VMware Cloud Community
Manupa
Enthusiast

vCO 5.1 Domain Join

Hi all,

We have some trouble with our deployment workflow while joining a domain when the VM does its sysprep. In version 4.2 everything worked great while sysprepping; after the upgrade to 5.1 this part of the sysprep was broken and did not work. We spent a lot of time finding this issue's cause. The problem is that vCO handles the credentials wrong, so we can't join the domain because of bad credentials. In addition to that, vCO locks the account used, because the VM tries to join several times.

Does anybody have the same problem with vCO 5.1? In our opinion this is a bug we can't solve.

Of course we had to solve it quickly and tried to join the domain by using a command line attached to the sysprep.

greetz

Manuel

20 Replies
Burke-
VMware Employee

Please give more specifics as to your issue, i.e. are you using one of the Library workflows as a base/starting point, or perhaps calling one of the clone/customize workflows? I have not done any Clone/Customize with vCenter based workflows for many months so I have not yet tried in vCO 5.1. Give some more details so we can see if we can replicate the issue.

Thanks.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter
Manupa
Enthusiast

We use this workflow for customization and cloning:

     >>Clone, Windows with multiple NICs and credential

For deployments we use a preinstalled template which is part of a workgroup, and has never seen a domain before.

When this wf starts we hand over the domain name, user credentials and all the other attributes which are required.

Manupa
Enthusiast

I forgot to say that joining via command line works instantly.

Burke-
VMware Employee

Please file an SR with VMware. I have duplicated this in my lab as well. In vCenter, I can clone/customize and my Windows 2008 R2 x64 joins the domain as specified, but when I run the vCO workflow, the customized name takes effect, but the VM does NOT join the domain. In both cases, I DO have DHCP running on the target network - in some cases not having DHCP running can cause this issue ...

Manupa
Enthusiast

Thank you for reproducing this issue. An SR with VMware is opened, hope they will fix it soon.

The only workaround I found is to run a command line with netdom and attach it to your sysprep.

Thanks so far

Manuel

AlexMITS
Contributor

I have the same issue - I have temporarily added a run-on-guest workflow to run netdom as well…

This is only with the vCenter Orchestrator 5.1 clone workflow - sysprep does not join the domain / the issue has to be somewhere in the sysprep actions.

Our vCO 5.1 is running against vCenter 5.0, not vCenter 5.1.

Manupa
Enthusiast

Hi,

I am still waiting for VMware support's answer, but I guess vCO does not transmit the right user password to the sysprep file. I had a look at the local sysprep file on my target machine; everything was right, except for the password, which was hidden in this file.

Does vCO lock your account too, while trying to join the domain?

Manuel

AlexMITS
Contributor

I have 3 domains that are part of the deployment workflow. On one I have the issue that the account used to join the domain gets locked - but this is more due to netdom than Orchestrator itself. I'm investigating it now...

I think I will open a case too if I'm not able to figure out the sysprep action.

AlexMITS
Contributor

Actually it is being locked when specified in Orchestrator "domainAdmin" - I have seen the account getting locked before netdom was even issued.

I have changed the domainAdmin to a fake, non-existing account and it does not get locked anymore - I'm still joining with netdom.

There is also sysprep with Unattended.txt.

I'm testing the clone workflow with the Sysprep workflow changed.

axelsche
Contributor

Hi,

Is there any news regarding that topic?

We opened an SR yesterday.

We had no problems with joining to our domain with vCO 5.1 until we installed the MS AD Plugin.

After that we experienced the same problems you have described above.

Manupa
Enthusiast

Hi,

From my side there is no new information. We are still waiting for our SR.

But if the join works in your environment, which version of the AD plugin did you install?

In my opinion the plugin is not necessary to join the domain while sysprepping, or preparing the customization spec. This is because vCO does not join the domain, it only provides the answer file for the target machine. So I couldn't explain why the installation of the plugin helps you.

axelsche
Contributor

Hi,

I know you don't need the AD Plugin to join a domain.

But we wanted to move the newly deployed VM to another OU after the deployment and that was why we started to use the AD Plugin.

Without the plugin the join worked fine; with the plugin, not anymore...

The Plugin Version was Active Directory 1.0.2.656.

ictvmwaresuppor
Contributor

Did you manage to resolve this problem?

Manupa
Enthusiast

Hi,

I did not resolve this issue. It is a bug of the plugin; I hope they will fix it in their next stable release.

bmorbach
Enthusiast

I have a quick fix for this problem. It appears that the plugin indicates to pass the password in plain text but actually passes an encrypted password.

Make a copy of workflow "Clone, Windows with single NIC and credential".

Between steps getCloneSpec and cloneVM insert a scripted task.

The scripted task needs an IN and OUT binding to workflow attribute "spec".


In the task scripting section enter:

     spec.customization.identity.identification.domainAdminPassword.value = "MyPasswordInPlainText";

That did the trick in my case.

Bernd
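
The scripted task from the post above, as an added example that is not part of the original thread or of VMware's workflow library: it sets the same `domainAdminPassword.value` field, but takes the account and password from workflow inputs instead of a literal in the script, and goes beyond the post by also setting `domainAdmin` and `plainText`. The input names `joinAccount` and `joinPassword` and the sample spec object are assumptions made for illustration.

```javascript
// Added example, not from the thread. Body for the scripted task placed between
// getCloneSpec and cloneVM. joinAccount and joinPassword are hypothetical
// workflow inputs (joinPassword typed SecureString), replacing the literal.
function applyJoinCredentials(spec, joinAccount, joinPassword) {
    var ident = spec && spec.customization && spec.customization.identity &&
        spec.customization.identity.identification;
    if (!ident || !ident.domainAdminPassword) {
        throw new Error("spec has no sysprep identification/password section");
    }
    var account = String(joinAccount || "").replace(/^\s+|\s+$/g, "");
    // Fail in the workflow rather than in the guest: the thread reports that
    // bad credentials reaching sysprep lead to repeated joins and a lockout.
    if (account === "") {
        throw new Error("join account is empty");
    }
    if (typeof joinPassword !== "string" || joinPassword === "") {
        throw new Error("join password is empty");
    }
    ident.domainAdmin = account;
    ident.domainAdminPassword.plainText = true; // value below is clear text
    ident.domainAdminPassword.value = joinPassword;
    return spec;
}

// Log-safe summary: never write the password into the workflow log.
function describeJoin(spec) {
    var ident = spec.customization.identity.identification;
    return "joinDomain=" + ident.joinDomain +
        " domainAdmin=" + ident.domainAdmin + " password=<redacted>";
}

// Constructed stand-in for the "spec" attribute so the block runs outside vCO.
function sampleSpec() {
    return { customization: { identity: { identification: {
        joinDomain: "corp.example",
        domainAdmin: "",
        domainAdminPassword: { plainText: false, value: "constructed-placeholder" }
    } } } };
}

// In the scripted task: spec = applyJoinCredentials(spec, joinAccount, joinPassword);
var demo = applyJoinCredentials(sampleSpec(), "CORP\\svc-join", "Constructed-Pw-1");
console.log(describeJoin(demo));
```

With the password bound as a workflow input, each run can use a different join account and the credential no longer sits in the workflow's script text.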

cdecanini_
VMware Employee

Have you guys tested with 5.1 U1? If I recall well the fix was to be released in this version.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter
rubberduck70
Contributor

Gents - just a bump on this thread

I've tried this workaround and it seems to work well:

In the task scripting section enter:

     spec.customization.identity.identification.domainAdminPassword.value = "MyPasswordInPlainText";

I do however want to confirm: using this method only allows you to join the domain using one single account? As you "fix" the password in a string, basically? How can I amend it / use a different method if I want to use any NT account as opposed to a fixed one?

Thanks

igaydajiev
VMware Employee

As mentioned by cdecanini, the issue got resolved and the fix is available in the latest 5.1 U2.

rubberduck70
Contributor

Hmm ok... well, we are using 5.5.0 and still see the issue. I'm thinking when the workflows were developed, the source code stemmed from the 5.1 version.
