dsccommunity/xPSDesiredStateConfiguration

xWindowsFeature: Domain Controller with WindowsFeature Resource Error

nanalakshmanan opened this issue · 5 comments

This issue is coming from a customer email

The customer is trying to create a domain controller with this snippet in his DSC configuration:

    WindowsFeature InstallAD-Domain-Services
    {
        Ensure = "Present"
        Name = "AD-Domain-Services"
    }

Once the domain controller is created he is seeing these errors:

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer NEULIV-RTDC00 with user sid S-1-5-21-1187121464-4283592160-823084155-500.
VERBOSE: [NEULIV-RTDC00]: LCM: [ Start Set ]
VERBOSE: [NEULIV-RTDC00]: LCM: [ Start Resource ] [[WindowsFeature]InstallAD-Domain-Services]
VERBOSE: [NEULIV-RTDC00]: LCM: [ Start Test ] [[WindowsFeature]InstallAD-Domain-Services]
DEBUG: [NEULIV-RTDC00]: [[WindowsFeature]InstallAD-Domain-Services] Begin executing Test functionality on the AD-Domain-Services feature.
DEBUG: [NEULIV-RTDC00]: [[WindowsFeature]InstallAD-Domain-Services] Querying for feature AD-Domain-Services using Server Manager cmdlet Get-WindowsFeature.
VERBOSE: [NEULIV-RTDC00]: [[WindowsFeature]InstallAD-Domain-Services] The operation 'Get-WindowsFeature' started: AD-Domain-Services
DEBUG: [NEULIV-RTDC00]: [[WindowsFeature]InstallAD-Domain-Services] GetServerComponentsAsync provider method started: AD-Domain-Services
DEBUG: [NEULIV-RTDC00]: [[WindowsFeature]InstallAD-Domain-Services] Call to GetServerComponentsAsync provider method succeeded.
VERBOSE: [NEULIV-RTDC00]: [[WindowsFeature]InstallAD-Domain-Services] The operation 'Get-WindowsFeature' succeeded: AD-Domain-Services
DEBUG: [NEULIV-RTDC00]: [[WindowsFeature]InstallAD-Domain-Services] End executing Test functionality on the AD-Domain-Services feature.
Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."
+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : IdentityNotMappedException
+ PSComputerName : localhost

VERBOSE: [NEULIV-RTDC00]: LCM: [ End Test ] [[WindowsFeature]InstallAD-Domain-Services] in 1.2500 seconds.
The PowerShell DSC resource MSFT_RoleResource threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called
Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost

VERBOSE: [NEULIV-RTDC00]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 3.088 seconds

Customer thinks that this is due to a bug in ServerManager.psm1 per this email:

---BEGIN EMAIL---

I have narrowed this down to the following code in ServerManager.psm1:

    # S-1-5-32-559 => Performance Log Users
    # S-1-5-32-573 => Event Log Readers
    # S-1-5-32-580 => Remote Management Users
    $groupNames = @()
    foreach($sid in @("S-1-5-32-559", "S-1-5-32-573", "S-1-5-32-580"))
    {
        $groupNames = @(((New-Object System.Security.Principal.SecurityIdentifier ($sid)).Translate([System.Security.Principal.NTAccount]).Value -split "\\+")[1]) + $groupNames
    }

The last of the three SIDs fails to translate on the domain controller. This corresponds to a well-known SID as per this KB, but for some reason it does not appear to be present after promoting a second server to be a DC.

Based on this I have got a workaround which is to define the following resource:

    Script ServerManagerWorkaround
    {
        GetScript = { @{Dummy = "dummy"} }
        TestScript =
        {
            try
            {
                # Discard the feature object so the scriptblock returns only the boolean DSC expects.
                $null = Get-WindowsFeature "AD-Domain-Services"
            }
            catch
            {
                Write-Verbose "Server Manager exception caught"
            }
            return $true
        }
        SetScript = { Write-Verbose "Dummy Set" }
    }

And to have my WindowsFeature resources depend on this.

Not ideal. This looks like a bug in ServerManager.psm1 to me.
---END EMAIL---
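The translation loop quoted from ServerManager.psm1 above stops at the first SID that fails, which is why the whole Get-WindowsFeature call dies with one IdentityNotMappedException. The following diagnostic is an added example (not code from the issue, from ServerManager.psm1 or from this module): it performs the same SID-to-account translation but resolves each SID separately, catches IdentityNotMappedException per SID, and reports which of the three BUILTIN groups is missing on the host. The function name Test-BuiltinGroupTranslation is an assumption for this example.

```powershell
# Added example (not from the issue or ServerManager.psm1): reproduce the
# SID -> account translation that ServerManager.psm1 performs, but resolve
# each SID on its own and record which one fails instead of throwing.
function Test-BuiltinGroupTranslation
{
    [CmdletBinding()]
    param
    (
        # The three well-known BUILTIN SIDs quoted in the issue.
        [string[]] $Sid = @('S-1-5-32-559', 'S-1-5-32-573', 'S-1-5-32-580')
    )

    foreach ($s in $Sid)
    {
        $identifier = New-Object System.Security.Principal.SecurityIdentifier ($s)
        try
        {
            $account = $identifier.Translate([System.Security.Principal.NTAccount]).Value
            [pscustomobject]@{
                Sid      = $s
                Resolved = $true
                # Same split ServerManager.psm1 uses: keep the part after 'BUILTIN\'.
                Group    = ($account -split '\\+')[1]
                Error    = $null
            }
        }
        catch [System.Security.Principal.IdentityNotMappedException]
        {
            # PowerShell matches the inner exception of the .NET method call here.
            [pscustomobject]@{
                Sid      = $s
                Resolved = $false
                Group    = $null
                Error    = $_.Exception.Message
            }
        }
    }
}

# Usage: run on the new domain controller after promotion and reboot to see
# whether Get-WindowsFeature (and therefore the WindowsFeature resource) can work yet.
$results = Test-BuiltinGroupTranslation
$results | Format-Table -AutoSize
$missing = $results | Where-Object { -not $_.Resolved }
if ($missing)
{
    Write-Warning ("Get-WindowsFeature will fail until these SIDs resolve: " + ($missing.Sid -join ', '))
}
```

Running this before the LCM re-applies the configuration tells you which group is absent rather than leaving you with the generic "Some or all identity references could not be translated" message from the DSC operational log.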

Hi @nanalakshmanan - I don't think this is the best place to log this issue. The issue is with the WindowsFeature DSC resource which is one of the built in DSC resources (comes built into the PSDesiredStateConfiguration resource module). We don't have access to change the built in DSC resources here. This resource module is xPSDesiredStateConfiguration (the x makes all the difference 😄 ).

Possibly the place to log this is in UserVoice.

Are we able to close this issue?

xWindowsFeature was just ported in #148 as part of the HQRM plan (#160) so we should fix it here now.

I'm running into this same issue every time I add a 2016 DC to a 2008R2 domain. It appears to occur after the DC has been promoted, rebooted, and the LCM is re-applying the DSC configuration, which re-runs the Test-TargetResource function of the xWindowsFeature resource.

I've seen that it can take a while after the first reboot following the promotion of a new DC for the DC to be fully functional. This is more prevalent with Server 2016, but I've seen it with 2012R2 as well. During this time, the test errors out with this error because the Remote Management Users group doesn't exist yet when installing a domain controller in an existing 2008R2 or lower domain.

If you wait a bit for the group to be created and re-apply the DSC configuration, it completes successfully and all future DSC runs are successful as well.

I resolved this issue in #267.

I had this same issue. Apparently, when you add a Windows 2012 R2 domain controller, it looks for the following groups after promotion.

S-1-5-32-559 => Performance Log Users
S-1-5-32-573 => Event Log Readers
S-1-5-32-580 => Remote Management Users

In order for these groups to be created, you have to transfer the PDC role to the Windows 2012 R2 domain controller. Once the groups are created, the error goes away.
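Both of the last two comments describe the same timing problem: the WindowsFeature test runs before the BUILTIN groups exist. The configuration below is an added example (not code from the issue or from the xPSDesiredStateConfiguration module) that turns the earlier Script workaround into an explicit gate: its TestScript is $true only when all three SIDs translate, its SetScript waits a bounded time for them, and the WindowsFeature resource depends on it so the LCM never calls Get-WindowsFeature until the groups are present. The configuration name, the resource name WaitForServerManagerGroups and the ten-minute polling window are assumptions chosen for this example.

```powershell
# Added example (not from the issue or the xPSDesiredStateConfiguration module):
# a gating Script resource that holds the WindowsFeature resource back until the
# three BUILTIN groups that ServerManager.psm1 translates actually exist.
Configuration DomainControllerFeatures
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost
    {
        Script WaitForServerManagerGroups
        {
            GetScript = {
                @{ Result = 'Checks that S-1-5-32-559, S-1-5-32-573 and S-1-5-32-580 translate to account names' }
            }

            TestScript = {
                # Same translation ServerManager.psm1 performs; $true only when every SID resolves.
                foreach ($sid in @('S-1-5-32-559', 'S-1-5-32-573', 'S-1-5-32-580'))
                {
                    try
                    {
                        $null = (New-Object System.Security.Principal.SecurityIdentifier ($sid)).Translate([System.Security.Principal.NTAccount])
                    }
                    catch [System.Security.Principal.IdentityNotMappedException]
                    {
                        Write-Verbose "SID $sid does not resolve yet"
                        return $false
                    }
                }
                return $true
            }

            SetScript = {
                # Helper defined inside the scriptblock because DSC runs it in its own scope.
                function Get-UnresolvedSid
                {
                    foreach ($sid in @('S-1-5-32-559', 'S-1-5-32-573', 'S-1-5-32-580'))
                    {
                        try { $null = (New-Object System.Security.Principal.SecurityIdentifier ($sid)).Translate([System.Security.Principal.NTAccount]) }
                        catch [System.Security.Principal.IdentityNotMappedException] { $sid }
                    }
                }

                # Poll for a bounded time (assumed 10 minutes); the groups appear once the DC is fully
                # functional or, as described in the thread, after the PDC emulator role has been moved.
                $deadline = (Get-Date).AddMinutes(10)
                do
                {
                    $unresolved = @(Get-UnresolvedSid)
                    if ($unresolved.Count -eq 0) { return }
                    Start-Sleep -Seconds 30
                } while ((Get-Date) -lt $deadline)

                # Fail this resource; dependants are skipped and the LCM retries at its next consistency check.
                throw "Groups for SIDs $($unresolved -join ', ') still do not exist"
            }
        }

        WindowsFeature InstallAD-Domain-Services
        {
            Ensure    = 'Present'
            Name      = 'AD-Domain-Services'
            DependsOn = '[Script]WaitForServerManagerGroups'
        }
    }
}
```

Unlike the original workaround, which swallows the exception and always returns $true, this version reports the real state: while a group is missing the Script resource fails with a message naming the unresolved SID, and the dependent WindowsFeature resource is not attempted, so the consistency run does not produce the misleading MSFT_RoleResource error shown at the top of the issue.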

@ripclawffb Thanks, your comment helped.