Chef ad-join cookbook


#1

Greetings Spuder (Author),

Can you please help me in solving the issue here? I tried many ways but could not figure out the method to join the domain if the account already exists.

Whenever we take a snapshot from AWS we need to unjoin the machine from the domain first, take the snapshot, and then rejoin the machine to the domain. I could perform the unjoin task with action :leave, but when I try to join the same machine to the domain it says the account already exists and Chef is unable to join the machine to the domain.

Below are the images from when I try to join the machine that already exists, i.e. running the recipe after unjoining it from the domain.

Please advise how to rejoin when the machine has already been registered and the unjoin has been performed.

Thanks
Prash


#2

Glad to hear you are using the cookbook. This is a use case we never anticipated. It still might be doable.

Depending on how quickly you are unjoining & joining, AD might not have time to fully purge the record.

See comment from Awinish here:

We actually don’t use the :leave action, that was contributed by another user. Instead we have an external powershell script that removes the record from active directory and then syncs replicas. You might be able to modify this script as part of your cookbook.

function Destroy-ActiveDirectory {
    param(
        [Parameter(mandatory=$true)][String]$VMName,
        [Parameter(mandatory=$true)][String]$ADServer,   # short host name of the DC to talk to, e.g. 'dc01'
        [Parameter(mandatory=$true)][Bool]$Replicate
    )
    # needs the RSAT ActiveDirectory module on the machine running this script
    Import-Module ActiveDirectory -ErrorAction Stop

    # find the computer object on the chosen DC and delete it on that same DC,
    # so the replication push below originates from the DC that holds the change
    Write-Host "Removing $VMName from Domain, if exists"
    $ADComputer = $null
    try{
        $ADComputer = Get-ADComputer -Server $ADServer -Identity $VMName
        if ($ADComputer){
            $ADComputer | Remove-ADObject -Server $ADServer -Recursive -Confirm:$false
        }
    }
    catch{
        Write-Warning "Failed to remove $VMName from Active Directory, manual cleanup may be required, or the server was not joined to the domain."
    }

    if ($ADComputer -and $Replicate) {
        $DomainControllers = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
        ForEach ($dc in $DomainControllers) {
            # replicate the change just made on $ADServer out to all servers in the domain
            if ($ADServer -eq $dc.Name.Split('.')[0]){
                ForEach ($part in $dc.Partitions) {
                    Write-Host "$($dc.Name) - Syncing replicas from all servers for partition '$part'"
                    $options = [System.DirectoryServices.ActiveDirectory.SyncFromAllServersOptions]'PushChangeOutward, CrossSite'
                    $dc.SyncReplicaFromAllServers($part, $options)
                }
            }
        }
    }
}

#3

The only problem with your code is that it assumes the ActiveDirectory module is present. Many of my Windows nodes do not have this module installed, especially at build time. Sure, I can install it as part of the cookbook, but I'm instead using ADSI to check and see if the object is in AD already, and if it is I delete it using ADSI again.
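The ADSI-only check-and-delete described in the post above, written out as an added example (this is not code from the cookbook or from anyone in this thread). It needs only .NET's System.DirectoryServices, which every Windows box has, so it runs at build time without RSAT. The function name `Remove-StaleComputerObject`, the DC name `dc01.corp.example` and the computer name `web01` are assumptions. It takes an explicit credential because a node that has already run `:leave` can no longer authenticate to the domain with its machine account, and it binds the search and the delete to one named DC, mirroring the `-Server` handling in the script above.

```powershell
# Added example, not part of the ad-join cookbook or this thread.
# Deletes a stale AD computer object using ADSI only (no ActiveDirectory module).
function Remove-StaleComputerObject {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$Server,   # assumed DC, e.g. 'dc01.corp.example'
        [System.Management.Automation.PSCredential]$Credential
    )

    # Only accept a plain NetBIOS host name, so the value cannot alter the LDAP
    # filter built below (LDAP filter injection).
    if ($ComputerName -notmatch '^[A-Za-z0-9-]{1,15}$') {
        throw "Invalid computer name '$ComputerName'"
    }

    # Bind to an LDAP path, with explicit credentials when supplied. After
    # ':leave' the node has no usable machine account, so pass a domain user.
    function Bind([string]$Path) {
        if ($Credential) {
            $password = $Credential.GetNetworkCredential().Password
            return New-Object System.DirectoryServices.DirectoryEntry($Path, $Credential.UserName, $password)
        }
        return New-Object System.DirectoryServices.DirectoryEntry($Path)
    }

    # Resolve the domain naming context from RootDSE on the chosen DC, so the
    # same DC serves the search and the delete.
    $rootDse       = Bind "LDAP://$Server/RootDSE"
    $namingContext = $rootDse.Properties['defaultNamingContext'].Value
    $searchRoot    = Bind "LDAP://$Server/$namingContext"

    # A computer's sAMAccountName is the host name with a trailing '$'.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()

    if (-not $result) {
        Write-Verbose "No computer object for '$ComputerName' on $Server; nothing to remove."
        return $false
    }

    $dn = $result.Properties['distinguishedname'][0]
    if ($PSCmdlet.ShouldProcess($dn, 'Delete computer object and any child objects')) {
        # GetDirectoryEntry() reuses the search root's credentials; DeleteTree
        # removes the object and its children, like Remove-ADObject -Recursive.
        $entry = $result.GetDirectoryEntry()
        $entry.DeleteTree()
        Write-Verbose "Deleted $dn"
    }
    return $true
}

# Example call (names are assumptions). Run with -WhatIf first to see what
# would be deleted without touching the directory:
# Remove-StaleComputerObject -ComputerName 'web01' -Server 'dc01.corp.example' `
#     -Credential (Get-Credential) -Verbose -WhatIf
```

Run it in the rejoin recipe before the join, with a least-privilege account that has only "Delete Computer objects" on the OU the cookbook joins into, not a domain admin. If the object sits on a different DC than the one the join talks to, you still need replication to catch up (or point both steps at the same `-Server`) before the rejoin stops reporting that the account exists.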