For months I have reliably used an ARM template that creates primary and backup domain controllers (based on 'active-directory-new-domain-ha-2-dc' in the quick start templates). On Friday it stopped working without any modifications being made.
The problem is on the primary DC. The xADDomain DSC resource triggers a reboot as shown in this excerpt from the first DSC log:
VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]: LCM: [ End Resource
] [[xADDomain]FirstDS]
VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]:
[] A reboot is required to progress further. Please reboot the system.
Configuration will not be continued after the reboot. To continue
configuration, use Start-DscConfiguration -UseExisting after reboot.
VERBOSE: [2020-05-22 15:22:17Z] [WARNING] [tipaADPDC]:
[] A reboot is required to progress further. Please reboot the system.
Configuration will not be continued after the reboot. To continue
configuration, use Start-DscConfiguration -UseExisting after reboot.
After the reboot the following security error can be seen in the second DSC log:
VERBOSE: [2020-05-22 15:23:28Z] Will continue the existing configuration.
Executing Start-DscConfiguration with -UseExisting option ...
VERBOSE: [2020-05-22 15:23:28Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-05-22 15:23:29Z] [VERBOSE] Perform operation 'Invoke CimMethod'
with following parameters, ''methodName' = ApplyConfiguration,'className' =
MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-05-22 15:23:29Z] [ERROR] WinRM cannot process the request. The
following error with errorcode 0x80090350 occurred while using Negotiate
authentication: An unknown security error occurred.
As no changes had been made to the ARM template or the DSC resources, I assume that this is due to the deployment picking up the latest version of something.
Things I have tried:
I have also looked into preventing DSC from restarting after the reboot (there are no more resources to process). However, I think that those settings are already made due to the following entries in the first DSC log:
VERBOSE: [2020-05-22 15:18:42Z] WMF 5 or newer, Injecting RebootNodeIfNeeded =
False and ActionAfterReboot = "StopConfiguration"
VERBOSE: [2020-05-22 15:18:47Z] Get-DscLocalConfigurationManager:
ActionAfterReboot : StopConfiguration
RebootNodeIfNeeded : False
I am stuck. Does anyone have any ideas? Thanks.
We faced the same issue, and we realized that it only occurs on some particular types of VMs with win_2016Datacenter.
I'm not sure which type of VM you are using; as a workaround, you can try a different VM type.