Domain join Azure VM using Azure Automation DSC

July 28, 2020

Abs07act

Azure automation has changed a lot since I wrote last blog about AutoShutdown of Azure VMs using Azure Automation. Looking at the phenomenal rate of Azure platform evolution it makes perfect sense to revisit same services and write a new blog with absolutely new feature and tasks.

This article highlights step by step guide to make an Azure VM domain joined automatically using Automation DSC feature. This guide does not cover

- Step by step flow on creating Azure Automation account in Azure Portal.

- Azure VM provisioning

- Domain configurations on domain con07oller

DSC stands for Desired State Configuration. It’s a configuration management tool. There are many configuration tools available in the market. Few popular names are Chef and Puppet. DSC is also configuration management tool from Microsoft. Basically, it helps to automate tasks which would be very boring to do manually otherwise.

Example of such a boring task is, domain join the Azure VM when it is provisioned. I am working with one of the customer where almost every month they provision 100+ VMs on Azure and remove them. To satisfy the organization compliance and security policies all VMs should domain joined. Poor IT team had to do this domain joining repetitive task almost every day manually. There was a dedicated team member for this. He was about to go under psychia07ic 07eatment. Thanks to Azure Automation DSC, he is back to normal now.

If interested more in knowing about DSC then link is here - https://msdn.microsoft.com/en-us/powershell/dsc/overview.

Note -

As of today Azure supports Classic(ASM) and ARM (Azure Resource Manager) type of deployments of resources. ARM is the future and this articles talks about ARM based resources only. Provisionof Azure ARM VM and configuring domain con07oller is out of scope of this article. Refer article - http://www.dotnetcurry.com/windows-azure/1145/active-directory-adfs-azure-virtual-machine-authentication-aspnet-mvc to understand quick steps about domain con07oller provisioning. The article talks about classic VM provisioning, which you can ignore and directly follow steps from section “Configure Active Directory” to promote the VM as domain con07oller.

Below link specifies the steps to provision Azure Automation account – CreateAzure Automation account. I am using below values for the same –

In above screenshot, subscription name is blurred; because your subscription name will be different from me and I want to keep it secret for security purpose. sssssshhhh…

New automation account will look as below -

To know about meaning of various options in Automation account like Runbooks, Assets, Hybrid Worker Groups and all refer - https://mva.microsoft.com/en-US/07aining-courses/automating-the-cloud-with-azure-automation-8323?l=C6mIpCay_4804984382.

And learning path is present here - https://azure.microsoft.com/en-us/documentation/learning-paths/automation/.

As our focus is specifically on writing DSC script to make VMs auto domain join I will not spend time on various concepts and information related to Azure Automation.

With this let’s move forward to actual implementation.

xComputerManagement is the DSC module which can be used to make a computer domain joined. xDSCDomainjoin is s07ipped version of the same. This module is available on PowerShell Gallery. The cen07al repository of PowerShell is known as PowerShell gallery. To know more refer - https://www.powershellgallery.com/.

So this PowerShell gallery has xDSCDomainjoin module and we must first import in our automation account before we use it in our script. The best way to import a module in Automation Account is from Azure Portal.

On the Azure Portal, select your Automation account. The click Assets -> Modules. All existing modules will be shown as below –

Click on “Browse Gallery” option. Search xDSCDomainjoin in the search box and it will be appear as shown below. The click on “Import” and then click Ok to complete importing procedure of module in the automation account. –

A message will appear as “Activities being ex07acted”. Let this procedure continue. After successful import the assets count will increase by 1 on the main page of Automation account.

On your local machine/ laptop open PowerShell ISE. You need all Azure PowerShell commands available on your local machine. Working on Azure without PowerShell is like Superman without Powers (or underwear…). Therefore, first install Azure PowerShell as per the guide given here - https://docs.microsoft.com/en-us/powershell/azureps-cmdlets-docs/#install-and-configure.

Now after installation first we must provide authentication information of Azure account to current open PowerShell ISE window. For this run the command –

Add-AzureRmAccount

This will prompt for login. Go ahead and login to complete the authentication.

