Partial Configurations & Encrypted Credentials

This topic contains 2 replies, has 2 voices, and was last updated by  thevillag3idi0t 2 weeks, 5 days ago.

  • #84965

    thevillag3idi0t
    Participant

    Hi All,

    Was hoping someone could steer me in the right direction. I'm hoping to utilise partial configurations to firstly deploy a base set of features to the server (first partial configuration), and then deploy and configure AD Domain Services (with the second configuration).

    The LCM code to configure the target server looks like this (the code below is used in a test environment, so nothing sensitive...)

    [DSCLocalConfigurationManager()]
    Configuration PullClientConfig
    {
        Node localhost
        {
            Settings
            {
                RefreshMode = 'Pull'
                RefreshFrequencyMins = 30
                RebootNodeIfNeeded = $true
                CertificateID = ("12fd261ead620b8cb558263180f6ee3200cdcc20").ToUpper()
            }

            ConfigurationRepositoryWeb PullSrv
            {
                ServerURL = 'https://config.testing.id.au:8080/PSDSCPullServer.svc'
                RegistrationKey = '252b8bef-2c38-4f66-b7d8-682136763da4'
                ConfigurationNames = @('BaseConfig','NewADDSDomain')
                CertificateID = ("12fd261ead620b8cb558263180f6ee3200cdcc20").ToUpper()
            }

            PartialConfiguration BaseConfig {
                ConfigurationSource = '[ConfigurationRepositoryWeb]PullSrv'
            }

            PartialConfiguration NewADDSDomain {
                ConfigurationSource = '[ConfigurationRepositoryWeb]PullSrv'
                DependsOn = '[PartialConfiguration]BaseConfig'
            }
        }
    }

    PullClientConfig

    Set-DscLocalConfigurationManager -Path ".\PullClientConfig" -Verbose
    Update-DscConfiguration -Wait -Verbose

    When I run this, the server attempts to configure itself, but eventually fails with an error message of "Verification of prerequisites for Domain Controller promotion failed. The Directory Services Restore Mode password exceeds the maximum password length requirement of the password policy".

    This leads me to believe that the encrypted credentials in the MOF file are not getting decrypted properly (as the encrypted string is quite long). I've tried the following things to resolve it:
    * Removing the partial configuration blocks and just running the NewADDSDomain portion of the config by itself (which works perfectly on its own)
    * Placing the CertificateID parameter in various places in the configuration

    The BaseConfig configuration does not contain any credentials and is not encrypted with the certificate. Is there a trick to using partial configurations when not all of your configurations require encryption/decryption at the target node?
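    The following is an added example, not code from the original post, showing how the role-specific NewADDSDomain configuration is compiled with certificate-based MOF encryption, followed by two checks a practitioner would want when a credential appears to reach the resource in the wrong form: one on the authoring side (the MOF must not contain the clear-text password) and one on the target node (the LCM's CertificateID must resolve to a usable decryption certificate). The node name, certificate path and thumbprint, domain name, and the xActiveDirectory module with its xADDomain resource are assumptions.

```powershell
# Added example, not the poster's code. Node name, certificate path, thumbprint,
# domain name and the xActiveDirectory module/resource are assumptions.

# --- Authoring side: compile the role-specific configuration with MOF encryption ---
$nodeName   = 'dc01.testing.id.au'                # placeholder target node
$thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'       # thumbprint of the node's encryption cert
$certFile   = 'C:\DscPublicCerts\dc01.cer'        # placeholder: public key exported from the node

$configData = @{
    AllNodes = @(
        @{
            NodeName        = $nodeName
            CertificateFile = $certFile     # public key used at compile time to encrypt credentials
            Thumbprint      = $thumbprint   # written into the MOF so the LCM selects the matching private key
            # PSDscAllowPlainTextPassword is deliberately absent: compilation fails rather than
            # writing the DSRM password to the MOF in clear text.
        }
    )
}

Configuration NewADDSDomain
{
    param(
        [Parameter(Mandatory)] [pscredential] $DomainAdminCred,
        [Parameter(Mandatory)] [pscredential] $SafeModeCred
    )
    Import-DscResource -ModuleName xActiveDirectory   # assumed module

    Node $AllNodes.NodeName
    {
        xADDomain FirstDC
        {
            DomainName                    = 'testing.id.au'   # placeholder
            DomainAdministratorCredential = $DomainAdminCred
            SafemodeAdministratorPassword = $SafeModeCred
        }
    }
}

$domainAdmin = Get-Credential -Message 'Domain administrator credential'
$safeMode    = Get-Credential -UserName 'Administrator' -Message 'DSRM password'

NewADDSDomain -ConfigurationData $configData `
              -DomainAdminCred $domainAdmin -SafeModeCred $safeMode `
              -OutputPath .\NewADDSDomain | Out-Null

# Check 1 (authoring side): the clear-text DSRM password must not appear anywhere in the MOF.
$mofPath = Join-Path .\NewADDSDomain "$nodeName.mof"
$mofText = Get-Content -Raw $mofPath
if ($mofText -match [regex]::Escape($safeMode.GetNetworkCredential().Password)) {
    throw "Clear-text password found in $mofPath; CertificateFile/Thumbprint did not take effect."
}

# Check 2 (target side, run on the node): the LCM's CertificateID must point at a certificate
# in LocalMachine\My that has a private key and the Document Encryption EKU; otherwise the
# LCM cannot decrypt the credential it receives from the pull server.
function Test-DscDecryptionCertificate {
    $lcmThumb = (Get-DscLocalConfigurationManager).CertificateID
    if (-not $lcmThumb) { return 'LCM has no CertificateID set' }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $lcmThumb
    if (-not $cert)               { return "No certificate $lcmThumb in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { return "Certificate $lcmThumb has no private key" }
    $eku = $cert.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.4.1.311.80.1'
    if (-not $eku)                { return "Certificate $lcmThumb lacks the Document Encryption EKU" }
    return "OK: $lcmThumb can decrypt DSC credentials"
}
Test-DscDecryptionCertificate
```

    For pull mode with ConfigurationNames, the compiled MOF is renamed to NewADDSDomain.mof and given a checksum with New-DscChecksum before it is published, and the Thumbprint in the configuration data must match the CertificateID the LCM was configured with. BaseConfig, which carries no credentials, is compiled without CertificateFile/Thumbprint and is unaffected by the node's certificate.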

  • #84989

    Michael Greene
    Participant

    Before getting in to the details, may I ask why the use of partial configurations in this scenario?

  • #85028

    thevillag3idi0t
    Participant

    Hi Michael,

    I'm just trying to familiarise myself with the concept at the moment; I'd like to be able to split the configuration documents into smaller pieces. In this scenario, every server managed by DSC would get configured with a base set of components and features (BaseConfig), and then depending on the server's role (in this case, a new domain controller), a configuration document specific to that role would then configure the rest of the features/services as required.
