ARM template with DSC extension fails with security error after reboot during create new AD forest and domain

1

For months I have reliably used an ARM template that creates primary and backup domain controllers (based on 'active-directory-new-domain-ha-2-dc' in the quick start templates). On Friday it stopped working without any modifications being made.

The problem is on the primary DC. The xADDomain DSC resource triggers a reboot as shown in this excerpt from the first DSC log:

VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]: LCM:  [ End    Resource 
]  [[xADDomain]FirstDS]
VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]:                         
   [] A reboot is required to progress further. Please reboot the system. 
Configuration will not be continued after the reboot. To continue 
configuration, use Start-DscConfiguration -UseExisting after reboot.
VERBOSE: [2020-05-22 15:22:17Z] [WARNING] [tipaADPDC]:                         
   [] A reboot is required to progress further. Please reboot the system. 
Configuration will not be continued after the reboot. To continue 
configuration, use Start-DscConfiguration -UseExisting after reboot.

After the reboot the following security error can be seen in the second DSC log:

VERBOSE: [2020-05-22 15:23:28Z] Will continue the existing configuration. 
Executing Start-DscConfiguration with -UseExisting option ...
VERBOSE: [2020-05-22 15:23:28Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-05-22 15:23:29Z] [VERBOSE] Perform operation 'Invoke CimMethod' 
with following parameters, ''methodName' = ApplyConfiguration,'className' = 
MSFT_DSCLocalConfigurationManager,'namespaceName' = 
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-05-22 15:23:29Z] [ERROR] WinRM cannot process the request. The 
following error with errorcode 0x80090350 occurred while using Negotiate 
authentication: An unknown security error occurred.

As no changes had been made to the ARM template or the DSC resources I assume that this is due to the deployment picking up the latest version of something.

Things I have tried:

  1. Using DSC 2.76 instead of 2.80
  2. Using WMF 5.0 instead of 5.1
  3. Using Windows Server 2019-Datacenter instead of 2016 (it seems there has been no update to the 2016 image since 20190603).

I have also looked into preventing DSC from restarting after the reboot (there are no more resources to process). However, I think that those settings are already made due to the following entries in the first DSC log:

VERBOSE: [2020-05-22 15:18:42Z] WMF 5 or newer, Injecting RebootNodeIfNeeded = 
False and ActionAfterReboot = "StopConfiguration"

VERBOSE: [2020-05-22 15:18:47Z] Get-DscLocalConfigurationManager: 
ActionAfterReboot              : StopConfiguration
RebootNodeIfNeeded             : False

I am stuck. Does anyone have any ideas? Thanks.

azure
dsc
asked on Stack Overflow May 24, 2020 by Ed2001

2 Answers

2

I encountered a similar issue recently. One small difference is that instead of xADDomain, I'm using ActiveDirectoryDsc. The error was gone when I upgraded the OS to Windows Server 2019-Datacenter.

A potential root cause might be the version of PowerShell between 2016 and 2019. Here's my log.

  1. Windows Server 2016
VERBOSE: [2020-06-01 03:47:34Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 03:47:34Z] Retrieving system information ...
VERBOSE: [2020-06-01 03:47:40Z]     OS Version : 10.0
VERBOSE: [2020-06-01 03:47:40Z]     Server OS  : True
VERBOSE: [2020-06-01 03:47:40Z]     64-bit OS  : True
VERBOSE: [2020-06-01 03:47:40Z]     PS Version : 5.1.14393.3471
VERBOSE: [2020-06-01 03:47:40Z] Validating user provided settings for the DSC 
Extension Handler ...

And after reboot

VERBOSE: [2020-06-01 03:53:05Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 03:53:05Z] Will continue the existing configuration. 
Executing Start-DscConfiguration with -UseExisting option ...
VERBOSE: [2020-06-01 03:53:05Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 03:53:07Z] [VERBOSE] Perform operation 'Invoke CimMethod' 
with following parameters, ''methodName' = ApplyConfiguration,'className' = 
MSFT_DSCLocalConfigurationManager,'namespaceName' = 
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-06-01 03:53:07Z] [ERROR] WinRM cannot process the request. The 
following error with errorcode 0x80090350 occurred while using Negotiate 
authentication: An unknown security error occurred.  

 Possible causes are:

  -The user name or password specified are invalid.

  -Kerberos is used when no authentication method and no user name are 
specified.

  -Kerberos accepts domain user names, but not local user names.

  -The Service Principal Name (SPN) for the remote computer name and port does 
not exist.

  -The client and remote computers are in different domains and there is no 
trust between the two domains.

 After checking for the above issues, try the following:

  -Check the Event Viewer for events related to authentication.

  -Change the authentication method; add the destination computer to the WinRM 
TrustedHosts configuration setting or use HTTPS transport.

 Note that computers in the TrustedHosts list might not be authenticated.

   -For more information about WinRM configuration, run the following command: 
winrm help config.
VERBOSE: [2020-06-01 03:53:07Z] [VERBOSE] Operation 'Invoke CimMethod' 
complete.
VERBOSE: [2020-06-01 03:53:07Z] [VERBOSE] Time taken for configuration job to 
complete is 0.039 seconds

  2. Windows Server 2019
VERBOSE: [2020-06-01 08:33:17Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 08:33:18Z] Retrieving system information ...
VERBOSE: [2020-06-01 08:33:22Z]     OS Version : 10.0
VERBOSE: [2020-06-01 08:33:22Z]     Server OS  : True
VERBOSE: [2020-06-01 08:33:22Z]     64-bit OS  : True
VERBOSE: [2020-06-01 08:33:22Z]     PS Version : 5.1.17763.1007
VERBOSE: [2020-06-01 08:33:22Z] Validating user provided settings for the DSC Extension Handler ...

And after reboot

VERBOSE: [2020-06-01 08:38:49Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 08:38:49Z] Will continue the existing configuration. Executing Start-DscConfiguration with 
-UseExisting option ...
VERBOSE: [2020-06-01 08:38:50Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 08:38:51Z] [VERBOSE] Perform operation 'Invoke CimMethod' with following parameters, ''methodName'
 = ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = 
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-06-01 08:38:51Z] [VERBOSE] An LCM method call arrived from computer adPDC with user sid S-1-5-18.
answered on Stack Overflow Jun 1, 2020 by tkk
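
To compare two runs such as the 2016 and 2019 logs in the answer above, this added example (not part of the original answer or of the DSC extension) rejoins the console-wrapped log lines and extracts the fields that differ between them. The helper name Get-DscLogSummary and the variables $sample2016 and $sample2019 are hypothetical; the sample lines are copied from the logs quoted on this page.

```powershell
# Added example. Get-DscLogSummary is a hypothetical helper, not part of the DSC extension.
function Get-DscLogSummary {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)
    # The logs are wrapped at console width: a record starts at 'VERBOSE: [date',
    # and any other non-empty line continues the previous record.
    $records = [System.Collections.Generic.List[string]]::new()
    foreach ($l in $Line) {
        if ($l -match '^VERBOSE: \[\d{4}-\d{2}-\d{2} ') {
            $records.Add($l.Trim())
        } elseif ($records.Count -gt 0 -and $l.Trim()) {
            $last = $records.Count - 1
            $records[$last] = $records[$last] + ' ' + $l.Trim()
        }
    }
    $s = [ordered]@{ PSVersion = $null; ResumedAfterReboot = $false
                     WinRMErrorCode = $null; LcmCallerSid = $null }
    foreach ($r in $records) {
        switch -Regex ($r) {
            'PS Version\s*:\s*(\S+)' { $s.PSVersion = $Matches[1] }
            'Start-DscConfiguration with -UseExisting' { $s.ResumedAfterReboot = $true }
            '\[ERROR\] WinRM cannot process the request.*errorcode (0x[0-9A-Fa-f]+)' {
                $s.WinRMErrorCode = $Matches[1] }
            'LCM method call arrived from computer \S+ with user sid (S-[\d-]+)' {
                $s.LcmCallerSid = $Matches[1] }   # S-1-5-18 is the LocalSystem SID
        }
    }
    [pscustomobject]$s
}

# Constructed samples: lines copied from the two logs quoted in the answer above.
$sample2016 = @'
VERBOSE: [2020-06-01 03:47:40Z]     PS Version : 5.1.14393.3471
VERBOSE: [2020-06-01 03:53:05Z] Will continue the existing configuration. 
Executing Start-DscConfiguration with -UseExisting option ...
VERBOSE: [2020-06-01 03:53:07Z] [ERROR] WinRM cannot process the request. The 
following error with errorcode 0x80090350 occurred while using Negotiate 
authentication: An unknown security error occurred.
'@ -split '\r?\n'
$sample2019 = @'
VERBOSE: [2020-06-01 08:33:22Z]     PS Version : 5.1.17763.1007
VERBOSE: [2020-06-01 08:38:49Z] Will continue the existing configuration. Executing Start-DscConfiguration with 
-UseExisting option ...
VERBOSE: [2020-06-01 08:38:51Z] [VERBOSE] An LCM method call arrived from computer adPDC with user sid S-1-5-18.
'@ -split '\r?\n'

$sample2016, $sample2019 | ForEach-Object { Get-DscLogSummary -Line $_ } | Format-Table -AutoSize
```

For a real log, pass the output of Get-Content to -Line; blank lines are accepted and skipped.
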
0

We faced the same issue, and we realized that it only occurs on some particular types of VMs with win_2016Datacenter.

  • Reproduced this issue with VM type "Standard_F4s_v2"
  • But it doesn't occur with other VMs, such as "Standard_DS2_v2"

I'm not sure which type of VM you are using; as a workaround you can try a different VM type.

answered on Stack Overflow Jun 10, 2020 by Frank Li

User contributions licensed under CC BY-SA 3.0