Azure Storage Account domain join issues


I'm trying to join an Az Storage Account to Domain. The parameters are giving me a problem.

VERBOSE: Setting AD properties on **********001stg in ************-*-***-001-rg :
            EnableActiveDirectoryDomainServicesForFile=True, ActiveDirectoryDomainName=******.org,
            ActiveDirectoryNetBiosDomainName=******.org, ActiveDirectoryForestName=******.org
            ActiveDirectoryDomainGuid=************************************, ActiveDirectoryDomainSid=,
            ActiveDirectoryAzureStorageSid=,
            ActiveDirectorySamAccountName=testfileshbrjqu,
            ActiveDirectoryAccountType=Computer
Set-AzStorageAccount: Cannot validate argument on parameter 'ActiveDirectoryDomainSid'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
VERBOSE: Set-StorageAccountDomainProperties: Complete
VERBOSE: Perform operation 'Enumerate CimInstances' with following parameters, ''namespaceName' = root\cimv2,'className' = win32_computersystem'.
VERBOSE: Operation 'Enumerate CimInstances' complete.
VERBOSE: Session is running in a domain-joined environment.
VERBOSE: Get storage account object for StorageAccountName=*********share001stg.

What parameter needs to be passed here in order for this to run? https://github.com/Azure-Samples/azure-files-samples/releases

Expecting it to work normally as defined in article https://github.com/Azure-Samples/azure-files-samples/releases

There are 1 best solutions below

Venkatesan On

Set-AzStorageAccount: Cannot validate argument on parameter 'ActiveDirectoryDomainSid'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
VERBOSE: Set-StorageAccountDomainProperties: Complete
VERBOSE: Perform operation 'Enumerate CimInstances' with following parameters, ''namespaceName' = root\cimv2,'className' = win32_computersystem'.

According to your error message, the issue is being caused by the 'ActiveDirectoryDomainSid' argument being empty or null.

You can follow this Ms-Docs to join domain with a storage account.

You can get the ActiveDirectoryDomainSid by using the following command.

Command:

  Get-ADDomain -Identity user.com 

Once you run the above command you can get the ActiveDirectoryDomainSid value.


Now you can configure it using the command below.

Set-AzStorageAccount `
        -ResourceGroupName "<your-resource-group-name-here>" `
        -Name "<your-storage-account-name-here>" `
        -EnableActiveDirectoryDomainServicesForFile $true `
        -ActiveDirectoryDomainName "<your-domain-dns-root-here>" `
        -ActiveDirectoryNetBiosDomainName "<your-domain-dns-root-here>" `
        -ActiveDirectoryForestName "<your-forest-name-here>" `
        -ActiveDirectoryDomainGuid "<your-guid-here>" `
        -ActiveDirectoryDomainSid "<your-domain-sid-here>" `
        -ActiveDirectoryAzureStorageSid "<your-storage-account-sid>" `
        -ActiveDirectorySamAccountName "<your-domain-object-sam-account-name>" `
        -ActiveDirectoryAccountType "<your-domain-object-account-type, the value could be 'Computer' or 'User', for AES256 must be 'Computer'>"


Now, you can check whether Active Directory is enabled on your storage account by using the following command.

$storageAccount = Get-AzStorageAccount `
        -ResourceGroupName "<your-resource-group-name-here>" `
        -Name "<your-storage-account-name-here>"

# List the directory service of the selected service account
$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

# List the directory domain information if the storage account has enabled AD DS authentication for file shares
$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

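
The empty `ActiveDirectoryDomainSid` and `ActiveDirectoryAzureStorageSid` values seen in the question can be caught before the Azure call. The script below is an added example, not code from the answer above or from the linked samples: it reads the values with `Get-ADDomain` and `Get-ADComputer` and stops if any of them is empty. It assumes the storage account is represented by a computer object in AD, the ActiveDirectory (RSAT) module is installed, and the session is already signed in to Azure; the variable names and placeholder values are illustrative.

```powershell
# Added example: placeholders below are constructed, replace them with your own values.
$ResourceGroupName  = "<your-resource-group-name-here>"
$StorageAccountName = "<your-storage-account-name-here>"
$SamAccountName     = "<your-domain-object-sam-account-name>"

Import-Module ActiveDirectory    # provides Get-ADDomain and Get-ADComputer

# Read the domain values from AD instead of typing them by hand.
$domain   = Get-ADDomain                              # domain of the current session
$adObject = Get-ADComputer -Identity $SamAccountName  # AD object for the storage account (assumed Computer type)

# [string] casts turn a missing property into "" so the check below can report it.
$adProps = @{
    ActiveDirectoryDomainName        = [string]$domain.DNSRoot
    # The command on this page passes the DNS root for the NetBIOS parameter as well.
    ActiveDirectoryNetBiosDomainName = [string]$domain.DNSRoot
    ActiveDirectoryForestName        = [string]$domain.Forest
    ActiveDirectoryDomainGuid        = [string]$domain.ObjectGUID
    ActiveDirectoryDomainSid         = [string]$domain.DomainSID
    ActiveDirectoryAzureStorageSid   = [string]$adObject.SID
    ActiveDirectorySamAccountName    = $SamAccountName
    ActiveDirectoryAccountType       = "Computer"
}

# Refuse to call Azure if any value is empty; this is the condition
# that produced "The argument is null or empty" in the question.
$missing = @(
    $adProps.GetEnumerator() |
        Where-Object { [string]::IsNullOrWhiteSpace($_.Value) } |
        ForEach-Object { $_.Key }
)
if ($missing.Count -gt 0) {
    throw "Empty AD properties, not calling Set-AzStorageAccount: $($missing -join ', ')"
}

# Splat the validated values onto the same parameters used in the answer.
Set-AzStorageAccount `
        -ResourceGroupName $ResourceGroupName `
        -Name $StorageAccountName `
        -EnableActiveDirectoryDomainServicesForFile $true `
        @adProps
```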