cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
DEPRECATED: Using Powershell to domain join Windows 10 Azure Lab Service VMs
By
RogerBestMSFT
Published Aug 04 2020 11:22 AM 14K Views
RogerBestMSFT
Microsoft
‎Aug 04 2020 11:22 AM

DEPRECATED: Using Powershell to domain join Windows 10 Azure Lab Service VMs

‎Aug 04 2020 11:22 AM

DEPRECATED:  We no longer recommend that lab VMs be AAD registered, AAD joined, Hybrid AAD joined, or AD domain joined due to known product limitations.  As a result, the content provided in this post is no longer supported.  This applies to both the version of Azure Lab Services that uses Lab Accounts, and the newer version that uses Lab Plans.  For more information, please read the following blog post: Use labs without registering/joining to AD/AAD

 

--------------------------------------------------------------------------------------------------------------------------------------------

 

There are many benefits of having domain joined lab VMs in Azure Lab Services, including allowing the students to connect to the VM using their domain credentials.  Each VM can be joined to the domain manually, but this is tedious and doesn’t scale when domain joining multiple VMs.  To help with this, we have put together some Windows 10 Powershell scripts that a lab owner can execute on the so that every VM started in the lab is automatically joined to the domain and the student is added as a Remote Desktop user.

 

The scripts use Windows’ task scheduler to automatically run a script when the student VM starts up. The first script, which the lab owner executes on the template VM, registers a scheduled task that will run another script at VM start up. The script then publishes the template VM to create the students’ lab VMs. When a student’s lab VM is started the first time, the script that executes the domain join will automatically run. I would recommend that the VM start and domain join occur before the students need to login as this may take several minutes. If you increase the lab capacity later, those VMs will use the same configuration from the template VM and will be domain joined when they are started the first time. However, if you change the template VM, such as by adding more software or changing the configuration, the first script will need to be run again to set up the scheduled tasks.

 

The script will need a user, with password, that has permissions to join the domain, you may need to work with your IT department to get the necessary information.

 

The Azure Lab Service team will be building this functionality directly into the product, in the meantime these scripts will allow you to move forward with Lab Services.

 

Environments

These scripts work on the following configurations:

  • On-premise Active Directory domain
  • Hybrid Active Directory domain - An on-premise AD which is connected to an Azure Active Directory through Azure AD Connect.  AD Domain Services is installed on an on-premise server, see the diagram below. Applies also to federated domains.azure-ad-hybrid-joined-als-device.png
  • Azure AD DS Domains - For full-cloud AD (Azure AD + Azure AD DS) or Hybrid AD with secondary Domain Services on Azure.

Lab account and Lab setup

This section focuses on configuring your lab account and lab so that it is connected to your on-premise domain controller.  You may need to work with your IT department to get the necessary information and permissions to get the configuration properly setup.

1.) Either option will work:

- Wire up your on-prem Domain Controller on-prem network to an Azure VNet, either with a site-to-site VPN gateway or ExpressRoute.

- Create a secondary managed domain on top of your on-prem one with Azure AD DS (PaaS).

2.) Peer the Lab Account with the connected Virtual Network (VNet).

   WARNING: The lab account must be peered to a virtual network before the lab is created.

3.) Create a new lab, with the option enabled to use the same password for all virtual machines.

 

Where are the scripts

The scripts are available on GitHub along with a readme that has all the details about running the scripts.  The scripts require a domain user that can add VMs to the domain, you may need to contact your IT department to get the necessary information.

The scripts are designed to be modular.  The first script that is run on the template VM is the Join-AzLabADTemplate. 

  • Join-AzLabADStudent_RenameVm which renames the VM to a unique name.
  • Join-AzLabADStudent_JoinVM which joins the VM to the appropriate domain to an optional organizational unit.
  • Join-AzLabADStudent_AddStudent which adds the student that the VM is registered to, to the Remote User group so they can login.  If the VM isn’t registered to a user the task is skipped.

 

Here are two additional scripts that aren’t part of the domain-join process that will help manage the VMs.

  • Set-AzLabCapacity, which allows you to change the capacity of the lab from the template VM.
  • Set-AzLabADVms, which starts all the VMs from the template VM.  This script can be run to get all the VMs domain-joined instead of having the domain-join occur when the students start the VM. 

If you have any questions, feel free to post them at the community forum.  For issues with the scripts, add an issue to the GitHub repository.

 

Thanks

Roger Best

13 Comments
Co-Authors
Version history
Last update:
‎Jul 21 2023 05:46 AM
Updated by:
Labels