DSC running the group resource


This topic contains 8 replies, has 2 voices, and was last updated by Arie H 8 months, 1 week ago.

  • #36934
    nathan Driscoll
    Participant

    After installing the Windows feature RSAT-AD-GROUP, I'm running the Group resource and the xADGroup resource, which is failing to connect to ADWS. It throws an error which causes the configuration not to apply. What is the best way to deal with this?

    Configuration below:

    $node = 'test01'
    $ConfigurationData = @{
        AllNodes = @(
            @{
                NodeName                    = "$node"
                groupname                   = "Local admins - $node"
                Description                 = "Test 01"
                PSDscAllowPlainTextPassword = $true
                Domain                      = 'Test.Intranet'
            }
        )
    }

    configuration SoeBuild
    {
        Param(
            $DomainAdminCredential
        )

        LocalConfigurationManager
        {
            ConfigurationMode  = "ApplyAndAutoCorrect"
            RebootNodeIfNeeded = $true
            DebugMode          = 'ALL'
            ActionAfterReboot  = "ContinueConfiguration"
            RefreshMode        = "Pull"
        }
        Import-DscResource -ModuleName iComputerDescription, xActiveDirectory, xComputerManagement, iServiceOwnProcess, istorage, xSystemVirtualMemory, xPendingReboot, iWaitForADWS

        # Inside the Node block, $node is the current entry from $ConfigurationData.AllNodes
        Node $AllNodes.NodeName {
            iComputerDescription description
            {
                Name   = $node.Description
                Ensure = 'Present'
            }
            iadgroup localadmins
            {
                GroupName  = $node.groupname
                Credential = $DomainAdminCredential
                DependsOn  = '[windowsfeature]RSATADPowerShell'
            }
            group Localadmins
            {
                GroupName        = 'Administrators'
                Ensure           = 'Present'
                MembersToInclude = "Test\$($node.groupname)"
                Credential       = $DomainAdminCredential
                DependsOn        = '[windowsfeature]RSATADPowerShell'
            }
            xComputer Domain
            {
                Name       = $node.nodename
                Credential = $DomainAdminCredential
                DomainName = $node.domain
            }
            iServiceOwnProcess WinRM
            {
                ServiceName = "WinRM"
                Ensure      = "Present"
            }
            iWaitForDisk DiskP
            {
                DiskNumber       = 0
                RetryCount       = 10
                RetryIntervalSec = 20
            }
            iWaitForDisk DiskD
            {
                DiskNumber       = 2
                RetryCount       = 10
                RetryIntervalSec = 20
            }
            idisk Data
            {
                DiskNumber  = 2
                DriveLetter = "D"
                DependsOn   = "[iWaitForDisk]DiskD"
            }
            xSystemVirtualMemory Page
            {
                ConfigureOption = 'CustomSize'
                DriveLetter     = "P:"
                InitialSize     = '2048'
                MaximumSize     = '8096'
            }
            windowsfeature RSATADPowerShell
            {
                Name   = 'RSAT-AD-PowerShell'
                Ensure = 'Present'
            }
        }
    }

    # Compile the MOF for the node into a per-node output folder
    $path = 'C:\DSCBuilds\Server_builds\'
    $test = Test-Path "$path\$node"
    if (!($test)) { New-Item -Path $path -ItemType directory -Name $node }
    SoeBuild -OutputPath "$path$node" -ConfigurationData $ConfigurationData -DomainAdminCredential (Get-Credential)

  • #36935
    Arie H
    Participant

    Hi Nathan,

    I think the reason is the hardcoded 'Test' domain, when the domain is 'Test.Intranet' according to the ConfigurationData. Try this:

    group Localadmins
    {
        GroupName        = 'Administrators'
        Ensure           = 'Present'
        MembersToInclude = "$($node.domain)\$($node.groupname)"
        Credential       = $DomainAdminCredential
        DependsOn        = '[windowsfeature]RSATADPowerShell'
    }
    

    The only other thing I can see, if that doesn't help, is that your group resource is trying to add a local group, which you created via iadgroup localadmins, to the local Administrators group, but you didn't set a DependsOn correctly, as the creation of the local group has to happen before you add it to the local admin group ofc.

    Try this:

    group Localadmins
    {
        GroupName        = 'Administrators'
        Ensure           = 'Present'
        MembersToInclude = "Test\$($node.groupname)"
        Credential       = $DomainAdminCredential
        DependsOn        = '[iadgroup]localadmins'
    }
    

    Hope this helps 🙂

  • #37043
    nathan Driscoll
    Participant

    Should have thought to use that! Good idea! 🙂

    When I first run the configuration on the machine it comes back with "unable to find a default server with ADWS running". After a reboot it works fine. Is there any way to skip running that resource until after a reboot?

  • #37046
    Arie H
    Participant

    Might be that you don't have .NET installed, which is required by RSAT, in which case you need to add it to your script as a feature block and use DependsOn for the RSAT feature to depend on the .NET feature.

    Neither is needed, though, to be able to use the xADGroup or Group resources, so I can't tell why it would require a restart. The LCM settings do state it will do a reboot if needed.

    Your script is missing a command to create the meta.mof and publish it to the node's LCM. I assume you ran it beforehand and just omitted it from the script.

    Other than that we'll need a better description of the process you're doing, or at least I do 😉

  • #37047
    nathan Driscoll
    Participant

    No! I didn't run it for the LCM! 😅 I made a mistake in the LCM settings: it's meant to be push, not pull. I haven't had any luck with a pull server and a bare metal image yet. I just find it strange that it would run without .NET! After about 10 minutes the iadgroup resource works, though the group resource doesn't until after a reboot.

  • #37073
    Arie H
    Participant

    I still think it has to do with the order. For a start we'll need to see the full script you're running; use the pre tag before and after the code or use a gist URL to make the long script more readable.

    The latest online documentation is quite stable in terms of creating and working with a pull server, so you should give it another try. The benefits are better imho.

  • #37077
    nathan Driscoll
    Participant

    Shame that in the MOF there is no way to do conditional logic, like Chef has. The only way I see out is to turn those resources into script resources to be able to handle ADWS not running? Or modifying the current resources to not error out.

    This is what I'm trying to do:
    1. Build from a bare metal template in VMM.
    2. Get the VM up to build checklist standard. (Pull server complaining about not allowing unencrypted traffic, as I have set the auth to basic because the machine will start in a workgroup, but I have set WS-Man to allow unencrypted traffic.)
    3. Then my next goal is using my pull server to build my new 2012 R2 ADCS solution.

  • #37148
    nathan Driscoll
    Participant

    Worked it out. Sadly it was all due to the order I was running my configuration in. I needed to join it to the domain first and allow the configuration to continue after reboot, which is working nicely. Thanks for your help Arie!

    Have you had any luck around the pull server and machines on a workgroup?

    
    $node = 'SRV1'
    $ConfigurationData = @{
        AllNodes = @(
            @{
                NodeName                    = "$node"
                groupname                   = "Local admins - $node"
                Description                 = 'SRV1 OCSP01 '
                PSDscAllowPlainTextPassword = $true
                Domain                      = "$env:USERDNSDOMAIN"
            }
        )
    }

    Configuration SoeBuild
    {
        Param(
            $DomainAdminCredential
        )
        LocalConfigurationManager
        {
            ConfigurationMode  = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded = $true
            DebugMode          = 'ALL'
            ActionAfterReboot  = 'ContinueConfiguration'
            RefreshMode        = 'push'
        }
        Import-DscResource -ModuleName iComputerDescription, xActiveDirectory, xComputerManagement, iServiceOwnProcess, istorage, xSystemVirtualMemory, xPendingReboot, iWaitForADWS

        # Resources are listed in the order they must run: RSAT, then the domain join
        # (which reboots), and only after that the AD group and the local Administrators membership
        Node $AllNodes.NodeName {
            windowsfeature RSATADPowerShell
            {
                Name   = 'RSAT-AD-PowerShell'
                Ensure = 'Present'
            }
            iComputerDescription description
            {
                Name   = $node.Description
                Ensure = 'Present'
            }
            xComputer Domain
            {
                Name       = $node.nodename
                Credential = $DomainAdminCredential
                DomainName = $node.domain
            }
            iServiceOwnProcess WinRM
            {
                Name   = 'WinRM'
                Ensure = 'Present'
            }
            iWaitForDisk DiskP
            {
                DiskNumber       = 0
                RetryCount       = 10
                RetryIntervalSec = 20
            }
            iWaitForDisk DiskD
            {
                DiskNumber       = 2
                RetryCount       = 10
                RetryIntervalSec = 20
            }
            idisk Data
            {
                DiskNumber  = 2
                DriveLetter = 'D'
                DependsOn   = '[iWaitForDisk]DiskD'
            }
            xSystemVirtualMemory Page
            {
                ConfigureOption = 'CustomSize'
                DriveLetter     = 'P:'
                InitialSize     = '2048'
                MaximumSize     = '8096'
            }
            iadgroup localadmins
            {
                GroupName  = $node.groupname
                Credential = $DomainAdminCredential
            }
            group Localadmins
            {
                GroupName        = 'Administrators'
                Ensure           = 'Present'
                MembersToInclude = "$($node.domain)\$($node.groupname)"
                Credential       = $DomainAdminCredential
                DependsOn        = '[iadgroup]localadmins'
            }
        }
    }

    $path = 'D:\DSCBuilds\Server_builds\test\'
    $test = Test-Path "$path\$node"
    if (!($test))
    {
        New-Item -Path $path -ItemType directory -Name $node
    }
    SoeBuild -OutputPath "$path$node" -ConfigurationData $ConfigurationData -DomainAdminCredential (Get-Credential)
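An added example, not code from this thread, of the ordering that resolved the problem above: join the domain, reboot straight away, wait for a DC to answer, and only then run the Group resource, with the meta.mof published to the LCM before the configuration is pushed. Resource and parameter names assume the xComputerManagement, xActiveDirectory and xPendingReboot modules; the node values are constructed.

```powershell
# Added example (not code from the thread); resource names assume xComputerManagement,
# xActiveDirectory and xPendingReboot; node values below are constructed.
Configuration DomainJoinThenLocalAdmins {
    Param([Parameter(Mandatory)][pscredential]$DomainAdminCredential)
    Import-DscResource -ModuleName PSDesiredStateConfiguration, xComputerManagement, xActiveDirectory, xPendingReboot

    Node $AllNodes.NodeName {
        # Meta-configuration: push mode, and continue with the same MOF after the join reboot
        LocalConfigurationManager {
            RefreshMode        = 'Push'
            ConfigurationMode  = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded = $true
            ActionAfterReboot  = 'ContinueConfiguration'
        }
        xComputer JoinDomain {
            Name       = $Node.NodeName
            DomainName = $Node.Domain
            Credential = $DomainAdminCredential
        }
        # Reboot straight after the join rather than at the end of the run
        xPendingReboot AfterJoin {
            Name      = 'AfterDomainJoin'
            DependsOn = '[xComputer]JoinDomain'
        }
        # Block until a DC answers, so ADWS is reachable before the domain group is resolved
        xWaitForADDomain WaitForDomain {
            DomainName           = $Node.Domain
            DomainUserCredential = $DomainAdminCredential
            RetryIntervalSec     = 30
            RetryCount           = 20
            DependsOn            = '[xPendingReboot]AfterJoin'
        }
        # Domain-qualified member name taken from ConfigurationData, not hard-coded
        Group LocalAdmins {
            GroupName        = 'Administrators'
            Ensure           = 'Present'
            MembersToInclude = "$($Node.Domain)\$($Node.GroupName)"
            Credential       = $DomainAdminCredential
            DependsOn        = '[xWaitForADDomain]WaitForDomain'
        }
    }
}

$cd = @{ AllNodes = @(@{ NodeName = 'SRV1'; Domain = 'test.intranet'; GroupName = 'Local admins - SRV1'
                         PSDscAllowPlainTextPassword = $true }) }
DomainJoinThenLocalAdmins -OutputPath C:\DSC\SRV1 -ConfigurationData $cd -DomainAdminCredential (Get-Credential)
# Publish SRV1.meta.mof to the node's LCM first, then push SRV1.mof and wait for the result
Set-DscLocalConfigurationManager -Path C:\DSC\SRV1 -ComputerName SRV1 -Verbose
Start-DscConfiguration -Path C:\DSC\SRV1 -ComputerName SRV1 -Wait -Verbose
```

PSDscAllowPlainTextPassword is kept to match the thread, which leaves the domain admin password in clear text inside SRV1.mof; outside a lab, put CertificateFile and Thumbprint in the node's ConfigurationData instead so the credential is encrypted to the target node's certificate.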
    
  • #37195
    Arie H
    Participant

    Glad it helped in a way. You could use a few DependsOn in your script to make sure no weird things happen. Remember DSC also has the WAIT resource family if you need extra logic in the workflow. Not the best solution, but it helps with inter-node dependency, for example.

    I work in an enterprise with a domain, so I haven't had the option to work with a workgroup yet. I imagine I would at some point when I reach the "bare metal" phase; we're just not there yet.

    I can look further to see if I see any quirks with workgroup and pull server. I would imagine the basic issues there will be user credentials, but that can be alleviated by using the same user/password combination on all machines, so with proper network connection and firewall rules it shouldn't pose a problem. Start a new thread with your script so others can help as well 😊