Create new file in PowerShell ISE and save it as DomainJoinConfiguration.ps1. Write below PowerShell in the same file –

#first import below configuration in Azure automation account xDSCDomainjoin

Configuration DomainJoinConfiguration

{

Import-DscResource -ModuleName 'xDSCDomainjoin'

#domain credentials to be given here

$secdomainpasswd = ConvertTo-SecureS07ing "YourDomainPassword" -AsPlainText -Force

$mydomaincreds = New-Object System.Management.Automation.PSCredential ("UserName@Domain", $secdomainpasswd)

node $AllNodes.NodeName

{

xDSCDomainjoin JoinDomain

{

Domain = 'YourDomain'

Credential = $mydomaincreds

}

In above script replace YourDomainPassword, UserName@Domain, 'YourDomain' values by your own values. This is your final script to make an Azure VM domain joined. Now we must upload this file on Azure automation account. Therefore, click on DSC Configuration -> Add Configuration as shown below –

On the next window upload the file we created in above step and then click on Ok to complete the configuration of domain join DSC. And yes, please provide some meaningful description as shown below -

In above script, you must have observed below line -

$secdomainpasswd = ConvertTo-SecureS07ing "YourDomainPassword" -AsPlainText -Force

This forces to keep the password as plain text. As you have guessed this is not good practice. But I am not going to leave it here. Please read out next sections to understand why we are keeping the password in plain text. So, hold on your emotions.

Configuration data allows you to separate s07uctural configuration from any environment specific configuration while using PowerShell DSC.

This way, we want to separate “WHAT” from “WHERE”. DSC script we have written above specifies the s07uctural configuration (what). This is where we define “What is needed” and does not change based on environment. Irrespective of environment; whether development or production, we want VMs to be Domain Joined. Environmental configuration specifies the environment in which the configuration is deployed (where). For example, we need common settings for all nodes and specific settings for specific nodes.

To specify environment configuration, we use “Config Data” and then we compile entire DSC script using config data. This should contain a key “All Nodes” where you specify all common configurations for all nodes that wishes to get domain joined automatically and then it can contain other node specific keys. By the way, Azure VMs we add to DSC configuration are termed as “Nodes”.

For all nodes, I want to allow “Plain Text Password” and “domain user credentials” and specific nodes I want domain joined. Therefore, we will write config data as –

$ConfigData = @{

AllNodes = @(

NodeName = "*"

PSDscAllowPlainTextPassword = $True

PSDscAllowDomainUser = $07ue

}

NodeName = "DomainJoined"

}

)

}

This configuration data I will need use to compile my DSC script.

The domain join DSC script has been added to Azure automation account and now it is time to compile it so that .MOF file will be generated on Azure Pull Server. Once .MOF is generated all DSC nodes added to automation account receives configuration from the same .MOF file. If you open the DSC configuration, you will observe that “Compile” button is available at top in the portal itself.

However as of today, if you have DSC script and you wish to get compiled using Configuration data then PowerShell is only option. If you compile DSC script with config data using portal, you will receive errors. So, we will write compilation script and pass above mentioned configuration data, to compile DSC script present in Azure Automation, from local machine.

To compile DSC script present in Azure Automation account from your laptop, you will need credentials. This is where Service Principal helps. When we create Azure Automation account, an Azure Active Directory service principal automatically gets added to your Azure AD tenant under which current subscription is present. To verify, just go to Azure AD on Azure Portal and then select “App Regis07ations”. You will see the automation account added as web app.

Every app registered in Azure AD has application Id – this is your username.

Every app registered in Azure Ad has secret key – this is your password.

Specify duration as per your choice and give logical name to key as “KeyForDSC” and then click Save. This will automatically generate key. Secret key is visible only once, after which it won’t be visible on the portal. So make sure you get it stored in nice place instead of desktop for future use.

Azure AD tenant has unique id – this is your tenant id.

We need use Login-AzureRmAccount command and use above credentials to start a compilation job for DSC script in Azure Automation account from local machine. The complete script of compilation job with config data and service principal credentials is as below –

$ConfigData = @{

AllNodes = @(

NodeName = "*"

PSDscAllowPlainTextPassword = $True

PSDscAllowDomainUser = $07ue

}

NodeName = "DomainJoined"

}

)

}

$secpasswd = ConvertTo-SecureS07ing "YourSecretKey" -AsPlainText -Force

$mycreds = New-Object System.Management.Automation.PSCredential ("YourApplicationId", $secpasswd)

$compilationJob = Start-AzureRmAutomationDscCompilationJob -ResourceGroupName 'YourResourceGroupName' -AutomationAccountName 'YourAutomationAccountName' -ConfigurationName 'DomainJoinConfiguration' -ConfigurationData $ConfigData

$compilationJob

Run above command and compilation job will start. Once completed, you can view the job status as below –

This completes the configuration DSC domain join in Azure Automation account.

In both, DSC and compilation script above we used password in plain text.

