Overview
I'm migrating from traditional VMs to Azure Virtual Machine Scale Sets (VMSS) using VM Applications for application deployment. The VMSS instances require domain-joining for enterprise compliance and DNS resolution, but I'm encountering a fundamental conflict between the domain join reboot and VM Applications execution flow.
The Problem Sequence
-  VM Applications install script starts execution
-  Script attempts domain join (Add-Computer -DomainName "domain.local")
-  Domain join triggers automatic reboot
-  VM Applications installation fails due to interruption by the reboot
-  VMSS instances end up in failed state - neither domain-joined nor application installed
Why Traditional Extensions Don't Work
CustomScriptExtensions (CSE)
-  ❌ Create irrecoverable VMSS lock-out states when they fail
-  ❌ "Chicken and egg" problem: If CSE fails, any VMSS update attempts run the old broken CSE first
-  ❌ Requires complete resource recreation to recover
VM Applications
-  ✅ Much better reliability and atomic rollback capabilities
-  ❌ Currently can't handle reboots during installation
The Azure Solution (That We Can't Use)
Azure documentation shows a scriptBehaviorAfterReboot: "Rerun" property that should solve this exact problem by allowing VM Applications to resume after reboot.
The Issue: This feature is only available in:
-  ✅ ARM templates (API version 2024-03-03)
-  ❌ Azure CLI (not supported)
-  ❌ Terraform (not supported)
Since we use Infrastructure as Code with Terraform, we can't leverage this solution.
Questions
-  How do others handle domain joining in VM Applications that require reboots?
-  Are there workarounds for the scriptBehaviorAfterReboot limitation in standard tooling?
-  Should I separate domain join from application installation into different deployment phases?
-  Are there alternatives to traditional domain join that work better with VMSS + VM Applications?
Environment Details
-  OS: Windows Server 2022
-  Platform: Azure VMSS with VM Applications
-  Infrastructure: Terraform (Infrastructure as Code requirement)
-  Network: Enterprise domain environment
-  Compliance: Domain join mandatory
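The problem sequence above only survives a reboot if the install script can be run a second time and pick up where it left off. The following is an added example, not code from the original post or from Azure: a rerun-safe script shape that assumes the script is invoked again after the reboot (the behaviour the post attributes to scriptBehaviorAfterReboot: "Rerun"). The vault URI, secret names, installer path, installer switch and marker file are hypothetical.

```powershell
# Added example: rerun-safe install script for a VM Application.
# Hypothetical placeholders: vault URI, secret names, installer, switch, marker path.
$ErrorActionPreference = 'Stop'
$Domain    = 'domain.local'                               # domain name from the post
$VaultUri  = 'https://example-vault.vault.azure.net'      # hypothetical Key Vault
$Installer = Join-Path $PSScriptRoot 'app-setup.exe'      # hypothetical package payload
$Marker    = 'C:\ProgramData\ExampleApp\installed.marker' # hypothetical completion marker

function Get-VaultSecret([string]$Name) {
    # Assumption: the instance has a managed identity allowed to read these secrets,
    # so no join password is stored in the package or in Terraform state.
    $imds = 'http://169.254.169.254/metadata/identity/oauth2/token' +
            '?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
    $token = (Invoke-RestMethod -Uri $imds -Headers @{ Metadata = 'true' }).access_token
    $uri = "$VaultUri/secrets/$($Name)?api-version=7.4"
    (Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $token" }).value
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $Domain) {
    # Phase 1 (first run): join, then reboot. Nothing below this block may be
    # needed in this run, because the reboot ends it.
    $user = Get-VaultSecret 'domain-join-user'
    $pass = ConvertTo-SecureString (Get-VaultSecret 'domain-join-password') -AsPlainText -Force
    Add-Computer -DomainName $Domain -Credential ([pscredential]::new($user, $pass)) -Force
    Restart-Computer -Force
    exit 0  # assumption: how the platform treats this exit code is not covered by the post
}

if (Test-Path $Marker) { exit 0 }   # any later rerun: application already installed

# Phase 2 (run after the reboot): machine is joined, install the application.
$p = Start-Process -FilePath $Installer -ArgumentList '/quiet' -Wait -PassThru
if ($p.ExitCode -ne 0) { exit $p.ExitCode }   # surface installer failure to the caller
New-Item -ItemType Directory -Path (Split-Path $Marker) -Force | Out-Null
New-Item -ItemType File -Path $Marker -Force | Out-Null
exit 0
```

The join account read from the vault should be delegated only the rights needed to create computer objects in the target OU, since every scale set instance can retrieve it.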