SOLVED

JoinDomain VMExtensionProvisioningError when deploying WVD

%3CLINGO-SUB%20id%3D%22lingo-sub-918716%22%20slang%3D%22en-US%22%3EJoinDomain%20VMExtensionProvisioningError%20when%20deploying%20WVD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918716%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20guys%3C%2FP%3E%3CP%3EWhen%20I'm%20trying%20to%20deploy%20a%20Windows%20Virtual%20Desktop%20environment%2C%20I%20get%20this%20error%20message%20below%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%7B%20%22id%22%3A%20%22%2Fsubscriptions%2Fxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%2FresourceGroups%2FWVDResourceGroup%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Frds.wvd-provision-host-pool-20191018100922%2Foperations%2FF7935445F31FE2F2%22%2C%20%22operationId%22%3A%20%22xxxxxxxxxxxxxxxx%22%2C%20%22properties%22%3A%20%7B%20%22provisioningOperation%22%3A%20%22Create%22%2C%20%22provisioningState%22%3A%20%22Failed%22%2C%20%22timestamp%22%3A%20%222019-10-18T08%3A15%3A24.3354336Z%22%2C%20%22duration%22%3A%20%22PT3M11.2589953S%22%2C%20%22trackingId%22%3A%20%22xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%22%2C%20%22statusCode%22%3A%20%22Conflict%22%2C%20%22statusMessage%22%3A%20%7B%20%22status%22%3A%20%22Failed%22%2C%20%22error%22%3A%20%7B%20%22code%22%3A%20%22ResourceDeploymentFailure%22%2C%20%22message%22%3A%20%22The%20resource%20operation%20completed%20with%20terminal%20provisioning%20state%20'Failed'.%22%2C%20%22details%22%3A%20%5B%20%7B%20%22code%22%3A%20%22VMExtensionProvisioningError%22%2C%20%22message%22%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'joindomain'.%20Error%20message%3A%20%5C%22Exception(s)%20occured%20while%20joining%20Domain%20'orbid365.be'%5C%22.%22%20%7D%20%5D%20%7D%20%7D%2C%20%22targetResource%22%3A%20%7B%20%22id%22%3A%20%22%2Fsubscriptions%2Fxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%2FresourceGroups%2FWVDResourceGroup%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2Fwvdtest-0%2Fextensions%2Fjoindomain%22%2C%20%22resourceType%22%3A%20%22Microsoft.Compute%2FvirtualMachines%2Fextensions%22%2C%20%22resourceName%22%3A%20%22wvdtest-0%2Fjoindomain%22%20%7D%20%7D%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20seems%20like%20my%20VM%20isn't%20able%20to%20join%20my%20domain%20which%20is%20configured%20with%20Azure%20Active%20Directory%20Domain%20Services.%3C%2FP%3E%3CP%3EThe%20setup%20I'm%20using%20to%20get%20this%20working%20is%3A%3C%2FP%3E%3CUL%3E%3CLI%3E%3CSPAN%3EAADDS%20synced%20with%20Azure%20AD%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3EVirtual%20Network%20with%202%20subnets%3C%2FSPAN%3E%3C%2FLI%3E%3CUL%3E%3CLI%3E%3CSPAN%3E1%20subnet%20for%20AADDS%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3E%3CSPAN%3E1%20subnet%20for%20the%20virtual%20machines%3C%2FSPAN%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20trying%20to%20deploy%2C%20I%20also%20tried%20to%20use%20UPN%20and%20Service%20principal%20but%20both%20don't%20work%20either.%3C%2FP%3E%3CP%3EWhen%20deployment%20fails%2C%20the%20VM%20has%20been%20created%20but%20I'm%20not%20able%20to%20connect%20with%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20the%20solution%20for%20this%3F%20Have%20been%20looking%20through%20the%20other%20posts%20but%20they%20all%20don't%20seem%20to%20help%20for%20my%20setup.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-925051%22%20slang%3D%22en-US%22%3ERe%3A%20JoinDomain%20VMExtensionProvisioningError%20when%20deploying%20WVD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-925051%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F418672%22%20target%3D%22_blank%22%3E%40Luis_Farinango%3C%2FA%3E%26nbsp%3B%3A%20By%20default%2C%20we%20do%20not%20create%20a%20Public%20IP%20address%20for%20the%20VM%20since%20we%20want%20it%20to%20remain%20locked%20down.%20However%2C%20you%20can%20manually%20add%20a%20Public%20IP%20address%20to%20the%20VM%2C%20then%20connect%20to%20it%20that%20way.%20Then%2C%20you%20should%20be%20able%20to%20follow%20the%20various%20troubleshooting%20steps%20here%20to%20see%20what%20the%20error%20was%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Ftroubleshoot-vm-configuration%23vms-are-not-joined-to-the-domain%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Ftroubleshoot-vm-configuration%23vms-are-not-joined-to-the-domain%3C%2FA%3E%26nbsp%3B.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-926405%22%20slang%3D%22en-US%22%3ERe%3A%20JoinDomain%20VMExtensionProvisioningError%20when%20deploying%20WVD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-926405%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20for%20the%20reply.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20had%20another%20error%20when%20trying%20to%20do%20this%20again%20and%20eventually%20I%20was%20adviced%20to%20deploy%20the%20host%20pool%20manually%20with%20the%20virtual%20machines.%20This%20workaround%20can%20be%20found%20under%20this%20post%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FWindows-Virtual-Desktop%2FValidation-failed-upon-creating-the-host-pool%2Fm-p%2F924184%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FWindows-Virtual-Desktop%2FValidation-failed-upon-creating-the-host-pool%2Fm-p%2F924184%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1230253%22%20slang%3D%22en-US%22%3ERe%3A%20JoinDomain%20VMExtensionProvisioningError%20when%20deploying%20WVD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1230253%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CP%3EWhen%20I%20used%20an%20external%20email%20account%20with%20activated%20azure%20benefit%20by%20my%20MS%20FTE%20account%20to%20sign%20in%20Azure%2C%20and%20it%20will%20generate%20a%20domain%20like%20this%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Ashley_Yang_0-1584351730581.