 

The script needs a user account, with its password, that has permissions to join VMs to the domain. You may need to work with your IT department to get the necessary information.

 

The Azure Lab Services team will be building this functionality directly into the product. In the meantime, these scripts will allow you to move forward with Lab Services.

 

Environments

These scripts work on the following configurations:

  • On-premises Active Directory domain
  • Hybrid Active Directory domain - An on-premises AD that is connected to an Azure Active Directory through Azure AD Connect.  AD Domain Services is installed on an on-premises server.  This also applies to federated domains.
  • Azure AD DS Domains - For full-cloud AD (Azure AD + Azure AD DS) or Hybrid AD with secondary Domain Services on Azure.

Lab account and Lab setup

This section focuses on configuring your lab account and lab so that it is connected to your on-premises domain controller.  You may need to work with your IT department to get the necessary information and permissions to set up the configuration properly.

1.) Either option will work:

- Connect your on-premises domain controller's network to an Azure VNet, either with a site-to-site VPN gateway or ExpressRoute.

- Create a secondary managed domain on top of your on-prem one with Azure AD DS (PaaS).

2.) Peer the Lab Account with the connected Virtual Network (VNet).

   WARNING: The lab account must be peered to a virtual network before the lab is created.

3.) Create a new lab, with the option enabled to use the same password for all virtual machines.

 

Where are the scripts

The scripts are available on GitHub along with a readme that has all the details about running the scripts.  The scripts require a domain user that can add VMs to the domain; you may need to contact your IT department to get the necessary information.

The scripts are designed to be modular.  The first script, Join-AzLabADTemplate, is run on the template VM.  It schedules the following scripts, which run on each student VM at startup:

  • Join-AzLabADStudent_RenameVm, which renames the VM to a unique name.
  • Join-AzLabADStudent_JoinVM, which joins the VM to the appropriate domain and, optionally, to an organizational unit.
  • Join-AzLabADStudent_AddStudent, which adds the student that the VM is registered to, to the Remote User group so they can log in.  If the VM isn't registered to a user, the task is skipped.

 

Here are two additional scripts that aren’t part of the domain-join process that will help manage the VMs.

  • Set-AzLabCapacity, which allows you to change the capacity of the lab from the template VM.
  • Set-AzLabADVms, which starts all the VMs from the template VM.  This script can be run to get all the VMs domain-joined instead of having the domain-join occur when the students start the VM. 

If you have any questions, feel free to post them at the community forum.  For issues with the scripts, add an issue to the GitHub repository.

 

Thanks

Roger Best

13 Comments

Thank you for Sharing with the Community, Awesome for Education :cool:

Copper Contributor

Hello,

 

I tried to run the scripts but they do not work. Do you have any tutorial or specific guide for how to add a Lab to Azure AD Domain Services?

 

Regards

Microsoft

Hey Emanuel, 

On the student VMs, in the folder where the Powershell scripts are there are log files (plain text) created when the scripts are run.  Take a look at these files to see if there are any errors.  There will be a log file for every script.  Those will give you more detailed information to help pinpoint the problem.

 

Thanks

Roger

Brass Contributor

What about joining them to Azure AD? No DS, on-prem or in the cloud. We just want to join them to Azure AD so the students can log in that way.

Microsoft

Hey Ryan,

This will not work for the Azure AD only scenario.  The article Sign in to Windows virtual machine in Azure using Azure Active Directory | Microsoft Docs has Azure CLI commands to enable the Azure AD extension to enable Azure AD login.  You may not need the PowerShell scripts, but you may be able to run this on the template VM to enable Azure AD login.  I haven't tried it yet.

Copper Contributor

Hello, 

 

My Lab is peered to a network where AAD DS is and I can reach it from my template machine.  

I imported the Az.LabService module and connected to my lab and chose the subscription. 

 

When I run the Join-AzLabADTemplate I get the following error. 

 

"The term '.\Utils.ps1' is not recognized as a name of a cmdlet..." 

 

Any idea what might be the issue? How to troubleshoot this? 

 

Thank you! 

Microsoft

Utils.ps1 is a supporting utility script that should be in the same folder as the Join-AzLabADTemplate script.  It's located here: azure-devtestlab/Utils.ps1 at master · Azure/azure-devtestlab (github.com)

Copper Contributor

Hi, 

 

I managed to run the domain join scripts and my template went to the updating stage. However, the students' VMs do not join the domain automatically.

 

The file Join-AzLabADTemplate.ps1_20220323 content is: 23/03/2022 15:54:49:141 PM - Schedule Script Task - 'Scheduled Task - Join-AzLabADStudent_RenameVm.ps1'

And the Register-AzLabADStudentTask_20220323 content is: 23/03/2022 15:54:49:141 PM - Schedule Script Task - 'Scheduled Task - Join-AzLabADStudent_RenameVm.ps1'

 

My template is Windows 10 Pro N. 

 

Any ideas what the problem might be? 

Microsoft

@Masih17 Just to get me up to date.  You ran the Join-AzLabADTemplate.ps1 on the template vm, which published the template.  After it completed you started one of the student vms and connected to it.  Did you start the student vm and wait a little before connecting?  The reason I ask this is that these scripts are based on the startup tasks, so on startup the first script is run, then the vm is restarted, then the next script, etc.  We have seen issues where the startup scripts are cut off when a user connects (a weakness of these scripts).  Are there any other log files in the folder where the scripts are?  The first task is to rename the vm with a unique name (Join-AzLabADStudent_RenameVm.ps1) starting with "M" and a bunch of numbers?  (Utils\Get-UniqueStudentVmName).  From the lack of other logs this looks like this script is failing, you can debug this script on the student vm by running it in the ISE and passing in the parameters.  

Copper Contributor

@RogerBestMSFT Hi, I did all the steps except that I tried to login to the student VM immediately after the template was updated. 

No other Log files but those two. 

 

So, what is the remedy to this situation? I run the scripts on the template again and wait for a while before the login?

Microsoft

@Masih17 Yeah, run the script again, turn on the student vm and wait 5 minutes.  This is a drawback on the PS scripts, we recommend that after the publish turn on all the student vms to let the scripts run before the students use them.  We are looking into better ways to do this but nothing in the near future.

Thanks

Roger

Copper Contributor

@RogerBestMSFT I did as you suggested but still no result. The same log files are created but nothing else. Could you please elaborate on the debugging process? Should I run each script one by one or just the Utils?

I asked this question in another thread, but since you are following this conversation I ask it here again. If I create a Windows template that has backup or AD login or other Azure VM extensions installed, will those extensions work once I use that template in Lab Services? If not, why?

 

Thank you for help!

Masih

Microsoft

@Masih17 Yep, getting old school debugging by running each script individually.  The issue is that the student vms aren't "newly created" vms but exact copies, with the same vm name, ids, etc.  The first script renames and restarts the vm to get some uniqueness. If the template is joined then the student vms try to join using the same information, and AD doesn't like that.  This is why we need to run the scripts on the student vms.  We are definitely looking into this to find better ways of doing this.
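The checks suggested in the replies above (one log file per script, startup tasks that run in sequence, a renamed and joined VM) collected into one script. This is an added example and is not part of the GitHub scripts or of any comment in this thread. The folder path and the log naming (script name followed by a date suffix, as in the log names quoted above) are assumptions.

```powershell
# Added example (not from the published scripts). Run elevated on a student VM.
# $ScriptDir is an assumption: the folder holding the Join-AzLabAD*.ps1 scripts.
param([string]$ScriptDir = 'C:\LabScripts')   # hypothetical path

$stages = 'Join-AzLabADStudent_RenameVm',
          'Join-AzLabADStudent_JoinVM',
          'Join-AzLabADStudent_AddStudent'

# 1. Current name and domain state: shows whether rename and join completed.
Get-CimInstance -ClassName Win32_ComputerSystem |
    Select-Object Name, PartOfDomain, Domain | Format-List

# 2. Startup tasks that reference a stage script, with last run time/result.
Get-ScheduledTask |
    Where-Object {
        $_.TaskName -match 'Join-AzLabADStudent' -or
        ($_.Actions.Arguments -match 'Join-AzLabADStudent')
    } |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task       = $_.TaskName
            State      = $_.State
            LastRun    = $info.LastRunTime
            LastResult = '0x{0:X}' -f $info.LastTaskResult   # 0x0 = success
        }
    } | Format-Table -AutoSize

# 3. One log per stage is expected (assumed naming: <script name>_<date>).
#    A missing log means that stage never ran; otherwise print the tail and
#    any lines that look like errors.
foreach ($stage in $stages) {
    $logs = Get-ChildItem -Path $ScriptDir -File -Filter "$stage*" -ErrorAction SilentlyContinue |
        Where-Object Extension -ne '.ps1'
    if (-not $logs) {
        Write-Warning "$stage : no log file found, stage has not run"
        continue
    }
    foreach ($log in $logs) {
        "--- $($log.Name) (last written $($log.LastWriteTime))"
        Get-Content -Path $log.FullName -Tail 5
        Select-String -Path $log.FullName -Pattern 'error|exception|denied|failed' |
            ForEach-Object { "  line $($_.LineNumber): $($_.Line)" }
    }
}
```

Because the stages run in order with a restart between them, the first stage that has no log file is the one to run by hand.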

Last update: Jul 21 2023 05:46 AM