Can't automatically join VM to domain.

  • Question

  • Hi.

    I'm experiencing an issue with joining a VM to a domain.

    I read the Extensibility Guide and did everything as Example 2 says, but each time I try to create a VM, I receive the error:

    Cannot validate argument on parameter 'JoinDomainCredential'. The argument is null. Supply a non-null argument and try the command again.

     

    My domain name is not contoso.com, but even if I try with:

    $domainCredential = New-Object System.Management.Automation.PSCredential $credentialMyDomainadministrator.username, ...


    I still receive the error.

    Please help.

     

    Tuesday, July 26, 2011 10:07 AM

Answers

  • Hi,

    Please check following.

    1. Domain name is added as an input parameter for the script.
    2. Default script has three instances of the New-VM cmdlet. Edit all three instances with "-JoinDomain $domainName -JoinDomainCredential $domainCredential"
    3. Make sure the network you are selecting has "Corporate Network" set to 'Yes'
    4. Ensure that you are selecting the domain name during the Create Virtual Machine wizard.

    To ensure that credentials are encrypted correctly, can you please write the sample PowerShell task given below in one of the Actions and execute it, assuming that the credentials are encrypted using AddUserProfile.ps1 with User Name: Contoso\Administrator.

    Script for the Task:

    $credentialcontosoadministrator.username  >> C:\Test.txt
    $credentialcontosoadministrator.password >> C:\Test.txt

    If you get the output below in C:\Test.txt on the VMMSSP server machine, then the credentials are encrypted correctly and you should not get the error you mentioned.

    Output:

    contoso\Administrator
    System.Security.SecureString

    If you are not getting the above output, then please delete and re-encrypt the credentials. This should resolve your issue.

    Thanks,

    Santosh..

    Friday, July 29, 2011 9:50 PM

All replies

  • Hi,

    Looks like you are not able to retrieve the credentials correctly. Can you please confirm the following.

    1. Used the self-service portal service account to log on to the computer running the VMMSSP server component to encrypt the credentials.
    2. When you have finished encrypting the credentials, Virtual Machine Manager Self-Service Portal 2.0 service is restarted.
    3. Re-Encrypt the Credentials if the Service account is recently changed.
    4. Please see if there are any errors in the VMMSSP Server Component Events.

    Thanks,

    Santosh..

    • Proposed as answer by Santosh Karale Wednesday, July 27, 2011 5:15 PM
    Wednesday, July 27, 2011 5:14 PM
  • 1. Done

    2. Done

    3. Rebooted the server

    4. No error messages in any of logs.

     

    And again:

    Cannot validate argument on parameter 'JoinDomainCredential'. The argument is null. Supply a non-null argument and try the command again.

    Friday, July 29, 2011 6:38 AM
  • Hi Santosh,

    I have been experiencing the same issue with my SSP 2.0 SP1 as Ktostam reported. I have followed the steps in the Extensibility Guide as well as the debugging steps you mentioned above but no luck.

    After encrypting the user credentials by using AddUserProfiles.ps1 and restarting the SSP service on the computer running the SSP server component, the user (mydomain\administrator) is added into the registry under HKEY_Local_Machine\Software\Microsoft\DITSC\UserProfile. However, running $credentialMyDomainAdministrator.username and .password returns nothing.

    Each time the SSP service is restarted, a warning with EventID 1425 occurs in the application log. It says
    Source: ScriptManager
    Error Code: 1425
    Message: Error reading the credentials from registry.
    Error Stack:
    1)Object reference not set to an instance of an object.
    ....
    Application Domain: Microsoft.DITSC.ProvisioningService.exe

    By the way, there is no problem for my SSP to create VMs without joining a domain. Any thoughts?

    Thanks,

    Gong

    Friday, August 19, 2011 9:16 PM
  • Hi,

    Looks like the credentials are not stored correctly in the registry. Can you please try re-encrypting the credentials and see if that resolves the issue. Please ensure that credentials are added by the Service Account. If you are still facing the issues, please send the VMMSSPService.log and Event log to sspfeedback@microsoft.com

    Thanks,

    Santosh

    Friday, August 26, 2011 6:19 PM
  • Hi Santosh,

    I retried it and still got the same results. I just emailed the two logs you requested to the email address you referred to.

    Thanks,

    Gong

    Thursday, September 1, 2011 3:41 PM
  • Sorry it took so long, but I've added the lines

    $credentialMyDomainadministrator.username  >> C:\Test.txt
    $credentialMyDomainadministrator.password >> C:\Test.txt

     

    right after

    $domainCredential = New-Object System.Management.Automation.PSCredential $credentialMyDomainadministrator.username, $credentialMyDomainadministrator.password

     

    and... no file c:\test.txt is prepared and the machine is not being added to the domain.

    No error is displayed.

    Credentials are visible (and encrypted) in the registry.


    Thursday, September 8, 2011 11:10 AM
  • Hi, Looks like the credentials are not stored correctly in the registry. Can you please try re-encrypting the credentials and see if that resolves the issue. Please ensure that credentials are added by the Service Account. If you are still facing the issues, please send the VMMSSPService.log and Event log to sspfeedback@microsoft.com

    Thanks, Santosh

    Thursday, September 8, 2011 6:48 PM
  • Ehh, I've had enough of this. I've worked around the issue by changing the properties of the VM template. SCVMM adds a machine to the domain properly.

    BTW: I've re-encrypted the credentials into the registry several times, using various user accounts. So I don't consider that doing it another (5th, maybe 6th!) time might be helpful. Thanks for the advice, the issue is closed for me.

    There is also an option of preparing a script with a netdom command sequence, but I've not tested it. This is only my concept.

     

    Friday, September 9, 2011 5:31 AM
  • There are a couple of factors contributing to the failure I experienced:

    First, I made a mistake in the CreateVMTask script by including a carriage return within $domainCredential. Santosh helped fix this issue. Thanks!

    Second, my VM template was a VHD which was created outside SCVMM. It used an unattended.xml for sysprep. This somehow blocked the joindomain action.

    Third, use DHCP for the VM instead of the static IP. A DHCP network is needed for the VM to join the domain.

    Fourth, by default, only 10 computers are allowed to join the AD domain by an authenticated user in Windows 2008 R2. Use ADSIEdit.msc to remove the value from the "ms-DS-MachineAccountQuota" attribute. I experienced failure of VM not joining the domain while a couple of warnings (EventID 1706) occurred in the VMM event log (not the VMM SSP event log).

    I hope this information helps.

    Gong

    Tuesday, September 13, 2011 5:13 PM
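
The credential checks discussed in this thread can be folded into one guard that fails with a specific message before New-VM reports a null -JoinDomainCredential. This is an added example, not code from the thread or from the portal; the function name Get-ValidatedDomainCredential, its parameters, and the sample object are hypothetical and constructed for illustration.

```powershell
# Added example: hypothetical guard for a task script that reads a stored credential.
function Get-ValidatedDomainCredential {
    param(
        $StoredCredential,                  # e.g. $credentialContosoAdministrator
        [string]$LogPath = 'C:\Test.txt'    # same file the thread's test writes to
    )

    $stamp = Get-Date -Format 's'

    # Case 1: the variable itself is missing, so nothing was decrypted for this script.
    if ($StoredCredential -eq $null) {
        "$stamp stored credential variable is null" | Out-File -FilePath $LogPath -Append
        throw 'Stored credential is null; check how and by which account it was encrypted.'
    }

    $user = $StoredCredential.username
    $pass = $StoredCredential.password

    # Case 2: the object exists but does not hold a user name and a SecureString.
    if ([string]::IsNullOrEmpty($user) -or ($pass -isnot [System.Security.SecureString])) {
        $passType = if ($pass -eq $null) { 'null' } else { $pass.GetType().FullName }
        "$stamp bad credential: user='$user' passwordType=$passType" |
            Out-File -FilePath $LogPath -Append
        throw "Stored credential is incomplete (user='$user', password type=$passType)."
    }

    # Log the user name and the password's type only, never the secret itself.
    "$stamp user=$user passwordType=$($pass.GetType().FullName)" |
        Out-File -FilePath $LogPath -Append

    # Keep the constructor call in one statement: a stray line break inside it
    # can leave the result variable unset.
    New-Object System.Management.Automation.PSCredential -ArgumentList $user, $pass
}

# Constructed sample standing in for the variable the task script reads.
$sample = New-Object PSObject -Property @{
    username = 'contoso\Administrator'
    password = (ConvertTo-SecureString 'Constructed-Sample-1' -AsPlainText -Force)
}
$log = Join-Path $env:TEMP 'Test.txt'
$domainCredential = Get-ValidatedDomainCredential -StoredCredential $sample -LogPath $log
$domainCredential.UserName
```

In a real task script the call would take the stored credential variable in place of $sample, and the returned object is what -JoinDomainCredential receives.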