-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WaitforADDomain: Throws an error when credentials are missing #478
Comments
Thanks for reporting this issue! 🙂 So something changed in the refactor version that gave you this error, it was rebuilt from the ground up, so something might have been overlooked. 🤔 I'm having a little difficulty following your description of the problem without the full configuration, can you please provide the full configuration you are using? They could help to reproduce the issue, or see if we can add a new integration test. |
I sounds like you have two configurations, one for the DC and one for a client/server? Please provide both configurations. |
I will try to explain the configuration and then will add the configuration itself. Yes, I am doing one PS DSC config on Domain Controller, in the meantime there are 4 other windows servers booting with PS DSC. After the previous happens and the log of the client (waiting for the domain to become available) configuration reports:
The configuration fails with:
The client suddenly reboots, it renames itself, joins the domain and completes the DSC configuration, so it looks like even the configuration failed, there is still something configuration running. I didn't check Get-DscLocalConfigurationManager if it's still running or what happens before the reboot yet - will do that tomorrow. I will provide the full configurations now. |
DCconfig (removed some configuration about users and DNS as it was too long and not relevant):
|
1 client node configuration:
|
Thanks for providing the detailed description it made me understand better, will look further tomorrow, getting late here now.
Yes, the refactored version function detects the domain in a background job and check more often. So it will be a bit quicker. |
I tried to confirm that the issue is in the client trying to register with a user before that user is created in the Domain Controller by adding some
Definitely not an ideal workaround as adding Thank you very much for looking into this and for putting so much work into these DSC modules and resources! |
I'm curious what resource initiated the reboot, can you see that? Maybe in the event logs https://docs.microsoft.com/en-us/powershell/dsc/troubleshooting/troubleshooting |
If I just kick of the resource using credentials that does not exist. Invoke-DscResource -Name WaitForADDomain -Method Set -Property @{
DomainName = 'contoso.com'
WaitTimeout = 120
Credential = $mockCredential
} -ModuleName ActiveDirectoryDsc -Verbose Then the Get-TargetResource fails which is called by both Set-TargetResource and Test-TargetResource. Calling the method
|
How do we want this scenario handled? Suggestions much appreciated. This worked in the previous version because that resource ignored any error that was thrown, any error meant no domain controller was not found, and did not show why it couldn't find a domain controller. One solution would be do make the Another solution, or workaround depending how you see it, to this scenario would be to use the resource WaitForSome to wait for the resource to have been ran on the domain controller. Although, this needs permission on the domain controller which seems excessive. 😕 Still curious what resource on the client that initiated the reboot, might be yet another issue somewhere. |
Checking the logs it was definitely DSC who rebooted the server (System log):
DSC Logs (in order of time)
8/9/2019 7:15:18 AM:
approx. 8 minutes later this is in the log 8/9/2019 7:24:41 AM: 8/9/2019 7:24:45 AM:
8/9/2019 7:24:55 AM:
I tried to include only those relevant, there couple more log entries in the middle. |
You are welcome. 😃
An optional parameter in WaitForADDomain to ignore the error message is my best idea so far.
I am looking for any information say what resource actually triggered the restart. Is it possible to see what resource last run/started before/when the event log message WaitForADDomain should restart only if |
How would I find that? I am trying to do
|
I vote for a a new optional parameter to ignore the authentication error and keep waiting, but how about naming the parameter |
@Crusad, add a |
I found it in
|
I have LCM set like this - why did it reboot it during consistency check?
|
If a resource fails, the DSC LCM ends up in a |
@X-Guardian Thank you for commenting! @Crusad to verify this, in the logs you should not see WaitForADDomain fail, and then run Computer and reboot. You should see WaitForADDomain succeed and then see Computer do the restart. |
Yeah sorry, should have added the whole log: |
@Crusad Awesome! That looks good. Then the only issue is that the credential error should be handled. If nobody get to it before me I will try to fix it in a week or so. |
- An optional parameter `IgnoreAuthenticationErrors` can be set to $true to tell the resource to ignore authentication errors (issue dsccommunity#478).
I have added parameter If you want to try, copy the files in that folder to your local module, replacing the files there. Once merged it won't be released for sometime since we just made a release (at least 6 weeks away). Would be awesome if you can try it out a report back if your scenario flows better. |
Sorry for the delay - I will test it just have been a bit busy past couple days. I will let you know. |
Finally got my test environment working again and was able to test. I am getting this:
It wouldn't be impossible that I would have the variable I pass into DomainName empty, but earlier in the resource there is message Full log for the resource:
|
Looks like a bug. The domain name doesn’t seem to be passed to the background job correctly. Strange. I thought I tested successfully myself, apparently not :) Thank you so much for testing! Get back to you. |
@Crusad I found the bug, and I missed it becuase of a basic mistake. I did the manual integration tests before I wrote the unit tests. When I wrote the unit tests I changed the order of the parameters in the background job script, and never tested it again after that. Fixed the bug and I added unit tests that tests that the parameters are passed correctly. 😄 If you would be so kind to test it again. :) |
Looks like the new version is working! I tested today, at first test I got End of the logs (Let me know if you want to see the full output)
|
Awesome that it worked this time and that your scenario flowed better! No need to get the full log, it looked great in the log you provided. Thank you for testing. I got a proposal in the pull request to change the parameter name, please see if you agree with the name change proposal there. |
- An optional parameter `IgnoreAuthenticationErrors` can be set to $true to tell the resource to ignore authentication errors (issue dsccommunity#478).
- Changes to ActiveDirectoryDsc.Common - Updated common helper function `Find-DomainController` with the optional parameter `WaitForValidCredentials` which will ignore authentication exceptions when the credentials cannot be authenticated. - Changes to WaitForADDomain - An optional parameter `WaitForValidCredentials` can be set to $true to tell the resource to ignore authentication errors (issue #478).
Details of the scenario you tried and the problem that is occurring
Running setup of an environment with Domain Controller and couple Windows nodes that should join the domain after it exist. I use
WaitforADDomain
to wait for Domain controller to boot and thenComputer
fromComputerManagementDsc
renames the server and join the domain under the credentials I provided (the Administrator account is created in the Domain Controller during its boot.When the domain exists, it finds it but probably the user which is specified in $Credential in Computer resource doesn't exist yet and the log show "The user name or password is incorrect". I tried moving the ADUser creation right after the domain creation but still getting this error (in the previous version this worked as there seemed to be bigger delay before the node discovered the domain?).
What is very weird is after this error, DSC fails with
The SendConfigurationApply function did not succeed
but after 1-2 minutes the nodes actually reboots and joins the domain and the configuration is finished is successful (everything is installed/setup after the reboot).Verbose logs showing the problem
The machine EC2AMAZ-CNTCG1V successfully joined the domain yyyy-xxxx.local.
Test-DscConfiguration reports True
Suggested solution to the issue
N/A
The DSC configuration that is used to reproduce the issue (as detailed as possible)
The operating system the target node is running
Version and build of PowerShell the target node is running
PS 6 is installed
Version of the DSC module that was used ('dev' if using current dev branch)
new ActiveDirectoryDsc 4.0.0.0
The text was updated successfully, but these errors were encountered: