I've been searching the net for days trying to find out if it's possible to add a newly created VM to our domain, but I'm running into a few problems. I'm not even sure if this is possible. I have an admin account that I'm running this script under, but that doesn't really matter since the template VMs aren't actually members of the domain, so the account doesn't have any privileges. Here's the script that I'm using:
$domain = "xxxx"
$domainpw = "xxxxxx"
$username = "xxxxxxx"
function JoinDomain {
    $domain = "domain.net"
    $domainpw = "localadminpassword"
    $username = "localadminusername"
    $servers = (Get-Content servers.txt)
    # ForEach-Object takes the script block directly; "$_" is only valid inside it
    $servers | ForEach-Object {
        $DomainUser = $Domain + "\" + $Username
        $OU = $null
        $ComputerSystem = gwmi Win32_ComputerSystem -ComputerName 10.2.4.205 -Credential localadminusername
        Write-Host $ComputerSystem
        $ComputerSystem.JoinDomainOrWorkGroup($Domain,$domainpw,$username)
    }
}
JoinDomain
So, like I said, I tried running this with my domain admin account and ran into an access denied error. So I changed the -Credential to a local username on the newly created VM and entered the password for the account when prompted. However, I still run into an access denied error. Any ideas on this? Is it even possible, or am I wasting my time?
Just some questions to make sure I understand the question correctly.
You are running the script on another system than the new guest?
Is your new guest reachable over the network?
And you are providing a domain administrator account in the $username variable?
____________
Blog: LucD notes
Twitter: lucd22
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yeah, the script is being run on my system as opposed to locally on the new guest system. The guest is reachable by IP address. I am providing a domain administrator account in the $username variable. The reason we've got to join each system to the domain is because we run NewSID. So I've got to log in, run NewSID, reboot and join the system to the domain by logging in through the console. This gets old after you run NewSID and join 15 servers to the domain.
I tried to make the script a bit more universal, so I made the next function:
function Join-DomainOrWorkGroup {
    param([string] $Computer,
          [string] $Domain,
          [string] $DomainPassword,
          [string] $DomainUsername,
          [string] $AccountOU,
          $LocalCredential,
          [int] $FJoinOptions = 3)
    $ComputerSystem = Get-WmiObject Win32_ComputerSystem -ComputerName $Computer -Credential $LocalCredential
    $ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domainusername,$FJoinOptions)
}
If I run it like this:
$LocalCredential = Get-Credential
Join-DomainOrWorkGroup -Computer MyComputer -Domain Mydomain -DomainPassword Mypassword -DomainUsername Myaccount -AccountOU MyOU -LocalCredential $LocalCredential -FJoinOptions 3
I get the next error (in Dutch):
Exception calling "JoinDomainOrWorkgroup" : "De clientverbinding met WINMGMT moet voor deze bewerking worden versleuteld. Pas de instellingen voor de IWbemServices-proxy aan en probeer het opnieuw. " At line:4 char:40 + $ComputerSystem.JoinDomainOrWorkGroup <<<< ($Domain,$DomainPassword,$Domainusername,$FJoinOptions) + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : WMIMethodException
In English this will be something like (translation by Google translate):
Exception calling JoinDomainOrWorkgroup ":" The client connects to winmgmt this operation must be encrypted.Adjust the IWbemServices proxy and try again. " At line: 4 char: 40 + $ ComputerSystem.JoinDomainOrWorkGroup <<<<($ Domain, $ Password Domain, Domain $ Username, $ FJoinOptions) + Category Info: NotSpecified: (:) [] MethodInvocationException + FullyQualifiedErrorId: WMIMethodException
I don't know how to get rid of this error. But if someone does, then I think we have solved this question.
Regards, Robert
I use the procedure given in the Join Domain securely post.
It uses an external file to store the securestring account/password.
Then it uses the JoinDomainOrWorkGroup method to perform the actual join.
Note that you need to have the authentication level set to RPC_C_AUTHN_LEVEL_PKT_PRIVACY when passing the username and password as parameters to avoid the WBEM_E_ENCRYPTED_CONNECTION_REQUIRED error.
This means that you need to use the -Authentication and -Impersonation parameters like this:
... $ComputerSystem = gwmi Win32_ComputerSystem -ComputerName 10.2.4.205 -Credential localadminusername -Authentication 6 -Impersonation Impersonate ...
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
LucD would you mind posting the script that you use and how you call it?
I will try to rebuild the script you guys have posted for my situation and see how it goes. I'll let you know.
Here's what I've done:
function Join-DomainOrWorkGroup {
    $username = "localusername"
    $Domain = "domain"
    $DomainPassword = "password"
    $Domainusername = "username"
    $FJoinOptions = "3"
    $ComputerSystem = gwmi Win32_ComputerSystem -ComputerName 10.2.4.207 -Credential $username -Authentication 6 -Impersonation Impersonate
    $ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domainusername,$FJoinOptions)
}
Join-DomainOrWorkGroup
I've logged into the console and noticed that the system is now joined to the workgroup named $domain. If my domain was test.com the workgroup is test.com. It's not actually joining the domain. Why would that be?
Try
$fJoinOptions = 3
instead of
$fJoinOptions = "3"
The join options parameter should be an integer, not a string.
I changed it to an integer and also logged into the system and changed the workgroup to something else. I re-ran the script and it joined the workgroup named $domain again.
What happens if you change
$ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domainusername,$FJoinOptions)
to
$ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domainusername,$null,$FJoinOptions)
Nothing happens. The workgroup doesn't change and the domain doesn't change.
this works for me:
$ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domain + "\" + $Domainusername,$null,$FJoinOptions)
> this works for me:
> $ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domain + "\" + $Domainusername,$null,$FJoinOptions)
This works. I had no idea you had to put the + "\" + in there. I didn't see that documented anywhere. Thanks for your help!
Still I am unable to join Windows VMs to the domain. I am trying to join computers remotely. I have tried this script from the local VM also; it didn't work. I am not getting any errors except the output below.
__GENUS : 2
__CLASS : __PARAMETERS
__SUPERCLASS :
__DYNASTY : __PARAMETERS
__RELPATH :
__PROPERTY_COUNT : 1
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
ReturnValue : 2202
any help is greatly appreciated.
Error 2202 (0x89a) indicates that the machine couldn't reach the AD domain controller.
There must be something wrong with the network setup or the network connection is not yet established.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks LucD. But I don't think we have any network connectivity issues. I am able to join the same VM to the domain manually. WinRM and PS remoting are also enabled. Do any other specific ports need to be opened to connect to the DC from PowerShell?
Perhaps I didn't explain it correctly, but I suspect that the guest can't reach the DC at the moment when the join domain is executed.
Remember that the guest OS is running sysprep at that time.
Once sysprep is finished the network connectivity is probably ok.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks for the quick reply. I am sure that sysprep is not running at this time. I think there should be something else that needs to be checked. I am just pasting my script below. Please suggest if you find any mistakes.
$computer = read-host "Enter Comp Name"
$localuser = "TestVM1\administrator"
$credential = get-credential
$Domain = "test"
$usr = $credential.UserName
$pss = $credential.Password
$ComputerSystem = get-wmiobject Win32_ComputerSystem -ComputerName $computer -Credential $localuser -Authentication 6 -Impersonation Impersonate
$ComputerSystem.JoinDomainOrWorkGroup($Domain, $pss, $Domain + "\" + $usr, $null, 3)
Thanks..
I got it:)
If I send my domain admin password in plain text it's working fine. But due to security concerns I should not do that. Any idea how we can make it work with a secure string?
You can prompt for the account and password with Get-Credential.
And then you convert it to cleartext, which allows you to pass it to the function:
$cred = Get-Credential
$user = $cred.GetNetworkCredential().UserName
$pswd = $cred.GetNetworkCredential().Password
$pswd
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
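The following function pulls together what the thread settled on: the encrypted WMI channel LucD describes (-Authentication 6 / PacketPrivacy with -Impersonation Impersonate), the DOMAIN\user form plus the $null OU argument that finally made the join work, an integer join option, and Get-Credential so that no password is stored in the script. It is an added example, not code from the thread or from PowerCLI; the function name Join-GuestToDomain, the parameter names, and the server list in servers.txt are assumptions. Note that the WMI method expects the password as a plain string, which is why the thread's last script (passing the SecureString object in $credential.Password) did not work while the clear-text value did.

```powershell
# Added example (not from the thread): remote domain join over WMI using the
# settings the discussion converged on. Assumes the guest is reachable, a local
# admin account exists on it, and the domain account may join computers.
function Join-GuestToDomain {
    param(
        [Parameter(Mandatory)] [string]       $Computer,
        [Parameter(Mandatory)] [string]       $Domain,
        [Parameter(Mandatory)] [pscredential] $LocalCredential,   # local admin on the guest
        [Parameter(Mandatory)] [pscredential] $DomainCredential,  # account with join rights
        [string] $AccountOU = $null,   # $null = default Computers container
        [int]    $FJoinOptions = 3     # 1 = NETSETUP_JOIN_DOMAIN, 2 = NETSETUP_ACCT_CREATE
    )

    # The domain password travels inside the DCOM call, so the channel must be
    # encrypted: PacketPrivacy is authentication level 6 (RPC_C_AUTHN_LEVEL_PKT_PRIVACY).
    $cs = Get-WmiObject Win32_ComputerSystem -ComputerName $Computer `
              -Credential $LocalCredential `
              -Authentication PacketPrivacy -Impersonation Impersonate

    # The method wants plain strings: "DOMAIN\user" and the clear-text password.
    # Unwrap the SecureString only here, at the call site, and keep it out of files.
    $net  = $DomainCredential.GetNetworkCredential()
    $dom  = if ($net.Domain) { $net.Domain } else { $Domain }
    $user = "$dom\$($net.UserName)"

    $result = $cs.JoinDomainOrWorkgroup($Domain, $net.Password, $user, $AccountOU, $FJoinOptions)
    $rc = [int]$result.ReturnValue

    # ReturnValue is a Win32 error code (0 = success); let the runtime translate it
    # instead of maintaining our own table of codes.
    $msg = ([System.ComponentModel.Win32Exception]$rc).Message
    [pscustomobject]@{ Computer = $Computer; ReturnValue = $rc; Message = $msg; Joined = ($rc -eq 0) }
}

# Usage: prompt for both accounts so no password lives in the script or on disk,
# then join every guest listed in servers.txt (one name or IP per line).
$local  = Get-Credential -Message 'Local administrator on the guest'
$domAcc = Get-Credential -Message 'Domain account allowed to join computers'
Get-Content servers.txt | ForEach-Object {
    Join-GuestToDomain -Computer $_ -Domain 'domain.net' -LocalCredential $local -DomainCredential $domAcc
}
```

Get-WmiObject only exists in Windows PowerShell (5.1 and earlier); the guest still needs a reboot after a ReturnValue of 0 before the join takes effect.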