Bug: DC_FORESTPRIMARY.DSC.PS1 leaves the system with invalid properties
Version of PowerShell:
$PSVersionTable.PSVersion
Major Minor Build Revision
----- ----- ----- --------
5 1 17763 1007
PowerShell host:
Console
Operating system:
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, ServicePackMajorVersion, OSArchitecture, WindowsDirectory
Caption : Microsoft Windows Server 2019 Standard
Version : 10.0.17763
ServicePackMajorVersion : 0
OSArchitecture : 64-bit
WindowsDirectory : C:\Windows
Version of LabBuilder:
PS C:\Windows\system32> Get-Module -Name LabBuilder -ListAvailable
Directory: C:\Program Files\WindowsPowerShell\Modules
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 1.0.5.105 LabBuilder {Get-LabResourceModule, Initialize-LabResourceModule, Get-...
When checking the state of the DC after deployment with Get-DscConfiguration an error is returned.
I've verified this on two different setups. I've done three clean rebuilds on the second system with the same result each time.
PS C:\Users\Administrator> Get-DscConfiguration
Get-DscConfiguration : The PowerShell DSC resource returned results that are not valid from Get-TargetResource. The
KDSRootKey key is not a valid property in the corresponding DSC resource schema file. The results from
Get-TargetResource must be in a Hashtable format. The keys in the Hashtable must be the same as the properties in the
corresponding DSC resource schema file.
At line:1 char:1
+ Get-DscConfiguration
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidResult: (MSFT_DSCLocalConfigurationManager:root/Microsoft/...gurationManager) [Ge
t-DscConfiguration], CimException
+ FullyQualifiedErrorId : GetOperationResultInvalidResultFormat,Get-DscConfiguration
The configuration used for the DC:
<vm name="DC"
template="Template Windows Server 2019 b1903 - 1GB"
computername="DC"
bootorder="10">
<dsc configname="DC_FORESTPRIMARY"
configfile="DC_FORESTPRIMARY.DSC.ps1">
<parameters>
DomainName = "LABBUILDER.COM"
DomainNetBiosName = "LABBUILDER"
DomainAdminPassword = "Password!1"
InstallRSATTools = $true
Forwarders = @('8.8.8.8','8.8.4.4')
ADZones = @(
@{ Name = 'ALPHA.LOCAL';
DynamicUpdate = 'Secure';
ReplicationScope = 'Forest';
}
)
PrimaryZones = @(
@{ Name = 'BRAVO.LOCAL';
ZoneFile = 'bravo.local.dns';
DynamicUpdate = 'None';
}
)
</parameters>
</dsc>
<adapters>
<adapter name="External"
switchname="External">
</adapter>
<adapter name="Private"
switchname="Private">
<ipv4 address="192.168.11.2"
subnetmask="24"
dnsserver="192.168.11.2"/>
</adapter>
</adapters>
</vm>
My guess is that the issue is with the CreateKDSRootKey script...
PS C:\Users\Administrator> Test-DscConfiguration -Detailed | select -ExpandProperty ResourcesInDesiredState | select ConfigurationName,InstanceName,ResourceName
ConfigurationName InstanceName ResourceName
----------------- ------------ ------------
DC_FORESTPRIMARY IPv4_2::[Networking]Network IPAddress
DC_FORESTPRIMARY IPv4G_2::[Networking]Network DefaultGatewayAddress
DC_FORESTPRIMARY IPv4D_2::[Networking]Network DnsServerAddress
DC_FORESTPRIMARY BackupInstall WindowsFeature
DC_FORESTPRIMARY DNSInstall WindowsFeature
DC_FORESTPRIMARY ADDSInstall WindowsFeature
DC_FORESTPRIMARY RSAT-AD-PowerShellInstall WindowsFeature
DC_FORESTPRIMARY PrimaryDC ADDomain
DC_FORESTPRIMARY DscDomainWait WaitForADDomain
DC_FORESTPRIMARY RecycleBin ADOptionalFeature
DC_FORESTPRIMARY CreateKDSRootKey Script
DC_FORESTPRIMARY DNSForwarders xDnsServerForwarder
DC_FORESTPRIMARY ADZone1 xDnsServerADZone
DC_FORESTPRIMARY PrimaryZone1 xDnsServerPrimaryZone
I think you're right - this looks like a problem in the script.
I recently discovered the tracing feature of the module xDscDiagnostics.
Using Get-xDscOperation | select -ExpandProperty Allevents | ft -Wrap on a DC brings out the same issue...
PS C:\Users\Administrator> Get-DscConfiguration
Get-DscConfiguration : The PowerShell DSC resource returned results that are not valid from Get-TargetResource. The KDSRootKey key is not a valid property in
the corresponding DSC resource schema file. The results from Get-TargetResource must be in a Hashtable format. The keys in the Hashtable must be the same as
the properties in the corresponding DSC resource schema file.
At line:1 char:1
+ Get-DscConfiguration
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidResult: (MSFT_DSCLocalConfigurationManager:root/Microsoft/...gurationManager) [Get-DscConfiguration], CimException
+ FullyQualifiedErrorId : GetOperationResultInvalidResultFormat,Get-DscConfiguration
PS C:\Users\Administrator> Get-xDscOperation | where result -eq failure | select -ExpandProperty allevents | ft -Wrap
TimeCreated Message
----------- -------
8/10/2021 12:08:13 PM Operation Get-DscConfiguration started by user sid S-1-5-21-2802173511-2513878040-2912752035-500 from computer NULL.
8/10/2021 12:08:13 PM The local configuration manager is updating the PSModulePath to WindowsPowerShell\Modules;C:\Program
Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules.
8/10/2021 12:08:17 PM PsDscRunAsCredential has been specified. The user name is Administrator.
8/10/2021 12:08:18 PM Impersonation successful. Thread is running under the context of NT AUTHORITY\SYSTEM.
8/10/2021 12:08:18 PM Impersonation reverted. Thread is running under the context of NT AUTHORITY\SYSTEM.
8/10/2021 12:08:21 PM This event indicates that failure happens when LCM is processing the configuration. Error Id is 0xD. Error Detail is The
SendConfigurationApply function did not succeed.. Resource Id is [Script]CreateKDSRootKey and Source Info is
C:\Users\Public\myLab\AzDev\AzDev-RDC\LabBuilder Files\DSC.ps1::258::9::Script. Error Message is The PowerShell DSC resource returned
results that are not valid from Get-TargetResource. The KDSRootKey key is not a valid property in the corresponding DSC resource schema
file. The results from Get-TargetResource must be in a Hashtable format. The keys in the Hashtable must be the same as the properties in
the corresponding DSC resource schema file..
8/10/2021 12:08:21 PM MIResult: 13
Error Message: The PowerShell DSC resource returned results that are not valid from Get-TargetResource. The KDSRootKey key is not a
valid property in the corresponding DSC resource schema file. The results from Get-TargetResource must be in a Hashtable format. The
keys in the Hashtable must be the same as the properties in the corresponding DSC resource schema file.
Message ID: GetOperationResultInvalidResultFormat
Error Category: 8
Error Code: 13
Error Type: MI
8/10/2021 12:08:21 PM Impersonation reverted. Thread is running under the context of NT AUTHORITY\SYSTEM.
8/10/2021 12:08:21 PM Impersonation successful. Thread is running under the context of NT AUTHORITY\SYSTEM.
Looking into the issue I found out that the value indeed is returned as a hashtable
GetScript = {
    Return @{
        KDSRootKey = (Get-KDSRootKey)
    }
}
But I couldn't find any schema.MOF file defining KDSRootKey.
I found ADKDSKey in the DSC resource MSFT_ADKDSKey that might be usable instead...
"C:\Program Files\WindowsPowerShell\Modules\ActiveDirectoryDsc\4.1.0.0\DSCResources\MSFT_ADKDSKey\MSFT_ADKDSKey.schema.mof"
It contains the properties
- [Key] String EffectiveTime
- [Write] String Ensure
- [Write] Boolean AllowUnsafeEffectiveTime
- [Write] Boolean ForceRemove
- [Read] String DistinguishedName
- [Read] DateTime CreationTime
- [Read] String KeyId
which seem appropriate for a KDSRootKey.
Using the KeyName ADKDSKey made the issue go away :)
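
The error quoted in this thread states the rule: the hashtable returned by Get-TargetResource may only contain keys defined in the resource's schema. For the built-in Script resource the only returnable key is Result, and its value must be a string. An added example (not LabBuilder's own code; the configuration name and the TestScript/SetScript bodies are assumptions) of a CreateKDSRootKey Script resource whose GetScript satisfies that rule:

```powershell
# Added example, not part of the original thread or of LabBuilder.
# Only the resource name CreateKDSRootKey comes from the page; the
# configuration name and the Test/Set script bodies are assumptions.
Configuration KdsRootKeyExample
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost'
    {
        Script CreateKDSRootKey
        {
            # The Script resource schema exposes a single readable property,
            # 'Result' (String), so GetScript must return exactly that key.
            GetScript  = {
                $keys = @(Get-KdsRootKey)
                $summary = $keys | ForEach-Object {
                    '{0} effective {1:u}' -f $_.KeyId, $_.EffectiveTime
                }
                return @{
                    Result = ($summary -join '; ')   # empty string when no key exists
                }
            }

            # Must return a Boolean: $true when at least one root key exists.
            TestScript = {
                return [bool] (Get-KdsRootKey)
            }

            # Lab-only assumption: back-dating the effective time makes the key
            # usable immediately instead of after the default replication wait.
            SetScript  = {
                Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
            }
        }
    }
}

# Compile the MOF; applying it and running Get-DscConfiguration afterwards
# should then return the Script resource's state instead of the schema error.
KdsRootKeyExample -OutputPath "$env:TEMP\KdsRootKeyExample" | Out-Null
```

After `Start-DscConfiguration -Path "$env:TEMP\KdsRootKeyExample" -Wait -Force` on the domain controller, `Get-DscConfiguration` reports the key summary in the `Result` property.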