Closed sayanghosh123 closed 4 years ago
I had issues with this also. I made sure I was in the correct Azure AD group, and I also created a server in Azure and joined the domain manually; once that worked I re-ran the script again and it got past that stage.
It now errors out on the custom extensions for me and I cannot resolve it, sadly. Shame, as this is a great pipeline; I just wish I could get it going end to end.
Thanks @VinceThompson - I just tried that and nothing seemed to work. I am not great with Windows server administration though so probably didn't do it right.
I created a new Windows Server VM on the same VNET as AADDS and tried to domain join that. Every time I try to enter the credential to join the domain (this is the same AAD admin account we used to create the deployment? I used the UPN format as per https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm), I run into "The referenced account is currently locked out and may not be logged on to." Tried enabling https://docs.microsoft.com/en-us/azure/active-directory-domain-services/security-audit-events using a Log Analytics workspace, but the query gives me zilch.
Any clues? Would appreciate if I could do this and at least reach the state where you got stuck.
In Azure AD, what groups does the account you are using belong to?
Hi @VinceThompson - it is not a member of any groups in AAD. It has "Global Admin" role in AAD, and Owner RBAC role against the subscription.
I should also point out that I did crack the domain join nut. It's a bit tricky but the following video helped -
https://www.youtube.com/watch?v=OQjK4gC89Xc
A couple of concerns -
Coming back to the original issue, I ran the pipeline again after this and it failed at exactly the same stage as reported so the original issue persists.
Try removing the extension from the VM(s); it should say failed or something. Then try running the pipeline again.
Thanks for all your help mate @VinceThompson.
Also - another observation. Based on Vince's earlier comments, there was a whole bunch of "AAD DC Admins" groups created (I have retried many times and this wasn't one of the cleanup recommendations). I added the account to each one of them, and after that I could RDP to my manually created and domain joined VM! After this, I reran the pipeline, and it did clear "Deploy_WVDSessionHosts" step. Then, it failed in the "Deploy_WVDSessionHosts" step with the same error. I wonder if this is a bug with the automation as well where it may fail to add the initial admin ID as a member of "AAD DC Admins" group.
I did remove the domain join extension to the 2 VMs created from Azure portal, and reran the pipeline. It again got up to the "Deploy_WVDSessionHosts" step and failed with the same error, and I see the extension back with a status of "Provisioning failed".
@sayanghosh123 it will happen automatically; you do not need to press the configure button. I think it failed in your case due to an earlier issue and we never got to that code. Thank you for the cleanup recommendation.
If anyone ever stumbled into this issue, I finally found the issue. I was using a different domain name for AD DS than the AAD (I have no idea whether that is a supported scenario, but it came from my OCD to keep things distinguished). After looking through the docs, I realised that existingDomainName is inferred from DomainJoinAccountUPN, so using a different AD DS name means domain join will definitely fail. I went back and used the same domain name and voila, it started to work like magic. Hope this helps someone else running into the same issue.
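A pre-flight check for the mismatch described above, added here as an example (it is not part of the WVDQuickstart project): it derives the domain the deployment will infer from DomainJoinAccountUPN and compares it with the AD DS domain the parameters declare. The parameter names existingDomainName and DomainJoinAccountUPN are taken from this thread; their exact spelling in any given template, and the sample values, are assumptions.

```python
import re
from typing import Dict, List

# user@domain with no whitespace; anything else is not a usable UPN
UPN_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<domain>[^@\s]+)$")


def domain_from_upn(upn: str) -> str:
    """Return the domain suffix of a UPN, lower-cased.

    This mirrors the inference the thread describes: the deployment takes
    the domain to join from the UPN rather than from a separate field.
    """
    m = UPN_RE.match(upn.strip())
    if not m:
        raise ValueError(f"not a UPN: {upn!r}")
    return m.group("domain").lower()


def check_domain_join_inputs(params: Dict[str, str]) -> List[str]:
    """Return a list of problems found in the deployment parameters.

    An empty list means the declared AD DS domain (if any) agrees with the
    domain inferred from the join account's UPN, so the domain join will at
    least be aimed at the intended domain.
    """
    try:
        inferred = domain_from_upn(params.get("DomainJoinAccountUPN", ""))
    except ValueError as e:
        return [str(e)]
    declared = params.get("existingDomainName", "")
    if declared and declared.lower() != inferred:
        return [
            f"existingDomainName {declared!r} does not match the domain "
            f"inferred from DomainJoinAccountUPN ({inferred!r}); the join "
            f"will target {inferred!r} and fail against {declared!r}"
        ]
    return []


if __name__ == "__main__":
    # constructed sample: the mismatch from the thread (different AD DS name)
    sample = {
        "DomainJoinAccountUPN": "wvdadmin@contoso.onmicrosoft.com",
        "existingDomainName": "corp.contoso.com",
    }
    for problem in check_domain_join_inputs(sample):
        print("pre-flight:", problem)
```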
@sayanghosh123 we will consider adding an overwritable domain field in the advanced version.
Would love to see a Terraform version of this WVDquickstart 👍
I was trying to run the new deployment on an empty subscription, i.e. NewSubAADDSSetup/deploy.json. Location EastUS.
The deployment in Azure succeeded. Then I went to the DevOps pipeline and saw that it failed at "Deploy_WVDSessionHosts > Deploy module [VirtualMachines]"
Raw error
What I have also found -
inputValidationRunbook
I have validated the input, and the "Azure Admin Upn" was provided in the user@domain.onmicrosoft.com format. The deployment is trying to use ADDS only (it's a POC).
Four subsequent errors which seem related. In Azure AD, there are no new users added.
devOpsSetupRunbook
8 errors in total, but these seemed significant.
Any clues where to look next or what else we can try? I have tried several times on this subscription before but cleaned up after each time as per the recommended steps. Those attempts did not fully succeed, but I was trying to deploy my forked repo. This was based on this (primary) repo. Not sure if that has any impact.