[Computer] Join AD domain succeeds but it throws error "The user name or password is incorrect" #413

Open
Yvand opened this issue Jun 15, 2023 · 3 comments
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.

Comments

Yvand commented Jun 15, 2023

Problem description

Scenario: VM is in a workgroup and wants to join an AD domain for the 1st time:
It successfully joins the AD domain, but DSC throws the following error:
Exception calling "FindOne" with "0" argument(s): "The user name or password is incorrect."

This is thrown by DirectorySearcher.FindOne() in function Get-ADSIComputer:

Verbose logs

VERBOSE: [2023-06-15 08:29:26Z] [VERBOSE] [SP]: LCM:  [ Start  Set      ]  [[Computer]JoinDomain]
VERBOSE: [2023-06-15 08:29:26Z] [VERBOSE] [SP]:                            [[Computer]JoinDomain] Setting computer state for 'SP'.
VERBOSE: [2023-06-15 08:29:26Z] [VERBOSE] [SP]:                            [[Computer]JoinDomain] Perform operation 'Enumerate CimInstances' with following parameters, ''namespaceName' = root\cimv2,'className' = Win32_ComputerSystem'.
VERBOSE: [2023-06-15 08:29:26Z] [VERBOSE] [SP]:                            [[Computer]JoinDomain] Operation 'Enumerate CimInstances' complete.
VERBOSE: [2023-06-15 08:29:29Z] [ERROR] Exception calling "FindOne" with "0" argument(s): "The user name or password is incorrect."
VERBOSE: [2023-06-15 08:29:30Z] [WARNING] [SP]:                            [[Computer]JoinDomain] The changes will take effect after you restart the computer SP.
VERBOSE: [2023-06-15 08:29:30Z] [VERBOSE] [SP]:                            [[Computer]JoinDomain] Added computer to domain 'contoso.local'.
VERBOSE: [2023-06-15 08:29:30Z] [VERBOSE] [SP]: LCM:  [ End    Set      ]  [[Computer]JoinDomain]  in 3.8950 seconds.

DSC configuration

configuration ConfigureSQLVM
{
    param
    (
        [Parameter(Mandatory)] [String]$DomainFQDN,
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential]$DomainAdminCreds
    )

    Import-DscResource -ModuleName ComputerManagementDsc -ModuleVersion 9.0.0

    [String] $DomainNetbiosName = (Get-NetBIOSName -DomainFQDN $DomainFQDN)
    [PSCredential] $DomainAdminCredsQualified = New-Object PSCredential ("${DomainNetbiosName}\$($DomainAdminCreds.UserName)", $DomainAdminCreds.Password)
    [String] $ComputerName = Get-Content env:computername

    Node localhost
    {
        Computer JoinDomain
        {
            Name       = $ComputerName
            DomainName = $DomainFQDN
            Credential = $DomainAdminCredsQualified
        }
    }
}

Suggested solution

I did not investigate the exact reason of the error message "The user name or password is incorrect.", but credentials are valid since VM joins the AD domain successfully.

A possible simple workaround would be to add a try catch:

try 
{
	return $searcher.FindOne()
}
catch
{
}

Operating system the target node is running

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version and build the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.20348.1366
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.1366
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

ComputerManagementDsc version

Name                  Version Path
----                  ------- ----
ComputerManagementDsc 9.0.0   C:\Program Files\WindowsPowerShell\Modules\ComputerManagementDsc\ComputerManagementDsc.psd1
@Yvand Yvand changed the title [Computer] Join AD domain succeeds but it throws an error. [Computer] Join AD domain succeeds but it throws error "The user name or password is incorrect" Jun 15, 2023
Member

johlju commented Jun 15, 2023

Can you verify that it throws the same error if you use the fully qualified domain name instead of the NetBIOS name, e.g. user@domain.com?

@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Jun 15, 2023
Author

Yvand commented Jun 16, 2023

@johlju I confirm it works fine if the username is in the format user@domain.com.


bdanse commented Sep 27, 2023

A safer solution might be to pick up the username with $Credential.GetNetworkCredential().UserName; this will only have the username, and not the domain part if this was supplied in the credential object.

https://github.com/dsccommunity/ComputerManagementDsc/blob/438d2c29a938f1c4e2b5a1e916bd6205fd950c13/source/DSCResources/DSC_Computer/DSC_Computer.psm1#L733C1-L742C37

```powershell
$params = @{
    TypeName     = 'System.DirectoryServices.DirectoryEntry'
    ArgumentList = @(
        $DomainName,
        $Credential.GetNetworkCredential().UserName,
        $Credential.GetNetworkCredential().password
    )
    ErrorAction  = 'Stop'
}
$searchRoot = New-Object @params
$searcher.SearchRoot = $searchRoot
```
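
To compare the two username strings discussed in this thread on an affected node, the following check is an added example and is not code from ComputerManagementDsc or from any commenter. It binds once with the username as supplied and once with the value from GetNetworkCredential(), and returns the error text instead of discarding it. The function name Test-DirectoryBindUserName, the `LDAP://` path form and the search filter are assumptions made for this example.

```powershell
# Added diagnostic (hypothetical helper, not part of ComputerManagementDsc).
function Test-DirectoryBindUserName
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)] [System.String] $DomainName,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential
    )

    $network = $Credential.GetNetworkCredential()

    # Candidate strings for the DirectoryEntry username argument.
    $candidates = [ordered]@{
        AsSupplied        = $Credential.UserName   # e.g. NETBIOS\user or user@domain
        NetworkCredential = $network.UserName      # value used in the snippet above
    }

    foreach ($form in $candidates.Keys)
    {
        # Assumption: the domain is addressed as LDAP://<FQDN>.
        $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
            "LDAP://$DomainName", $candidates[$form], $network.Password)
        $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = $entry
        $searcher.Filter = "(&(objectCategory=computer)(cn=$env:COMPUTERNAME))"

        try
        {
            $null = $searcher.FindOne()        # the call that throws in this issue
            $result = 'Bind succeeded'
        }
        catch
        {
            $result = $_.Exception.Message     # surfaced to the caller, not swallowed
        }
        finally
        {
            $searcher.Dispose()
            $entry.Dispose()
        }

        [PSCustomObject]@{ Form = $form; UserName = $candidates[$form]; Result = $result }
    }
}

# Usage with the domain name from this issue; prompts for the join credential.
Test-DirectoryBindUserName -DomainName 'contoso.local' -Credential (Get-Credential)
```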
