Domain Join Error while deploying HostPool


Hi Team,

 

We are getting an error while deploying a HostPool for Windows Azure Virtual Desktop.

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "Conflict",
      "message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"VMExtensionProvisioningError\",\r\n \"message\": \"VM has reported a failure when processing extension 'joindomain'. Error message: \\\"Exception(s) occured while joining Domain 'pratikmishra4739gmail.onmicrosoft.com'\\\"\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot \"\r\n }\r\n ]\r\n }\r\n}"
    }
  ]
}

Tried all the possibilities but none were helpful.


@Pratik_Mishra 

The VMs in the host pool must be Standard domain-joined or Hybrid AD-joined. Virtual machines can't be Azure AD-joined (in the future, AAD join will be supported). You will need to either deploy or use an existing Domain Controller, or leverage Azure Active Directory Domain Services (AADDS, not to be confused with AAD) in order to do a Standard domain join.

 

Please review the requirements for WVD:

https://docs.microsoft.com/en-us/azure/virtual-desktop/overview#requirements

 

To learn more about the different identity solutions used with WVD:

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/compare-identity-solutions

 

-Jeff

 

@Jeff_Bryant,

 

Sometimes it's working fine, as I tried to deploy it yesterday and it got executed successfully, but again I am getting the same error related to domain join. Is there any restriction on the Azure test account which is causing the issue?

 

Regards,

Pratik

Attaching the error for your reference once again.

 

Error: Code="VMExtensionProvisioningError" Message="VM has reported a failure when processing extension 'testext'. Error message: \"Exception(s) occured while joining Domain 'rupni.onmicrosoft.com'\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot "

on virtual_machine_extensions.tf line 1, in resource "azurerm_virtual_machine_extension" "domainJoin":
1: resource "azurerm_virtual_machine_extension" "domainJoin" {

@Pratik_Mishra I have the same issue.

I'm running a hybrid environment with AAD Connect.

This is my first VM on my Azure subscription.

It seems to work randomly. I deployed the Host Pool with the same settings last week and I didn't receive any error.

Since I'm testing it, I have deleted the previous deployment and started again. I have done it following https://docs.microsoft.com/en-gb/azure/virtual-desktop/virtual-desktop-fall-2019/tenant-setup-azure-...

 

My error at the moment is:

 

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "Conflict",
      "message": "{\r\n  \"status\": \"Failed\",\r\n  \"error\": {\r\n    \"code\": \"ResourceDeploymentFailure\",\r\n    \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n    \"details\": [\r\n      {\r\n        \"code\": \"VMExtensionProvisioningError\",\r\n        \"message\": \"VM has reported a failure when processing extension 'joindomain'. Error message: \\\"Exception(s) occured while joining Domain 'cipd.onmicrosoft.com'\\\"\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot \"\r\n      }\r\n    ]\r\n  }\r\n}"
    }
  ]
}

@Pratik_Mishra 

1. Did you deploy AADDS or did you create a VM to be your DC?

2. Are you specifying the domain name and/or OU in the host pool template? This is an optional step, but if the information entered is not correct, the domain join extension can fail even though you have confirmed the user account and password is correct.

3. Is the host pool VM on the same subnet as where the ADDS/DC is running?

4. Are you able to join a VM to the domain manually? (create a VM, RDP to VM, join to domain from system properties)

5. The link in the error message below has some good steps to follow, including a review of the domain join logs which are on the VM.

 

I would focus on making sure you can join a VM to the domain manually and consistently before trying to troubleshoot the domain join extension.  This will confirm that there are no networking related issues between the VM and the DC as well as confirm we are entering the correct domain name, username/password.
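The manual-join check suggested above, as an added example that is not from the thread or from Microsoft: a PowerShell preflight to run (elevated) on a test VM in the VNet where the session hosts will land. It reads the DNS servers the VM actually received from the VNet, looks up the domain's DC SRV records, probes the ports a domain join needs, and only then attempts the manual join. $DomainFqdn and the OU path are placeholders.

```powershell
# Added example, not from the thread: preflight for a manual domain join.
# Run from an elevated PowerShell on a test VM in the host-pool VNet.
# $DomainFqdn and the OU path are placeholders (assumptions); replace with your own.
param(
    [string]$DomainFqdn = 'contoso.onmicrosoft.com'   # placeholder domain
)

# 1. DNS servers this VM received from the VNet (or hard-coded on the NIC).
#    168.63.129.16 is Azure-provided DNS: it cannot resolve a private AD domain.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       Where-Object { $_.ServerAddresses } |
       Select-Object -ExpandProperty ServerAddresses -Unique
Write-Host "DNS servers in use: $($dns -join ', ')"
if ($dns -contains '168.63.129.16') {
    Write-Warning "VNet DNS is still 'Default'; point it at your DC / AADDS IPs first."
}

# 2. Domain controllers are published as SRV records; if this fails, stop here.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction SilentlyContinue
$dcs = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique)
if ($dcs.Count -eq 0) {
    throw "No DC SRV records for '$DomainFqdn'. The DNS servers above are not AD-integrated."
}
Write-Host "Domain controllers advertised: $($dcs -join ', ')"

# 3. Network path: a join needs at least Kerberos (88), LDAP (389) and SMB (445).
$blocked = $false
foreach ($dc in $dcs) {
    foreach ($port in 88, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("{0,-40} tcp/{1,-4} {2}" -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' }))
        if (-not $ok) { $blocked = $true }
    }
}
if ($blocked) {
    throw 'At least one DC port is blocked (NSG, peering or VPN/ExpressRoute route). Fix that before the join.'
}

# 4. Everything resolves and is reachable: do the join the extension would do.
#    AADDS places joined computers in 'AADDC Computers' by default; the DC= parts are placeholders.
$cred = Get-Credential -Message "Account permitted to join $DomainFqdn"
Add-Computer -DomainName $DomainFqdn -Credential $cred `
             -OUPath 'OU=AADDC Computers,DC=contoso,DC=onmicrosoft,DC=com' -Restart
```

If step 1 shows 168.63.129.16, or step 2 returns nothing, the joindomain extension will fail the same way no matter how correct the username and password are; fix the VNet DNS and the peering/VPN path first, then re-run the script before touching the host pool template.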

@Jeff_Bryant I don't have any VM in Azure at the moment and no VPN with the AD on-prem.

1) None of them. Can I deploy AADDS without having issues with my on-prem AD and AAD Connect?

2) Yes I did

3) New VNet and new subnet, no

What do you suggest? AADDS or replicate a DC into Azure on a new VM?

@GR_C1pD 

WVD requires both Azure AD (AAD) and Windows Active Directory (AD). This means you will need to either deploy the Domain Controller role on a VM running in Azure, or use an existing DC on-prem. Since you already have a DC on-prem with AAD Connect, it would be ideal if you could connect your Azure VNET and your on-prem network together (S2S VPN, ExpressRoute); that way, VMs in Azure could join your Windows AD domain on-prem. If you had the network set up between them, you could also extend Windows AD into Azure by creating a VM in Azure and adding another DC to the domain, and that is the best recommendation.

 

Since you already have Windows AD and AAD Connect on-prem, you don't need AADDS. AADDS is great for those who don't have any DCs running anywhere and are not familiar with setting up Windows AD, because the VMs, the DC role and the domain are deployed and managed for you as an Azure service.

 

Also, if you try setting up a new DC in Azure and create a new Windows AD domain and then try to sync to an existing AAD with AAD Connect, it is not supported.  Different Windows AD forests must be synced through a single AAD connect sync server.

 

If you just want to test WVD in a lab environment and have zero impact with your on-prem environment, I would create a new Azure AD domain, then create a VM in Azure to become a DC for a new Windows AD domain, then deploy AAD connect and sync.  From there, you should be able to manually domain join a VM to that Windows AD domain and if so, you should be able to proceed with WVD host pool creation.

 

-Jeff

I managed to create the VPN S2S On-prem - Azure.
I'm now going to create a VM in Azure and promote a DC as a new DC of my forest on-prem.
I believe this should allow me to join VM to the domain.

@GR_C1pD Yes, you are on the right path for it to work! Don't forget to update the DNS server settings on the VNET once you promote the VM to a DC, if it will also contain the DNS role. If you are leaving DNS on-prem, then update VNET DNS to point to that DNS server on-prem. Any other VMs you deploy on the VNET will get the DNS server setting automatically; you don't want to hardcode that into the IP properties of the VM.

 

-Jeff

@Jeff_Bryant Thanks a lot for your help.

I have managed to make it work. Primary DNS my new DC in Azure and secondary DNS DC on prem. 

Everything is working fine. 

 

Again much much appreciated.

 

Have a good day

@Jeff_Bryant I'm getting this error in spite of having Azure Active Directory + Azure AD Domain Services deployed and peer networked with my VNet in which the host pool VMs are being provisioned. I verified classic domain join works by establishing a point-to-site VPN connection into the VNet, using a virtual network gateway setup, and was able to join a localhost Hyper-V Windows 10 desktop setup that I have. So not sure what to do in order to get the WVD host pool template deployed VMs to successfully join.

 

q1. Is there a localhost user account you can connect to the host pool vms that fail to successfully join the domain so you can manually join them?

 

q2. Is there some permissions pre-provisioning that has to be done for the wvdadmin@myazureaddomain.com account which i specify for wvd host pool tenant group access given the default tenant group and host pool tenant group objects don't seem to exist in my azure ad environment or in my azure resource group before a wvd host pool deployment or after one that failed due to this vm domain join error?

@Jeff_Bryant 

wrt q1. I deployed AADDS

wrt q2. I'm specifying <domainname>.onmicrosoft.com. Should I just be specifying the NetBIOS <domainname> and not the fully qualified DNS domain name?

wrt q3. I'm deploying the host pool to a separate VNet that has a peer-to-peer network connection with aadds_vnet

wrt q4. I've successfully established a point-to-site VPN connection to the VNet that the WVD host pool VMs are being deployed to and then successfully joined a localhost Hyper-V hosted Win10 install to that cloud aadds_vnet hosted Azure AD Domain Services GC/DC pair using the same vmjoiner@mydomain.onmicrosoft.com account I provided to the WVD host pool template.

 

Given all that, not sure what I do differently next to get my first WVD host pool deployment to succeed past the VM domain join step.

@Jeff_Bryant, @Pratik_Mishra, @GR_C1pD the fix in my case was to change the DNS setting in the virtual network that my WVD host pool was being deployed to from "Default" to Custom, and in there I entered the aadds-vnet issued private IP addresses for the two serverless GC/DC setups. Those GC/DC setups are present because I'm trying to create a WVD host pool without the existence of an on-premises AD environment or an Azure set of DIY VM GC/DC configurations.

 

This issue and fix were detailed in the following:

VM has reported a failure when processing extension 'joindomain'. Error message ->

https://techcommunity.microsoft.com/t5/windows-virtual-desktop/joindomain-conflict/m-p/727866 ->

https://docs.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-set-up-issues -> "Cause 3: Your virtual network (VNET) DNS configuration is set to Default." defined fix.

 

Now the WVD host pool template is failing at this point with this message:

"VM has reported a failure when processing extension 'dscextension'. Error message: "DSC Configuration 'CreateHostPoolAndRegisterSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Test-TargetResource functionality with error message: Windows Virtual Desktop Authentication Failed . .  ."
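The "Cause 3" fix described in this reply (VNet DNS set to Default), as an added example that is not from the thread or from Microsoft: an Az PowerShell snippet that reports whether the host-pool VNet still uses Azure-provided DNS and, if so, switches it to the private IPs of the AADDS GC/DC pair (or your own DCs). The resource group, VNet name and both IPs are placeholders; it assumes you have already run Connect-AzAccount.

```powershell
# Added example, not from the thread: inspect the host-pool VNet's DNS setting with
# Az PowerShell and switch it from Azure-provided ("Default") to the AADDS / DC IPs.
# Resource group, VNet name and the two IPs are placeholders; take the real IPs from
# the AADDS overview blade (or your DC NICs). Requires Connect-AzAccount first.
$ResourceGroup = 'rg-wvd-placeholder'
$VNetName      = 'vnet-wvd-placeholder'
$DcIps         = @('10.1.0.4', '10.1.0.5')   # placeholder private IPs of the GC/DC pair

$vnet    = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
$current = @($vnet.DhcpOptions.DnsServers)

if ($current.Count -eq 0) {
    Write-Host "VNet '$VNetName' uses Azure-provided DNS (Default): session hosts cannot resolve the AD domain."
} elseif ($null -eq (Compare-Object -ReferenceObject $current -DifferenceObject $DcIps)) {
    Write-Host "VNet DNS already points at $($DcIps -join ', '); nothing to change."
    return
} else {
    Write-Host "VNet DNS is custom but points at $($current -join ', ')."
}

# Assigning DnsServers is what flips the portal setting from Default to Custom.
# DhcpOptions is normally present with an empty list; the guard below is defensive.
if ($null -eq $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = $DcIps
$vnet | Set-AzVirtualNetwork | Out-Null
Write-Host "VNet DNS set to $($DcIps -join ', ')."
Write-Host 'Existing VMs pick this up after a restart (or ipconfig /renew); new session hosts get it automatically.'
```

Two things this does not check and that still have to be true: the host-pool VNet must be peered to the AADDS VNet (or routed to the DCs over VPN/ExpressRoute) so the DNS servers are actually reachable, and no session-host NIC should carry its own DNS override, because a NIC-level setting wins over the VNet setting and hides the fix.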

@Rob Ob What version of WVD are you trying to deploy?  I would focus on the Spring Update because you don't need to deal with creating an SPN that is used by the DSC script to deploy the host pools and register the session hosts, which is likely why you are getting that error.

 

Go here to create a host pool

https://portal.azure.com/#blade/Microsoft_Azure_WVD/WvdManagerMenuBlade/overview

 

-Jeff

@Jeff_Bryant thanks for the followup. 

 

The WVD host pool wizard I was stepping through did allow me to specify a user principal [ / account ] as an alternative to a service principal [ / AAD application object id ] name/GUID and client secret, which I might expect can create more room for errors.

 

The issue it turns out was addressed by the easy to follow steps covered in 

azure has no TenantCreator role -> https://docs.microsoft.com/en-us/azure/virtual-desktop/virtual-desktop-fall-2019/tenant-setup-azure-... ->

where it covers what appears to be the one-time requirement of creating the "Windows Virtual Desktop" and "Windows Virtual Desktop Client" 1st party apps in one's Azure AD tenant and then assigning the user used to provision the host pool to the TenantCreator role of the "Windows Virtual Desktop" app. Once I followed those instructions the WVD host pool wizard succeeded, giving me a host pool operating against a pure Azure AD environment with no on-premises or VM based GC/DC setups, just the Azure AD Domain Services serverless GC/DC pair and my VNet that the host pool would be provisioned in, set up with peering to aadds-vnet and its DNS settings configured to use the IPs of the serverless GC/DC pair.

 

Is the url you provided [ https://portal.azure.com/#blade/Microsoft_Azure_WVD/WvdManagerMenuBlade/overview ] going to step me through a different wvd hostpool creation wizard experience than the create a resource | windows virtual desktop - provision a host pool | create [ https://portal.azure.com/?microsoft_aad_iam=true#create/rds.wvd-provision-host-poolpreview ] wizard experience i used does?

@Jeff_Bryant I agree with you. I have used the pre Spring Update and now it seems easier to use the new version to create a host pool.

@Rob Ob I used the second link (old way) and I don't see my host pool, which is working, listed under Windows Virtual Desktop | Host Pools. So I'm now going to implement a new one using the Spring Update, but it seems you don't need to specify the SPN anymore. I'll let you know my experience once completed.

 


 

@GR_C1pD just tried a new deployment for WVD (Spring Update) and it's failing with this error:

 

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "Conflict",
      "message": "{\r\n  \"status\": \"Failed\",\r\n  \"error\": {\r\n    \"code\": \"ResourceDeploymentFailure\",\r\n    \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n    \"details\": [\r\n      {\r\n        \"code\": \"DeploymentFailed\",\r\n        \"message\": \"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\",\r\n        \"details\": [\r\n          {\r\n            \"code\": \"Conflict\",\r\n            \"message\": \"{\\r\\n  \\\"error\\\": {\\r\\n    \\\"code\\\": \\\"PropertyChangeNotAllowed\\\",\\r\\n    \\\"message\\\": \\\"Changing property 'availabilitySet.id' is not allowed.\\\",\\r\\n    \\\"target\\\": \\\"availabilitySet.id\\\"\\r\\n  }\\r\\n}\"\r\n          }\r\n        ]\r\n      }\r\n    ]\r\n  }\r\n}"
    }
  ]
}

 

Investigating now, but I believe it's because I already have the VM Prefix assigned to the old pool and, since my host pool is not visible in the new WVD, it is trying to create a machine with the same name.

 

@GR_C1pD I used the second link and I also don't see my working WVD host pool shown under that WVD host pools blade [ https://portal.azure.com/?microsoft_aad_iam=true#blade/Microsoft_Azure_WVD/WvdManagerMenuBlade/hostp... ] so I'm thinking that blade is for legacy setups.

 

Also, using the second link to create my WVD host pool I was provided the option to define a user principal [ e.g. wvdadmin@mydomain.onmicrosoft.com ] or a service principal [ / application object id ] name, where the user principal has the Azure AD "Windows Virtual Desktop" 1st party app TenantCreator role assignment. So still not sure what the difference is between the two links being discussed for creating WVD host pools at this time.