DSC 扩展 - MSFT_xADDomainController Get-ADDomain PowerShell 失败
DSC Extension - MSFT_xADDomainController Failing on Get-ADDomain PowerShell
我在尝试将 VM (Windows Server 2019) 加入域并将其提升为 DC 时遇到问题。正在使用 DSC 扩展通过 ARM 模板停止部署。它是一个部署两个 VM 并将它们配置为 DC 的单一模板,因此它们都使用相同的凭据等。我已经尝试了来自 here.
的更新的 Active Directory DSC
我得到的错误是:
"DSC Configuration 'CreateADBDC' completed with error(s). Following are the first few: Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running. PowerShell DSC resource MSFT_xADDomainController failed to execute Set-TargetResource functionality with error message: Domain 'DOMAIN.CO.UK' could not be found. The SendConfigurationApply function did not succeed
奇怪的是,我可以通过 UI 登录到 VM 并加入域,它工作正常,同样我可以通过 UI 推广它,并且再次工作。 DNS设置正确,主DC可解析
据我所知,MSFT_xADDomainController.psm1:
中的 "Set-TargetResource" 函数正在执行此命令 运行
Get-ADDomain -Identity $DomainName -Credential $DomainAdministratorCredential
如果我 运行 我试图提升命令的 VM 上的这个命令失败,失败的输出是:
Get-ADDomain : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running
这看起来与 DSC 扩展的错误输出非常相似,这让我想知道实际问题是否与 PowerShell Active Directory 模块有关。
附加信息:
DSC 扩展代码段
"resources": [
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(variables('dc2name'), '/CreateADBDC')]",
"apiVersion": "2019-03-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines', variables('dc2name'))]",
"[resourceId('Microsoft.Compute/virtualMachines/extensions', variables('dc1name'), 'CreateADForest')]"
],
"properties": {
"publisher": "Microsoft.Powershell",
"type": "DSC",
"typeHandlerVersion": "2.77",
"autoUpgradeMinorVersion": true,
"settings": {
"WMFVersion": "latest",
"configuration": {
"url": "[concat(parameters('Artifacts Location'), '/dsc/CreateADBDC.zip')]",
"script": "CreateADBDC.ps1",
"function": "CreateADBDC"
},
"configurationArguments": {
"DomainName": "[parameters('Domain Name')]",
"DNSServer": "[variables('dc1ipaddress')]"
}
},
"protectedSettings": {
"configurationArguments": {
"adminCreds": {
"UserName": "[parameters('Administrator User')]",
"Password": "[parameters('Administrator Password')]"
},
"SafeModeAdminCreds" :{
"UserName": "[parameters('Administrator User')]",
"Password": "[parameters('SafeMode Password')]"
}
},
"configurationUrlSasToken": "[parameters('Artifacts Location SAS Token')]"
}
}
}
]
创建ADBDC。ps1
configuration CreateADBDC {
Param (
# Get deployment details
[Parameter(Mandatory)]
[String]$DNSServer,
[Parameter(Mandatory)]
[String]$DomainName,
# Credentials
[Parameter(Mandatory)]
[System.Management.Automation.PSCredential]$Admincreds,
[Parameter(Mandatory)]
[System.Management.Automation.PSCredential]$SafeModeAdminCreds,
[Int]$RetryCount = 500,
[Int]$RetryIntervalSec = 3
)
Import-DscResource -ModuleName PSDesiredStateConfiguration, xStorage, xNetworking, xActiveDirectory, xPendingReboot
$Interface = Get-NetAdapter | Where-Object { $_.Name -Like "Ethernet*" } | Select-Object -First 1
[System.Management.Automation.PSCredential]$DomainCreds = New-Object System.Management.Automation.PSCredential ("${DomainName}$($Admincreds.UserName)", $Admincreds.Password)
$features = @("AD-Domain-Services", "RSAT-ADDS-Tools", "RSAT-AD-AdminCenter")
Node localhost {
LocalConfigurationManager {
ActionAfterReboot = 'ContinueConfiguration'
ConfigurationMode = 'ApplyOnly'
RebootNodeIfNeeded = $true
}
xWaitforDisk Disk2 {
DiskNumber = 2
RetryIntervalSec = $RetryIntervalSec
RetryCount = $RetryCount
}
xDisk ADDataDisk {
DiskNumber = 2
DriveLetter = "F"
DependsOn = "[xWaitForDisk]Disk2"
}
WindowsFeatureSet Prereqs {
Name = $features
Ensure = "Present"
IncludeAllSubFeature = $true
}
xDnsServerAddress DnsServerAddress {
Address = $DNSServer
InterfaceAlias = $Interface.Name
AddressFamily = "IPv4"
DependsOn = "[WindowsFeatureSet]Prereqs"
}
xWaitForADDomain DscForestWait {
DomainName = $DomainName
DomainUserCredential = $DomainCreds
RetryCount = $RetryCount
RetryIntervalSec = $RetryIntervalSec
DependsOn = "[WindowsFeatureSet]Prereqs"
}
xADDomainController BDC {
DomainName = $DomainName
