JoinDomain VMExtensionProvisioningError when deploying WVD

Hi guys

When I'm trying to deploy a Windows Virtual Desktop environment, I get this error message below:

{
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/WVDResourceGroup/providers/Microsoft.Resources/deployments/rds.wvd-provision-host-pool-20191018100922/operations/F7935445F31FE2F2",
  "operationId": "xxxxxxxxxxxxxxxx",
  "properties": {
    "provisioningOperation": "Create",
    "provisioningState": "Failed",
    "timestamp": "2019-10-18T08:15:24.3354336Z",
    "duration": "PT3M11.2589953S",
    "trackingId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "statusCode": "Conflict",
    "statusMessage": {
      "status": "Failed",
      "error": {
        "code": "ResourceDeploymentFailure",
        "message": "The resource operation completed with terminal provisioning state 'Failed'.",
        "details": [
          {
            "code": "VMExtensionProvisioningError",
            "message": "VM has reported a failure when processing extension 'joindomain'. Error message: \"Exception(s) occured while joining Domain 'orbid365.be'\"."
          }
        ]
      }
    },
    "targetResource": {
      "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/WVDResourceGroup/providers/Microsoft.Compute/virtualMachines/wvdtest-0/extensions/joindomain",
      "resourceType": "Microsoft.Compute/virtualMachines/extensions",
      "resourceName": "wvdtest-0/joindomain"
    }
  }
}

It seems like my VM isn't able to join my domain which is configured with Azure Active Directory Domain Services.

The setup I'm using to get this working is:

  • AADDS synced with Azure AD
  • Virtual Network with 2 subnets
    • 1 subnet for AADDS
    • 1 subnet for the virtual machines

When trying to deploy, I also tried to use UPN and Service principal but both don't work either.

When deployment fails, the VM has been created but I'm not able to connect with it.

Does anyone know the solution for this? Have been looking through the other posts but they all don't seem to help for my setup.

Thanks in advance

@Luis_Farinango : By default, we do not create a Public IP address for the VM since we want it to remain locked down. However, you can manually add a Public IP address to the VM, then connect to it that way. Then, you should be able to follow the various troubleshooting steps here to see what the error was: https://docs.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-vm-configuration#vms-are-not-joi... .

best response confirmed by christianmontoya (Microsoft)
Solution

@christianmontoya 

Thank you for the reply.

I had another error when trying to do this again and eventually I was advised to deploy the host pool manually with the virtual machines. This workaround can be found under this post: https://techcommunity.microsoft.com/t5/Windows-Virtual-Desktop/Validation-failed-upon-creating-the-h...

Hi @christianmontoya ,

When I use an external email account with the Azure benefit activated by my MS FTE account to sign in to Azure, it generates a domain like this:

[screenshot of the generated domain name]

However, when I create an AAD Domain Service, the DNS domain name can't be set to the same as above, since it says "yangjiajia325gmail" is too long; it should be 15 characters or less. So I created the AAD DS with a different DNS domain name.

Then I want to create a WVD host pool, but it fails in deployment with a domain join conflict like this:

[screenshots of the deployment error]

Do you have any idea how I can solve this problem?

@Ashley_Yang : You would need to use the user's UPN for the actual domain. What was the name of the Azure AD DS that got stood up? Make sure to use user@<aadds-domain> .

@christianmontoya 

The name of the Azure AD DS is "yangjiajiagmail.onmicrosoft.com", and the automatically generated "domain" name is "yangjiajia325gmail.onmicrosoft.com". Do you mean I should use a UPN like user@yangjiajiagmail.onmicrosoft.com?

If yes, a small concern is that the user account I created in AAD is user@yangjiajia325gmail.onmicrosoft.com. Why should I do it like that?

@Ashley_Yang : You would need to put in a user that the Azure AD DS domain recognizes, so you would need to put in user@yangjiajiagmail.onmicrosoft.com .

@Luis_Farinango Try to create a new user as GA, add the user to the AADDC group and try again; it will work.

@Luis_Farinango Try to create a new global admin user, add the user to the AADDC group, reset the password and provide these credentials for the domain join only (as it needs to sync with AD DS).

@Luis_Farinango "occured while joining Domain 'orbid365.be'"

1. The first thing to validate is whether the vnet that has your WVD has access to the vnet that has your AD DS. You'll need to ensure that peering and the subsequent DNS change are completed so that vnetA (WVD vnet) can resolve names on vnetB (AD DS vnet).
2. Secondly, validate that the domain admin account you are using has the permissions required to carry out a domain join; typically the domain admin or any privileged user should be able to. Remember the name should be username@localDomain.ext (i.e. domainJoinerAdmin@dummyDomain.local).
3. As others have mentioned, keep in mind the character limit on the domain name in Azure.
4. Also, set up a test VM, place it on the same vnet as the WVD, and try a standalone domain join. This will assist in testing the domain account permissions and vnet-to-vnet communication, and help troubleshoot anything before deploying WVD; at least by then you will have cleared the minor hurdles.

Refer to these articles:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domai...
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal
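As an added example (not from any poster in this thread), the pre-flight checks from the list above and the UPN-suffix point raised earlier, scripted for the test VM in the WVD subnet. The AAD DS domain name and join-account UPN are assumed placeholder values; replace both with your own.

```powershell
# Added example: run on a test VM in the WVD subnet before retrying the host pool deployment.
# Assumed values (replace): the AAD DS DNS domain name and the UPN of the domain-join account.
$DomainName = 'yangjiajiagmail.onmicrosoft.com'
$JoinUpn    = 'wvdjoin@yangjiajiagmail.onmicrosoft.com'
$ok = $true

# Step 1: DNS. The VM must resolve the domain controllers via the vnet DNS servers (the AAD DS IPs).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "Cannot resolve DC SRV records for $DomainName. Check vnet peering and the vnet DNS server settings."
    $ok = $false
} else {
    $dcHosts = $srv | Where-Object QueryType -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique
    Write-Host "Domain controllers: $($dcHosts -join ', ')"

    # Ports a domain join needs between the subnets: Kerberos 88, LDAP 389, SMB 445 (check NSGs if blocked).
    foreach ($h in $dcHosts) {
        foreach ($port in 88, 389, 445) {
            $t = Test-NetConnection -ComputerName $h -Port $port -WarningAction SilentlyContinue
            if (-not $t.TcpTestSucceeded) { Write-Warning "$h : TCP $port blocked"; $ok = $false }
        }
    }
}

# Step 2: the join account must be user@<aadds-domain>, not the tenant's auto-generated default domain.
$suffix = ($JoinUpn -split '@')[-1]
if ($suffix -ne $DomainName) {
    Write-Warning "UPN suffix '$suffix' does not match the AAD DS domain '$DomainName'."
    $ok = $false
}

# Step 3: the first DNS label becomes the NetBIOS name and must be 15 characters or less.
$label = ($DomainName -split '\.')[0]
if ($label.Length -gt 15) {
    Write-Warning "First label '$label' is longer than 15 characters."
    $ok = $false
}

# Step 4: only when the checks pass, attempt the standalone join (prompts for the account password).
if ($ok) {
    $cred = Get-Credential -UserName $JoinUpn -Message 'Domain-join account password'
    Add-Computer -DomainName $DomainName -Credential $cred -Verbose
} else {
    Write-Host 'Fix the warnings above before retrying the WVD host pool deployment.'
}
```

If the standalone join succeeds here but the host pool deployment still fails, the remaining difference is the credentials or domain name passed to the joindomain extension, so compare them against the values that worked.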