When a new VM is provisioned in the Nerdio Manager for MSP (desktop image or session host) it joins the AD domain (by default) using the AD information provided during the initial installation process. The following steps are performed by the new VM.
- New Azure VM is created and obtains the DNS server(s) specified on the vNet
- Using the AD domain name provided during installation (or on host pool properties), the VM looks up the domain controller (DC) using the DNS server it obtained when created
- DNS server provides the VM with a DC record
- VM tries to join the domain by connecting to the provided DC using the user credentials provided during installation (or on host pool properties)
- VM tries to create an AD computer object in the OU provided during installation (or on host pool properties)
A failure in any of the above steps will result in an AD Domain join error. Here are some suggestions to try and troubleshoot the problem.
- Review C:\WINDOWS\Debug\NetSetup.log on the VM that's failing to join the domain.
- There should be a custom DNS specified on the vNet. This custom DNS must be AD-aware. If DNS was not set properly and is then corrected, be sure to restart the VM so it picks up the new DNS server(s).
- VM should be able to communicate with this DNS server.
- VM should be able to communicate with the domain controller responsible for domain join. This should ideally be a VM in Azure "close" to the VM.
- Ensure that the OU specified is in DN format and is present on the domain controller that's being used to join the domain. Make sure there are no domain replication problems.
- The user (service account) being used to join the domain should have the ability to create (and disable) computer objects in the target OU. Try using a known working account to join the domain.
- Note: Standard user accounts (by default) have the ability to join up to 10 session hosts to the domain. We recommend using a service account with delegated permissions for joining and removing an unlimited number of computers in the domain.
- Ensure that the user account is specified in UPN (email@example.com) or domain\user format.
- Test the validity of the OU by leaving the field blank, which will create the computer objects in the default location (e.g. Computers container).
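The checks in the list above, as an added PowerShell pre-flight script to run on the failing VM (example code, not part of Nerdio Manager); the domain name, OU DN and the optional `$Credential` parameter are assumptions you replace with your own values.

```powershell
# Added example (not Nerdio's code): walk the domain-join steps in order on the failing VM.
# The domain and OU below are constructed placeholders; pass your own values.
param(
    [string]$Domain   = 'corp.example.com',
    [string]$TargetOU = 'OU=AVD Hosts,DC=corp,DC=example,DC=com',
    [pscredential]$Credential    # optional: the join account, used to bind to the OU
)

# Step 1: which DNS servers did the VM get from the vNet? They must be AD-aware.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       Where-Object { $_.ServerAddresses } |
       Select-Object -ExpandProperty ServerAddresses -Unique
Write-Host "DNS servers in use: $($dns -join ', ')"

# Steps 2-3: ask that DNS for the DC SRV record. Azure-default DNS will not have it.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dc  = ($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget
Write-Host "DC returned by DNS: $dc"

# Step 4: reachability to the DC on the ports a domain join needs.
$ports = @{ 88 = 'Kerberos'; 135 = 'RPC'; 389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kerberos pwd' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("  {0,-13} TCP {1,-4} {2}" -f $ports[$p], $p, $(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# Step 5: the OU must be in DN format, and it must exist on the DC that will perform the join.
if ($TargetOU -notmatch '^(OU|CN)=.+,DC=.+') {
    Write-Warning "OU '$TargetOU' is not in DN format (expected OU=...,DC=...,DC=...)"
}
if ($Credential) {
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$dc/$TargetOU", $Credential.UserName, $Credential.GetNetworkCredential().Password)
    try   { $entry.RefreshCache(); Write-Host "OU found on $dc" }      # bind forces the lookup
    catch { Write-Warning "OU not found on $dc : $($_.Exception.Message)" }
}

# Finally, the join log the article points to; the last lines show which step failed.
if (Test-Path 'C:\Windows\Debug\NetSetup.log') {
    Get-Content 'C:\Windows\Debug\NetSetup.log' -Tail 20
}
```

Run it in an elevated PowerShell session on the VM before clicking Resume; a BLOCKED port or an SRV lookup failure points to the NSG/firewall or the vNet DNS setting respectively.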
To attempt the domain join again without deleting and recreating the VM, simply click Resume next to the task in the error state in Nerdio Manager for MSP.