DomainAdministratorCredential = $DomainCreds
SafemodeAdministratorPassword = $SafeModeAdminCreds
DatabasePath = "F:\NTDS"
LogPath = "F:\NTDS"
SysvolPath = "F:\SYSVOL"
DependsOn = "[xWaitForADDomain]DscForestWait"
}
xPendingReboot RebootAfterPromotion {
Name = "RebootAfterDCPromotion"
DependsOn = "[xADDomainController]BDC"
}
}
}
MSFT_xADDomainController.psm1 - LINK
DSC 日志文件输出
VERBOSE: [2019-03-17 22:23:12Z] [VERBOSE] [DC2]: LCM: [ Start Resource ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Test ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] Checking the DNS Server Address ...
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] DNS Servers are not correct. Expected 10.x.x.250, actual 10.x.x.250 10.x.x.249 8.8.8.8
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ End Test ] [[xDNSServerAddress]DnsServerAddress] in 0.7500 seconds.
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Set ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] Checking the DNS Server Address ...
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] DNS Servers are not correct. Expected 10.x.x.250, actual 10.x.x.250 10.x.x.249 8.8.8.8
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] DNS Servers have been set correctly.
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ End Set ] [[xDNSServerAddress]DnsServerAddress] in 0.0940 seconds.
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ End Resource ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Resource ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Test ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xWaitForADDomain]DscForestWait] Checking for domain DOMAIN.CO.UK ...
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: [[xWaitForADDomain]DscForestWait] Found domain DOMAIN.CO.UK
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ End Test ] [[xWaitForADDomain]DscForestWait] in 0.6790 seconds.
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ Skip Set ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ End Resource ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ Start Resource ] [[xADDomainController]BDC]
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ Start Test ] [[xADDomainController]BDC]
VERBOSE: [2019-03-17 22:23:15Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Resolving 'DOMAIN.CO.UK' ...
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Domain 'DOMAIN.CO.UK' is NOT present on the current node.
VERBOSE: [2019-03-17 22:23:57Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC.77.0.0\Status[=16=].status)
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: LCM: [ End Test ] [[xADDomainController]BDC] in 43.2480 seconds.
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: LCM: [ Start Set ] [[xADDomainController]BDC]
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Resolving 'DOMAIN.CO.UK' ...
VERBOSE: [2019-03-17 22:24:40Z] [ERROR] Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
VERBOSE: [2019-03-17 22:24:40Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Checking if domain 'DOMAIN.CO.UK' is present ...
VERBOSE: [2019-03-17 22:25:22Z] [VERBOSE] [DC2]: LCM: [ End Set ] [[xADDomainController]BDC] in 84.3140 seconds.
VERBOSE: [2019-03-17 22:25:22Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC.77.0.0\Status[=16=].status)
VERBOSE: [2019-03-17 22:25:22Z] [ERROR] PowerShell DSC resource MSFT_xADDomainController failed to execute
Set-TargetResource functionality with error message: Domain 'DOMAIN.CO.UK' could not be found.
查看模块代码 xWaitForADDomain 正在使用特殊函数 Get-Domain,而不是 Get-ADDomain cmdlet(在您的情况下显然会出错),因此您需要进行此调用 (Get-ADDomain)在你的虚拟机上工作。按照建议检查 Active Directory Web 服务? 运行 使用 -debug 开关获取 addomain
好吧,经过大量的摸索之后,我回到了基础并找到了罪魁祸首,似乎 MS 在他们的文档 (link) 中忽略了一个或两个端口来配置防火墙广告。是的,列表中缺少 ADWS(Active Directory Web 服务)端口。为 TCP9389 添加一条规则,突然之间,我所有的担心都烟消云散了。谢谢您的帮助。
我在尝试将 VM (Windows Server 2019) 加入域并将其提升为 DC 时遇到问题。正在使用 DSC 扩展通过 ARM 模板停止部署。它是一个部署两个 VM 并将它们配置为 DC 的单一模板,因此它们都使用相同的凭据等。我已经尝试了来自 here.