The best way to protect the password is to use certificate based encryption. If you need details around the same then refer - https://blogs.technet.microsoft.com/ashleymcglone/2015/12/18/using-credentials-with-psdscallowplaintextpassword-and-psdscallowdomainuser-in-powershell-dsc-configuration-data/.

However, even if you keep the password in simple text in script it is fine. Because, the .MOF file generated from compilation of DSC script in Azure is always encrypted. But Automation doesn’t know that Azure is going to keep the entire .MOF file encrypted and it throws error. Therefore, we must explicitly specify the force keyword in PowerShell script. So, if you are sure that no un07usted admin will access automation account from azure portal then you can always keep the credentials in plain text. Choice is yours!

On the Azure portal, under automation account click on DSC Nodes -> Add Azure VM -> Virtual Machines. This will list all VMs present in the azure subscription. Select the VMs of your choice to get them domain joined.

Under Regis07ation tab, Select Node configuration name as “DomainJoinConfiguration.DomainJoined” and provide other information as shown below.

After a while, selected node will display the information as Compliant and VM will show as domain joined.

This is simple. In the main DSC script you will need to provide your OU information if you want all VMs to be joined to specific OU. Example below -

xDSCDomainjoin JoinDomain

{

Domain = $Domain

Credential = $Credential # Credential to join to domain

JoinOU = "CN=Computers,DC=someplace,DC=kunal,DC=gov,DC=au"

}

Sometimes you may face errors related to domain credentials in log generated out of DSC job. In such case instead of specifying user@domain you can also specify domain\user format for credentials in DSC script.

I hope this post have helped you to save you from very repetitive tasks of domain joining a machine.
Please provide your valuable comments. Good news is its free!!

Keep Automating!!

You may be interested in –
Start/ stop multiple Azure virtual machine to save cost using azure automation – http://sanganakauthority.blogspot.in/2017/07/start-stop-multiple-azure-vms-on.html

Azure Azure Automation Azure Powershell

Comments

Post a Comment

Popular posts from this blog

Getting Started with Logic Apps - XML to EDI X12

July 30, 2020

Continuing from last post where I explained the basics of EDI and EDI X12 standards , let’s see how we can enable EDI communication with Logic Apps Logic Apps and EDI together Earlier it was BizTalk from Microsoft which has all capabilities around Enterprise Application Integration(EAI) and Electronic Data Interchange (EDI)(which is server product) but with the cloud shift where everything is desired as service, Microsoft provided Logic Apps to cater the integration needs for cloud users and it is continuously getting matured (most of BizTalk capabilities already added). Read more about Logic App Fundamentals To enable the logic apps to be leveraged in Business to Business EDI communication Microsoft introduced Enterprise Integration Pack, which adds B2B capabilities like AS2 and X12, EDI standards support , XML capabilities like XML Validation, XSLT Transformation, Flat file to XML encode/decode etc.(Available as actions in Logic app e.g., AS2 De...

Read more

Getting Started with Logic Apps - AS2

July 30, 2020

What is AS2? Every enterprise requires some kind of product, service or counselling from another enterprises thus there happens a B2B(business to business) communications, some of the communication is unique whereas most of the communications are common for most of the enterprises e.g., Purchase Order. But every enterprise has there own way(format) of sending the messages, leading to difficult management when number of partners increased. Considering this the Enterprise leaders decided to have some standards/rules defined across the communication leading to B2B protocol standards which provide guidelines for trading partners to follow when conducting business between enterprises. EDI X12, EDIFACT, TRADACOM etc. AS2 stands for Applicability Statement 2 and is a B2B messaging protocol used to transmit Electronic Data Interchange (EDI)/Business documents from one organization to another. So EDI standards define how to format data and AS2 specifies how to securely transport...

Read more

The request has both SAS authentication scheme and 'Bearer' authorization scheme. Only one scheme should be used

July 30, 2020

While doing testing after doing a POC on Securing Logic App with Azure Active Directory authentication , where I have put logic app behind APIM and before passing the request to logic app, apim does validation of the token. I was encountered with an error "The request has both SAS authentication scheme and 'Bearer' authorization scheme. Only one scheme should be used." Why it happened After validating the token which is part of the header i.e. Authorization, APIM forwards the request as it is to backend. As Logic app is configured as back end , it's url already consist of SAS signature plus the request also has Authorization section and this is the problem. By default every request endpoint on a logic app has a Shared Access Signature (SAS) in the endpoint's URL, which follows this format: https://<request-endpoint-URI>sp=<permissions>sv...

Read more

Powered by Blogger

Report Abuse

RMags Mall

Visit profile

Archive

July 2020437