
March 23, 2016 at 9:55 pm

After installing the Windows feature RSAT-AD-GROUP, I'm running the Group resource and the xADGroup, which is failing to connect to ADWS. It throws an error which causes the configuration not to apply. What is the best way to deal with this?

Configuration below:

$node = 'test01'
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName="$node"
            groupname="Local admins - $node"
            Description = "Test 01"
            PSDscAllowPlainTextPassword=$true
            Domain = 'Test.Intranet'
        }
    )
}

configuration SoeBuild
{
    Param(
        $DomainAdminCredential
    )

    LocalConfigurationManager
    {
        ConfigurationMode = "ApplyAndAutoCorrect"
        RebootNodeIfNeeded = $true
        DebugMode = 'ALL'
        ActionAfterReboot = "ContinueConfiguration"
        RefreshMode = "Pull"
    }
    Import-DscResource -modulename iComputerDescription, xActiveDirectory, xComputerManagement, iServiceOwnProcess, istorage, xSystemVirtualMemory, xactivedirectory, xPendingReboot,iWaitForADWS

    Node $AllNodes.NodeName {
        iComputerDescription description
        {
            Name = $node.Description
            Ensure = 'Present'
        }
        iadgroup localadmins
        {
            GroupName = $node.groupname
            Credential = $DomainAdminCredential
            dependson = '[windowsfeature]RSATADPowerShell'
        }
        group Localadmins
        {
            GroupName = 'Administrators'
            Ensure = 'Present'
            MembersToInclude = "Test\$($node.groupname)"
            Credential = $DomainAdminCredential
            dependson = '[windowsfeature]RSATADPowerShell'
        }
        xComputer Domain
        {
            Name = $node.nodename
            Credential = $DomainAdminCredential
            DomainName = $node.domain
        }
        iServiceOwnProcess WinRM
        {
            ServiceName = "WinRM"
            Ensure = "Present"
        }
        iWaitForDisk DiskP
        {
            DiskNumber= 0
            RetryCount = 10
            RetryIntervalSec = 20
        }
        iWaitForDisk DiskD
        {
            DiskNumber= 2
            RetryCount = 10
            RetryIntervalSec = 20
        }
        idisk Data
        {
            DiskNumber = 2
            DriveLetter = "D"
            Dependson = "[iWaitForDisk]DiskD"
        }
        xSystemVirtualMemory Page
        {
            ConfigureOption = 'CustomSize'
            DriveLetter = "P:"
            InitialSize = '2048'
            MaximumSize = '8096'
        }
        windowsfeature RSATADPowerShell
        {
            name = 'RSAT-AD-PowerShell'
            Ensure = 'Present'
        }
    }
}

$path = 'C:\DSCBuilds\Server_builds\'
$test=Test-Path "$path\$node"
if(!($test)){New-Item -Path $path -ItemType directory -Name $node}
SoeBuild -OutputPath "$path$node" -ConfigurationData $ConfigurationData -DomainAdminCredential (Get-Credential)

March 23, 2016 at 11:44 pm

Hi Nathan,

I think the reason is the hardcoded 'Test' domain, when the domain is 'Test.Intranet' according to the ConfigurationData. Try this:

group Localadmins
{
    GroupName = 'Administrators'
    Ensure = 'Present'
    MembersToInclude = "$($node.domain)\$($node.groupname)"
    Credential = $DomainAdminCredential
    dependson = '[windowsfeature]RSATADPowerShell'
}

The only other thing I can see, if that doesn't help, is that your group resource is trying to add a local group, which you created via iadgroup localadmins, to the local administrators group, but you didn't set a DependsOn correctly, as the creation of the local group has to happen before you add it to the local admin group, of course.

Try this:

group Localadmins
{
    GroupName = 'Administrators'
    Ensure = 'Present'
    MembersToInclude = "Test\$($node.groupname)"
    Credential = $DomainAdminCredential
    dependson = '[iadgroup]localadmins'
}

Hope this helps 🙂

March 28, 2016 at 10:17 pm

Should have thought to use that! Good idea! 🙂

When I first run the configuration on the machine, it goes unable to find a default server with ADWS running. After a reboot it works fine? Is there any way to skip running that resource until after a reboot?

March 29, 2016 at 12:49 am

Might be that you don't have .NET installed, which is required by RSAT, in which case you need to add it to your script as a feature block and use the DependsOn for the RSAT to depend on the .NET feature.

Neither is needed though to be able to use xADGroup or Group resources. So I can't tell why it would require a restart. The LCM settings do state it will do a reboot if needed.

Your script is missing a command to create the meta.mof and publish it to the node LCM. I assume you ran it beforehand and just omitted it from the script.

Other than that, we'll need a better description of the process you're doing, or at least I do 😉

March 29, 2016 at 1:15 am

No! I didn't run it for the LCM! 😅 I made a mistake on the LCM; it's meant to be push, not pull. I haven't had any luck with a pull server and a bare metal image yet. I just find it strange, it would run without .NET! After about 10 minutes the iadgroup resource works, though the group resource doesn't till after a reboot.

March 29, 2016 at 10:15 pm

I still think it has to do with the order. For a start, we'll need to see the full script you're running; use the pre tag before and after the code, or use a gist URL, to make the long script more readable.

The latest online documentation is quite stable in terms of creating and working with a pull server, so you should give it another try. The benefits are better imho.

March 30, 2016 at 3:41 am

Shame in the MOF there is no way to do conditional logic, like Chef has. The only way I see out is to turn those resources into script resources to be able to handle ADWS not running? Or modifying the current resources to not err out.

This is what I'm trying to do:
1. Build from a bare metal template in VMM.
2. Get the VM up to build checklist standard. (Pull Server complaining about not allowing unencrypted traffic, as I have set the auth to basic as the machine will start in a workgroup, but I have set WS-Man to allow unencrypted traffic.)
3. Then my next goal is using my pull server to build my new 2012 R2 ADCS solution.

March 31, 2016 at 11:06 pm

Worked it out. Sadly, it was all due to the order I was running my configuration in. I needed to join it to the domain first, then allow the configuration to continue after reboot, which is working nicely. Thanks for your help Arie!

Have you had any luck around the pull server and machines on a workgroup?


$node = 'SRV1'
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName                    = "$node"
            groupname                   = "Local admins - $node"
            Description                 = 'SRV1 OCSP01 '
            PSDscAllowPlainTextPassword = $true
            Domain                      = "$env:USERDNSDOMAIN"
        }
    )
}

Configuration SoeBuild
{
    Param(
        $DomainAdminCredential
    )
    LocalConfigurationManager
    {
        ConfigurationMode  = 'ApplyAndAutoCorrect'
        RebootNodeIfNeeded = $true
        DebugMode          = 'ALL'
        ActionAfterReboot  = 'ContinueConfiguration'
        RefreshMode        = 'push'
    }
    Import-DscResource -modulename iComputerDescription, xActiveDirectory, xComputerManagement, iServiceOwnProcess, istorage, xSystemVirtualMemory, xactivedirectory, xPendingReboot,iWaitForADWS

    Node $AllNodes.NodeName {
        windowsfeature RSATADPowerShell
        {
            name = 'RSAT-AD-PowerShell'
            Ensure = 'Present'
        }
        iComputerDescription description
        {
            Name = $node.Description
            Ensure = 'Present'
        }
        xComputer Domain
        {
            Name = $node.nodename
            Credential = $DomainAdminCredential
            DomainName = $node.domain
        }
        iServiceOwnProcess WinRM
        {
            Name = 'WinRM'
            Ensure = 'Present'
        }
        iWaitForDisk DiskP
        {
            DiskNumber= 0
            RetryCount = 10
            RetryIntervalSec = 20
        }
        iWaitForDisk DiskD
        {
            DiskNumber= 2
            RetryCount = 10
            RetryIntervalSec = 20
        }
        idisk Data
        {
            DiskNumber = 2
            DriveLetter = 'D'
            Dependson = '[iWaitForDisk]DiskD'
        }
        xSystemVirtualMemory Page
        {
            ConfigureOption = 'CustomSize'
            DriveLetter = 'P:'
            InitialSize = '2048'
            MaximumSize = '8096'
        }
        iadgroup localadmins
        {
            GroupName = $node.groupname
            Credential = $DomainAdminCredential
        }
        group Localadmins
        {
            GroupName = 'Administrators'
            Ensure = 'Present'
            MembersToInclude = "$($node.domain)\$($node.groupname)"
            Credential = $DomainAdminCredential
            dependson = '[iadgroup]localadmins'
        }
    }
}


$path = 'D:\DSCBuilds\Server_builds\test\'
$test=Test-Path "$path\$node"
if(!($test))
{
    New-Item -Path $path -ItemType directory -Name $node
}
SoeBuild -OutputPath "$path$node" -ConfigurationData $ConfigurationData -DomainAdminCredential (Get-Credential)
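
Both scripts in this thread set PSDscAllowPlainTextPassword = $true, which writes the domain admin password into the compiled MOF in clear text. The following is an added example, not the poster's code, showing the same Group resource compiled with the credential encrypted to a node certificate; the certificate path, thumbprint and output folder are placeholders and assumptions.

```powershell
# Added example, not the poster's script. The certificate path and the
# thumbprint are placeholders (assumptions) for a document-encryption
# certificate whose private key is installed on the target node.
$node = 'SRV1'
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName             = $node
            groupname            = "Local admins - $node"
            Domain               = "$env:USERDNSDOMAIN"
            # Public key used at compile time to encrypt PSCredential values.
            CertificateFile      = 'C:\DSCBuilds\Certs\SRV1.cer'   # placeholder
            # Same certificate's thumbprint in Cert:\LocalMachine\My on the node.
            Thumbprint           = '<THUMBPRINT-PLACEHOLDER>'
            # WMF 5.0+ key: acknowledges that a domain account is being used.
            PSDscAllowDomainUser = $true
            # PSDscAllowPlainTextPassword is deliberately absent.
        }
    )
}

Configuration SoeBuildEncrypted
{
    Param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential] $DomainAdminCredential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        LocalConfigurationManager
        {
            # Tells the LCM which private key decrypts the credential.
            CertificateID = $node.Thumbprint
        }
        Group LocalAdmins
        {
            GroupName        = 'Administrators'
            Ensure           = 'Present'
            MembersToInclude = "$($node.Domain)\$($node.groupname)"
            Credential       = $DomainAdminCredential
        }
    }
}

$out = 'C:\DSCBuilds\Server_builds\encrypted'   # placeholder output folder
SoeBuildEncrypted -OutputPath $out -ConfigurationData $ConfigurationData -DomainAdminCredential (Get-Credential)
# Inspect the result: the Password value must be ciphertext, never the typed password.
Select-String -Path "$out\$node.mof" -Pattern 'Password'
```

The generated meta.mof still has to be applied with Set-DscLocalConfigurationManager so the LCM knows which certificate to decrypt with.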

April 3, 2016 at 9:35 pm

Glad it helped in a way. You could use a few DependsOn in your script to make sure no weird things happen. Remember DSC also has the WAIT resource family if you need extra logic in workflow. Not the best solution, but it helps inter-node dependency for example.

I work in an enterprise with a domain, so I haven't had the option to work with workgroup yet. I imagine I would at some point when I reach the "bare metal" phase, we're just not there yet.

Can look further to see if I see any quirks with workgroup and pull server. I would imagine the basic issues there will be user credentials, but that can be alleviated using the same user/password combination on all machines so with proper network connection and firewall rules it shouldn't pose a problem. Start a new thread with your script so others can help as well 😊
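
For the workgroup and pull server question raised in this thread, an added example (not from any poster) of an LCM meta-configuration that registers a node over HTTPS with a registration key, so WS-Man does not need basic auth over unencrypted traffic. It assumes WMF 5.0 or later and a pull server whose TLS certificate the node trusts; the server URL, registration key, output folder and the published configuration name 'SoeBuild' are placeholders.

```powershell
# Added example. Assumptions: WMF 5.0+, placeholder pull server URL,
# placeholder registration key, and a configuration named 'SoeBuild'
# already published on the pull server.
[DSCLocalConfigurationManager()]
Configuration PullClientHttps
{
    Param(
        [Parameter(Mandatory)]
        [string] $RegistrationKey
    )

    Node 'localhost'
    {
        Settings
        {
            RefreshMode        = 'Pull'
            ConfigurationMode  = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded = $true
            ActionAfterReboot  = 'ContinueConfiguration'
        }
        ConfigurationRepositoryWeb PullServer
        {
            # HTTPS endpoint; the node must trust the server certificate.
            ServerURL               = 'https://pull.example.test:8080/PSDSCPullServer.svc'
            # Shared secret configured on the pull server; no domain account needed.
            RegistrationKey         = $RegistrationKey
            ConfigurationNames      = @('SoeBuild')
            # Refuse to fall back to plain HTTP.
            AllowUnsecureConnection = $false
        }
    }
}

$metaPath = 'C:\DSCBuilds\Meta'   # placeholder output folder
PullClientHttps -OutputPath $metaPath -RegistrationKey '<REGISTRATION-KEY-PLACEHOLDER>'
# Apply the generated localhost.meta.mof to the local LCM.
Set-DscLocalConfigurationManager -Path $metaPath -Verbose
# Confirm the mode that is now in effect.
Get-DscLocalConfigurationManager | Select-Object RefreshMode, ConfigurationMode
```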