的更新的 Active Directory DSC我得到的错误是:
"DSC Configuration 'CreateADBDC' completed with error(s). Following are the first few: Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running. PowerShell DSC resource MSFT_xADDomainController failed to execute Set-TargetResource functionality with error message: Domain 'DOMAIN.CO.UK' could not be found. The SendConfigurationApply function did not succeed
奇怪的是,我可以通过 UI 登录到 VM 并加入域,它工作正常,同样我可以通过 UI 推广它,并且再次工作。 DNS设置正确,主DC可解析
据我所知,MSFT_xADDomainController.psm1:
中的 "Set-TargetResource" 函数正在执行此命令 运行Get-ADDomain -Identity $DomainName -Credential $DomainAdministratorCredential
如果我 运行 我试图提升命令的 VM 上的这个命令失败,失败的输出是:
Get-ADDomain : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running
这看起来与 DSC 扩展的错误输出非常相似,这让我想知道实际问题是否与 PowerShell Active Directory 模块有关。
附加信息:
DSC 扩展代码段
"resources": [
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(variables('dc2name'), '/CreateADBDC')]",
"apiVersion": "2019-03-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines', variables('dc2name'))]",
"[resourceId('Microsoft.Compute/virtualMachines/extensions', variables('dc1name'), 'CreateADForest')]"
],
"properties": {
"publisher": "Microsoft.Powershell",
"type": "DSC",
"typeHandlerVersion": "2.77",
"autoUpgradeMinorVersion": true,
"settings": {
"WMFVersion": "latest",
"configuration": {
"url": "[concat(parameters('Artifacts Location'), '/dsc/CreateADBDC.zip')]",
"script": "CreateADBDC.ps1",
"function": "CreateADBDC"
},
"configurationArguments": {
"DomainName": "[parameters('Domain Name')]",
"DNSServer": "[variables('dc1ipaddress')]"
}
},
"protectedSettings": {
"configurationArguments": {
"adminCreds": {
"UserName": "[parameters('Administrator User')]",
"Password": "[parameters('Administrator Password')]"
},
"SafeModeAdminCreds" :{
"UserName": "[parameters('Administrator User')]",
"Password": "[parameters('SafeMode Password')]"
}
},
"configurationUrlSasToken": "[parameters('Artifacts Location SAS Token')]"
}
}
}
]
创建ADBDC。ps1
configuration CreateADBDC {
Param (
# Get deployment details
[Parameter(Mandatory)]
[String]$DNSServer,
[Parameter(Mandatory)]
[String]$DomainName,
# Credentials
[Parameter(Mandatory)]
[System.Management.Automation.PSCredential]$Admincreds,
[Parameter(Mandatory)]
[System.Management.Automation.PSCredential]$SafeModeAdminCreds,
[Int]$RetryCount = 500,
[Int]$RetryIntervalSec = 3
)
Import-DscResource -ModuleName PSDesiredStateConfiguration, xStorage, xNetworking, xActiveDirectory, xPendingReboot
$Interface = Get-NetAdapter | Where-Object { $_.Name -Like "Ethernet*" } | Select-Object -First 1
[System.Management.Automation.PSCredential]$DomainCreds = New-Object System.Management.Automation.PSCredential ("${DomainName}$($Admincreds.UserName)", $Admincreds.Password)
$features = @("AD-Domain-Services", "RSAT-ADDS-Tools", "RSAT-AD-AdminCenter")
Node localhost {
LocalConfigurationManager {
ActionAfterReboot = 'ContinueConfiguration'
ConfigurationMode = 'ApplyOnly'
RebootNodeIfNeeded = $true
}
xWaitforDisk Disk2 {
DiskNumber = 2
RetryIntervalSec = $RetryIntervalSec
RetryCount = $RetryCount
}
xDisk ADDataDisk {
DiskNumber = 2
DriveLetter = "F"
DependsOn = "[xWaitForDisk]Disk2"
}
WindowsFeatureSet Prereqs {
Name = $features
Ensure = "Present"
IncludeAllSubFeature = $true
}
xDnsServerAddress DnsServerAddress {
Address = $DNSServer
InterfaceAlias = $Interface.Name
AddressFamily = "IPv4"
DependsOn = "[WindowsFeatureSet]Prereqs"
}
xWaitForADDomain DscForestWait {
DomainName = $DomainName
DomainUserCredential = $DomainCreds
RetryCount = $RetryCount
RetryIntervalSec = $RetryIntervalSec
DependsOn = "[WindowsFeatureSet]Prereqs"
}
xADDomainController BDC {
DomainName = $DomainName
DomainAdministratorCredential = $DomainCreds
SafemodeAdministratorPassword = $SafeModeAdminCreds
