[SOLVED] ARM template with DSC extension fails with security error after reboot during create new AD forest and domain

ARM template with DSC extension fails with security error after reboot during create new AD forest and domain

For months I have reliably used an ARM template that creates primary and backup domain controllers (based on 'active-directory-new-domain-ha-2-dc' in the quick start templates). On Friday it stopped working without any modifications being made.

The problem is on the primary DC. The xADDomain DSC resource triggers a reboot as shown in this excerpt from the first DSC log:

VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]: LCM:  [ End    Resource 
]  [[xADDomain]FirstDS]
VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]:                         
   [] A reboot is required to progress further. Please reboot the system. 
Configuration will not be continued after the reboot. To continue 
configuration, use Start-DscConfiguration -UseExisting after reboot.
VERBOSE: [2020-05-22 15:22:17Z] [WARNING] [tipaADPDC]:                         
   [] A reboot is required to progress further. Please reboot the system. 
Configuration will not be continued after the reboot. To continue 
configuration, use Start-DscConfiguration -UseExisting after reboot.

After the reboot the following security error can be seen in the second DSC log:

VERBOSE: [2020-05-22 15:23:28Z] Will continue the existing configuration. 
Executing Start-DscConfiguration with -UseExisting option ...
VERBOSE: [2020-05-22 15:23:28Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-05-22 15:23:29Z] [VERBOSE] Perform operation 'Invoke CimMethod' 
with following parameters, ''methodName' = ApplyConfiguration,'className' = 
MSFT_DSCLocalConfigurationManager,'namespaceName' = 
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-05-22 15:23:29Z] [ERROR] WinRM cannot process the request. The 
following error with errorcode 0x80090350 occurred while using Negotiate 
authentication: An unknown security error occurred.

As no changes had been made to the ARM template or the DSC resources I assume that this is due to the deployment picking up the latest version of something.

Things I have tried:

Using DSC 2.76 instead of 2.80
Using WMF 5.0 instead of 5.1
Using Windows Server 2019-Datacenter instead of 2016 (it seems there has been no update to the 2016 image since 20190603).

I have also looked into preventing DSC from restarting after the reboot (there are no more resources to process). However, I think that those settings are already made due to the following entries in the first DSC log:

VERBOSE: [2020-05-22 15:18:42Z] WMF 5 or newer, Injecting RebootNodeIfNeeded = 
False and ActionAfterReboot = "StopConfiguration"

VERBOSE: [2020-05-22 15:18:47Z] Get-DscLocalConfigurationManager: 
ActionAfterReboot              : StopConfiguration
RebootNodeIfNeeded             : False

I am stuck. Does anyone have any ideas? Thanks.

Solution

We faced the same issue. And we realized that this issue only occurs on some particular type of Vms with win_2016Datacenter.

Reproduced this issue with vm type "Standard_F4s_v2"
But it doesn't occur with other vms, such as “Standard_DS2_v2”

I'm not sure which type of vm are you using, as a work around you can have a try with a different vm type.