Is it best practice or "better" w/ fewer issues to add a master image to the domain or leave it on a workgroup and let quick prep w/ a customization file add the computer to the domain according to the pool settings?
I prefer to join it to the domain. It's easier for you to do some tests with a domain user without having to deploy it to an instant/linked clone pool first.
Also, if you have some computer GPOs, they will sometimes not be applied on the instant clone pool because there is no reboot. So it's good if they are already applied on the master image.
I used to join to the domain for the sake of better login time and to apply group policy in advance, but a lot of issues have been discovered related to AD: group policy is sometimes not applied properly, and temp profiles.
The solution was to not join to the domain.
And if some application installation requires the domain, I join it to install the app, but before the provisioning I disjoin.
I prefer that the master VM is not a part of the domain; in the past I saw some strange things about trust relations between desktop and domain.
After reverting the VM to a previous state, we got some problems with the machine password age.
Yes, I know this issue. But there is a simple workaround: disable machine account password change.
You can read more about it on this blog: https://www.vladan.fr/trust-relationship-workstation-domain-fails-fix-without-double-reboot/
In some cases we have encountered strange behavior related to group policy; in one of the cases, 2-5 users wouldn't get their profile because group policy was not applied, including the folder redirection.
Removing the gold image from the domain solved the issue.
Thanks for that, we solved this problem months ago by defining the following policy: GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (as in the blog).
Thanks for sharing the blog
This means your script is getting pushed even before instant clones are added to the domain. How are you pushing the startup script? If you want to run any script, run it as a post-sync script during pool creation.
It's a startup scheduled task that calls a local PowerShell script. The script does two verifications prior to executing the gpupdate. First it checks for a valid IP address, then it checks that the computer name is a valid domain name.
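An added example of the startup-task pattern described in that post (this is not the poster's script): it waits until the clone holds a usable IPv4 address and reports itself as joined to the expected domain before running gpupdate, so the computer-policy refresh is not requested while the clone is still on the workgroup. The domain name is a placeholder, and "computer name is a valid domain name" is read here as "Windows reports membership in the expected AD domain and the clone's FQDN resolves".

```powershell
# Added example: startup-task script for an instant/linked clone. It waits
# until the clone has a usable IPv4 address and is joined to the expected
# domain, then refreshes computer policy. Not the original poster's script.
$ExpectedDomain = 'corp.example.com'   # ASSUMPTION: placeholder, use your AD DNS domain
$TimeoutSeconds = 300                  # give the clone time to finish the domain join
$RetrySeconds   = 10

function Test-UsableIPv4 {
    # True when an adapter that is Up holds a non-loopback, non-APIPA IPv4 address.
    $addrs = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
    foreach ($a in $addrs) {
        $nic = Get-NetAdapter -InterfaceIndex $a.InterfaceIndex -ErrorAction SilentlyContinue
        if ($nic -and $nic.Status -eq 'Up') { return $true }
    }
    return $false
}

function Test-JoinedToExpectedDomain {
    # True when Windows reports the machine as domain-joined to $ExpectedDomain
    # and the clone's own FQDN resolves in DNS, i.e. the join has completed and
    # the host record exists, so gpupdate will actually reach a DC.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain -or $cs.Domain -ine $ExpectedDomain) { return $false }
    $fqdn = "$($env:COMPUTERNAME).$ExpectedDomain"
    try { [void][System.Net.Dns]::GetHostAddresses($fqdn); return $true }
    catch { return $false }
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    if ((Test-UsableIPv4) -and (Test-JoinedToExpectedDomain)) {
        # Only now request a computer-policy refresh against the domain.
        & gpupdate.exe /target:computer /force
        exit $LASTEXITCODE
    }
    Start-Sleep -Seconds $RetrySeconds
}
Write-Warning "Clone never reached a joined state within $TimeoutSeconds s; skipping gpupdate."
exit 1
```

Run it from a scheduled task triggered at startup under SYSTEM; the retry loop covers the window where the clone has a link but the domain join or DNS registration has not finished yet.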
Would you be willing to share the script, and the steps you took to put it in place, high-level steps? Having a problem with machine policies coming down and I'm thinking this could help us.
It depends on you whether you want to join the master image to the domain or keep it out of the domain.
What I observed: whenever we keep the master image in the domain, the domain GPO policies are forcefully updated on the master image, and there might be some policies which can fail your desktop creation and updating next time.
So without joining the domain you can create and update desktop pools easily. I have tried a lot with joining the domain; I always failed to update the master image with the latest Windows patching or any changes on it.
In this case most of the time we don't know which policies are rejecting VDI creation or pool updating. Even a Windows admin will not help us to troubleshoot this.
Better to keep the golden image out of the domain.