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F177122i987298D1A69F07A8%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Ashley_Yang_0-1584351730581.png%22%20alt%3D%22Ashley_Yang_0-1584351730581.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EHowever%2C%20when%20I%20create%20a%20AAD%20Domain%20Service%2C%20the%20DNS%20domain%20name%20can't%20be%20set%20as%20the%20same%20above%2C%20since%20it%20told%20the%20%22yangjiajia325gmail%22%20is%20too%20long%2C%20it%20should%20be%2015%20char%20or%20less.%20So%20I%20create%20the%20ADD%20DS%20with%20a%20different%20DNS%20domain%20name.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThen%20I%20want%20to%20create%20a%20WVD%20hostpopl%2C%20it%20failed%20in%20deployment%20with%20domain%20join%20conflict%20like%20this%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Ashley_Yang_1-1584351956965.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F177123iB81B2D9ECB3E2F2B%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Ashley_Yang_1-1584351956965.png%22%20alt%3D%22Ashley_Yang_1-1584351956965.png%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Ashley_Yang_2-1584351980761.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F177124i130EDE47FFBB121F%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Ashley_Yang_2-1584351980761.png%22%20alt%3D%22Ashley_Yang_2-1584351980761.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EDo%20you%20have%20any%20idea%20how%20can%20I%20solve%20this%20problem%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1230891%22%20slang%3D%22en-US%22%3ERe%3A%20JoinDomain%20VMExtensionProvisioningError%20when%20deploying%20WVD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1230891%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F582898%22%20target%3D%22_blank%22%3E%40Ashley_Yang%3C%2FA%3E%26nbsp%3B%3A%20You%20would%20need%20to%20use%20the%20user's%20UPN%20for%20the%20actual%20domain.%20What%20was%20the%20name%20of%20the%20Azure%20AD%20DS%20that%20got%20stood%20up%3F%20Make%20sure%20to%20use%26nbsp%3B%3CEM%3E%3CSTRONG%3Euser%40%3CAADDS-DOMAIN%3E%3C%2FAADDS-DOMAIN%3E%3C%2FSTRONG%3E%3C%2FEM%3E%26gt%3B%20.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1231798%22%20slang%3D%22en-US%22%3ERe%3A%20JoinDomain%20VMExtensionProvisioningError%20when%20deploying%20WVD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1231798%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20name%20of%20the%20Azure%20AD%20DS%20is%20%22%3CSTRONG%3Eyangjiajiagmail.onmicrosoft.com%3C%2FSTRONG%3E%22%2C%20the%20automatically%20generated%20%22domain%22%20name%20is%20%22%3CSTRONG%3Eyangjiajia325gmail.onmicrosoft.com%3C%2FSTRONG%3E%22.%20Do%20you%20mean%20I%20should%20use%20the%20UPN%20like%20%3CSTRONG%3E%3CEM%3Euser%40yangjiajiagmail.onmicrosoft.com%3F%3C%2FEM%3E%3C%2FSTRONG%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20yes%2C%20a%20little%20concern%20is%20the%20user%20account%20I%20created%20in%20AAD%20is%20%3CA%20href%3D%22mailto%3Ause%40yangjiajia325gmail.onmicrosoft.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Euse%40yangjiajia325gmail.onmicrosoft.com%3C%2FA%3E.%20Why%20do%20I%20should%20do%20like%20that%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1235696%22%20slang%3D%22en-US%22%3ERe%3A%20JoinDomain%20VMExtensionProvisioningError%20when%20deploying%20WVD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1235696%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F582898%22%20target%3D%22_blank%22%3E%40Ashley_Yang%3C%2FA%3E%26nbsp%3B%3A%20You%20would%20need%20to%20put%20in%20a%20user%20that%20the%20Azure%20AD%20DS%20domain%20recognizes%2C%20so%20you%20would%20need%20to%20put%20in%26nbsp%3B%3CSTRONG%3E%3CEM%3E%3CA%20href%3D%22mailto%3Auser%40yangjiajiagmail.onmicrosoft.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Euser%40yangjiajiagmail.onmicrosoft.com%3C%2FA%3E%26nbsp%3B.%3C%2FEM%3E%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1382173%22%20slang%3D%22en-US%22%3ERe%3A%20JoinDomain%20VMExtensionProvisioningError%20when%20deploying%20WVD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1382173%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F418672%22%20target%3D%22_blank%22%3E%40Luis_Farinango%3C%2FA%3E%26nbsp%3B%20Try%20to%20create%20a%20new%20user%20as%20GA%20and%20add%20the%20user%20to%20AADDC%20group%20and%20try%20again%20it%20will%20work%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1389592%22%20slang%3D%22en-US%22%3ERe%3A%20JoinDomain%20VMExtensionProvisioningError%20when%20deploying%20WVD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1389592%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F418672%22%20target%3D%22_blank%22%3E%40Luis_Farinango%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3CSPAN%3ETry%20to%20create%20a%20new%20global%20admin%26nbsp%3Buser%20and%20add%20the%20user%20to%20AADDC%20group%2C%20reset%20the%20password%20and%20provide%20these%20credentials%20for%20domain%20join%20only%20(As%20it%20need%20to%20sync%20with%20ADDS)%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi guys

