Domain join failed with Windows VM

Problem:
When deploying a Windows VM using vSphere and sysprep, the VM being deployed cannot join the domain and remains stuck on “Getting ready”.

Foreman and Proxy versions:
foreman-3.10.0-1.el8.noarch
foreman-proxy-3.10.0-1.el8.noarch

Distribution and version:
Rocky Linux release 8.9 (Green Obsidian)
Other relevant data:

---
identity:
  Sysprep:
    guiUnattended:
      autoLogon: true
      autoLogonCount: 1
      password:
        plainText: true
        value: 'XXXXXX'
      timeZone: 110
    identification:
      joinDomain: 'mydomain'
      domainAdmin: 'user@mydomain'
      domainAdminPassword:
        plainText: true
        value: 'xxxxxxxxxxxxxxxx'
    machineObjectOU: 'OU=XXX,OU=XXX,OU=XXXXX,OU=XXX,DC=XX,DC=XXXX,DC=XX'

Looking at your provided template (assuming this is not a copy-paste error) I assume this is a simple indentation problem.
In your snippet, machineObjectOU is on the same hierarchy level as identification, while it should (to my knowledge) be a sub-option to identification. So I would try to indent machineObjectOU two more spaces and assume it should work then.
We have a very similar setup (though we have the AD objects pre-created via another tool, so we do not use machineObjectOU) and everything else looks correct to me.

My bad, wrong copy/paste!

---
identity:
  Sysprep:
    guiUnattended:
      autoLogon: true
      autoLogonCount: 1
      password:
        plainText: true
        value: 'XXXXXX'
      timeZone: 110
    identification:
      joinDomain: 'mydomain'
      domainAdmin: 'user@mydomain'
      domainAdminPassword:
        plainText: true
        value: 'xxxxxxxxxxxxxxxx'
      machineObjectOU: 'OU=XXX,OU=XXX,OU=XXXXX,OU=XXX,DC=XX,DC=XXXX,DC=XX'

Stuck in the same place!

I am not a Windows guy (mainly providing the infrastructure and a bit of help for the Windows team), but from what I have seen, this usually means some kind of network issue. Are you sure that:
a) the server is getting/using the correct IP
b) the server is in the correct vSphere portgroup
c) no firewall or similar is blocking access to AD
d) routing is set up correctly so the host can reach the AD

For what it’s worth, here are the relevant parts from our userdata template to set up networking:

nicSettingMap:
<% @host.interfaces.each do |interface| %>
  - adapter:
      name: <%= interface.subnet.name %>
      ip: <%= interface.ip %>
      subnetMask: <%= interface.subnet.mask %>
      <% if interface.primary -%>gateway: [<%= interface.subnet.gateway %>]<% end %>
<% end %>
globalIPSettings:
  dnsServerList:
    - <%= @host.subnet.dns_primary %>
    - <%= @host.subnet.dns_secondary %>

If this does not help, I am out of ideas.

I’m not familiar with Windows either ;). From what I just saw in the logs, the machineObjectOU: part is not read.

07/09/2024 16:25:05:468 NetpJoinDomain
07/09/2024 16:25:05:468 	HostName: myvm
07/09/2024 16:25:05:468 	NetbiosName: MYVM
07/09/2024 16:25:05:468 	Domain: mydomain\xxxxxxxxxx
**07/09/2024 16:25:05:468 	MachineAccountOU: (NULL)**
07/09/2024 16:25:05:468 	Account: myuser@mydomain
07/09/2024 16:25:05:468 	Options: 0x23

When I run the command manually from the server, it works.
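
An added example, not part of any post in this thread: a Ruby check that compares the OU requested under identification in the userdata with the MachineAccountOU that each NetpJoinDomain attempt logged. The userdata, the OU value and the log lines are constructed samples, and the function names are hypothetical.

```ruby
require 'yaml'

USERDATA = <<~YAML # constructed sample, modelled on the thread's userdata
  identity:
    Sysprep:
      identification:
        joinDomain: 'mydomain'
        machineObjectOU: 'OU=Servers,DC=example,DC=test'
YAML

NETSETUP_LOG = <<~LOG # constructed sample, modelled on the thread's join log
  07/09/2024 16:25:05:468 NetpJoinDomain
  07/09/2024 16:25:05:468 \tHostName: myvm
  07/09/2024 16:25:05:468 \tMachineAccountOU: (NULL)
LOG

# OU requested in the userdata; nil when the key is not nested under identification.
def requested_ou(userdata_yaml)
  YAML.safe_load(userdata_yaml).dig('identity', 'Sysprep', 'identification', 'machineObjectOU')
end

# Collects the tab-indented "Key: value" fields that follow each NetpJoinDomain line.
def join_attempts(log_text)
  attempts, current = [], nil
  log_text.each_line do |line|
    body = line.chomp.sub(%r{\A\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} }, '')
    if body.strip == 'NetpJoinDomain'
      attempts << (current = {})
    elsif current && (m = body.match(/\A\t(\w+): (.*)\z/))
      current[m[1]] = m[2].strip
    else
      current = nil # any other line ends the parameter block
    end
  end
  attempts
end

# One finding per join attempt: did the requested OU reach the join call?
def ou_findings(userdata_yaml, log_text)
  want = requested_ou(userdata_yaml)
  join_attempts(log_text).map do |a|
    used = a['MachineAccountOU'].then { |v| v == '(NULL)' ? nil : v }
    status = if want.nil? then :no_ou_in_userdata
             elsif used.nil? then :ou_not_passed
             elsif used.casecmp?(want) then :ok
             else :ou_mismatch
             end
    { host: a['HostName'], requested: want, used: used, status: status }
  end
end
```

Calling `ou_findings(USERDATA, NETSETUP_LOG)` on the rendered userdata and the guest's join log separates a template problem (`:no_ou_in_userdata`, as with the mis-indented first snippet) from the case seen in the last post, where the key is in the right place but the join still ran without an OU (`:ou_not_passed`).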