+
+ | Name |
+ AzStackHci_Software_IsNotPartofDomain |
+
+
+ | Display name |
+ Domain Membership |
+
+
+ | Validator / test |
+ Test-IsNotPartofDomain (run with Invoke-AzStackHciSoftwareValidation) |
+
+
+ | Component |
+ Software (Environment Validator / Environment Checker) |
+
+
+ | Severity |
+ Critical: this validator blocks deployment until the machine is back in a workgroup. |
+
+
+ | Requirement |
+ Each machine must be in a workgroup (not joined to an Active Directory domain) before deployment. |
+
+
+ | Applicable Scenarios |
+ Deployment (pre-deployment validation). |
+
+
+ | Affected Versions |
+ Azure Local, version 23H2 and later. |
+
+
+
+## Overview
+
+This validator checks that each Azure Local machine is **not** joined to an Active
+Directory domain before deployment. Azure Local requires every machine to be in a
+workgroup at the start of deployment; the deployment process performs the domain join
+itself, as part of standing up the cluster. The check fails when a machine is already
+domain-joined. Azure Local also refers to these machines as **nodes** (including in the
+validator detail you match against below); the two terms mean the same thing here.
+
+It runs by querying `(Get-WmiObject Win32_ComputerSystem).PartOfDomain` on each
+machine. A machine that is part of a domain returns a **FAILURE**; a machine in a
+workgroup returns a **SUCCESS**.
+
+While this check is failing, deployment is blocked at the Software validation stage,
+and the machine cannot proceed to cluster deployment. This is a pre-deployment gate,
+so it does not affect a cluster that is already deployed; it stops a new machine from
+being deployed while it is still attached to a domain.
+
+## Before you start: who should do this, and is it safe?
+
+- **Who owns this.** This is a customer Windows / Active Directory task (the server or
+ identity admin, or the deployment partner). It is **not** a networking task and **not** a
+ hardware-vendor (OEM) issue, so do not route it to the network team or escalate it to your
+ server vendor.
+- **Confirm this is a pre-deployment machine, not a live cluster member.** This check runs
+ only before deployment, so the machine it flags should be a host you are preparing to
+ deploy. **Do not unjoin a machine that is already a deployed Azure Local cluster member.**
+ If you are not sure whether this machine is already part of a running cluster, stop and
+ confirm with the cluster owner first; unjoining and restarting a live node is disruptive
+ and is not what this check is for.
+- **You will restart the machine and must sign in locally afterward.** Removing the machine
+ from the domain requires a restart, after which you can sign in only with a local account.
+ Confirm a working local administrator sign-in **before** you unjoin (see step 2 below).
+ Otherwise the restart can lock you out of the machine.
+
+## Where this failure appears
+
+You can see this failure in two places, the Azure portal and the machine itself. Both
+show the same underlying result.
+
+### In the Azure portal
+
+This check runs during the deployment validation step. When you deploy Azure Local
+from the portal (or with a deployment template), the **Validation** phase runs the
+environment checks and lists any that fail:
+
+1. Open the Azure Local deployment for your cluster and go to its **Validation**
+ results (the deployment surfaces these before it proceeds to apply).
+2. In the list of checks, this one appears under its display name, **Domain
+ Membership**, with a **Critical** severity.
+3. Select the failing check to see the per-machine detail, which names the machine
+ that is still domain-joined.
+
+### On the machine
+
+Two on-box sources carry the result.
+
+**Run the single validator (fastest).** The Environment Checker module ships on every
+Azure Local machine, so you can run this one Software check directly and read the
+result in a few seconds. Use `-Include Test-IsNotPartofDomain` to run only this check,
+so you do not have to run the full Software validation suite:
+
+```powershell
+$r = Invoke-AzStackHciSoftwareValidation -Include Test-IsNotPartofDomain -PassThru
+$r | Select-Object Name, Status, Severity
+$r.AdditionalData.Detail
+```
+
+A machine that is still domain-joined returns `Status` of `FAILURE` and a detail line
+of the form (the machine name, `AzL-Node-01` here, is an example; your output shows the
+actual name):
+
+```
+'AzL-Node-01' is part of a domain. Please remove 'AzL-Node-01' from the domain.
+```
+
+**Event log (per machine).** The Environment Checker writes every check result to the
+**AzStackHciEnvironmentChecker** event log, located at
+`C:\Windows\System32\winevt\Logs\AzStackHciEnvironmentChecker.evtx`. Each result is the
+JSON body of an **Event ID 17205** entry. To read this check's most recent result on a
+machine:
+
+```powershell
+Get-WinEvent -LogName AzStackHciEnvironmentChecker -FilterXPath '*[System[(EventID=17205)]]' -MaxEvents 2000 |
+ Where-Object { $_.Message -match 'AzStackHci_Software_IsNotPartofDomain' } |
+ Select-Object -First 1 -ExpandProperty Message
+```
+
+In both sources the result for this check looks like this:
+
+```json
+{
+ "Name": "AzStackHci_Software_IsNotPartofDomain",
+ "DisplayName": "Domain Membership",
+ "Title": "Domain Membership",
+ "Severity": "Critical",
+ "Status": "FAILURE",
+ "Description": "Validates nodes are not pre-joined to an Active Directory domain by querying (Get-WmiObject Win32_ComputerSystem).PartOfDomain on each node. Nodes must not be domain-joined before Azure Local deployment.",
+ "TargetResourceType": "OperatingSystem",
+ "TargetResourceName": "AzL-Node-01",
+ "Remediation": "Nodes must not be domain-joined before deployment. Remove the node from the domain using 'Remove-Computer -UnjoinDomainCredential