Master Image - Domain or No Domain
Hey all,
Is it best practice or "better" w/ fewer issues to add a master image to the domain or leave it on a workgroup and let quick prep w/ a customization file add the computer to the domain according to the pool settings?
thanks!
I prefer to keep it away from the domain unless some app requires the GI to be in the domain.
I prefer to join it to the domain. It's easier for you to do some tests with a domain user without having to deploy it to an instant/linked clone pool first.
Also, if you have some computer GPOs, they will sometimes not be applied on the instant clone pool because there is no reboot. So it's good if they are applied on the master image already.
We've never put our gold images on the domain and have the pool take care of adding each of the deployed VMs with quickprep.
I used to join it to the domain for the sake of better login time and to apply group policy in advance, but a lot of issues have been discovered related to AD: group policy sometimes is not applied properly, and temp profiles.
The solution was to not join it to the domain.
If some application installation requires the domain, I join it to install the app, but before the provisioning I disjoin it.
I prefer that the master VM is not a part of the domain. In the past I have seen some strange things with trust relationships between desktop and domain.
After reverting the VM to a previous state, we got some problems with the machine password age.
Hi Kevin,
Yes, I know this issue. But there is a simple workaround: disable machine account password change.
You can read more about it on this blog: https://www.vladan.fr/trust-relationship-workstation-domain-fails-fix-without-double-reboot/
In some cases we have encountered strange behavior related to group policy. In one of the cases, 2-5 users wouldn't get their profile because group policy was not applied, including the folder redirection.
Removing the gold image from the domain solved the issue.
Hey,
Thanks for that. We solved this problem months ago by defining the following policies: GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (as in the blog).
Thanks for sharing the blog.
It is not mandatory to put the golden image into the domain.
When the master is non-domain and using Instant-Clone, I found that we had to set up a local startup script to perform a gpupdate /target:Computer to get the computer GPO.
This means your script is getting pushed even before the instant clones are added to the domain. How are you pushing the startup script? If you want to run any script, run it as a post-sync script during pool creation.
It's a startup scheduled task that calls a local PowerShell script. The script does two verifications prior to executing the gpupdate. First it checks for a valid IP address, then it checks that the computer name is a valid domain name.
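
A sketch of the startup script described in the post above, as an added example that is not the poster's script or VMware's code. It assumes "valid domain name" means the clone reports itself as domain-joined; the log path, retry count and delay are hypothetical values.

```powershell
# Added example: wait for network + domain membership, then refresh computer policy.
# Assumed/hypothetical values: log path, retry count, delay.
$LogFile     = 'C:\ProgramData\GpRefresh\gprefresh.log'
$MaxAttempts = 30
$DelaySec    = 10

function Write-Log([string]$Message) {
    $dir = Split-Path -Parent $LogFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Add-Content -Path $LogFile -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

function Test-UsableIPv4 {
    # True once an IPv4 address other than loopback or APIPA (169.254.x.x) is assigned.
    $addrs = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
    return [bool]$addrs
}

function Test-DomainJoined {
    # PartOfDomain is False on a workgroup master image and True after the clone is joined.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]$cs.PartOfDomain
}

for ($i = 1; $i -le $MaxAttempts; $i++) {
    if ((Test-UsableIPv4) -and (Test-DomainJoined)) {
        Write-Log "Attempt ${i}: network and domain membership confirmed, refreshing computer policy"
        # Full path so a task running as SYSTEM does not resolve gpupdate through PATH.
        & "$env:SystemRoot\System32\gpupdate.exe" /target:computer /force | Out-Null
        Write-Log "gpupdate exit code: $LASTEXITCODE"
        exit $LASTEXITCODE
    }
    Start-Sleep -Seconds $DelaySec
}

Write-Log "Gave up after $MaxAttempts attempts: no usable IP or not domain-joined"
exit 1
```

Because a startup task of this kind typically runs as SYSTEM, keep the script in a directory that only administrators can write to. On the workgroup master itself the loop simply times out and logs that fact.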
Would you be willing to share the script and, at a high level, the steps you took to put it in place? We are having a problem with machine policies coming down, and I'm thinking this could help us.
Hi,
It depends on you whether you want to join the master image to the domain or keep it out of the domain.
What I observed: whenever we keep the master image in the domain, the domain GPO policies are forcefully updated on master images, and there might be some policies which can fail your desktop creation and updating next time.
So without joining the domain you can create and update desktop pools easily. I have tried a lot with joining the domain; I always failed to update the master image with the latest Windows patching or any changes on it.
In this case, most of the time we don't know which policies are rejecting VDI creation or pool updating. Even the Windows admin will not help us to troubleshoot this.
Better to keep the golden image out of the domain.
Hi,
Could you please forward me any web link for deploying a desktop without putting the golden image in the domain? While doing so I am not able to deploy; it is asking for the domain as a mandatory field while deploying a desktop using the golden image.