Domain Join using PowerShell V2.0 Part I

In the age of IaaS (Infrastructure as a Service) and cloud computing, provisioning a new server with one click should not be a problem. When we are talking about cloning virtual machines (vmdk / vhd), that is certainly true. But what about the necessary post-steps after the VM and operating system are ready, for example joining the Windows server to a domain automatically? Many companies still do these steps by hand. Of course, if we work for a large company, we probably already have tools that save some time on these post-steps (e.g. if you have a vCenter Server, you can use the “deploy virtual machine from this template” function, which has some built-in tricks like domain join). But these tools usually just trigger some built-in Windows mechanism like sysprep.

What if we want our own, customized solution, which is probably better than the commercial ones? Then it is time to write our own post-script tool set and use those scripts to automate the work.

Let’s start with the automatic domain join.

In PowerShell V2 there is a new cmdlet called Add-Computer, which actually has more features than the GUI version of the domain join.

Add-Computer [-DomainName] <string> [-Credential <PSCredential>] [-OUPath <string>] [-PassThru] [-Server <string>] [-Unsecure] [-Confirm] [-WhatIf] [<CommonParameters>]

Let’s go through the interesting parameters:

[-PassThru]

You can use -PassThru to get some basic information about the result of the domain join. You can send this information to a central database or just write it to your log file.

[-Unsecure]

When you join a computer to a domain, the computer account is normally created with a unique password. With the -Unsecure option the computer account is joined with a common, well-known password, which is then changed after the domain join is complete.

[-OUPath <string>]

This parameter lets you define the specific Organizational Unit in which the server’s computer account should be created. You no longer need to pre-create the computer accounts, or move them to the appropriate OU after the server has joined the domain; you can do it in one step.

[-Credential <PSCredential>]

The Credential parameter specifies the account that has the rights to create computer accounts in the domain. By default the Add-Computer cmdlet authenticates as the current user. Good to know: you cannot put the account’s password here as plain text; the command opens a pop-up window where you have to enter the password for the account given after the -Credential parameter.

Luckily there is a way to specify the password and pass it as a parameter to the Add-Computer cmdlet, using SecureStrings in PowerShell (this follows from how PowerShell works: the Add-Computer cmdlet accepts a PSCredential .NET object as its input parameter). Below you can find an example of how to do it:

$user = "domainjoinadmin"   # Add-Computer expects the DOMAIN\user form here (see the comments on this post)
$pass = ConvertTo-SecureString "P@ssw0rd88736" -AsPlainText -Force   # plain text -> SecureString
$DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass   # wrap both in a PSCredential
Add-Computer -DomainName corp.local -Credential $DomainCred   # -DomainName is mandatory; corp.local is a placeholder

You have probably already noticed that in this case we store “P@ssw0rd88736” as plain text in the source code, which is pretty insecure. In the second part of this article we are going to give you some ideas on how to provide this information to your Windows server during provisioning.
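As an added example (not code from the original post), here is a reusable function that puts the pieces from this article together: a DOMAIN\user credential, -OUPath and -PassThru, and a log line for the result. It assumes the password was stored beforehand as a DPAPI-protected SecureString file (written with ConvertFrom-SecureString) so that nothing sits in plain text in the script; the function and parameter names, the log path and the domain/OU values are placeholders.

```powershell
function Join-ServerToDomain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $DomainName,
        [Parameter(Mandatory = $true)] [string] $JoinAccount,   # DOMAIN\user, e.g. CORP\domainjoinadmin
        [Parameter(Mandatory = $true)] [string] $PasswordFile,  # output of ConvertFrom-SecureString
        [string] $OUPath,                                       # e.g. OU=Servers,DC=corp,DC=local
        [string] $LogFile = 'C:\prov\domainjoin.log'            # placeholder path
    )

    # Assumption taken from the comments on this post: Add-Computer wants DOMAIN\user.
    # Refuse anything else early instead of failing with a confusing error later.
    if ($JoinAccount -notmatch '^[^\\]+\\[^\\]+$') {
        throw "JoinAccount must be in DOMAIN\user form, got '$JoinAccount'"
    }

    # The file was written with: Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content <file>
    # It is DPAPI-protected (readable only by the same user on the same machine), so no
    # plain-text password lives in the script. Without -AsPlainText, ConvertTo-SecureString
    # turns that encrypted standard string back into a SecureString.
    $pass = Get-Content -Path $PasswordFile | ConvertTo-SecureString
    $cred = New-Object System.Management.Automation.PSCredential ($JoinAccount, $pass)

    # Splat the parameters so -OUPath is only passed when one was given.
    $params = @{ DomainName = $DomainName; Credential = $cred; PassThru = $true }
    if ($OUPath) { $params['OUPath'] = $OUPath }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Join domain $DomainName")) {
        try {
            $result = Add-Computer @params -ErrorAction Stop
            # -PassThru returns a ComputerChangeInfo object (ComputerName, HasSucceeded)
            "$(Get-Date -Format s) JOIN $($result.ComputerName) -> $DomainName OU='$OUPath' succeeded=$($result.HasSucceeded)" |
                Add-Content -Path $LogFile
            return $result
        }
        catch {
            "$(Get-Date -Format s) JOIN $env:COMPUTERNAME -> $DomainName FAILED: $($_.Exception.Message)" |
                Add-Content -Path $LogFile
            throw
        }
    }
}

# Usage during provisioning (all values are placeholders); -WhatIf only shows what would happen:
Join-ServerToDomain -DomainName corp.local -JoinAccount 'CORP\domainjoinadmin' `
    -PasswordFile C:\prov\join.txt -OUPath 'OU=Servers,DC=corp,DC=local' -WhatIf
```

Drop -WhatIf for the real join; the function then reboots nothing by itself, so a Restart-Computer step still belongs in your provisioning sequence.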


8 thoughts on “Domain Join using PowerShell V2.0 Part I”

  1. I can’t seem to get this to work, I get the following error when it is executed. What am I doing wrong???

    Script is:-
    $DomAdminPwd = "MyStr0ngPassw0rd123"
    $user = "Administrator"
    $pass = ConvertTo-SecureString "$DomAdminPwd" -AsPlainText -Force
    $DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
    Add-Computer -DomainName testdomain.dom -Credential $DomainCred

    Error:-
    Add-Computer : This command cannot be executed on target computer(‘Server01’) due to following error: The format of the
    specified domain name is invalid.
    At C:\Script\AddtoDom.ps1:5 char:13
    + Add-Computer <<<< -domainname testdomain.dom -credential $DomainCred
    + CategoryInfo : InvalidOperation: (Server01:String) [Add-Computer], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.AddComputerCommand

  2. Hope this helps anyone with the same problem. I have figured out the issue: basically it is expecting the user name to be in the format domain\user. So the line
    $DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
    should be changed to
    $DomainCred = New-Object System.Management.Automation.PSCredential "$DomainName\$user", $pass

  3. What I did is Add-Computer -DomainName xxx.local -PassThru -OUPath "OU=WORKSTATION,DC=xxx,DC=local" without the password, while logged in as admin.

    1. @Justin: my recommendation is to use PowerShell version 3 for this task, it does not use remoting. Submit the machine names in the -ComputerName parameter.
      Example from the help:
      Add-Computer -ComputerName (Get-Content Servers.txt) -Domain Domain02 -Credential Domain02\Admin0

      I haven’t tried this, though…
