microsoft/SDN

VMM SDN Express Fails After Network Controller Deployment

Shane291 opened this issue · 10 comments

Hello,

I get the following error message. I'm running VMM 2019 Datacenter with May patches. My Sysprep image is also running the most recent May patches. It fails with the VMM job Add SC-NetworkService. I verified that the nodes can ping each other during the VM deployment phase. I am running the script as an admin from the VMM server.

I also tried with a January 2020 patched version with VMM and I had the same result.

I have verbose logging turned on:

The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Execution of :: on the configuration provider failed. Detailed exception: Unable to connect to the network service. Check connection
string and network connectivity. Execution of Microsoft.SystemCenter.NetworkService::OpenDeviceConnectionEx on the configuration provider 3e2875a7-5831-4fb2-b388-1672e1c20fee failed. Detailed exception:
Microsoft.VirtualManager.NCRestApiWrappers.NCRestApiWrappersException:
Check the documentation for the configuration provider or contact the publisher support.
Unable to connect to the network service. Check connection string and network connectivity. (Error ID: 21426)

VMMExpressLogFile Output:

Using configuration from file [.\Fabricconfig.psd1]
Getting VMM server connection with VMM server [DMZ-VMM1]
Checking the Fabric Configuration Input Parameters
WARNING: The product Key is blank. Specify the Product key by logging into the infrastructure VM while is it being configured
Successfully authenticated with domain lab
VMNetwork Name : [DMZ-INF-LAN]
Generating Self-Signed Certificate..
Generating the self signed certificate
Trimmed VMName:[SDN-NCVM01.lab.dmz]
Exporting the certificate
Certificate Path : cert:\LocalMachine\My\B358FF8CB0719444661E82C8F7D12F0486EBB476
Trimmed VMName:[SDN-NCVM01.lab.dmz]
Recieved VMName : [SDN-NCVM01.lab.dmz]
VmName : [SDN-NCVM01.lab.dmz]
Mapping VHD to template package
Mapping NCSetup.cr to template package
Mapping ServerCertificate.cr to template package
Mapping TrustedRootCertificate.cr to template package
Starting Service Template Configuration
getting Management Network []
Getting the service setting
Creating Account
VMName while onboarding NC : [SDN-NCVM01.lab.dmz]
COnnection String :
The deployment was not successful.
Reason: Execution of :: on the configuration provider failed. Detailed exception: Unable to connect to the network service. Check connection string and network connectivity. Execution of Microsoft.SystemCenter.NetworkService::OpenDeviceConnectionEx on the configuration provider 3e2875a7-5831-4fb2-b388-1672e1c20fee failed. Detailed exception: Microsoft.VirtualManager.NCRestApiWrappers.NCRestApiWrappersException:
Check the documentation for the configuration provider or contact the publisher support.
Unable to connect to the network service. Check connection string and network connectivity. (Error ID: 21426)

Check the documentation for the configuration provider or contact the publisher support.

To restart the job, run the following command:

PS> Restart-Job -Job (Get-VMMServer localhost | Get-Job | where { $_.ID -eq "{87bafc37-da92-4339-931b-fb9925180d01}"})

Cleaning up the system to get in previous state...

Shane,
I would start by running Get-NetworkController and Get-NetworkControllerCluster on the NC nodes themselves; it appears they are not providing the NC service as fully operational. Once that is established, we can onboard the NC Service to VMM. Can you post your Service Deployment Name and Connection String you used, or at least confirm they match? Thanks.
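The advice above is to establish NC health first and then confirm the connection string. The script below is an added example (mine, not from this thread or the microsoft/SDN repository) that reproduces, from the VMM server, the dependencies VMM's OpenDeviceConnectionEx call has on the REST endpoint: name resolution, TCP 443, the certificate the endpoint presents and whether this machine trusts it, the Kerberos SPN, and a Kerberos-authenticated REST GET. Run it in a session started as the Run As account VMM uses for the NC service, since that account must be in the NC ClientSecurityGroup. `$RestName`, `$VmmServiceName` and the `HTTP/<RestName>` SPN form are assumptions; substitute the values from your own FabricConfig.psd1 and service template.

```powershell
# Added example, not code from the original thread or the microsoft/SDN repo.
# Run on the VMM server as the Run As account used for the NC network service.
param(
    [string]$RestName       = 'NJESDNNC.domain.com',  # NC REST name (assumed value, from this thread)
    [string]$VmmServiceName = 'NC'                    # servicename= part of the VMM connection string (assumed)
)

$result = [ordered]@{}

# 1. Name resolution: VMM connects to the REST name, so it must resolve from here.
$dns = Resolve-DnsName -Name $RestName -Type A -ErrorAction SilentlyContinue
$result.DnsResolves = [bool]$dns
$result.RestIP      = ($dns | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress

# 2. TCP reachability of the REST listener.
$result.Port443Open = (Test-NetConnection -ComputerName $RestName -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

# 3. Fetch the certificate the endpoint actually presents. The callback accepts anything so the
#    handshake completes; trust is evaluated separately below against this machine's stores.
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

$cert = $null
try { $cert = Get-RemoteCertificate -HostName $RestName } catch { $result.TlsError = $_.Exception.Message }
if ($cert) {
    $result.CertSubject     = $cert.Subject
    $result.CertThumbprint  = $cert.Thumbprint
    $result.CertExpired     = $cert.NotAfter -lt (Get-Date)
    # Name must match: VMM validates the server name against the certificate.
    $result.CertNameMatches = ($cert.Subject -eq "CN=$RestName") -or ($cert.DnsNameList.Unicode -contains $RestName)
    # Chain trust as the local machine sees it; a self-signed NC cert has to sit in LocalMachine\Root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $result.CertChainTrusted = $chain.Build($cert)
    $result.ChainStatus      = ($chain.ChainStatus.Status -join ', ')
    $result.CertInLocalRoot  = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint)
}

# 4. Kerberos: with ClientAuthentication = Kerberos the client asks the KDC for a ticket to the
#    REST host's SPN. setspn -Q searches the forest for it; "No such SPN found" means no ticket.
$spn = "HTTP/$RestName"   # assumed SPN form
$spnQuery = & setspn.exe -Q $spn 2>&1
$result.SpnRegistered = (($spnQuery | Out-String) -match 'Existing SPN found')

# 5. The same kind of call VMM makes: a Kerberos-authenticated GET against the NC REST API.
#    A failure here is the "Unable to connect to the network service" VMM surfaces as Error ID 21426.
try {
    $servers = Invoke-RestMethod -Uri "https://$RestName/networking/v1/servers" -UseDefaultCredentials -ErrorAction Stop
    $result.RestReachable = $true
    $result.ServerCount   = @($servers.value).Count
} catch {
    $result.RestReachable = $false
    $result.RestError     = $_.Exception.Message
}

# 6. The connection string VMM expects, in the serverurl=...;servicename=... form used in this thread.
$result.ConnectionString = "serverurl=https://$RestName/;servicename=$VmmServiceName"

[pscustomobject]$result | Format-List
```

Read the output top to bottom: if `DnsResolves` or `SpnRegistered` is false the problem is in AD/DNS on the NC side, if `CertChainTrusted` is false it is the VMM server's trust store, and only when those are true does a false `RestReachable` point at the REST service or the caller's group membership.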

Hi Shane,

Have you resolved the problem? Would you mind replying with your solution?

I've got the same error message. I'm running VMM 2022 UR2.

'Reason: Execution of :: on the configuration provider failed. Detailed exception: Unable to connect to the network service. Check connection string and network connectivity. Execution of Microsoft.SystemCenter.NetworkService::OpenDeviceConnectionEx on the configuration provider 3e2875a7-5831-4fb2-b388-1672e1c20fee failed. Detailed exception: Microsoft.VirtualManager.NCRestApiWrappers.NCRestApiWrappersException: Unable to connect to the network service. Check connection string and network connectivity. (Error ID: 21426)'

Any help would be greatly appreciated.
Thanks

Hi Mike,
I've a similar issue deploying NC on VMM. Below is the result for 'Get-NetworkController' and 'Get-NetworkControllerCluster' running from the NC nodes.

```
PS C:\Windows\system32> Get-NetworkController

Node                        : {SDN-NCVM03.domain.com, SDN-NCVM01.domain.com, SDN-NCVM02.domain.com}
ClientAuthentication        : Kerberos
ClientCertificateThumbprint :
ClientSecurityGroup         : domain\NC Management Users
ServerCertificate           : [Subject]
                                CN=NJESDNNC.domain.com
                              [Issuer]
                                CN=NJESDNNC.domain.com
                              [Serial Number]
                                4A8F7AA52FF28B9849754D618D3AEA53
                              [Not Before]
                                7/18/2024 2:40:27 PM
                              [Not After]
                                7/18/2025 3:00:27 PM
                              [Thumbprint]
                                7B540142C340959D6986745A730D5DC922CF1D13
RestIPAddress               :
RestName                    : NJESDNNC.domain.com
Version                     : 15.0.165

PS C:\Windows\system32> Get-NetworkControllerCluster

Version                         : 12.1.2
ServiceFabricVersion            : 7.1.409.9590
ClassVersion                    : 1.3.0
Node                            : {SDN-NCVM01.domain.com, SDN-NCVM03.domain.com, SDN-NCVM02.domain.com}
ClusterAuthentication           : Kerberos
GmsaAccountName                 :
ManagementSecurityGroup         : domain\NC Management
EnableAutomaticUpdates          : True
CredentialEncryptionCertificate : [Subject]
                                    CN=NJESDNNC.domain.com
                                  [Issuer]
                                    CN=NJESDNNC.domain.com
                                  [Serial Number]
                                    4A8F7AA52FF28B9849754D618D3AEA53
                                  [Not Before]
                                    7/18/2024 2:40:27 PM
                                  [Not After]
                                    7/18/2025 3:00:27 PM
                                  [Thumbprint]
                                    7B540142C340959D6986745A730D5DC922CF1D13
```
It's a multi-node deployment.
Connection string: ServerUrl=https://NJESDNNC.domain.com/;ServiceName=NC
@mgodfre3

Thank you!

I have found that if you build the service, ensure you have set the correct AD permissions and group membership, then restart the NC service VMs. After a few minutes it will add the DNS record and you should then be able to access the API.

@DCoates-InnovateLtd the issue I'm having is during the onboarding network controller process.
All the NC nodes are registered in DNS including the restname. All the required group memberships are set as well.

Yep, I had the same. Have you checked AD permissions? And that the certificate is valid and trusted? Have you added it to the trusted store on the VMM server?

The Run As service account is a member of Domain Admins. What other AD permissions do I need to check?
I'm using the certs that are provided in the GitHub SDN-master folder. All the certs are imported to the VMM trusted store.

I can't find the doc, but this is what I use.

```powershell
# Add the NetControl group to each Network Controller AD computer object to allow Service Principal
# validation + read + write, then reboot them all.
# Adds the security group to the Network Controller computer objects and allows Self (validated write),
# read and write of the Service Principal Name.
Import-Module ActiveDirectory   # provides Get-ADComputer, Get-ADGroup and the AD: drive used below

$ComputerNameFriendly = 'SDN-NCVM'    # name shared by the NC VMs (SDN-NCVM01..03 in this thread); set to yours
$GroupName            = 'netcontrol'  # security group that holds the NC computer accounts

$Networkcontrollers = Get-ADComputer -Filter * | Where-Object { $_.Name -match $ComputerNameFriendly }
$group    = Get-ADGroup $GroupName
$identity = [System.Security.Principal.IdentityReference] $group.SID   # the group's SID is the trustee

foreach ($NetController in $Networkcontrollers) {

    $path = "AD:\$($NetController.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # ACE 1: read/write of properties plus GenericExecute on the computer object, for basic management
    # of the network controllers. The empty object GUID means "all attributes", so this ACE is wider
    # than the servicePrincipalName attribute alone.
    $objectguid          = [guid]::Empty
    $inheritedobjectguid = [guid]::Empty
    $adRights        = [System.DirectoryServices.ActiveDirectoryRights] "ReadProperty, WriteProperty, GenericExecute"
    $type            = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $objectguid, $inheritanceType, $inheritedobjectguid
    $acl.AddAccessRule($ace)

    # ACE 2: read, write and validated write (Self) of the Service Principal Name only.
    # f3a64788-5306-11d1-a9c5-0000f80367c1 is the schema GUID of the servicePrincipalName attribute.
    $objectguid = [guid] 'f3a64788-5306-11d1-a9c5-0000f80367c1'
    $adRights   = [System.DirectoryServices.ActiveDirectoryRights] "Self, ReadProperty, WriteProperty"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $objectguid, $inheritanceType, $inheritedobjectguid
    $acl.AddAccessRule($ace)

    # Applies the ACL to the computer object
    Set-Acl -Path $path -AclObject $acl
}
```
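To confirm the ACL script above did what it is meant to, and to check the group membership and DNS record mentioned in the comments before it, here is an added verification script (mine, not from this thread or the microsoft/SDN repository). It reads each NC computer object's ACL back and looks for the servicePrincipalName ACE granted to the group, checks that the computer account is a member of that group, lists any SPN on the object that names the REST host, and resolves the REST name. The `netcontrol` group, the `SDN-NCVM` name prefix and the `NJESDNNC.domain.com` REST name are assumptions taken from this thread; replace them with your own. It needs the RSAT ActiveDirectory module and read access to the computer objects.

```powershell
# Added example, not code from the original thread or the microsoft/SDN repo.
# Verifies the ACE, group membership and DNS registration described in the thread.
param(
    [string]$ComputerNameFriendly = 'SDN-NCVM',           # NC VM name prefix (assumed)
    [string]$GroupName            = 'netcontrol',         # group granted on the computer objects (assumed)
    [string]$RestName             = 'NJESDNNC.domain.com' # NC REST name (assumed)
)
Import-Module ActiveDirectory

# Schema GUID of the servicePrincipalName attribute; the ACE we look for is scoped to it.
$spnAttributeGuid = [guid] 'f3a64788-5306-11d1-a9c5-0000f80367c1'
$selfRight        = [System.DirectoryServices.ActiveDirectoryRights]::Self          # validated write
$writeRight       = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$group   = Get-ADGroup $GroupName
$members = @(Get-ADGroupMember $group -Recursive | Select-Object -ExpandProperty DistinguishedName)
$ncNodes = Get-ADComputer -Filter "Name -like '$ComputerNameFriendly*'" -Properties servicePrincipalName

foreach ($node in $ncNodes) {
    $acl = Get-Acl -Path "AD:\$($node.DistinguishedName)"
    # Ask for rules keyed by SID so the comparison does not depend on name translation.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $spnAce = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $group.SID.Value -and
        $_.ObjectType -eq $spnAttributeGuid -and
        $_.ActiveDirectoryRights.HasFlag($selfRight) -and
        $_.ActiveDirectoryRights.HasFlag($writeRight)
    }

    [pscustomobject]@{
        Node            = $node.Name
        InGroup         = $members -contains $node.DistinguishedName
        SpnAceForGroup  = [bool]$spnAce
        # SPNs already registered on this object that reference the REST host (form not assumed).
        SpnsForRestName = @($node.servicePrincipalName | Where-Object { $_ -like "*$RestName*" }) -join ', '
    }
}

# Per the comment above, the REST name's DNS record appears once the nodes can write their SPNs
# and have been restarted; a missing record here is the pre-fix symptom.
$dns = Resolve-DnsName -Name $RestName -Type A -ErrorAction SilentlyContinue
[pscustomobject]@{
    RestName      = $RestName
    DnsRegistered = [bool]$dns
    Address       = (($dns | Where-Object Type -eq 'A').IPAddress -join ', ')
}
```

Every node should report `InGroup` and `SpnAceForGroup` as True before the restart; `SpnsForRestName` and `DnsRegistered` are expected to populate only after the NC VMs have come back up.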

@DCoates-InnovateLtd that worked!!!
Thank you so much!

For future reference below is the link for the Kerberos auth with SPN.
https://learn.microsoft.com/en-us/azure-stack/hci/manage/kerberos-with-spn