DSC to join domain

This topic contains 7 replies, has 3 voices, and was last updated by  Michael Greene 1 month, 3 weeks ago.

  • #72734

    Jens
    Participant

    Hello all,

    I'm experimenting with some DSC scripts in Azure.

    Login-AzureRmAccount

    Show-SubscriptionARM

    $rgName = 'rgName'
    $storageAccountName = "storageaccount"

    $storageAccount = Get-AzureRmStorageAccount -ResourceGroupName $rgName -AccountName $storageAccountName
    $storageAccountKey = (Get-AzureRmStorageAccountKey -ResourceGroupName $rgName -AccountName $storageAccountName).Value[0]

    # we are using default container
    $containerName = 'windows-powershell-dsc'

    $configurationName = 'IISInstall'
    $configurationPath = ".\$configurationName.ps1"
    #Publish your DSC configuration to the Azure storage
    $moduleURL = Publish-AzureRmVMDscConfiguration -ConfigurationPath $configurationPath -ResourceGroupName $rgName -StorageAccountName $storageAccount.StorageAccountName -Force

    $storageContext = New-AzureStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageAccountKey
    $sasToken = New-AzureStorageContainerSASToken -Name $containerName -Context $storageContext -Permission r

    $settingsHashTable = @{
    "ModulesUrl" = "$moduleURL";
    "ConfigurationFunction" = "$configurationName.ps1\$configurationName";
    "SasToken" = "$sasToken"
    }

    $vmName= "VMTEST"
    $extensionName = 'DSC'
    $extensionType = 'DSC'
    $publisher = 'Microsoft.Powershell'
    $typeHandlerVersion = '2.1'

    Set-AzureRmVMExtension -ResourceGroupName $rgName -VMName $vmName -Location $storageAccount.Location `
    -Name $extensionName -Publisher $publisher -ExtensionType $extensionType -TypeHandlerVersion $typeHandlerVersion `
    -Settings $settingsHashTable

    This script calls the DSC that is in this script:

    Configuration IISInstall
    {

    Import-DSCResource -module xDSCDomainjoin
    #domain credentials to be given here
    $secdomainpasswd = ConvertTo-SecureString "password" -AsPlainText -Force
    $mydomaincreds = New-Object System.Management.Automation.PSCredential("domain\account", $secdomainpasswd)
    $domain = "mydomain"

    Node localhost
    {
    WindowsFeature IIS
    {
    Name = "Web-Server"
    Ensure = "Present"
    }

    # Install ASP.NET 4.5
    WindowsFeature AspNet45

    {
    Name = "Web-Asp-Net45"
    Ensure = "Present"
    }

    # Join domain
    xDSCDomainjoin JoinDomain
    {
    Domain = $domain
    Credential = $mydomaincreds
    }
    }
    }

    The first 2 steps are successful, however the domain join function always gives an error. Does anyone know what the problem is?

    I would like to join the domain with the DSC script.

  • #72745

    Don Jones
    Keymaster

    It's a little tough to guess what the error might be. Can you just post the error?

    • #72797

      Jens
      Participant

      Sorry about that. Here is the error:

      Set-AzureRmVMExtension : Long running operation failed with status 'Failed'.
      ErrorCode: VMExtensionProvisioningError
      ErrorMessage: VM has reported a failure when processing extension 'DSC'. Error message: "The DSC Extension received an incorrect input: Compilation errors occurred while processing configuration 'IISInstall'. Please review the errors reported in error stream and modify your configuration code appropriately. System.InvalidOperationException error processing property 'Credential' OF TYPE 'xDSCDomainjoin': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
      At C:\Packages\Plugins\Microsoft.Powershell.DSC\2.26.0.0\DSCWork\IISInstall.ps1.0\IISInstall.ps1:75 char:5
      + xDSCDomainjoin Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729 Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist. Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist.
      Another common error is to specify parameters of type PSCredential without an explicit type. Please be sure to use a typed parameter in DSC Configuration, for example:
      configuration Example {
      param([PSCredential] $UserAccount)
      ...
      }.
      Please correct the input and retry executing the extension.".
      StartTime: 14/06/2017 8:59:39
      EndTime: 14/06/2017 9:06:57
      OperationID: 10c08c2e-de25-439d-b02a-d9646dcd477b
      Status: Failed
      At line:31 char:1
      + Set-AzureRmVMExtension -ResourceGroupName $rgName -VMName $vmName -Location $st ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : CloseError: (:) [Set-AzureRmVMExtension], ComputeCloudException
      + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.SetAzureVMExtensionCommand

  • #72812

    Don Jones
    Keymaster

    You appear to be trying to use a non-encrypted credential. That isn't allowed – as described at the URL referenced in the error.

    • #73636

      Jens
      Participant

      I added the following to the first script:
      $settingsHashTable = @{
      "ModulesUrl" = "$moduleURL";
      "ConfigurationFunction" = "$configurationName.ps1\$configurationName";
      "SasToken" = "$sasToken"
      AllNodes = @(
      @{
      NodeName = "localhost"
      PsDscAllowPlainTextPassword = $true
      }
      )
      }

      So plain text password shouldn't be a problem.
      However I still get the error. Any ideas how I can solve it?

      Thanks.

    • #73843

      Jens
      Participant

      I thought it may be because of the hash in a hash function, so I edited it to:
      $settingsHashTable = @{

      "ModulesUrl" = "$moduleURL";
      "ConfigurationFunction" = "$configurationName.ps1\$configurationName";
      "SasToken" = "$sasToken";
      "NodeName" = "localhost";
      "PsDscAllowPlainTextPassword" = $true
      }

      But still an error:
      Set-AzureRmVMExtension : Long running operation failed with status 'Failed'.
      ErrorCode: VMExtensionProvisioningError
      ErrorMessage: VM has reported a failure when processing extension 'DSC'. Error message: "The DSC Extension received an incorrect input: Compilation errors occurred while processing configuration 'IISInstall'. Please review the errors reported in error stream and modify your configuration code appropriately. System.InvalidOperationException error processing property 'Credential' OF TYPE 'xDSCDomainjoin': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
      At C:\Packages\Plugins\Microsoft.Powershell.DSC\2.26.0.0\DSCWork\IISInstall.ps1.0\IISInstall.ps1:76 char:5
      + xDSCDomainjoin Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729 Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist. Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist.
      Another common error is to specify parameters of type PSCredential without an explicit type. Please be sure to use a typed parameter in DSC Configuration, for example:
      configuration Example {
      param([PSCredential] $UserAccount)
      ...
      }.
      Please correct the input and retry executing the extension.".
      StartTime: 28/06/2017 14:39:24
      EndTime: 28/06/2017 14:45:58
      OperationID: edb84240-384f-4c83-8966-781339e75d65
      Status: Failed
      At line:48 char:1
      + Set-AzureRmVMExtension -ResourceGroupName $rgName -VMName $vmName -Location $st ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : CloseError: (:) [Set-AzureRmVMExtension], ComputeCloudException
      + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.SetAzureVMExtensionCommand

  • #73846

    Don Jones
    Keymaster

    Keep in mind that Azure is a little different. The error is still telling me it doesn't like your plain-text password. Azure's DSC extension may simply – and wisely – disallow that.

  • #73868

    Michael Greene
    Participant

    Hi Jens, I'm a PM on Azure Automation DSC. Take a look at this doc on securing credentials used with the extension.
    https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-dsc-credentials

    Overall, I typically recommend using the extension as a bootstrap mechanism in ARM templates and using the service for the actual configuration delivery wherever possible. It is night and day easier to diagnose problems when they occur, and you can understand the state of the machine over time rather than just at deployment.

    Since your configuration contains a secret (credential) there are some gotchas along the way with both options. If you would like to PM me I'd be happy to help.

    For more information:
    https://docs.microsoft.com/en-us/azure/automation/automation-dsc-overview
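
Added example, not part of the original thread and not code from any poster: the error text in the thread suggests a typed [PSCredential] parameter, and the linked extension documentation describes passing the credential as a configuration argument. The parameter names DomainCredential and DomainName are hypothetical, the blob name IISInstall.ps1.zip assumes the default archive name produced by Publish-AzureRmVMDscConfiguration, and version 2.26 is taken from the handler path in the error output.

```powershell
# --- IISInstall.ps1: the credential is a typed parameter, no password in the file ---
Configuration IISInstall
{
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential] $DomainCredential,   # hypothetical parameter name

        [Parameter(Mandatory = $true)]
        [string] $DomainName                # hypothetical parameter name
    )

    Import-DscResource -ModuleName xDSCDomainjoin

    Node localhost
    {
        WindowsFeature IIS      { Name = 'Web-Server';    Ensure = 'Present' }
        WindowsFeature AspNet45 { Name = 'Web-Asp-Net45'; Ensure = 'Present' }

        xDSCDomainjoin JoinDomain
        {
            Domain     = $DomainName
            Credential = $DomainCredential
        }
    }
}

# --- Deployment script, run from the workstation after Login-AzureRmAccount ---
$rgName             = 'rgName'
$storageAccountName = 'storageaccount'
$vmName             = 'VMTEST'
$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName

# Uploads IISInstall.ps1.zip to the default 'windows-powershell-dsc' container
Publish-AzureRmVMDscConfiguration -ConfigurationPath '.\IISInstall.ps1' `
    -ResourceGroupName $rgName -StorageAccountName $storageAccountName -Force

# PSCredential values in -ConfigurationArgument are prompted for at deploy time
# and are not written into the script or the configuration archive
Set-AzureRmVMDscExtension -ResourceGroupName $rgName -VMName $vmName -Location $vm.Location `
    -ArchiveStorageAccountName $storageAccountName -ArchiveBlobName 'IISInstall.ps1.zip' `
    -ConfigurationName 'IISInstall' -Version '2.26' `
    -ConfigurationArgument @{
        DomainName       = 'mydomain'
        DomainCredential = Get-Credential -Message 'Account allowed to join machines to the domain'
    }
```

With this shape the password no longer sits in the configuration file or in the public Settings hashtable, and PsDscAllowPlainTextPassword is not needed.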
