dgrinnell
Enthusiast

Master Image - Domain or No Domain

Hey all,

Is it best practice or "better" w/ fewer issues to add a master image to the domain or leave it on a workgroup and let quick prep w/ a customization file add the computer to the domain according to the pool settings?

thanks!

0 Kudos
14 Replies
Magneet
Hot Shot

I prefer to keep it away from the domain unless some app requires the GI to be in the domain.

0 Kudos
Erossman
Enthusiast

I prefer to join it to the domain. It's easier to do some tests with a domain user without having to deploy it to an instant/linked clone pool first.

Also, if you have some computer GPOs, they will sometimes not be applied on the instant clone pool because there is no reboot. So it's good if they are applied on the master image already.

0 Kudos
tjbailey
Enthusiast

We've never put our gold images on the domain, and we have the pool take care of adding each of the deployed VMs with QuickPrep.

0 Kudos
HussamRabaya
VMware Employee

I used to join the domain for the sake of better login time and to apply group policy in advance, but a lot of issues have been discovered related to AD, group policy sometimes not being applied properly, and temp profiles.

The solution was to not join the domain.

If some application installation requires the domain, I join it to install the app, but before provisioning I disjoin.

0 Kudos
kevinpower
Enthusiast

I prefer that the master VM is not part of the domain; in the past I saw some strange things with trust relationships between desktop and domain.

After reverting the VM to a previous state, we got some problems with the machine password age.

0 Kudos
Erossman
Enthusiast

Hi Kevin,

Yes, I know this issue. But there is a simple workaround: disable machine account password change.

You can read more about it on this blog --> https://www.vladan.fr/trust-relationship-workstation-domain-fails-fix-without-double-reboot/

0 Kudos
HussamRabaya
VMware Employee

In some cases we have encountered strange behavior related to group policy. In one of the cases, 2-5 users wouldn't get their profile because group policy was not applied, including the folder redirection.

Removing the gold image from the domain solved the issue.

0 Kudos
kevinpower
Enthusiast

Hey,

Thanks for that. We solved this problem months ago by defining the following policies: GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (as in the blog).

Thanks for sharing the blog.

0 Kudos
Shreyskar
VMware Employee

It is not mandatory to put the golden image into the domain.

0 Kudos
touimet
Enthusiast

When the master is non-domain and using Instant-Clone, I found that we had to set up a local startup script to perform a gpupdate /target:Computer to get the computer GPO.

0 Kudos
Shreyskar
VMware Employee

This means your script is getting pushed even before instant clones are added to the domain. How are you pushing the startup script? If you want to run any script, run it as a post-sync script during pool creation.

0 Kudos
touimet
Enthusiast

It's a startup scheduled task that calls a local PowerShell script. The script does two verifications prior to executing the gpupdate. First it checks for a valid IP address, then it checks that the computer name is a valid domain name.

0 Kudos
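A sketch of the kind of startup check described in the post above, added here as an example; it is not touimet's script. It assumes the task runs as SYSTEM at startup, reads "valid domain name" as "the machine reports domain membership", and uses a made-up 5-minute timeout and 10-second poll interval.

```powershell
# Added example, not the poster's script. Meant to be called by a startup
# scheduled task (running as SYSTEM) baked into a non-domain master image.
# Assumed values: 5-minute timeout, 10-second poll interval.
$TimeoutSeconds = 300
$PollSeconds    = 10

function Test-UsableIPv4 {
    # True when at least one IPv4 address is neither loopback nor APIPA (169.254.x.x),
    # i.e. the clone actually received an address on the network.
    $addrs = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
    return [bool]$addrs
}

function Test-DomainJoined {
    # True once clone customization has joined the machine to a domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return ($cs.PartOfDomain -and -not [string]::IsNullOrWhiteSpace($cs.Domain))
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    if ((Test-UsableIPv4) -and (Test-DomainJoined)) {
        # Both checks passed: pull computer policy now instead of waiting for a reboot.
        & "$env:SystemRoot\System32\gpupdate.exe" /target:computer
        exit $LASTEXITCODE
    }
    Start-Sleep -Seconds $PollSeconds
}

# On the workgroup master image itself this path is expected: there is no domain policy to refresh.
Write-Warning 'No usable IPv4 address or domain membership before timeout; gpupdate skipped.'
exit 1
```

A non-zero exit code in the task history then separates clones that never reached the domain from clones where gpupdate itself failed.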
markjmast
Contributor

Would you be willing to share the script, and the high-level steps you took to put it in place? We're having a problem with machine policies coming down, and I'm thinking this could help us.

0 Kudos
milindng
Enthusiast

Hi,

It depends on you whether you want to join the master image to the domain or keep it out of the domain.

What I observed: whenever we keep the master image in the domain, the domain GPO policies are forcefully updated on the master image, and there might be some policies which can fail your desktop creation and updating next time.

So without joining the domain you can create and update desktop pools easily. I have tried a lot with joining the domain, and I always failed to update the master image with the latest Windows patching or any changes on it.

In this case, most of the time we don't know which policies are rejecting VDI creation or pool updating. Even the Windows admin will not help us troubleshoot this.

Better to keep the golden image out of the domain.

0 Kudos