DatabasePath = "F:\NTDS"
LogPath = "F:\NTDS"
SysvolPath = "F:\SYSVOL"
DependsOn = "[xWaitForADDomain]DscForestWait"
}
xPendingReboot RebootAfterPromotion {
Name = "RebootAfterDCPromotion"
DependsOn = "[xADDomainController]BDC"
}
}
}
MSFT_xADDomainController.psm1 - LINK
DSC 日志文件输出
VERBOSE: [2019-03-17 22:23:12Z] [VERBOSE] [DC2]: LCM: [ Start Resource ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Test ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] Checking the DNS Server Address ...
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] DNS Servers are not correct. Expected 10.x.x.250, actual 10.x.x.250 10.x.x.249 8.8.8.8
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ End Test ] [[xDNSServerAddress]DnsServerAddress] in 0.7500 seconds.
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Set ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] Checking the DNS Server Address ...
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] DNS Servers are not correct. Expected 10.x.x.250, actual 10.x.x.250 10.x.x.249 8.8.8.8
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] DNS Servers have been set correctly.
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ End Set ] [[xDNSServerAddress]DnsServerAddress] in 0.0940 seconds.
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ End Resource ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Resource ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Test ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xWaitForADDomain]DscForestWait] Checking for domain DOMAIN.CO.UK ...
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: [[xWaitForADDomain]DscForestWait] Found domain DOMAIN.CO.UK
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ End Test ] [[xWaitForADDomain]DscForestWait] in 0.6790 seconds.
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ Skip Set ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ End Resource ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ Start Resource ] [[xADDomainController]BDC]
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ Start Test ] [[xADDomainController]BDC]
VERBOSE: [2019-03-17 22:23:15Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Resolving 'DOMAIN.CO.UK' ...
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Domain 'DOMAIN.CO.UK' is NOT present on the current node.
VERBOSE: [2019-03-17 22:23:57Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC.77.0.0\Status[=16=].status)
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: LCM: [ End Test ] [[xADDomainController]BDC] in 43.2480 seconds.
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: LCM: [ Start Set ] [[xADDomainController]BDC]
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Resolving 'DOMAIN.CO.UK' ...
VERBOSE: [2019-03-17 22:24:40Z] [ERROR] Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
VERBOSE: [2019-03-17 22:24:40Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Checking if domain 'DOMAIN.CO.UK' is present ...
VERBOSE: [2019-03-17 22:25:22Z] [VERBOSE] [DC2]: LCM: [ End Set ] [[xADDomainController]BDC] in 84.3140 seconds.
VERBOSE: [2019-03-17 22:25:22Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC.77.0.0\Status[=16=].status)
VERBOSE: [2019-03-17 22:25:22Z] [ERROR] PowerShell DSC resource MSFT_xADDomainController failed to execute
Set-TargetResource functionality with error message: Domain 'DOMAIN.CO.UK' could not be found.
查看模块代码 xWaitForADDomain 正在使用特殊函数 Get-Domain,而不是 Get-ADDomain cmdlet(在您的情况下显然会出错),因此您需要进行此调用 (Get-ADDomain)在你的虚拟机上工作。按照建议检查 Active Directory Web 服务? 运行 使用 -debug 开关获取 addomain
好吧,经过大量的摸索之后,我回到了基础并找到了罪魁祸首,似乎 MS 在他们的文档 (link) 中忽略了一个或两个端口来配置防火墙广告。是的,列表中缺少 ADWS(Active Directory Web 服务)端口。为 TCP9389 添加一条规则,突然之间,我所有的担心都烟消云散了。谢谢您的帮助。