Hi, I'm trying to add the domain join extension to an existing VM scale set. VM scale sets do support the extension, as per the document https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#extensions. When I try to add the script for the existing VM scale set, I'm getting a parser error. When I add the domain manually, it does work.
Error details
2019-03-20T00:55:40.3689418Z [Error]: Failed to deserialize JSON string. Exception: Newtonsoft.Json.JsonReaderException: Error reading string. Unexpected token: StartObject. Path 'Password', line 1, position 13.
at Newtonsoft.Json.JsonReader.ReadAsStringInternal()
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.ReadForType(JsonReader reader, JsonContract contract, Boolean hasConverter)
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject(Object newObject, JsonReader reader, JsonObjectContract contract, JsonProperty member, String id)
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
at Newtonsoft.Json.JsonConvert.DeserializeObjectT
at Microsoft.WindowsAzure.GuestAgent.Plugins.JsonExtensions.JsonSerialization.JsonSerializationHelpers.DeserializeJsonStringT
2019-03-20T00:55:40.3689418Z [Error]: Failed to retrieve protected settings with the following error: Error reading string. Unexpected token: StartObject. Path 'Password', line 1, position 13.
2019-03-20T00:55:40.3689418Z [Info]: Extension settings retrieval completed.
Code
$Settings = @{
"Name" = "domain";
"User" = "domain\user";
"Restart" = "true";
"Options" = 3;
"OUPath" = ""
}
$password = ConvertTo-SecureString -String 'Ej#7Au(4Bv-0C' -AsPlainText -Force
$ProtectedSettings = @{
"Password" = $password
}
$rgName = "myrgname"
$scaleSetName = "scalesetname"
# Get information about the scale set
$vmss = Get-AzureRmVmss -ResourceGroupName $rgName -VMScaleSetName $scaleSetName
# Add the jsonADDomain extension
$vmss = Add-AzureRmVmssExtension -VirtualMachineScaleSet $vmss -Publisher "Microsoft.Compute" -Type "JsonADDomainExtension" -TypeHandlerVersion 1.3 -Name "joindomain" -Setting $Settings -ProtectedSetting $ProtectedSettings -AutoUpgradeMinorVersion $true
# Update the scale set and apply the extension to the VM instances
Update-AzureRmVmss -ResourceGroupName $rgName -Verbose -Name $scaleSetName -VirtualMachineScaleSet $vmss
Please can anyone help me to figure out this issue? Thanks in advance!
@vinothinidharmaraj Thanks for your feedback! We will investigate and update as appropriate.
In my opinion the simplest way to achieve this is via JSON as mentioned in the FAQ you opened this issue on
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#how-do-i-join-a-virtual-machine-scale-set-to-an-active-directory-domain
Else, another good option is DSC as asked and explained here
https://stackoverflow.com/questions/47761362/join-vmss-vms-to-domain
Also, check this MSDN thread of a user trying the same
Based on the error you are getting, it seems there is an issue with the password. Have you tried hard coding the password to see if it helps?
Hey thanks for the reply.
I tried with the DSC configuration, and that works, but I want to use the VM scale set extension when there is an option to do so.
As you suggested, I tried with a plain text password instead of converting to a SecureString, and it does work. I'm able to join the domain.
But one of the instances failed with the below error (that instance had already joined the domain)
VM has reported a failure when processing extension 'joindomain'. Error message: "Join failed for Domain '@mydomain with the error: Failed to initiate system shutdown.".
When I look into the logs, it seems like it tries to unjoin the domain and join again, but it doesn't give me more information. How does this extension work when we run it on VM scale sets which have already joined the domain?
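The failure and the workaround discussed above, as an added example that is not part of the original thread: the handler log shows `StartObject` at path 'Password', meaning an object arrived where a JSON string was expected, which is what happens when a SecureString is placed in the protected settings hashtable. The function name `ConvertTo-ExtensionProtectedSetting` and the sample secret are hypothetical, and `ConvertTo-Json` stands in for the cmdlet's own serializer purely to display the two shapes.

```powershell
# Added example; function name and sample values are hypothetical, not from the thread.
function ConvertTo-ExtensionProtectedSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $ProtectedSetting
    )
    $result = @{}
    foreach ($key in $ProtectedSetting.Keys) {
        $value = $ProtectedSetting[$key]
        if ($value -is [securestring]) {
            # Decrypt only at the point of use; the handler expects a JSON string here.
            $result[$key] = [System.Net.NetworkCredential]::new('', $value).Password
        }
        elseif ($value -is [string]) {
            $result[$key] = $value
        }
        else {
            # Reject anything else before it reaches the VM and fails in the guest agent.
            $typeName = if ($null -eq $value) { 'null' } else { $value.GetType().FullName }
            throw "Protected setting '$key' is $typeName; expected a string."
        }
    }
    return $result
}

# Constructed placeholder secret. In a pipeline, supply it from a secret variable
# or a secret store instead of a literal in the script.
$secure = ConvertTo-SecureString -String 'Constructed-Placeholder-1' -AsPlainText -Force

$asPosted = @{ 'Password' = $secure }    # shape used in the question
$fixed    = ConvertTo-ExtensionProtectedSetting -ProtectedSetting $asPosted

# Display how each shape serializes, without printing the secret itself.
'as posted : ' + ($asPosted | ConvertTo-Json -Compress)
'converted : ' + (@{ 'Password' = '<string, redacted>' } | ConvertTo-Json -Compress)
'is string : ' + ($fixed['Password'] -is [string])

# $fixed is the hashtable to pass as -ProtectedSetting to Add-AzureRmVmssExtension.
```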
@vinothinidharmaraj thanks for that. DSC is the ideal route for this as it will run the extension only on new VMs that are added to the domain during a scale out operation. So for production workloads I would suggest continuing down that path.
From my understanding, if the VM is already domain joined the extension would not work. @cynthn do you happen to know who owns this extension and could shed some more light into this?
@MicahMcKittrick-MSFT I've not worked with that extension before, but @roiyz-msft looks after the extensions and should know more about who owns it from the engineering side :)
@MicahMcKittrick-MSFT as you said, if we use the DSC extension, do I need to maintain the automation account instead of integrating with the VSTS pipeline? E.g. the VSTS pipeline supports deploying an application using a custom script from VSTS to an Azure VM scale set.
That's a good question. I will let @roiyz-msft comment further or add the owner of that extension to clarify. I don't work with this extension that often so I would want to be sure before giving too much guidance :)
Hey, I have tried the JsonADJoinDomain extension with a combination of the below scenarios for the scale set with 2 instances,
It seems like the error which I got previously was probably random, because of the network or something. I didn't get that error back.
But still I would like to know about the integration between VSTS and DSC. Thanks in advance.
Thanks for the update @vinothinidharmaraj glad to hear it is working now :)
As per the VSTS and DSC integration that is a bit outside of my knowledge base. I would suggest you reach out to the VSTS forums to get more information on this
https://developercommunity.visualstudio.com/topics/Azure+DevOps.html
Here you will find people who integrate the two items together and should be able to help you integrate it into your solution.
@vinothinidharmaraj I will close for now. If you post in the dev ops community feel free to share the link here so I can follow it as well.
@MicahMcKittrick-MSFT - I'm facing the same issue with the same error message as in the problem description. I did try adding the password in plain text format, but even that did not work and it threw an error
Extension Logs :-
2019-04-23T13:48:42.0717655Z [Error]: Try join: domain='ONE.OFC.LOC', ou='', user='SRVGlobalJoin1', option='NetSetupJoinDomain, NetSetupAcctCreate' (#3:User Specified), errCode='1323'.
2019-04-23T13:48:57.7968319Z [Error]: Try join: domain='ONE.OFC.LOC', ou='', user='SRVGlobalJoin1', option='NetSetupJoinDomain' (#1:User Specified without NetSetupAcctCreate), errCode='1323'.
2019-04-23T13:48:57.7968319Z [Error]: Computer failed to join domain 'ONE.OFC.LOC' from workgroup 'WORKGROUP'.