When I'm trying to deploy a Windows Virtual Desktop environment, I get this error message below:

 

{ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/WVDResourceGroup/providers/Microsoft.Resources/deployments/rds.wvd-provision-host-pool-20191018100922/operations/F7935445F31FE2F2", "operationId": "xxxxxxxxxxxxxxxx", "properties": { "provisioningOperation": "Create", "provisioningState": "Failed", "timestamp": "2019-10-18T08:15:24.3354336Z", "duration": "PT3M11.2589953S", "trackingId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "statusCode": "Conflict", "statusMessage": { "status": "Failed", "error": { "code": "ResourceDeploymentFailure", "message": "The resource operation completed with terminal provisioning state 'Failed'.", "details": [ { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'joindomain'. Error message: \"Exception(s) occured while joining Domain 'orbid365.be'\"." } ] } }, "targetResource": { "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/WVDResourceGroup/providers/Microsoft.Compute/virtualMachines/wvdtest-0/extensions/joindomain", "resourceType": "Microsoft.Compute/virtualMachines/extensions", "resourceName": "wvdtest-0/joindomain" } }}

 

It seems like my VM isn't able to join my domain which is configured with Azure Active Directory Domain Services.

The setup I'm using to get this working is:

  • AADDS synced with Azure AD
  • Virtual Network with 2 subnets
    • 1 subnet for AADDS
    • 1 subnet for the virtual machines

 

When trying to deploy, I also tried to use UPN and Service principal but both don't work either.

When deployment fails, the VM has been created but I'm not able to connect with it.

 

Does anyone know the solution for this? Have been looking through the other posts but they all don't seem to help for my setup.

 

Thanks in advance

8 Replies
Highlighted

@Luis_Farinango : By default, we do not create a Public IP address for the VM since we want it to remain locked down. However, you can manually add a Public IP address to the VM, then connect to it that way. Then, you should be able to follow the various troubleshooting steps here to see what the error was: https://docs.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-vm-configuration#vms-are-not-joi... .

Highlighted
Solution

@christianmontoya 

Thank you for the reply.

 

I had another error when trying to do this again and eventually I was adviced to deploy the host pool manually with the virtual machines. This workaround can be found under this post: https://techcommunity.microsoft.com/t5/Windows-Virtual-Desktop/Validation-failed-upon-creating-the-h...

Highlighted

Hi @christianmontoya ,

When I used an external email account with activated azure benefit by my MS FTE account to sign in Azure, and it will generate a domain like this:

Ashley_Yang_0-1584351730581.png

However, when I create a AAD Domain Service, the DNS domain name can't be set as the same above, since it told the "yangjiajia325gmail" is too long, it should be 15 char or less. So I create the ADD DS with a different DNS domain name.

 

Then I want to create a WVD hostpopl, it failed in deployment with domain join conflict like this:

Ashley_Yang_1-1584351956965.pngAshley_Yang_2-1584351980761.png

Do you have any idea how can I solve this problem?

 

Highlighted

@Ashley_Yang : You would need to use the user's UPN for the actual domain. What was the name of the Azure AD DS that got stood up? Make sure to use user@<aadds-domain> .

Highlighted

@christianmontoya 

The name of the Azure AD DS is "yangjiajiagmail.onmicrosoft.com", the automatically generated "domain" name is "yangjiajia325gmail.onmicrosoft.com". Do you mean I should use the UPN like user@yangjiajiagmail.onmicrosoft.com? 

If yes, a little concern is the user account I created in AAD is use@yangjiajia325gmail.onmicrosoft.com. Why do I should do like that?

Highlighted

@Ashley_Yang : You would need to put in a user that the Azure AD DS domain recognizes, so you would need to put in user@yangjiajiagmail.onmicrosoft.com .

Highlighted

@Luis_Farinango  Try to create a new user as GA and add the user to AADDC group and try again it will work

Highlighted

@Luis_Farinango  Try to create a new global admin user and add the user to AADDC group, reset the password and provide these credentials for domain join only (As it need to sync with ADDS)