DSC XActiveDirectory exception error thrown


This topic contains 1 reply, has 2 voices, and was last updated by Don Jones 7 months, 1 week ago.

  • #35351
    Wei-Yen Tan
    Participant

    Hi, I have started writing my DSC configuration files. I have tested the script with plain text as a test and it works with the argument $PlainTextAllowed = True.

    However with the certificates enabled it spits an error to say that an exception was thrown.

    I checked the event log under DSC – Operations and found that it was coming up with
    "The Directory Services Restore Mode password exceeds the maximum password length requirements of the password policy."

    When I look at the MOF file, it has hashed the password like so for the safe domain credentials:

    Password = "gFAwQkG2Pa+I2403+2C7HXRdswkNfGsX9ypfr1ddKT56g2BwuWkkNzO1DhuaT69xwS2EXKW03p5wkAfUNi3ORYdU/XZQ+3VdXNA9v5HpKnjH/z/0TAy+ODgsNqCTbf6pCs3jzMBFUl0nOHQKgsChJXi1CSWzLoJGVetiwnof/+ox8eAkmrckvC0BSUOZctEK0dIToFsElX4ub6ClVaS4w7QkRjUtHPwlN2fxIrE8wq+D0oiFv2LucKDxJmu/2pR6LREK3Ngv1Y690BWxAqGYRUEmwAo83aiTLmHbKc5IUMP9UKpqvyNlEIb0K36FLSQLCq6RTv9Y8RqWE824j6c+jg==";

    which I am presuming is hashing correctly. I have made sure that the hash is also installed in the cert store on the target node. It is sitting in the cert:\localmachine\my location.

    Also note I am using a self-signed certificate. (Would it be permissible to use that?)

    Any advice is appreciated.

    configuration DSCExample
    {
        param
        (
            [Parameter(Mandatory)]
            [pscredential]$safemodeAdministratorCred,
            [Parameter(Mandatory)]
            [pscredential]$domainCred
            #[Parameter(Mandatory)]
            #[pscredential]$DNSDelegationCred
        )
        Import-DscResource -ModuleName xActiveDirectory

        Node $AllNodes.Where{$_.Role -eq "ADServer"}.Nodename
        {
            # Compiles to <node>.meta.mof; it only takes effect once it is pushed
            # with Set-DscLocalConfigurationManager (done at the end of the script)
            LocalConfigurationManager
            {
                RebootNodeIfNeeded = $true
            }

            WindowsFeature RemoveGUI
            {
                Ensure = "Absent"
                Name   = "Server-Gui-Mgmt-Infra"
            }

            WindowsFeature ADDSInstall
            {
                Ensure = "Present"
                Name   = "AD-Domain-Services"
            }

            xADDomain FirstDS
            {
                DomainName                    = $Node.DomainName
                DomainAdministratorCredential = $domainCred
                SafemodeAdministratorPassword = $safemodeAdministratorCred
                #DnsDelegationCredential      = $DNSDelegationCred
                DependsOn                     = "[WindowsFeature]ADDSInstall"
            }
        }
    }

    # Compile: node data (AllNodes with Role/DomainName) comes from the psd1;
    # -OutputPath is the folder Start-DscConfiguration reads below
    DSCExample -ConfigurationData C:\scripts\configurationdata.psd1 `
        -OutputPath C:\cert\DSCExample `
        -safemodeAdministratorCred (Get-Credential -Message "New Domain Safe Mode Admin Credentials") `
        -domainCred (Get-Credential -Message "New Domain Admin Credentials")

    # One CIM session reused for the meta-configuration and the configuration push
    $Session = New-CimSession -ComputerName "ad" -Credential administrator
    Set-DscLocalConfigurationManager -Path C:\cert\DSCExample -CimSession $Session -Verbose
    Start-DscConfiguration -Path C:\cert\DSCExample -CimSession $Session -Wait -Verbose


    regards,

    Wei-Yen Tan

    #35443
    Don Jones
    Keymaster

    So, it's not a hash, it's an encrypted value. And a self-signed certificate won't necessarily work, no, because that certificate wouldn't be trusted by both the machine doing the encryption AND by the target node, which needs to do the decryption. You'd need a real certificate that they can both trust. The decryption is probably failing, which is contributing to the error.
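Below is an added example (not code from either post) showing the pieces that have to agree for the credential in the question's MOF to be encrypted at compile time and decrypted by the target node, which is the failure Don's answer points at: the configuration data entry that names the certificate, the LCM setting that names the matching private key, and a check to run on the node before pushing. The node name "ad" comes from the question; the certificate file path, domain name and thumbprint are placeholders.

```powershell
# Added example, not from the thread. Assumptions: the target node is "ad" (as in
# the question), the PUBLIC part of its certificate has been exported to C:\cert\ad.cer
# (hypothetical path), and <THUMBPRINT> is replaced with that certificate's thumbprint.

$nodeName   = 'ad'
$certFile   = 'C:\cert\ad.cer'   # public key only; the private key never leaves the node
$thumbprint = '<THUMBPRINT>'      # placeholder: (Get-ChildItem Cert:\LocalMachine\My).Thumbprint on the node

# 1. Configuration data. CertificateFile tells the compiler which public key to encrypt
#    credentials with; Thumbprint is what the node's LCM looks up to decrypt them.
#    PSDscAllowPlainTextPassword is deliberately absent, so the compiler refuses to
#    fall back to a plain-text password instead of silently weakening the MOF.
$configData = @{
    AllNodes = @(
        @{
            NodeName             = $nodeName
            Role                 = 'ADServer'
            DomainName           = 'corp.example'   # constructed sample value
            CertificateFile      = $certFile
            Thumbprint           = $thumbprint
            PSDscAllowDomainUser = $true
        }
    )
}

# 2. LCM settings for the node: CertificateID must equal the thumbprint used above.
#    If it does not, the encrypted blob reaches the resource as the literal password,
#    which matches Don's explanation of the error in the question.
configuration LcmWithCert
{
    Node $AllNodes.NodeName
    {
        LocalConfigurationManager
        {
            CertificateID      = $Node.Thumbprint
            RebootNodeIfNeeded = $true
        }
    }
}

# 3. Run ON the target node before pushing: is the certificate present with its
#    private key, still valid, and the one the LCM is actually configured with?
function Test-DscDecryptionCert
{
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        return [pscustomobject]@{ Ok = $false; Reason = 'not found in Cert:\LocalMachine\My' }
    }
    if (-not $cert.HasPrivateKey) {
        return [pscustomobject]@{ Ok = $false; Reason = 'no private key on this node' }
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        return [pscustomobject]@{ Ok = $false; Reason = 'certificate expired' }
    }
    # WMF 5 additionally requires the Document Encryption EKU (OID 1.3.6.1.4.1.311.80.1).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.80.1' })) {
        return [pscustomobject]@{ Ok = $false; Reason = 'missing Document Encryption EKU' }
    }
    $lcmId = (Get-DscLocalConfigurationManager).CertificateID
    if ($lcmId -ne $Thumbprint) {
        return [pscustomobject]@{ Ok = $false; Reason = "LCM CertificateID is '$lcmId', not this certificate" }
    }
    return [pscustomobject]@{ Ok = $true; Reason = 'certificate usable for DSC decryption' }
}

# 4. Compile the meta-configuration and apply it to the node. Compile DSCExample (from
#    the question) with the same $configData afterwards so its credentials are encrypted
#    with this certificate rather than written in plain text.
LcmWithCert -ConfigurationData $configData -OutputPath C:\cert\LcmWithCert
Set-DscLocalConfigurationManager -Path C:\cert\LcmWithCert -ComputerName $nodeName -Verbose
```

The check in step 3 is worth running on the node whenever a pushed MOF fails with an error that looks like a mangled password: a missing private key or a mismatched CertificateID both leave the LCM unable to decrypt, and the resource then receives the base64 blob seen in the question's MOF.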
