These scripts can be used to join Lab Services VMs to an Active Directory Domain. VMs can be joined to:

• On-premises AD Domains
• Hybrid AD Domains: An on-prem AD which is connected to an Azure Active Directory through Azure AD Connect. AD Domain Services is installed on a on-prem server. Applies also to federated domains.
• Azure AD DS Domains: For full-cloud AD (Azure AD + Azure AD DS) or Hybrid AD with secondary Domain Services on Azure.

1. 2 options:
   • Wire up your on-prem Domain Controller network to an Azure VNet, either with a site-to-site VPN gateway or ExpressRoute.
   • Create a secondary managed domain on top of your on-prem one with Azure AD DS (PaaS).
2. Peer the Lab Account with the connected VNet.
3. Create a new Lab (Labs created prior to the VNet peering are not supported). Enable the option Use same password for all virtual machines.
4. On the Template VM:
   • Install the Azure PowerShell Module
   • Connect to your Azure Account: Connect-AzAccount
   • Set the default subscription to the one of the Lab Account: Select-AzSubscription -SubscriptionID <SUB_ID>

From the Template VM:

$DomainServiceAddress = '<PRIMARY_DS_IP>','<SECONDARY_DS_IP>'
$Domain = "contosounilab.com"
$LocalUser = "localuser"
$DomainUser = "[email protected]"
$LocalPassword = "<LOCAL_PASSWORD>"
$DomainPassword = "<DOMAIN_PASSWORD>"

. ".\Join-AzLabADTemplate.ps1" `
    -DomainServiceAddress $DomainServiceAddress `
    -Domain $Domain `
    -LocalUser $LocalUser `
    -DomainUser $DomainUser `
    -LocalPassword $LocalPassword `
    -DomainPassword $DomainPassword `
    -EnrollMDM

1 or more IP addresses of the Servers where AD DS is installed.

For on-prem AD DS Servers:

For Azure AD DS (PaaS):

Name of the AD domain (e.g. contoso.com).

Local Account name for the Template VM (the one specified at Lab creation).

Domain Account name (e.g. CONTOSO\frbona or [email protected]). The account must have permissions to add computers to the AD domain.

Local Account password for the Template VM (the one specified at Lab creation).

Domain account password.

(Optional) Whether to enroll the VMs to Intune (for Hybrid AD only).

Main script to be run from the Template VM. It gets details on the currently running Template VM and Lab. It then schedules the scripts chain starting with Join-AzLabADStudent_RenameVm.ps1 and publishes the Lab.

Note: Only the Student VMs are domain-joined. Template VM is used to run the Join-AzLabADTemplate.ps1 script and trigger the next chain of scripts in the Student VMs.

Gets the details on the currently running Student VM and renames the computer with a unique name. It then schedules the startup script Join-AzLabADStudent_JoinVm.ps1 to run at next boot.

Updates the DNS settings based on the Domain Services address/es and performs the actual join of the computer to the domain. It then schedules the startup script Join-AzLabADStudent_AddStudent.ps1 to run at next boot.

Checks whether the VM has been claimed by a student and eventually adds the student to the local RDP group.

Checks the device is Azure AD joined. If so, it enrolls the VM to Intune using the user AAD credentials.

Note: Applies only to Hybrid AD joined devices. Student must be assigned a valid Intune license. Other requirements for Intune can be found here.

Optional script to be run from the Template VM. It spins up all the VMs leaving enough time for the domain join scripts to be executed before shutting down the VMs.

Utility functions and extensions to the Az.LabServices module.

• The script currently supports only Windows 10.
• The domain join happens at the first boot of the Student VM. Approximately 2-3 minutes are required for the scripts to execute.
• Both unclaimed and claimed VMs are joined to the AD domain. For claimed VMs, students can use their university credentials. They can still use the local account credentials if professors provide those credentials.
• At Lab creation, enabling the option Use same password for all virtual machines is preferable. This way, students are not prompted to pick a new password and can use straightaway their university credentials.