Domain Join OU Configuration (Sysprep)

kalli · October 5, 2023, 1:12pm

Problem:
When deploying Windows VM using vSphere and sysprep, then I cannot specify machine OU and domain join cannot work

Expected outcome:
possibility to provide OU with domain join

Foreman and Proxy versions:
3.7
Foreman and Proxy plugin versions:

Distribution and version:

Other relevant data:

Hey,
we can join domain by using powershell script and this way also provide the OU when joining.
We need to specify the OU as each tenant has their own. we cannot allow one tenant deploy into OU of another.

In Foreman we also find usage of this. example in your windows default finish template:


powershell.exe -OutputFormat text -command Add-Computer -DomainName '<%= host_param('computerDomain') -%>' -Credential (New-Object -TypeName System.Management.Automation.PSCredential '<%= host_param('domainAdminAccount') -%>', (ConvertTo-SecureString -String '<%= host_param('domainAdminAccountPasswd') -%>' -AsPlainText -Force)) <% if host_param('computerOU').present? -%>-OUPath '<%= host_param('computerOU') -%>'<% end -%>

See how OU path is specified.
this powershell script is used in PXE provisioning, but we want to utilise VM clone with vSphere guest customization and sysprep.
Sysprep allows for this. see machineObjectOU in Identification | Microsoft Learn

I’ve tried that, but the moment I remove joinWorkGroup and add joinDomain, it errors that domainAdminAccount is also required:
identification->domainAdmin is required when using Sysprep identity and identification → joinDomain

i searched your github repo to find this error, but couldn’t but found exact reference to vsphere fog github

github.com

fog/fog-vsphere/blob/ddc5f494e72b15de375900d0c87afd9fdcde8b9c/lib/fog/vsphere/requests/compute/vm_clone.rb#L427


      
          # https://pubs.vmware.com/vsphere-55/index.jsp#com.vmware.wssdk.apiref.doc/vim.vm.customization.Identification.html
          # Fields:
          #   * domainAdmin: string
          #   * domainAdminPassword: CustomizationPassword
          #   * joinDomain: string *If supplied domainAdmin and domainAdminPassword must be set
          #   * joinWorkgroup: string *If supplied, joinDomain, domainAdmin and domainAdminPassword will be ignored
          custom_identification = RbVmomi::VIM.CustomizationIdentification()
          if identity['Sysprep']['identification'].key?('joinWorkgroup')
            custom_identification.joinWorkgroup = identity['Sysprep']['identification']['joinWorkgroup']
          elsif identity['Sysprep']['identification'].key?('joinDomain')
            raise ArgumentError, 'identification->domainAdmin is required when using Sysprep identity and identification -> joinDomain' unless identity['Sysprep']['identification'].key?('domainAdmin')
            raise ArgumentError, 'identification->domainAdminPassword is required when using Sysprep identity and identification -> joinDomain' unless identity['Sysprep']['identification'].key?('domainAdmin')
            raise ArgumentError, 'identification->domainAdminPassword->plainText is required when using Sysprep identity and identification -> joinDomain' unless identity['Sysprep']['identification']['domainAdminPassword'].key?('plainText')
            raise ArgumentError, 'identification->domainAdminPassword->value is required when using Sysprep identity and identification -> joinDomain' unless identity['Sysprep']['identification']['domainAdminPassword'].key?('value')
            custom_identification.joinDomain = identity['Sysprep']['identification']['joinDomain']
            custom_identification.domainAdmin = identity['Sysprep']['identification']['domainAdmin']
            # https://pubs.vmware.com/vsphere-55/index.jsp#com.vmware.wssdk.apiref.doc/vim.vm.customization.Password.html
            # Fields:
            #   * plainText: boolean **REQUIRED**
            #   * value: string **REQUIRED**
            custom_identification.domainAdminPassword = RbVmomi::VIM.CustomizationPassword(

it in one of the foreman packages I also found reference to fog, so it seems you utilise this.

I’ve then followed the instructions by reverse-engineering the code and configuring in user-data script

    identification:
      joinDomain: '<%= @host.domain %>'
      domainAdmin: <%= host_param('domain_user') %>
      domainAdminPassword:
        plainText: true
        value: <%= host_param('domain_password') %>

this allows me to provison the VM, but customization never ends, my feeling is that it is due to the fact nowhere I specified which OU to add it to

and looking at the fog vsphere there is no way.

any ideas? is there a different way other than to utilise webhook and pre-join the VM in OU with set machine password?

kalli · October 5, 2023, 5:00pm

another observation.
when I use domainJoin it fails to assign the IP address and therefore domainJoin times out after several minutes (as it cannot find domain controller)
When I change it back to joinWorkgroup, then IP is assigned. it seems broken

Has anyone ever successfully used this?

areyus · October 17, 2023, 7:23am

Hi,

we are using to provision Windows VMs and also join them to our AD domain.
The relevant parts of our user-data template are:

    identification:
      domainAdmin: <%= host_param('domain_join_account') %>
      domainAdminPassword:
        plainText: true
        value: <%= host_param('domain_join_password') %>
      joinDomain: <%= host_param('domain_name') %>

and

nicSettingMap:
<% @host.interfaces.each do |interface| %>
  - adapter:
      name: <%= interface.subnet.name %>
      ip: <%= interface.ip %>
      subnetMask: <%= interface.subnet.mask %>
      <% if interface.primary -%>gateway: [<%= interface.subnet.gateway %>]<% end %>
<% end %>

This will join the server to AD with the specified credentials and also set up the interfaces according to the NIC data in Foreman.