ARM template with DSC extension fails with security error after reboot during create new AD forest and domain
For several months I have been reliably using an ARM template that creates a primary and a backup domain controller (based on 'active-directory-new-domain-ha-2-dc' from the quickstart templates). On Friday it stopped working, without any modification on my side.
The problem is on the primary DC. The xADDomain DSC resource triggers a reboot, as this excerpt from the first DSC log shows:
VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]: LCM: [ End Resource
] [[xADDomain]FirstDS]
VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]:
[] A reboot is required to progress further. Please reboot the system.
Configuration will not be continued after the reboot. To continue
configuration, use Start-DscConfiguration -UseExisting after reboot.
VERBOSE: [2020-05-22 15:22:17Z] [WARNING] [tipaADPDC]:
[] A reboot is required to progress further. Please reboot the system.
Configuration will not be continued after the reboot. To continue
configuration, use Start-DscConfiguration -UseExisting after reboot.
After the reboot, the following security error appears in the second DSC log:
VERBOSE: [2020-05-22 15:23:28Z] Will continue the existing configuration.
Executing Start-DscConfiguration with -UseExisting option ...
VERBOSE: [2020-05-22 15:23:28Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC.80.0.0\Status[=11=].status)
VERBOSE: [2020-05-22 15:23:29Z] [VERBOSE] Perform operation 'Invoke CimMethod'
with following parameters, ''methodName' = ApplyConfiguration,'className' =
MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-05-22 15:23:29Z] [ERROR] WinRM cannot process the request. The
following error with errorcode 0x80090350 occurred while using Negotiate
authentication: An unknown security error occurred.
Since nothing was changed in the ARM template or the DSC resources, I assume this is caused by the deployment picking up the latest version of something.
Things I have tried:
- Using DSC 2.76 instead of 2.80
- Using WMF 5.0 instead of 5.1
- Using Windows Server 2019-Datacenter instead of 2016 (it looks like the 2016 image has not been updated since 20190603)
I also looked into how to stop DSC from resuming after the reboot (there are no more resources to process). However, I believe those settings are already in place, given the following entries in the first DSC log:
VERBOSE: [2020-05-22 15:18:42Z] WMF 5 or newer, Injecting RebootNodeIfNeeded =
False and ActionAfterReboot = "StopConfiguration"
VERBOSE: [2020-05-22 15:18:47Z] Get-DscLocalConfigurationManager:
ActionAfterReboot : StopConfiguration
RebootNodeIfNeeded : False
I'm stuck. Does anyone have any ideas?
Thanks
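An added diagnostic script, not from the original question, the quickstart template or the DSC extension: run on the primary DC after the reboot, it reads the two LCM properties quoted above (RebootNodeIfNeeded, ActionAfterReboot), the status of the last DSC job, the WinRM service authentication settings that the failing Negotiate call depends on, tries the same kind of WS-Man call to localhost with Negotiate, and lists recent WinRM errors and failed logons from the event logs. It assumes an elevated Windows PowerShell 5.1 session on the VM; the function names are mine and nothing is modified.

```powershell
# Added diagnostic script (not part of the original question or answers).
# Assumes an elevated Windows PowerShell 5.1 session on the affected DC after the reboot.
# It only reads state: LCM settings, last DSC job, WinRM auth switches, recent events.

function Get-DscRebootSettings {
    # The two LCM properties the DSC extension injects before applying the configuration.
    $lcm = Get-DscLocalConfigurationManager
    [pscustomobject]@{
        RebootNodeIfNeeded = $lcm.RebootNodeIfNeeded
        ActionAfterReboot  = $lcm.ActionAfterReboot
        LCMState           = $lcm.LCMState
    }
}

function Get-LastDscJobStatus {
    # Status of the most recent configuration run, including whether it requested a reboot.
    try {
        Get-DscConfigurationStatus -ErrorAction Stop |
            Select-Object Status, Type, StartDate, RebootRequested, NumberOfResources
    } catch {
        Write-Warning "Get-DscConfigurationStatus failed: $($_.Exception.Message)"
    }
}

function Get-WinRmAuthSettings {
    # Service-side authentication switches (Basic, Kerberos, Negotiate, CredSSP, ...).
    Get-ChildItem 'WSMan:\localhost\Service\Auth' | Select-Object Name, Value
}

function Test-LocalNegotiate {
    # The LCM talks to itself over WS-Man; reproduce that path with Negotiate authentication.
    try {
        $null = Test-WSMan -ComputerName 'localhost' -Authentication Negotiate -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Negotiate to localhost failed: $($_.Exception.Message)"
        return $false
    }
}

function Get-RecentAuthEvents {
    param([int]$Count = 20)
    # WinRM operational errors/warnings plus failed logons (event 4625) from the Security log.
    $winrm = Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents $Count -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -in @('Error', 'Warning') }
    $logon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $Count -ErrorAction SilentlyContinue
    @($winrm) + @($logon) | Where-Object { $_ } | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
            @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}

'== LCM reboot settings =='
Get-DscRebootSettings | Format-List
'== Last DSC job =='
Get-LastDscJobStatus | Format-List
'== WinRM service auth =='
Get-WinRmAuthSettings | Format-Table -AutoSize
'== Negotiate to localhost =='
Test-LocalNegotiate
'== Recent WinRM errors and failed logons =='
Get-RecentAuthEvents | Format-Table -AutoSize -Wrap
```

If RebootNodeIfNeeded is False and ActionAfterReboot is StopConfiguration, the LCM is configured as the log claims and the resumed run is started by the extension handler's -UseExisting call rather than by the LCM itself; the Negotiate test and the event list then show whether the local WS-Man authentication path is what is broken after the promotion reboot.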
I ran into a similar problem recently. The slight difference is that I was using ActiveDirectoryDsc rather than xADDomain.
The error went away when I upgraded the OS to Windows Server 2019-Datacenter.
The potential root cause might be the PowerShell version difference between 2016 and 2019. Here are my logs.
- Windows Server 2016
VERBOSE: [2020-06-01 03:47:34Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC.80.0.0\Status[=10=].status)
VERBOSE: [2020-06-01 03:47:34Z] Retrieving system information ...
VERBOSE: [2020-06-01 03:47:40Z] OS Version : 10.0
VERBOSE: [2020-06-01 03:47:40Z] Server OS : True
VERBOSE: [2020-06-01 03:47:40Z] 64-bit OS : True
VERBOSE: [2020-06-01 03:47:40Z] PS Version : 5.1.14393.3471
VERBOSE: [2020-06-01 03:47:40Z] Validating user provided settings for the DSC
Extension Handler ...
After reboot
VERBOSE: [2020-06-01 03:53:05Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC.80.0.0\Status[=11=].status)
VERBOSE: [2020-06-01 03:53:05Z] Will continue the existing configuration.
Executing Start-DscConfiguration with -UseExisting option ...
VERBOSE: [2020-06-01 03:53:05Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC.80.0.0\Status[=11=].status)
VERBOSE: [2020-06-01 03:53:07Z] [VERBOSE] Perform operation 'Invoke CimMethod'
with following parameters, ''methodName' = ApplyConfiguration,'className' =
MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-06-01 03:53:07Z] [ERROR] WinRM cannot process the request. The
following error with errorcode 0x80090350 occurred while using Negotiate
authentication: An unknown security error occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are
specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does
not exist.
-The client and remote computers are in different domains and there is no
trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM
TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command:
winrm help config.
VERBOSE: [2020-06-01 03:53:07Z] [VERBOSE] Operation 'Invoke CimMethod'
complete.
VERBOSE: [2020-06-01 03:53:07Z] [VERBOSE] Time taken for configuration job to
complete is 0.039 seconds
- Windows Server 2019
VERBOSE: [2020-06-01 08:33:17Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC.80.0.0\Status[=12=].status)
VERBOSE: [2020-06-01 08:33:18Z] Retrieving system information ...
VERBOSE: [2020-06-01 08:33:22Z] OS Version : 10.0
VERBOSE: [2020-06-01 08:33:22Z] Server OS : True
VERBOSE: [2020-06-01 08:33:22Z] 64-bit OS : True
VERBOSE: [2020-06-01 08:33:22Z] PS Version : 5.1.17763.1007
VERBOSE: [2020-06-01 08:33:22Z] Validating user provided settings for the DSC Extension Handler ...
After reboot
VERBOSE: [2020-06-01 08:38:49Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC.80.0.0\Status[=13=].status)
VERBOSE: [2020-06-01 08:38:49Z] Will continue the existing configuration. Executing Start-DscConfiguration with
-UseExisting option ...
VERBOSE: [2020-06-01 08:38:50Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC.80.0.0\Status[=13=].status)
VERBOSE: [2020-06-01 08:38:51Z] [VERBOSE] Perform operation 'Invoke CimMethod' with following parameters, ''methodName'
= ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-06-01 08:38:51Z] [VERBOSE] An LCM method call arrived from computer adPDC with user sid S-1-5-18.
We ran into the same problem. We realized that this issue only occurs on certain VM types with win_2016Datacenter.
- Reproduced this issue with VM type "Standard_F4s_v2"
- But it does not occur on other VMs, e.g. "Standard_DS2_v2"
I'm not sure which VM type you are using; as a workaround, you could try a different VM type.