In the age of IaaS (Infrastructure as a Service) and cloud computing, provisioning a new server with one click should not be a problem, and when it comes to cloning virtual machines (vmdk / vhd) that is certainly true. But what about the post-steps that are necessary once the VM and its operating system are ready, for example joining the Windows server to a domain automatically? Many companies still do these steps by hand. Of course, if we work for a large one, we probably already have tools that save some time on these post-steps (e.g. with a vCenter Server you can use the “deploy virtual machine from this template” function, which has some built-in tricks like domain join). But these tools usually just trigger some built-in Windows mechanism like sysprep.
What if we want our own, customized solution, which is probably better than the commercial ones? Then it’s time to write our own set of post-scripts and use them to automate our work.
Let’s start with the automatic domain join.
In PowerShell V2 there is a new cmdlet called Add-Computer, which actually has more features than the GUI version of the domain join.
Add-Computer [-DomainName] <String> [-Credential <PSCredential>] [-OUPath <String>] [-PassThru] [-Server <String>] [-Unsecure] [-Confirm] [-WhatIf]
Let’s go through the interesting parameters:
You can use -PassThru to get some basic information about the result of the domain join. You can send this information to a central database or just write it to your log file.
When you join a computer to a domain, the computer account is normally created with a unique password. With the -Unsecure option the computer account gets a common password, which is changed once the domain join is complete.
The -OUPath parameter lets you define the specific Organizational Unit in which the server’s computer account is created. You no longer need to pre-create the computer accounts or move them to the appropriate OU after the server has joined the domain; you can do this in one step.
The -Credential parameter specifies the account that has the rights to create computer accounts in the domain; by default the Add-Computer cmdlet authenticates as the current user. Good to know: you cannot put the account’s password here as plain text. The command opens a pop-up window in which you must enter the password for the account given after the -Credential parameter.
Luckily there is a way to specify the password and pass it to the Add-Computer cmdlet as a parameter, using SecureStrings in PowerShell (this works because Add-Computer accepts a PSCredential .NET object as the value of -Credential). Below you can find an example of how to do it:
$user = "domainjoinadmin"
$pass = ConvertTo-SecureString "P@ssw0rd88736" -AsPlainText -Force
$DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
# -DomainName is mandatory; "DOMAIN.EXAMPLE" is a placeholder for your own domain
Add-Computer -DomainName "DOMAIN.EXAMPLE" -Credential $DomainCred
You have probably already noticed that in this case we store “P@ssw0rd88736” as plain text in the source code, which is pretty insecure. In the second part of this article we will give you some ideas on how to provide this information to your Windows server during provisioning.
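As an added example (not the article’s own code), here is the same PSCredential pattern wrapped into a reusable post-provisioning function: it skips servers that are already domain members, builds the credential from a DPAPI-protected password file instead of a literal in the script, and writes the -PassThru result to a log file. The domain, OU, account name and file paths are placeholders, and the password file is assumed to have been created once on the target machine by the account that will run the script.

```powershell
# Added example, not from the original article. Assumption: the password file was
# created on this machine, as the user that runs this script, with
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File C:\prov\dj.pwd
# ConvertFrom-SecureString protects the blob with DPAPI, so it is bound to this
# user and machine and is not a reusable plain-text secret in the source code.

function Join-ProvisionedServer {
    param(
        [Parameter(Mandatory=$true)][string]$DomainName,   # placeholder: "corp.example"
        [Parameter(Mandatory=$true)][string]$OUPath,       # placeholder: "OU=Servers,DC=corp,DC=example"
        [Parameter(Mandatory=$true)][string]$JoinAccount,  # placeholder: "CORP\domainjoinadmin"
        [Parameter(Mandatory=$true)][string]$PasswordFile, # DPAPI-protected file, see above
        [string]$LogFile = "C:\prov\domainjoin.log"
    )

    # Re-running the post-script on an already joined server must not fail the run.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Add-Content $LogFile "$(Get-Date -Format s) $($cs.Name) already in $($cs.Domain), skipping"
        return $false
    }

    # ConvertTo-SecureString without -AsPlainText reverses ConvertFrom-SecureString.
    $secure = Get-Content $PasswordFile | ConvertTo-SecureString
    $cred   = New-Object System.Management.Automation.PSCredential($JoinAccount, $secure)

    try {
        # -PassThru returns a ComputerChangeInfo object (ComputerName, HasSucceeded)
        $result = Add-Computer -DomainName $DomainName -Credential $cred `
                               -OUPath $OUPath -PassThru -ErrorAction Stop
        Add-Content $LogFile "$(Get-Date -Format s) join of $($result.ComputerName) to $DomainName HasSucceeded=$($result.HasSucceeded)"
        return [bool]$result.HasSucceeded
    }
    catch {
        # The failure reason (wrong OU DN, denied account, unreachable DC) goes to the log.
        Add-Content $LogFile "$(Get-Date -Format s) domain join failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage (placeholders):
# Join-ProvisionedServer -DomainName "corp.example" -OUPath "OU=Servers,DC=corp,DC=example" `
#     -JoinAccount "CORP\domainjoinadmin" -PasswordFile "C:\prov\dj.pwd"
```

The function returns $true only when Add-Computer reports success, so the provisioning pipeline can decide whether to reboot the server or raise an alert.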