VMware Horizon Community
TomHowarth
Leadership

VC Guest Customisation

VC guest customisation does not allow for the specification of MachineOU when joining a guest to a domain.

As it is VDM best practice to create an OU in AD for the placement of VDM guests, my question is: how are you deploying your guests so that they are automatically placed in the correct OU?

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
Accepted solution

Huw_Michael
Contributor

We do the following if it's of any help:

Create a Customization Specification in VI / ESX and set the following (among other things):

  • Define the guest computer name to be the VM name i.e. under section "Computer Name" choose: "Use the virtual machine name"

  • Set an administrator password and configure the guest to autologon once as administrator - section "administrator password" of Customization Specification

  • Join a workgroup called something like VDIBUILD - section "workstation or domain" of Customization Specification

  • In RunOnce call a bat file which uses netdom to join the domain

  • Bat file has the following line: "netdom join %COMPUTERNAME% /d:netbiosdomainname /ou:ou=vdi,dc=corp,dc=local /userD:username /passwordD:password"

  • Followed by "shutdown -r -f -t 60"

When you create a pool of desktops in VDM you provide a name for the VM via the "prefix" label. VDM takes care of the uniqueness of naming for you by incrementing digits after the prefix. These are then used to set the Windows OS name by the above process, since you would call the customization specification as part of the desktop pool creation.

Caveat with netdom - your OU name or the name of any parent OU must not contain spaces.

Concern - leaving a bat file with credentials to join the domain lingering on a PC. We mitigate this by scheduling a couple of reboots and automating the deletion of the joindomain bat file - can provide details if you're interested.

14 Replies

Troy_Clavell
Immortal

Our VMs get placed in their OUs as part of the RunOnce script in the customization specs within VC.

sbeaver
Leadership

Care to share your RunOnce? I have been looking to do something like that but have had other tasks on my plate; I have been pre-staging the VMs in AD first.

Steve Beaver

VMware Communities User Moderator

Orlando Area VMware User Group Leader

====

Co-Author of "VMware ESX Essentials in the Virtual Data Center"

(ISBN:1420070274) from Auerbach

*Virtualization is a journey, not a project.*

Troy_Clavell
Immortal

I didn't write it and it's an encoded script file. I can share it, but I don't know how much you can get out of it.

TomHowarth
Leadership

I take it that you are using NETDOM to join the machine to the domain and adding the machine OU with the /OU switch.

sbeaver
Leadership

If you have an un-encoded version that is stripped of anything specific, that would be great. If not, no big.

Troy_Clavell
Immortal

We only join our VDI machines to the domain because they are running on a DHCP segment, and they are joined to the domain as part of the customization process built into VC. Now, if it uses NETDOM, then yes; but other than calling a batch file that calls the accountmove.vbe script as part of the RunOnce, we don't do anything special.

Troy_Clavell
Immortal

If you have an un-encoded version that is stripped of anything specific, that would be great. If not, no big.

Let me see what I can find.

TomHowarth
Leadership

Ahh, it actually looks like you use the default domain join in the VC customisation script and then use a RunOnce command to move. Thank you for that info.

Troy_Clavell
Immortal

Sorry guys, I haven't had success in getting the script decrypted. If I do, I'll post the contents back here.

bister
Expert

We run a scheduled task (so credentials are encrypted) on any member server and move the customized clients (special naming convention) from the default builtin CN=Computers to the appropriate OU. The task runs every minute (sic) and looks for new objects in CN=Computers; if the name matches, then the object is moved. Since then, no problem, as there is enough time between computer-object creation and the last reboot to pull policies.

Regards,

Christian
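The scheduled-task mover Christian describes, written out as an added PowerShell example (not his task or script): it runs on any domain member under a service account, so no join credentials ever sit on the guest. It assumes the ActiveDirectory module (RSAT) is installed; the domain DN, OU DN, naming pattern and task account below are placeholders.

```powershell
# Move-NewVdiComputers.ps1 (added example, not Christian's task). Run every
# minute as a scheduled task on a domain member under a service account that
# may create and delete computer objects in the source container and target OU.
# Assumes the ActiveDirectory module (RSAT); the DNs and pattern are placeholders.
param(
    [string]$DomainDN    = 'DC=corp,DC=local',
    [string]$NamePattern = 'VDI-*',                   # VDM pool prefix followed by digits
    [string]$TargetOU    = 'OU=vdi,DC=corp,DC=local',
    [string]$LogFile     = "$env:ProgramData\MoveNewVdiComputers.log"
)
Import-Module ActiveDirectory -ErrorAction Stop

function Move-NewVdiComputers {
    param([string]$DomainDN, [string]$NamePattern, [string]$TargetOU)
    $source = "CN=Computers,$DomainDN"
    # Only objects still in the default container and matching the pool naming
    # convention are touched; pre-staged or unrelated machines are left alone.
    $candidates = Get-ADComputer -SearchBase $source -SearchScope OneLevel `
                                 -Filter "Name -like '$NamePattern'"
    $moved = @()
    foreach ($computer in $candidates) {
        try {
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU -ErrorAction Stop
            $moved += $computer.Name
        }
        catch {
            Write-Warning "could not move $($computer.Name): $($_.Exception.Message)"
        }
    }
    return ,$moved
}

$moved = Move-NewVdiComputers -DomainDN $DomainDN -NamePattern $NamePattern -TargetOU $TargetOU
if ($moved.Count -gt 0) {
    "$(Get-Date -Format s) moved to ${TargetOU}: $($moved -join ', ')" | Out-File -FilePath $LogFile -Append
}

# One-time registration (placeholder account); schtasks prompts for the password
# and stores it with the task instead of leaving it in any script:
#   schtasks /Create /SC MINUTE /MO 1 /TN "Move VDI computers" /RU corp\vdi-mover /RP * `
#     /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Move-NewVdiComputers.ps1"
```

The task account needs only the rights to delete from CN=Computers and create in the target OU, so a compromised guest gains nothing from it.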

TomHowarth
Leadership

Huw,

Welcome to the forums. If this response is an indication of the standard of your input, then you will be a welcome addition; have 10 points for your thoughtful response and the first promotion up the ladder.

You are no longer a lurker but now deemed a Novice.

Just one small point: Netdom does accept OUs and DCs with spaces; you just have to enclose them in quotes, i.e. OU="my ou with spaces",DC="my domain with spaces",DC=local

Phil_Helmling
VMware Employee

Tom et al.,

I too don't like having credentials in batch files or scripts so I borrowed a base script and modified it to suit. Feel free to use if you like.

Usage:

  1. create a customisation spec as mentioned above

  2. add a run once with something similar to:

    1. cscript.exe C:\Windows\JoinDomainOU1.1.vbs -u UserName -p PasSWorD -d NetBiosDOMAIN -o OU=VDI,O=Workstation

  3. copy the script to C:\Windows\JoinDomainOU1.1.vbs

The benefit of this approach is that the credentials stay in vCenter, not in the template, so it's safer and easy to modify! You can also have the same base template for many pools all going to different OUs.

Phil
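An added PowerShell example of the join-straight-into-the-OU step that Huw's netdom batch file and Phil's parameterised VBScript both perform (this is not Phil's script, which is not reproduced in the thread): the customization spec's RunOnce passes the account, password, domain and OU on the command line, so nothing with credentials is written into the template. It assumes Windows PowerShell 3.0 or later on the guest; the account, password and OU shown are placeholders.

```powershell
# JoinDomainOU.ps1 (added example, not Phil's script). Called from the
# customization spec's RunOnce, e.g.:
#   powershell.exe -ExecutionPolicy Bypass -File C:\Windows\JoinDomainOU.ps1 `
#     -User joinsvc -Password "PasSWorD" -Domain CORP -OUPath "OU=vdi,DC=corp,DC=local"
# Assumes Windows PowerShell 3.0 or later on the guest (Add-Computer -OUPath).
param(
    [Parameter(Mandatory = $true)] [string]$User,     # join account (placeholder)
    [Parameter(Mandatory = $true)] [string]$Password, # passed by vCenter, never stored here
    [Parameter(Mandatory = $true)] [string]$Domain,   # NetBIOS or DNS domain name
    [Parameter(Mandatory = $true)] [string]$OUPath    # DN of the VDI OU
)

$log = Join-Path $env:SystemRoot 'Temp\JoinDomainOU.log'
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $log -Append
}

Write-Log "joining $env:COMPUTERNAME to $Domain, OU $OUPath"
try {
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential("$Domain\$User", $secure)
    # Add-Computer creates the computer object directly under -OUPath, so no
    # post-join move out of CN=Computers is needed and a DN with spaces is fine.
    Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred -ErrorAction Stop
    Write-Log "join succeeded"
}
catch {
    # Never echo $Password here: this message lands in a log on the guest.
    Write-Log "join FAILED: $($_.Exception.Message)"
    exit 1
}
finally {
    # The credential only ever lived in this process; drop it before exit.
    Remove-Variable -Name Password, secure, cred -ErrorAction SilentlyContinue
}

# Same delayed reboot as the batch approach, so the RunOnce can finish cleanly.
shutdown.exe /r /f /t 60
```

The account and password still appear on the RunOnce command line held in the customization spec, so use a dedicated join account that can only create computer objects in that OU.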

MartijnLo
Enthusiast

Thanks a lot Phil. Of all the solutions this seems like the most robust one.

This could solve some issues for me :)
