Automatically adding systems to an AD domain

When using virtualisation it is very common to create template VMs that can be cloned. This makes deployment much easier than installing a new VM from scratch. Unfortunately, the cloned VMs lack any Active Directory membership and have to be added to the AD domain manually, which is less than desirable for automated deployment. This recipe solves that in a hypervisor-independent manner: a Visual Basic script joins the system to the domain during Windows system preparation (it is run from SetupComplete.cmd, which Windows Setup executes once, with LocalSystem rights, at the end of the sysprep/specialize pass). In Lab Manager these steps are performed on a VM Template so that virtual machines cloned from it are joined to the domain when the system customization process runs. A specific Active Directory Organizational Unit can be specified. The Visual Basic script contains the credentials used for joining the system to the domain, so as a security measure it is deleted at the end of execution. Note that the plaintext password still lives on the template disk (and in any snapshot of it) until that point, so anyone who can read the template can recover it; use a dedicated, low-privilege join account rather than an administrative one.

Prerequisites

  • A dedicated Active Directory user account whose only right is to create Computer Objects in the target Organizational Unit (not a Domain Admin; the password will sit in plaintext on the template).
  • The distinguished name (LDAP path) of the Active Directory Organizational Unit the Computer is to be added to, for example OU=Virtuals,DC=example,DC=com.

Steps on the VM Template

Create Scripts Folder

C:\Windows\Setup\Scripts

Create Batch File

C:\Windows\Setup\SetupComplete.cmd

rem cscript runs synchronously, so no Start /wait is needed; the log only ever receives the exit code, never the credentials.
cscript //nologo %WINDIR%\Setup\Scripts\AddDomain.vbs >> %WINDIR%\Setup\Scripts\AddDomain.log 2>&1
echo AddDomain.vbs exit code %ERRORLEVEL% >> %WINDIR%\Setup\Scripts\AddDomain.log
Del %WINDIR%\Setup\Scripts\AddDomain.vbs

Create VBS File

C:\Windows\Setup\Scripts\AddDomain.vbs

' Flag values for Win32_ComputerSystem.JoinDomainOrWorkgroup (FJoinOptions)
Const JOIN_DOMAIN             = 1
Const ACCT_CREATE             = 2
Const ACCT_DELETE             = 4
Const WIN9X_UPGRADE           = 16
Const DOMAIN_JOIN_IF_JOINED   = 32
Const JOIN_UNSECURE           = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET        = 256
Const INSTALL_INVOCATION      = 262144

' Fill these in. strUser is the account name only; the domain is prepended below.
' strOU is the distinguished name of the OU that will hold the computer object.
strDomain   = "DomainName"
strOU       = "OU=Path,DC=example,DC=com"
strUser     = "Username"
strPassword = "Password"

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

' Bind to this machine's Win32_ComputerSystem instance through WMI
Set objComputer = _
  GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
  strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" _
  & strComputer & "'")

' Join the domain and create the computer object in strOU
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
   strPassword, _
   strDomain & "\" & strUser, _
   strOU, _
   JOIN_DOMAIN + ACCT_CREATE)

' 0 is success; anything else is a Win32/NetAPI error code
' (for example 5 = access denied, 1326 = bad credentials, 2224 = account already exists)
If ReturnValue <> 0 Then
  WScript.Echo "Domain join failed, error " & ReturnValue
End If
WScript.Quit ReturnValue

Tip: Start Notepad as administrator so it can save into C:\Windows\Setup\Scripts. Set strDomain, strOU, strUser and strPassword to your own values; strUser is the account name without a domain prefix, because the script prepends strDomain itself. Example:

    strDomain = "best.adinternal.com"
    strOU = "ou=Virtuals,ou=CRE R&D,ou=Beaverton,ou=Shared Management,dc=best,dc=adinternal,dc=com"
    strUser = "_adjoinuser"
    strPassword = "$uperS3curePassw()rd!{13245}"

Deploy VM

In the VM Template properties, be sure Perform customization is checked and Microsoft Sysprep is selected. Then clone the VM Template.

Tip: Wait around 10 minutes before trying to log in to the VM. During this time the VM goes through the sysprep process, which renames the host to the name given when the VM was cloned into a configuration and then runs SetupComplete.cmd to join the domain. The process is complete when the login screen shows the [Ctrl]+[Alt]+[Delete] prompt and offers a domain login.

Additional notes

The weak point of this recipe is the plaintext password: it sits on the template disk, in every snapshot of it, and in every clone until the Del in SetupComplete.cmd has run, so anyone with read access to the template can recover it. Keep the blast radius small with a dedicated join account that can only create computer objects in the target OU. To improve further, do not hardcode login credentials in the VB script at all. Instead, retrieve them from a web server over SSL/TLS (with certificate validation, so a spoofed server cannot hand out or harvest credentials). That server resets the password of the join account, returns the new one-time value, and resets it again once the join has completed, so a captured password is useless afterwards. The server can also check the requesting IP address against DNS/DHCP records to see whether this machine is indeed authorised to join. Finally, the join account and the computer objects can be placed in a different AD domain (with the appropriate trust relationships) so that additional security policies can be applied to them.
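The flow sketched above, as an added PowerShell example that is not part of the original recipe. The client side fetches a one-time credential from an HTTPS service and joins with Add-Computer (the same operation as JoinDomainOrWorkGroup with JOIN_DOMAIN + ACCT_CREATE); the server-side function shows the password reset and the DNS check. The service URL https://joinsvc.example.com/join, its JSON request/response shape and the account name _adjoinuser are assumptions; the domain and OU values are the ones from the example above.

```powershell
# Added example, not part of the original recipe. Client side: fetch a one-time join
# credential over HTTPS instead of hardcoding it, then join with Add-Computer.
# Assumptions: the service URL, its JSON shape ({name} in, {user,password} out) and
# the account name _adjoinuser. Invoked from SetupComplete.cmd as:
#   powershell -NoProfile -ExecutionPolicy Bypass -File %WINDIR%\Setup\Scripts\AddDomain.ps1
param(
    [string]$JoinService = 'https://joinsvc.example.com/join',   # assumed endpoint
    [string]$DomainName  = 'best.adinternal.com',
    [string]$OUPath      = 'OU=Virtuals,OU=CRE R&D,OU=Beaverton,OU=Shared Management,DC=best,DC=adinternal,DC=com'
)

function Get-JoinCredential {
    param([string]$Uri, [string]$Domain, [string]$ComputerName)
    # TLS 1.2 only; certificate validation is left on so a spoofed service cannot
    # hand out (or harvest) credentials.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $body = @{ name = $ComputerName } | ConvertTo-Json -Compress
    $resp = Invoke-RestMethod -Uri $Uri -Method Post -Body $body `
                -ContentType 'application/json' -TimeoutSec 30
    # The password only ever lives in memory as a SecureString; nothing is written to disk.
    $secure = ConvertTo-SecureString -String $resp.password -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential("$Domain\$($resp.user)", $secure)
}

function Join-Domain {
    param([string]$Domain, [string]$OU, [pscredential]$Credential)
    try {
        # Join and create the computer object in the given OU
        # (JoinDomainOrWorkGroup with JOIN_DOMAIN + ACCT_CREATE in the VBS).
        Add-Computer -DomainName $Domain -OUPath $OU -Credential $Credential -ErrorAction Stop
        return 0
    }
    catch {
        Write-Warning "Domain join failed: $($_.Exception.Message)"
        return 1
    }
}

# Server side (illustration only; runs behind the HTTPS endpoint on a host with the
# RSAT ActiveDirectory module, never on the clone). Issues a fresh random password for
# the join account and hands it out once; call it again after the join reports
# success so the issued value is dead.
function New-OneTimeJoinPassword {
    param([string]$Account = '_adjoinuser', [string]$RequesterIp, [string]$ClaimedName)
    # DNS check from the notes above: the requester's reverse record must match the
    # name it claims. A freshly cloned VM only passes once DHCP has registered it.
    $ptr = [System.Net.Dns]::GetHostEntry($RequesterIp).HostName
    if ($ptr -notlike "$ClaimedName.*") { throw "Requester $RequesterIp is not $ClaimedName" }
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = [Convert]::ToBase64String($bytes)
    Set-ADAccountPassword -Identity $Account -Reset `
        -NewPassword (ConvertTo-SecureString -String $password -AsPlainText -Force)
    return $password
}

# Client flow: the network may not be up yet right after sysprep, so retry the fetch.
$cred = $null
for ($i = 1; $i -le 5 -and -not $cred; $i++) {
    try { $cred = Get-JoinCredential -Uri $JoinService -Domain $DomainName -ComputerName $env:COMPUTERNAME }
    catch { Write-Warning "Attempt ${i}: $($_.Exception.Message)"; Start-Sleep -Seconds 15 }
}
if (-not $cred) { exit 2 }
exit (Join-Domain -Domain $DomainName -OU $OUPath -Credential $cred)
```

As with the VBS, the join only takes effect after a reboot, so let the customization process restart the machine (or add -Restart to Add-Computer once nothing else in SetupComplete.cmd needs to run). The script writes no credentials to disk, so the Del step of the original recipe becomes unnecessary, though removing the script afterwards still does no harm.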
