Hi,
Does Terraform support to add a VM to a domain (Azure)?
I have read few articles which mentioned Terraform still did not implemented this feature and considering for future releases.
In addition following keys are mentioned in terraform documentation which users can use to join a VM to a domain
domain_name = "ourdomain"
domain_ou = "OU=terraform,DC=ourdomain,DC=nl"
domain_username = "administrator"
domain_password = "clearedpassword"
Thanks.
Hi @gangadhar01a
Yes it does - both in the AzureRM Provider and the older Azure (Service Management) provider - although they're slightly different.
In the AzureRM Provider the recommended way to do this is to use a azurerm_virtual_machine_extension - which is run on the machine once it's running. This blog post defines a VM Extension which will join machines to the Domain - I've replicated this into Terraform config below:
resource "azurerm_virtual_machine_extension" "test" {
  name                 = "join-domain"
  location             = "West US"
  resource_group_name  = "${azurerm_resource_group.test.name}"
  virtual_machine_name = "${azurerm_virtual_machine.test.name}"
  publisher            = "Microsoft.Compute"
  type                 = "JsonADDomainExtension"
  type_handler_version = "1.0"

  settings = <<SETTINGS
{
  "Name": "domain.local",
  "OUPath": "",
  "User": "domain\\username",
  "Restart": "true",
  "Options": "3"
}
SETTINGS

  protected_settings = <<PROTECTED_SETTINGS
{
  "Password": "P@55w0rd"
}
PROTECTED_SETTINGS
}
Thinking about it, given the azurerm_virtual_machine_extension is pretty generic - it's probably worth adding this to the documentation as an example.
Within the older Azure (Service Management) provider - there are variables on the azure_instance resource which can be set (however bear in mind Azure is actively recommending people use AzureRM instead)
resource "azure_instance" "web" {
  ...
  domain_name     = "contoso.com"
  domain_ou       = "OU=Servers,DC=contoso.com,DC=Contoso,DC=com"
  domain_username = "Administrator"
  domain_password = "Pa$$word123"
  ...
}
Would it be possible to confirm if one of those options works? :)
Thanks!
@tombuildsstuff Thanks Tom. I will confirm once I have tried the two options you mentioned. I assume I can use the above extension for the "Resource Manager" deployment model.
@gangadhar01a indeed, the azurerm_virtual_machine_extension is a Resource Manager resource - so I believe this should work :)
Hi @tombuildsstuff
The Azure extension to join the VM to the domain is working as expected. I have one more requirement: I would like to run a few PowerShell commands once I have joined the VM to the domain. I know we have resources (remote-exec) to run commands on a VM, but I specifically want to run the commands after the VM has joined the domain.
@tombuildsstuff Never mind. I have used the available Azure extension:
resource "azurerm_virtual_machine_extension" "customscript" {
  name                 = "hostname"
  location             = "West US"
  resource_group_name  = "EnterpriseApps-Platform-PoC"
  virtual_machine_name = "${azurerm_virtual_machine.transfer.name}"
  publisher            = "Microsoft.Compute"
  type                 = "CustomScriptExtension"
  type_handler_version = "1.8"

  settings = <<SETTINGS
{
  "commandToExecute": "powershell.exe puppet agent -t"
}
SETTINGS

  tags {
    environment = "Production"
  }
}
However, the execution of the above extension resulted in the following error, which is misleading.
Does this mean the execution has been done successfully or not?
Hi @gangadhar01a
[..] Azure extension to join VM into domain working as expected. [..]
Great, thanks for confirming that - I'll add this to the documentation too.
[..] Does this means the execution has been successfully done or not?
In this case, the Extension has executed on the VM but failed due to the command being run, so I would suggest checking that. Perhaps you may be able to run puppet agent -t without invoking PowerShell?
Information on how to debug the VM Extensions can be found here - the Logs will be on the VM itself, and some basic information is in the Azure Portal (from memory, the Portal doesn't contain the logs, so I'd probably check on the VM itself) :)
Given the original issue here has been resolved - I'm going to close this issue for the moment :)
Thanks!
Hi @tombuildsstuff
Please refer to the article
https://azure.microsoft.com/en-us/blog/automating-sql-server-vm-configuration-using-custom-script-extension/
[However, we can't directly hand this script to Custom Script Extension yet. Custom Script Extension uses the NTAUTHORITY\SYSTEM account to execute scripts, but the account doesn't have the necessary privileges to execute the SQL configuration commands. To work around this, we'll create a separate bootstrap script, which impersonates an administrator account before invoking the script.]
According to the above article, the custom scripts will result in exit code 1 due to permission issues (local admin); it's expecting to run the scripts using the system account. I have no idea how I can do this through Terraform.
However, the commands provided in the custom script executed on the VM but with exit code 1 (not the expected behaviour). This results in the failure of the Custom Script extension in the Azure portal.
@tombuildsstuff - I am creating a couple of VMs, including a DC, and then promoting it to a domain controller. As the DC hasn't spun up yet, the servers fail to join it. If I wait for it to boot up correctly and re-apply using Terraform, they manage to join. Do you know of any way to wait for the domain to be ready? The only way I could think of is running another CSE on the Windows agent that checks the availability of the server and adding a "depends_on" for the rest of the resources.
btw - there is version 1.3 for this extension for a long time :)
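Pulling together Tom's JsonADDomainExtension pattern and the "wait for the DC" problem raised just above, here is an added example (not from any participant or from the provider's docs) in azurerm 2.x-style HCL: a CustomScriptExtension on the member VM polls the DC locator SRV record until the new DC answers, and the domain-join extension depends on it instead of racing the promotion. It assumes Terraform 0.13+, an existing azurerm_windows_virtual_machine.member resource, a VNet whose DNS points at the DC, and the constructed domain, OU and account names shown.

```hcl
variable "domain_join_password" {
  type      = string
  sensitive = true # redacted from plan/apply output; still lands in state, so protect the backend
}

locals {
  domain = "corp.example.local" # constructed placeholder domain
  # PowerShell gate: succeed only once the DC SRV record resolves and LDAP answers.
  wait_for_dc = <<-EOT
    $deadline = (Get-Date).AddMinutes(20)
    while ((Get-Date) -lt $deadline) {
      try {
        $dc = (Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.${local.domain}" -ErrorAction Stop)[0].NameTarget
        if ((Test-NetConnection -ComputerName $dc -Port 389).TcpTestSucceeded) { exit 0 }
      } catch {}
      Start-Sleep -Seconds 15
    }
    exit 1
  EOT
}

# Runs on the member VM; a non-zero exit fails the extension (and the apply) rather than joining blind.
resource "azurerm_virtual_machine_extension" "dc_ready" {
  name                 = "wait-for-dc"
  virtual_machine_id   = azurerm_windows_virtual_machine.member.id
  publisher            = "Microsoft.Compute"
  type                 = "CustomScriptExtension"
  type_handler_version = "1.10"
  settings = jsonencode({
    # -EncodedCommand wants base64 of UTF-16LE, which plain base64encode() does not produce.
    commandToExecute = "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand ${textencodebase64(local.wait_for_dc, "UTF-16LE")}"
  })
}

resource "azurerm_virtual_machine_extension" "join" {
  name                 = "join-domain"
  virtual_machine_id   = azurerm_windows_virtual_machine.member.id
  publisher            = "Microsoft.Compute"
  type                 = "JsonADDomainExtension"
  type_handler_version = "1.3"
  depends_on           = [azurerm_virtual_machine_extension.dc_ready]
  # jsonencode does the escaping a hand-written heredoc leaves to you: a raw DOMAIN\user is invalid JSON.
  settings = jsonencode({
    Name    = local.domain
    OUPath  = "OU=Servers,DC=corp,DC=example,DC=local"
    User    = "CORP\\svc-domainjoin" # a least-privilege join account, not Administrator
    Restart = "true"
    Options = "3" # NetJoinDomain flags: 1 = join domain, 2 = create the computer account
  })
  protected_settings = jsonencode({ Password = var.domain_join_password })
}
```

If the join still fails, the extension's own log under C:\WindowsAzure\Logs\Plugins on the VM shows the NetJoinDomain result code, which is more specific than the portal's status.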
So if i understand correctly: We still cannot terraform an AD domain, we can only domain join. Correct???
Thanks
@minneapolis29 Exactly.. but this is azure related.. not terraform..
cheers
Hi there, I've tried to implement this extension into a Terraform template. I can't seem to get this to go. The rest of the template works great (VM/VNet/subnet/security groups). I can even RDP in and add the VM to the domain manually. But my template bombs out on the Join Domain.
Any Advice would be greatly appreciated !
resource "azurerm_virtual_machine_extension" "rsg" {
  name                 = "join-domain"
  location             = "West US"
  resource_group_name  = "${azurerm_resource_group.rsg.name}"
  virtual_machine_name = "${azurerm_virtual_machine.vm.name}"
  publisher            = "Microsoft.Compute"
  type                 = "JsonADDomainExtension"
  type_handler_version = "1.0"

  settings = <<SETTINGS
{
  "Name": "my.domain.com",
  "OUPath": "CN=Windows Virtual Machine,CN=Acct-VMPOC2,OU=Utility,OU=Acct Servers,OU=Servers,OU=Domestic,DC=My,DC=Domain,DC=com",
  "User": "acct\\john",
  "Restart": "true",
  "Options": "3"
}
SETTINGS

  protected_settings = <<PROTECTED_SETTINGS
{
  "Password": "myclearP@$$w0rd"
}
PROTECTED_SETTINGS
}
This is what worked for me friend:
resource "azurerm_virtual_machine_extension" "Hamza" {
  name                 = "JoinDomain"
  location             = "East US"
  resource_group_name  = "${azurerm_resource_group.Hamza.name}"
  virtual_machine_name = "${azurerm_virtual_machine.Hamza.name}"
  publisher            = "Microsoft.Compute"
  type                 = "JsonADDomainExtension"
  type_handler_version = "1.3"
  #depends_on = ["module.Infrastructure.vm"]

  settings = <<BASE_SETTINGS
{
  "Name": "hamza.local",
  "User": "[email protected]",
  "OUPath": "OU=test,DC=hamza,DC=local",
  "Restart": "true",
  "Options": "3"
}
BASE_SETTINGS

  protected_settings = <<PROTECTED_SETTINGS
{
  "Password": "kravmagaminneapolis"
}
PROTECTED_SETTINGS
}
what is the error message?
Hi, this is what I see below. Everything else in the template works fine. I can RDP in and join the domain manually. My AD Join resource is in my mainvm.tf template (not sure if that is the right way).
azurerm_virtual_machine_extension.rsg: Still creating... (1m0s elapsed)
Error: Error applying plan:
1 error(s) occurred:
azurerm_virtual_machine_extension.rsg: 1 error(s) occurred:
azurerm_virtual_machine_extension.rsg: Long running operation terminated with status 'Failed': Code="VMAgentStatusCommunicationError" Message="VM 'acct-vmpoc5' has not reported status for VM agent or extensions. Please verify the VM has a running VM agent, and can establish outbound connections to Azure storage."
@TheMoroccanBoss that worked perfectly. I think the only thing missing on my end was the OUPath. Great help guys. Keep up the great work and research. One of the best parts of being in IT is the community and teamwork. Wealth of resources. No one can know everything; it's about leveraging resources and being able to locate the help and documentation :)
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.