DSC XActiveDirectory exception error thrown


This topic contains 1 reply, has 2 voices, and was last updated by Don Jones 1 year, 7 months ago.

  • #35351

    Wei-Yen Tan

    Hi, I have started writing my DSC configuration files. So I have tested the script with plain text as a test and it works with the $argument $PlainTextAllowed = True.

    However with the certificates enabled it spits an error to say that an exception was thrown.

    I checked the event log under DSC – Operations and found that it was coming up with
    "The Directory Services Restore Mode password exceeds the maximum password length requirements of the password policy."

    When I see the mof file it has hashed the password like so for the safe domain credentials:

    Password = "gFAwQkG2Pa+I2403+2C7HXRdswkNfGsX9ypfr1ddKT56g2BwuWkkNzO1DhuaT69xwS2EXKW03p5wkAfUNi3ORYdU/XZQ+3VdXNA9v5HpKnjH/z/0TAy+ODgsNqCTbf6pCs3jzMBFUl0nOHQKgsChJXi1CSWzLoJGVetiwnof/+ox8eAkmrckvC0BSUOZctEK0dIToFsElX4ub6ClVaS4w7QkRjUtHPwlN2fxIrE8wq+D0oiFv2LucKDxJmu/2pR6LREK3Ngv1Y690BWxAqGYRUEmwAo83aiTLmHbKc5IUMP9UKpqvyNlEIb0K36FLSQLCq6RTv9Y8RqWE824j6c+jg==";

    which I am presuming is hashing correctly. I have made sure that the hash is also installed in the cert store on the target node. It is sitting in the cert:\localmachine\my location.

    Also note I am using a self-signed certificate. (Would it be permissible to use that?)

    Any advice is appreciated.

    configuration DSCExample
    {
        # Credentials are passed in at compile time (see the DSCExample call below)
        param (
            [Parameter(Mandatory)] [pscredential] $safemodeAdministratorCred,
            [Parameter(Mandatory)] [pscredential] $domainCred
        )
        Import-DscResource -ModuleName xActiveDirectory

        Node $AllNodes.Where{$_.Role -eq "ADServer"}.Nodename
        {
            # RebootNodeIfNeeded is an LCM setting, so it sits in a LocalConfigurationManager block
            LocalConfigurationManager
            {
                RebootNodeIfNeeded = $true
            }
            WindowsFeature RemoveGUI
            {
                Ensure = "Absent"
                Name   = "Server-Gui-Mgmt-Infra"
            }
            WindowsFeature ADDSInstall
            {
                Ensure = "Present"
                Name   = "AD-Domain-Services"
            }
            xADDomain FirstDS
            {
                DomainName                    = $Node.DomainName
                DomainAdministratorCredential = $domainCred
                SafemodeAdministratorPassword = $safemodeAdministratorCred
                #DnsDelegationCredential      = $DNSDelegationCred
                DependsOn                     = "[WindowsFeature]ADDSInstall"
            }
        }
    }
    # Configuration Data for AD
    DSCExample -ConfigurationData C:\scripts\configurationdata.psd1 -safemodeAdministratorCred (Get-Credential -Message "New Domain Safe Mode Admin Credentials") -domainCred (Get-Credential -Message "New Domain Admin Credentials")
    $Session = New-CimSession -ComputerName "ad" -Credential administrator
    Start-DscConfiguration -Path C:\cert\DSCExample -Wait -Credential (Get-Credential) -Verbose


    Wei-Yen Tan

  • #35443

    Don Jones

    So, it's not a hash, it's an encrypted value. And a self-signed certificate won't necessarily work, no, because that certificate wouldn't be trusted by both the machine doing the encryption AND by the target node, which needs to do the decryption. You'd need a real certificate that they can both trust. The decryption is probably failing, which is contributing to the error.
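As an added example (not code from either poster), the following shows how the encrypting certificate is wired into both sides that Don describes: the authoring machine needs the target node's public certificate (.cer) referenced from the configuration data, and the target node's LCM needs the matching private key identified by thumbprint. It also adds a check to run on the target node before pushing a MOF with encrypted credentials. The node name, domain name, file paths and the thumbprint placeholder are assumptions; the configuration data keys (PSDscAllowPlainTextPassword, CertificateFile, Thumbprint) and the CertificateID LCM setting are the standard DSC ones.

```powershell
# Constructed example: certificate wiring for DSC credential encryption.
# Thumbprint and paths are placeholders; replace with the target node's values.

# --- Authoring machine: configuration data (the post loads this from C:\scripts\configurationdata.psd1) ---
# CertificateFile is the public half of the target node's certificate, exported from the target
# and copied here. The private key never leaves the target node.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName                    = 'ad'
            Role                        = 'ADServer'
            DomainName                  = 'corp.example'
            PSDscAllowPlainTextPassword = $false   # encryption required; $true was only the plaintext test
            CertificateFile             = 'C:\cert\ad.cer'
            Thumbprint                  = '<THUMBPRINT-OF-TARGET-NODE-CERT>'
        }
    )
}

# --- Target node LCM: which private key to decrypt with (WMF 4 style, matching the post's LCM block) ---
configuration ConfigureLcmForDecryption
{
    param ([Parameter(Mandatory)][string]$Thumbprint)
    Node 'ad'
    {
        LocalConfigurationManager
        {
            CertificateID      = $Thumbprint
            RebootNodeIfNeeded = $true
        }
    }
}

# --- Target node: verify the certificate the MOF was encrypted for can actually decrypt ---
function Test-DscDecryptionCertificate
{
    param ([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

    if (-not $cert) {
        return "FAIL: no certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
    }
    if (-not $cert.HasPrivateKey) {
        return 'FAIL: certificate is present but its private key is not; the LCM cannot decrypt'
    }
    # Document Encryption EKU (OID 1.3.6.1.4.1.311.80.1) is what DSC expects on the cert
    $eku = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.80.1' }
    if (-not $eku) {
        return 'WARN: certificate lacks the Document Encryption EKU (1.3.6.1.4.1.311.80.1)'
    }
    return "OK: $($cert.Subject) has a private key and the Document Encryption EKU"
}

# Usage on the authoring machine:
#   ConfigureLcmForDecryption -Thumbprint '<THUMBPRINT-OF-TARGET-NODE-CERT>' -OutputPath C:\cert\Lcm
#   Set-DscLocalConfigurationManager -Path C:\cert\Lcm -Verbose
#   DSCExample -ConfigurationData $ConfigurationData -safemodeAdministratorCred (Get-Credential) -domainCred (Get-Credential)
# Usage on the target node (before Start-DscConfiguration):
#   Test-DscDecryptionCertificate -Thumbprint '<THUMBPRINT-OF-TARGET-NODE-CERT>'
```

With PSDscAllowPlainTextPassword set to $false, compilation fails rather than emitting a plaintext password when no certificate is available, and the Password value in the MOF is the RSA-encrypted credential that only the holder of the private key named by CertificateID can recover. If the check returns FAIL on the target node, the LCM will not be able to decrypt the credential and the xADDomain resource receives an unusable safe-mode password, which matches the error in the event log above.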
