Recently I have been working on an ARM template to create a Windows Server 2012 R2 VM from a managed disk image and join it to a Windows domain. I used the JsonADDomainExtension VM extension to perform the domain join. However, my first 3 attempts were in vain: the VM was not added to the domain, and the extension deployment reported an error.
I examined the ADDomainExtension log file, available at C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.JsonADDomainExtension\1.0\ADDomainExtension.log, and noticed the error below.
2017-07-31T05:04:47.0833850Z [Info]: Joining Domain 'child.abc.net'
2017-07-31T05:04:47.0833850Z [Info]: Joining Domain 'child.abc.net'
2017-07-31T05:04:47.0833850Z [Info]: Get Domain/Workgroup Information
2017-07-31T05:04:48.0521988Z [Info]: Current domain: (), current workgroup: WORKGROUP, IsDomainJoin: True, Target Domain/Workgroup: child.abc.net.
2017-07-31T05:04:48.0521988Z [Info]: Domain Join Path.
2017-07-31T05:04:48.0521988Z [Info]: Current Domain name is empty/null. Try to get Local domain name.
2017-07-31T05:04:48.0521988Z [Info]: In AD Domain extension process, the local domain is: ''.
2017-07-31T05:04:48.0521988Z [Info]: Domain Join will be performed.
2017-07-31T05:05:06.1756824Z [Error]: Try join: domain='child.abc.net', ou='OU=Test Objects,DC=child,DC=abc,DC=net', user='abc\SVC_Azure_Srv_Joindom', option='NetSetupJoinDomain, NetSetupAcctCreate' (#3:User Specified), errCode='1326'.
2017-07-31T05:05:15.4067523Z [Error]: Try join: domain='child.abc.net', ou='OU=Test Objects,DC=child,DC=abc,DC=net', user='abc\SVC_Azure_Srv_Joindom', option='NetSetupJoinDomain' (#1:User Specified without NetSetupAcctCreate), errCode='1326'.
2017-07-31T05:05:15.4223371Z [Error]: Computer failed to join domain 'child.abc.net' from workgroup 'WORKGROUP'.
2017-07-31T05:05:15.4223371Z [Info]: Retrying action after 3 seconds, at attempt 1 out of '3'.
The NetSetup.log, available at %windir%\debug\netsetup.log, reports the error below.
07/31/2017 05:05:14:253 NetpProvisionComputerAccount:
07/31/2017 05:05:14:253 NetpProvisionComputerAccount:
07/31/2017 05:05:14:253 lpDomain: child.abc.net
07/31/2017 05:05:14:253 lpHostName: AUETARMVM01
07/31/2017 05:05:14:253 lpMachineAccountOU: OU=Test Objects,DC=child,DC=abc,DC=net
07/31/2017 05:05:14:253 lpDcName: mydc01.child.abc.net
07/31/2017 05:05:14:253 lpMachinePassword: (null)
07/31/2017 05:05:14:253 lpAccount: orica\SVC_Azure_Srv_Joindom
07/31/2017 05:05:14:253 lpPassword: (non-null)
07/31/2017 05:05:14:253 dwJoinOptions: 0x1
07/31/2017 05:05:14:253 dwOptions: 0x40000003
07/31/2017 05:05:15:406 NetpLdapBind: ldap_bind failed on mydc01.child.abc.net: 49: Invalid Credentials
07/31/2017 05:05:15:406 NetpJoinCreatePackagePart: status:0x52e.
07/31/2017 05:05:15:406 NetpAddProvisioningPackagePart: status:0x52e.
07/31/2017 05:05:15:406 NetpJoinDomainOnDs: Function exits with status of: 0x52e
07/31/2017 05:05:15:406 NetpJoinDomainOnDs: status of disconnecting from '\\mydc01.child.abc.net': 0x0
07/31/2017 05:05:15:406 NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'child.abc.net' returned 0x0
07/31/2017 05:05:15:406 NetpJoinDomainOnDs: NetpResetIDNEncoding on 'child.abc.net': 0x0
07/31/2017 05:05:15:406 NetpDoDomainJoin: status: 0x52e
07/31/2017 05:05:18:432 -----------------------------------------------------------------
The issue was obvious after that: errCode 1326 (0x52e) is ERROR_LOGON_FAILURE, and the LDAP bind to the domain controller failed with result 49 (Invalid Credentials), so the service account used for the domain join was specified incorrectly. It should have been corrected to child.abc.net\SVC_Azure_Srv_Joindom. Once this was corrected I was able to re-deploy the ARM template without any issue, and the domain join operation was successful.
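As an added example (not the template from this post), this is how the extension resource looks with the account written in the corrected form and the password kept out of the plain settings block; the wrong value that produced errCode 1326 is shown alongside for comparison. The vmName and domainJoinPassword parameters, apiVersion and typeHandlerVersion are assumptions, and the // comments are the ARM-template comment style, which a strict JSON parser will reject.

```json
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2017-03-30",
  "name": "[concat(parameters('vmName'), '/joindomain')]",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
  ],
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "JsonADDomainExtension",
    "typeHandlerVersion": "1.3",
    "autoUpgradeMinorVersion": true,
    "settings": {
      // Target domain and the OU where the computer object is created.
      "Name": "child.abc.net",
      "OUPath": "OU=Test Objects,DC=child,DC=abc,DC=net",
      // Wrong: "abc\\SVC_Azure_Srv_Joindom" (authenticates against the
      // wrong domain, LDAP bind result 49, errCode 1326).
      // Correct: qualify the account with the domain it belongs to.
      "User": "child.abc.net\\SVC_Azure_Srv_Joindom",
      "Restart": "true",
      // 3 = NetSetupJoinDomain | NetSetupAcctCreate, matching
      // option='NetSetupJoinDomain, NetSetupAcctCreate' (#3) in the log.
      "Options": "3"
    },
    "protectedSettings": {
      // Password only ever goes here: protectedSettings is encrypted and
      // not echoed into deployment output or the extension log.
      "Password": "[parameters('domainJoinPassword')]"
    }
  }
}
```

Declare domainJoinPassword as a securestring parameter so the value never appears in the template file or the deployment history.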
If you want to know more about how to leverage the “JsonADDomainExtension” in your ARM template, the following article provides an excellent overview.