NetDocuments-Archive / ad-join-cookbook

Chef cookbook to join Windows computer to AD
Apache License 2.0

Add domain leave function. #16

Closed bender-the-greatest closed 7 years ago

bender-the-greatest commented 7 years ago

PR for domain leave functionality as referenced in #14

bender-the-greatest commented 7 years ago

This has been tested using Windows Server 2012 R2. One thing I did notice is that the double_reboot file never gets written, though Chef never fails on this. This issue existed prior to this PR, however, not sure how to fix that bit.

spuder commented 7 years ago

When a Windows server leaves a domain, does it need to reboot? Does it need to reboot twice?

The reason for the double reboot when joining is we found the timezone didn't get updated on first gpupdate.

Also, what is the intended use case here? Are you changing the runlist on machines that you are unjoining from the domain?

bender-the-greatest commented 7 years ago

The server does need to reboot when leaving the domain, same as when joining. The first reboot is run immediately after the domain leave script completes successfully.

I'm not sure that double rebooting will solve anything on the domain leave functionality, unless you want to absolutely make sure that the original GPO settings to exist once the instance is removed from the domain. And even in your use case for the timezone, I'm not sure if that would revert or not on removal from the domain. I don't think gpupdate is even necessary when using the local policy, so it may be a non-issue after removal from the domain. It's not something I tested, but I can regress that bit over the weekend to confirm the expected behavior.

Our use case does dictate a different runlist when removing from the domain as part of a different set of tasks for deprovisioning that machine. In our case, the machine is removed from the domain, and will then be removed from any hypervisor it runs under.

spuder commented 7 years ago

Ok, let's keep it simple then, if unjoining doesn't require a reboot, then let's remove that logic from the leave action.

bender-the-greatest commented 7 years ago

I think you misunderstood. The first reboot is required when leaving the domain; there may be other bits of a recipe that need to run post-removal (e.g. if you desire to leave one domain to join another). It's the second reboot that I don't believe is necessary during unjoin.

spuder commented 7 years ago

This looks good to me. Have you tested it?

bender-the-greatest commented 7 years ago

Yep, tested this on WS 2012 R2, no issues I can see so far.

spuder commented 7 years ago

Thanks, merged and pushed to Supermarket.