Domain join extension issue

Brass Contributor

Is anyone else having issues in using the domain join VM extension? It was working fine for me until a couple of days ago.


I was using it in an AVD environment and it suddenly stopped working. Same with script or adding AVD hosts in the portal (which uses the extension anyway). I started to trace through all the possible issues, DNS resolution and so on. I can always join manually by logging in to the VM and manually joining - that works. But when I use the extension it never works now.


I even created a brand new tenant with just a single vnet, and two VMs. Promoted one to a DC. DNS set on the vnet to be the IP of the domain controller. No public internet access to either VM, Bastion setup for accessing the VMs. Attempted to join the second to the domain, same error. On the non-joined VM I can ping the domain, ping the DC by name (I manually set the domain suffix on the adapter to - makes no difference)


I have tried with Azure CLI as well as Azure PowerShell. Here is my Azure CLI command:-


az vm extension set --name JsonADDomainExtension \
        --publisher Microsoft.Compute \
        --version 1.3 \
        --no-auto-upgrade \
        --vm-name vmtemp2 \
        --resource-group rg-sharedservices-ad-uksouth \
        --settings '{"Name":"mydomain.local","OUPath":"OU=EUC,DC=mydomain,DC=local","user":"avdjoin@mydomain.local","restart":"true","options":"3"}' \
        --protected-settings '{"password":"mysecretpassword"}'

This is what is in the extension log at C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.JsonADDomainExtension\1.3.6\ADDomainExtension.log


Current domain:  (), current workgroup: WORKGROUP, IsDomainJoin: True, Target Domain/Workgroup: mydomain.local.
2021-08-26T19:30:53.0794566Z	[Info]:	Domain Join Path.
2021-08-26T19:30:53.0794566Z	[Info]:	Current Domain name is empty/null. Try to get Local domain name.
2021-08-26T19:30:53.0794566Z	[Info]:	In AD Domain extension process, the local domain is: ''.
2021-08-26T19:30:53.0950819Z	[Info]:	Domain Join will be performed.
2021-08-26T19:30:53.8606579Z	[Error]:	Try join: domain='mydomain.local', ou='OU=EUC,DC=mydomain,DC=local', user='avdjoin@mydomain.local', option='NetSetupJoinDomain, NetSetupAcctCreate' (#3:User Specified), errCode='2'.
2021-08-26T19:30:53.8762845Z	[Error]:	Setting error code to 53 while joining domain
2021-08-26T19:30:54.4704048Z	[Error]:	Try join: domain='mydomain.local', ou='OU=EUC,DC=mydomain,DC=local', user='avdjoin@mydomain.local', option='NetSetupJoinDomain' (#1:User Specified without NetSetupAcctCreate), errCode='1332'.
2021-08-26T19:30:54.4704048Z	[Error]:	Setting error code to 53 while joining domain
2021-08-26T19:30:54.4704048Z	[Error]:	Computer failed to join domain 'mydomain.local' from workgroup 'WORKGROUP'.
2021-08-26T19:30:54.4704048Z	[Info]:	Retrying action after 15 seconds, at attempt 1 out of '10'.


Whatever I try - I get the errors above.


4 Replies

This seems to be happening because I have spaces in my OU Path value. If I create an OU without spaces in the name it works. Unfortunately the OU into which machines will be going pre-exists and I can't rename it.



Ran in to this today. We noticed this issue was related to the account. In essence for us it appeared to be a delegation issue. Perhaps when you changed OUs you had different delegated rights to new OU.


Or perhaps it is as you say but in our case it worked with spaces,in the OU, and a different delegated account.


Would suggest to isolate the issue by another user account, and under different OU

I realize this post is very old but it is coming up as #1 on Google at the moment for this error, so in case anyone else comes across this problem.  For our scenario, we have an AADDC environment and I had noticed the default domain policy expired passwords at 90 days, overriding our Azure AD policy of no expirations.


In testing a policy that would remove this at the domain level, we created a new policy to expire at 1 day so we could tell if it was working or not.  This pretty quickly expired all the passwords on the domain and then new host deployments failed because their users were not allowed to login due to expired passwords, so the domain joins failed with this error 53.


If you hit this error on managed AADDS, check if you have a password policy.  If you don't, you might be hitting the default 90 day expiration.  If you do have a policy, check the parameters, possibly your joining user just needs their password changed if it is out of alignment with your Azure AD password policy: