I am hitting an issue when trying to join a VM (Windows Server 2019) to a domain and promote it to a DC. The deployment is being done via ARM Templates using the DSC extensions. It is a single template that deploys both VMs and configures them as DCs so they are all using the same credentials etc. I've tried the updated Active Directory DSC from here.
The error I am getting is:
"DSC Configuration 'CreateADBDC' completed with error(s). Following are the first few: Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running. PowerShell DSC resource MSFT_xADDomainController failed to execute Set-TargetResource functionality with error message: Domain 'DOMAIN.CO.UK' could not be found. The SendConfigurationApply function did not succeed"
The odd thing is I can log in to the VM and join the domain through the UI and it works fine, likewise I can promote it via the UI and again that works. The DNS settings are right and the primary DC is resolvable.
From what I can see, this is the command that is being run by the "Set-TargetResource" function within the MSFT_xADDomainController.psm1:
Get-ADDomain -Identity $DomainName -Credential $DomainAdministratorCredential
If I run this command on the VM I am trying to promote, the command fails. The output from the failure is:
Get-ADDomain : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running
Which looks very similar to the error output from the DSC extension which is making me wonder if the actual issue is with the PowerShell Active Directory module.
Additional info:
DSC Extension snippet
"resources": [
  {
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "name": "[concat(variables('dc2name'), '/CreateADBDC')]",
    "apiVersion": "2019-03-01",
    "location": "[resourceGroup().location]",
    "dependsOn": [
      "[resourceId('Microsoft.Compute/virtualMachines', variables('dc2name'))]",
      "[resourceId('Microsoft.Compute/virtualMachines/extensions', variables('dc1name'), 'CreateADForest')]"
    ],
    "properties": {
      "publisher": "Microsoft.Powershell",
      "type": "DSC",
      "typeHandlerVersion": "2.77",
      "autoUpgradeMinorVersion": true,
      "settings": {
        "WMFVersion": "latest",
        "configuration": {
          "url": "[concat(parameters('Artifacts Location'), '/dsc/CreateADBDC.zip')]",
          "script": "CreateADBDC.ps1",
          "function": "CreateADBDC"
        },
        "configurationArguments": {
          "DomainName": "[parameters('Domain Name')]",
          "DNSServer": "[variables('dc1ipaddress')]"
        }
      },
      "protectedSettings": {
        "configurationArguments": {
          "adminCreds": {
            "UserName": "[parameters('Administrator User')]",
            "Password": "[parameters('Administrator Password')]"
          },
          "SafeModeAdminCreds": {
            "UserName": "[parameters('Administrator User')]",
            "Password": "[parameters('SafeMode Password')]"
          }
        },
        "configurationUrlSasToken": "[parameters('Artifacts Location SAS Token')]"
      }
    }
  }
]
CreateADBDC.ps1
configuration CreateADBDC {
    Param (
        # Get deployment details
        [Parameter(Mandatory)]
        [String]$DNSServer,
        [Parameter(Mandatory)]
        [String]$DomainName,
        # Credentials
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Admincreds,
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$SafeModeAdminCreds,
        [Int]$RetryCount = 500,
        [Int]$RetryIntervalSec = 3
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration, xStorage, xNetworking, xActiveDirectory, xPendingReboot
    $Interface = Get-NetAdapter | Where-Object { $_.Name -Like "Ethernet*" } | Select-Object -First 1
    [System.Management.Automation.PSCredential]$DomainCreds = New-Object System.Management.Automation.PSCredential ("${DomainName}\$($Admincreds.UserName)", $Admincreds.Password)
    $features = @("AD-Domain-Services", "RSAT-ADDS-Tools", "RSAT-AD-AdminCenter")
    Node localhost {
        LocalConfigurationManager {
            ActionAfterReboot = 'ContinueConfiguration'
            ConfigurationMode = 'ApplyOnly'
            RebootNodeIfNeeded = $true
        }
        xWaitforDisk Disk2 {
            DiskNumber = 2
            RetryIntervalSec = $RetryIntervalSec
            RetryCount = $RetryCount
        }
        xDisk ADDataDisk {
            DiskNumber = 2
            DriveLetter = "F"
            DependsOn = "[xWaitForDisk]Disk2"
        }
        WindowsFeatureSet Prereqs {
            Name = $features
            Ensure = "Present"
            IncludeAllSubFeature = $true
        }
        xDnsServerAddress DnsServerAddress {
            Address = $DNSServer
            InterfaceAlias = $Interface.Name
            AddressFamily = "IPv4"
            DependsOn = "[WindowsFeatureSet]Prereqs"
        }
        xWaitForADDomain DscForestWait {
            DomainName = $DomainName
            DomainUserCredential = $DomainCreds
            RetryCount = $RetryCount
            RetryIntervalSec = $RetryIntervalSec
            DependsOn = "[WindowsFeatureSet]Prereqs"
        }
        xADDomainController BDC {
            DomainName = $DomainName
            DomainAdministratorCredential = $DomainCreds
            SafemodeAdministratorPassword = $SafeModeAdminCreds
            DatabasePath = "F:\NTDS"
            LogPath = "F:\NTDS"
            SysvolPath = "F:\SYSVOL"
            DependsOn = "[xWaitForADDomain]DscForestWait"
        }
        xPendingReboot RebootAfterPromotion {
            Name = "RebootAfterDCPromotion"
            DependsOn = "[xADDomainController]BDC"
        }
    }
}
MSFT_xADDomainController.psm1 - LINK
DSC Log file output
VERBOSE: [2019-03-17 22:23:12Z] [VERBOSE] [DC2]: LCM: [ Start Resource ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Test ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] Checking the DNS Server Address ...
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] DNS Servers are not correct. Expected 10.x.x.250, actual 10.x.x.250 10.x.x.249 8.8.8.8
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ End Test ] [[xDNSServerAddress]DnsServerAddress] in 0.7500 seconds.
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Set ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] Checking the DNS Server Address ...
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] DNS Servers are not correct. Expected 10.x.x.250, actual 10.x.x.250 10.x.x.249 8.8.8.8
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xDNSServerAddress]DnsServerAddress] DNS Servers have been set correctly.
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ End Set ] [[xDNSServerAddress]DnsServerAddress] in 0.0940 seconds.
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ End Resource ] [[xDNSServerAddress]DnsServerAddress]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Resource ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: LCM: [ Start Test ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:13Z] [VERBOSE] [DC2]: [[xWaitForADDomain]DscForestWait] Checking for domain DOMAIN.CO.UK ...
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: [[xWaitForADDomain]DscForestWait] Found domain DOMAIN.CO.UK
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ End Test ] [[xWaitForADDomain]DscForestWait] in 0.6790 seconds.
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ Skip Set ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ End Resource ] [[xWaitForADDomain]DscForestWait]
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ Start Resource ] [[xADDomainController]BDC]
VERBOSE: [2019-03-17 22:23:14Z] [VERBOSE] [DC2]: LCM: [ Start Test ] [[xADDomainController]BDC]
VERBOSE: [2019-03-17 22:23:15Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Resolving 'DOMAIN.CO.UK' ...
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Domain 'DOMAIN.CO.UK' is NOT present on the current node.
VERBOSE: [2019-03-17 22:23:57Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.77.0.0\Status\0.status)
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: LCM: [ End Test ] [[xADDomainController]BDC] in 43.2480 seconds.
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: LCM: [ Start Set ] [[xADDomainController]BDC]
VERBOSE: [2019-03-17 22:23:57Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Resolving 'DOMAIN.CO.UK' ...
VERBOSE: [2019-03-17 22:24:40Z] [ERROR] Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
VERBOSE: [2019-03-17 22:24:40Z] [VERBOSE] [DC2]: [[xADDomainController]BDC] Checking if domain 'DOMAIN.CO.UK' is present ...
VERBOSE: [2019-03-17 22:25:22Z] [VERBOSE] [DC2]: LCM: [ End Set ] [[xADDomainController]BDC] in 84.3140 seconds.
VERBOSE: [2019-03-17 22:25:22Z] Settings handler status to 'transitioning'
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.77.0.0\Status\0.status)
VERBOSE: [2019-03-17 22:25:22Z] [ERROR] PowerShell DSC resource MSFT_xADDomainController failed to execute
Set-TargetResource functionality with error message: Domain 'DOMAIN.CO.UK' could not be found.
Ok, after a lot of head scratching I went back to basics and I found the culprit, it appears that MS have neglected a port or two from their documentation (link) for configuring firewalls to work with AD. Yes, the ADWS (Active Directory Web Services) port is missing from the list. Add a rule for TCP 9389 and suddenly all my worries are far away. Thanks for the help.
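A reachability check for the fix described in the answer above, as an added example that is not part of the original post: it probes the fixed TCP ports on the existing DC from the server being promoted and calls out ADWS (TCP 9389), the endpoint the ActiveDirectory module cmdlets such as Get-ADDomain connect to. The function name, its parameters and the sample address are assumptions made for this example.

```powershell
# Added example (not from the original post). Run on the server being promoted.
# Test-DcPromotionPorts, its parameters and the address below are hypothetical.
function Test-DcPromotionPorts {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string]$DomainController,   # name or IP of the existing DC
        [int]$TimeoutMs = 3000       # per-port connect timeout
    )

    # Fixed TCP ports only; the dynamic RPC range is not probed here.
    # 9389 is ADWS: Get-ADDomain and the other ActiveDirectory module
    # cmdlets use it, so LDAP/Kerberos can be open while they still fail.
    $ports = [ordered]@{
        'DNS'                 = 53
        'Kerberos'            = 88
        'RPC endpoint mapper' = 135
        'LDAP'                = 389
        'SMB'                 = 445
        'Global Catalog'      = 3268
        'ADWS'                = 9389
    }

    foreach ($service in $ports.Keys) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Wait() returns $false on timeout and throws on a refused connection.
            $task = $client.ConnectAsync($DomainController, $ports[$service])
            $open = $task.Wait($TimeoutMs) -and $client.Connected
        }
        catch {
            $open = $false
        }
        finally {
            $client.Close()
        }
        [pscustomobject]@{ Service = $service; Port = $ports[$service]; Reachable = $open }
    }
}

# 10.0.0.250 is a constructed address standing in for the first DC.
$results = Test-DcPromotionPorts -DomainController '10.0.0.250'
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Port -eq 9389 -and -not $_.Reachable }) {
    Write-Warning 'TCP 9389 (ADWS) is not reachable: Get-ADDomain will fail with "Unable to contact the server".'
}
```

When adding the firewall rule for TCP 9389, scope its source to the subnets that hold domain controllers and management hosts.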