ARM template with DSC extension fails with security error after reboot during create new AD forest and domain


For months I have reliably used an ARM template that creates primary and backup domain controllers (based on 'active-directory-new-domain-ha-2-dc' in the quick start templates). On Friday it stopped working without any modifications being made.

The problem is on the primary DC. The xADDomain DSC resource triggers a reboot as shown in this excerpt from the first DSC log:

VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]: LCM:  [ End    Resource 
]  [[xADDomain]FirstDS]
VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]:                         
   [] A reboot is required to progress further. Please reboot the system. 
Configuration will not be continued after the reboot. To continue 
configuration, use Start-DscConfiguration -UseExisting after reboot.
VERBOSE: [2020-05-22 15:22:17Z] [WARNING] [tipaADPDC]:                         
   [] A reboot is required to progress further. Please reboot the system. 
Configuration will not be continued after the reboot. To continue 
configuration, use Start-DscConfiguration -UseExisting after reboot.

After the reboot the following security error can be seen in the second DSC log:

VERBOSE: [2020-05-22 15:23:28Z] Will continue the existing configuration. 
Executing Start-DscConfiguration with -UseExisting option ...
VERBOSE: [2020-05-22 15:23:28Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-05-22 15:23:29Z] [VERBOSE] Perform operation 'Invoke CimMethod' 
with following parameters, ''methodName' = ApplyConfiguration,'className' = 
MSFT_DSCLocalConfigurationManager,'namespaceName' = 
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-05-22 15:23:29Z] [ERROR] WinRM cannot process the request. The 
following error with errorcode 0x80090350 occurred while using Negotiate 
authentication: An unknown security error occurred.

As no changes had been made to the ARM template or the DSC resources I assume that this is due to the deployment picking up the latest version of something.

Things I have tried:

  1. Using DSC 2.76 instead of 2.80
  2. Using WMF 5.0 instead of 5.1
  3. Using Windows Server 2019-Datacenter instead of 2016 (it seems there has been no update to the 2016 image since 20190603).

I have also looked into preventing DSC from restarting after the reboot (there are no more resources to process). However, I think that those settings are already made due to the following entries in the first DSC log:

VERBOSE: [2020-05-22 15:18:42Z] WMF 5 or newer, Injecting RebootNodeIfNeeded = 
False and ActionAfterReboot = "StopConfiguration"

VERBOSE: [2020-05-22 15:18:47Z] Get-DscLocalConfigurationManager: 
ActionAfterReboot              : StopConfiguration
RebootNodeIfNeeded             : False

I am stuck. Does anyone have any ideas? Thanks.
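
The post above describes a resume path that is easy to lose sight of: after the xADDomain reboot the extension runs `Start-DscConfiguration -UseExisting`, which is a CIM call (`ApplyConfiguration` on `MSFT_DSCLocalConfigurationManager`) over WinRM to the local machine using Negotiate, and that is the call that fails with 0x80090350. The following script is an added diagnostic, not code from the original post or from the Azure DSC extension. It is meant to be run in an elevated PowerShell session on the primary DC after the reboot, and it assumes the extension handler logs live under `C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC` (a path taken from the extension's documented layout, not from the post; adjust if your VM differs). It checks the LCM settings the log says were injected, exercises the same local WinRM Negotiate path (and Kerberos on its own, to separate a new-DC Kerberos problem from a general WinRM one), confirms the DC services came up, and pulls the error code out of the extension logs and the System event log around boot time so the two can be correlated.

```powershell
# Added diagnostic for the post-reboot WinRM/Negotiate failure described in the post.
# Not part of the original question or of the Azure DSC extension. Run elevated on the
# affected DC after the reboot. Assumption: extension handler logs are under $logRoot.
$ErrorActionPreference = 'Continue'

# 1. Confirm the LCM settings the extension says it injected before the reboot.
$lcm = Get-DscLocalConfigurationManager
'LCMState           : {0}' -f $lcm.LCMState
'RebootNodeIfNeeded : {0}' -f $lcm.RebootNodeIfNeeded
'ActionAfterReboot  : {0}' -f $lcm.ActionAfterReboot
if ($lcm.LCMState -eq 'PendingReboot') {
    'LCM still reports PendingReboot; the extension will call Start-DscConfiguration -UseExisting on start.'
}

# 2. Show WinRM service authentication settings, then test the same path the extension
#    uses: a WS-Man request to localhost with Negotiate authentication.
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value | Format-Table -AutoSize
try {
    Test-WSMan -ComputerName localhost -Authentication Negotiate | Out-Null
    'Negotiate to localhost : OK'
} catch {
    'Negotiate to localhost : FAILED - {0}' -f $_.Exception.Message
}

# Kerberos by itself (by host name, so an SPN is looked up) separates a Kerberos/KDC
# problem on the freshly promoted DC from a general WinRM problem.
try {
    Test-WSMan -ComputerName $env:COMPUTERNAME -Authentication Kerberos | Out-Null
    'Kerberos to {0} : OK' -f $env:COMPUTERNAME
} catch {
    'Kerberos to {0} : FAILED - {1}' -f $env:COMPUTERNAME, $_.Exception.Message
}

# 3. Verify the directory services the xADDomain reboot was supposed to bring up.
Get-Service NTDS, Kdc, Netlogon, WinRM -ErrorAction SilentlyContinue |
    Select-Object Name, Status | Format-Table -AutoSize

# 4. Every 0x80090350 hit in the extension handler logs, with file and line number,
#    so it can be matched against the boot time below.
$logRoot = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC'   # assumption, see lead-in
if (Test-Path $logRoot) {
    Get-ChildItem -Path $logRoot -Recurse -Filter '*.log' |
        Select-String -Pattern '0x80090350' |
        ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
} else {
    'Extension log directory not found: {0}' -f $logRoot
}

# 5. WinRM, Kerberos client and Netlogon events in the first 10 minutes after boot,
#    which is the window in which the extension resumes the configuration.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WinRM', 'Microsoft-Windows-Security-Kerberos', 'NETLOGON'
    StartTime    = $boot
    EndTime      = $boot.AddMinutes(10)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-List
```

If the Negotiate test to localhost fails while the Kerberos test succeeds (or the other way round), that narrows the problem to one authentication package rather than to WinRM as a whole; if both fail but `NTDS` and `Kdc` show as running, the event log output from step 5 is the next place to look.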


Solution

  • We faced the same issue, and we realized that it only occurs on some particular types of VMs with win_2016Datacenter.

    I'm not sure which type of VM you are using; as a workaround, you can try a different VM type.