Author Posts

February 16, 2016 at 8:07 pm

Hi I have started writing my DSC configuration files. So I have tested the script with plain text as a test and it works with the $argument $PlainTextAlllowed = True.

However with the certificates enabled it spits an error to say that an exception was thrown.

I checked the event log under DSC – Operations and found that it was coming up with
"The Directory Services Restore Mode password exceeds the maximum password length requirements of the password policy."

When I see the mof file it has hashed the password like so for the safe domain credentials:

Password = "gFAwQkG2Pa+I2403+2C7HXRdswkNfGsX9ypfr1ddKT56g2BwuWkkNzO1DhuaT69xwS2EXKW03p5wkAfUNi3ORYdU/XZQ+3VdXNA9v5HpKnjH/z/0TAy+ODgsNqCTbf6pCs3jzMBFUl0nOHQKgsChJXi1CSWzLoJGVetiwnof/+ox8eAkmrckvC0BSUOZctEK0dIToFsElX4ub6ClVaS4w7QkRjUtHPwlN2fxIrE8wq+D0oiFv2LucKDxJmu/2pR6LREK3Ngv1Y690BWxAqGYRUEmwAo83aiTLmHbKc5IUMP9UKpqvyNlEIb0K36FLSQLCq6RTv9Y8RqWE824j6c+jg==";

which I am presuming is hashing correctly. I have made sure that the hash is also installed in the cert store on the target node. It is sitting in the cert:\localmachine\my location.

Also note I am using a self signed certificate. (Would it be permissable to use that?).

Any advice is appreciated.

configuration DSCExample
{
   param
    (
        [Parameter(Mandatory)]
        [pscredential]$safemodeAdministratorCred,
        [Parameter(Mandatory)]
        [pscredential]$domainCred
        #[Parameter(Mandatory)]
        #[pscredential]$DNSDelegationCred
    )
    Import-DscResource -ModuleName xActiveDirectory

    
    Node $AllNodes.Where{$_.Role -eq "ADServer"}.Nodename
    {
        LocalConfigurationManager
        {
            RebootNodeIfNeeded = $true
        }

        WindowsFeature RemoveGUI 
        {
            Ensure = "Absent"
            Name   = "Server-Gui-Mgmt-Infra"
        }

        WindowsFeature ADDSInstall
        {
            Ensure = "Present"
            Name = "AD-Domain-Services"
        }
        xADDomain FirstDS
        {
            DomainName = $Node.DomainName
            DomainAdministratorCredential = $domainCred
           SafemodeAdministratorPassword = $safemodeAdministratorCred
            #DnsDelegationCredential = $DNSDelegationCred
            DependsOn = "[WindowsFeature]ADDSInstall"
        }
        
    }
}
# Configuration Data for AD 

DSCExample -configurationdata C:\scripts\configurationdata.psd1 -safemodeAdministratorCred (Get-Credential -Message "New Domain Safe Mode Admin Credentials") -domainCred (Get-Credential -Message "New Domain Admin Credentials") 

$Session = New-CimSession -ComputerName "ad" -Credential administrator
Start-DscConfiguration -path C:\cert\DSCExample -Wait -Credential (Get-Credential)  -Verbose

regards,

Wei-Yen Tan

February 18, 2016 at 10:35 am

So, it's not a hash, it's an encrypted value. And a self-signed certificate won't necessarily work, no, because that certificate wouldn't be trusted by both the machine doing the encryption AND by the target node, which needs to do the decryption. You'd need a real certificate that they can both trust. The decryption is probably failing, which is contributing to the error.