DSC to join domain

Hello all,

I’m experimenting with some DSC scripts in Azure.

Login-AzureRmAccount

Show-SubscriptionARM

$rgName = 'rgName'
$storageAccountName = 'storageaccount'

$storageAccount = Get-AzureRmStorageAccount -ResourceGroupName $rgName -AccountName $storageAccountName
$storageAccountKey = (Get-AzureRmStorageAccountKey -ResourceGroupName $rgName -AccountName $storageAccountName).Value[0]

#we are using default container
$containerName = 'windows-powershell-dsc'

$configurationName = 'IISInstall'
$configurationPath = ".\$configurationName.ps1"
#Publish your DSC configuration to the Azure storage
$moduleURL = Publish-AzureRmVMDscConfiguration -ConfigurationPath $configurationPath -ResourceGroupName $rgName -StorageAccountName $storageAccount.StorageAccountName -Force

$storageContext = New-AzureStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageAccountKey
$sasToken = New-AzureStorageContainerSASToken -Name $containerName -Context $storageContext -Permission r

$settingsHashTable = @{
    "ModulesUrl" = "$moduleURL";
    "ConfigurationFunction" = "$configurationName.ps1\$configurationName";
    "SasToken" = "$sasToken"
}

$vmName = "VMTEST"
$extensionName = 'DSC'
$extensionType = 'DSC'
$publisher = 'Microsoft.Powershell'
$typeHandlerVersion = '2.1'

Set-AzureRmVMExtension -ResourceGroupName $rgName -VMName $vmName -Location $storageAccount.Location `
    -Name $extensionName -Publisher $publisher -ExtensionType $extensionType -TypeHandlerVersion $typeHandlerVersion `
    -Settings $settingsHashTable

This script calls the DSC that is in this script:

Configuration IISInstall {
    Import-DSCResource -module xDSCDomainjoin
    #domain credentials to be given here
    $secdomainpasswd = ConvertTo-SecureString "password" -AsPlainText -Force
    $mydomaincreds = New-Object System.Management.Automation.PSCredential("domain\account", $secdomainpasswd)
    $domain = "mydomain"

    Node localhost
    {
        WindowsFeature IIS
        {
            Name = "Web-Server"
            Ensure = "Present"
        }

        # Install ASP.NET 4.5
        WindowsFeature AspNet45
        {
            Name   = "Web-Asp-Net45"
            Ensure = "Present"
        }

        # Join domain
        xDSCDomainjoin JoinDomain
        {
            Domain = $domain
            Credential = $mydomaincreds
        }
    }
}

The first 2 steps are successful, however the domain join function always gives an error. Does anyone know what the problem is?

I would like to join the domain with the DSC script.

It’s a little tough to guess what the error might be. Can you just post the error?

Sorry about that. Here is the error:

Set-AzureRmVMExtension : Long running operation failed with status 'Failed'.
ErrorCode: VMExtensionProvisioningError
ErrorMessage: VM has reported a failure when processing extension 'DSC'. Error message: "The DSC Extension received an incorrect input: Compilation errors occurred while processing configuration 'IISInstall'. Please review the errors reported in error stream and modify your configuration code appropriately. System.InvalidOperationException error processing property 'Credential' OF TYPE 'xDSCDomainjoin': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Packages\Plugins\Microsoft.Powershell.DSC\2.26.0.0\DSCWork\IISInstall.ps1.0\IISInstall.ps1:75 char:5
+ xDSCDomainjoin Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729 Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist. Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist.
Another common error is to specify parameters of type PSCredential without an explicit type. Please be sure to use a typed parameter in DSC Configuration, for example:
configuration Example {
param([PSCredential] $UserAccount)

}.
Please correct the input and retry executing the extension.".
StartTime: 14/06/2017 8:59:39
EndTime: 14/06/2017 9:06:57
OperationID: 10c08c2e-de25-439d-b02a-d9646dcd477b
Status: Failed
At line:31 char:1
+ Set-AzureRmVMExtension -ResourceGroupName $rgName -VMName $vmName -Location $st …
    + CategoryInfo          : CloseError: (:) [Set-AzureRmVMExtension], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.SetAzureVMExtensionCommand

You appear to be trying to use a non-encrypted credential. That isn’t allowed - as described at the URL referenced in the error.

I added the following in the first script:

$settingsHashTable = @{
    "ModulesUrl" = "$moduleURL";
    "ConfigurationFunction" = "$configurationName.ps1\$configurationName";
    "SasToken" = "$sasToken"
    AllNodes = @(
        @{
            NodeName = "localhost"
            PsDscAllowPlainTextPassword = $true
        }
    )
}

So plain text password shouldn’t be a problem.
However I still get the error. Any ideas how I can solve it?

Thanks.

I thought it may be because of the hash in a hash function, so I edited it to:
$settingsHashTable = @{

        "ModulesUrl" = "$moduleURL";
        "ConfigurationFunction" = "$configurationName.ps1\$configurationName";
        "SasToken" = "$sasToken";
        "NodeName" = "localhost";
        "PsDscAllowPlainTextPassword" = $true
    }

But still an error…
Set-AzureRmVMExtension : Long running operation failed with status 'Failed'.
ErrorCode: VMExtensionProvisioningError
ErrorMessage: VM has reported a failure when processing extension 'DSC'. Error message: "The DSC Extension received an incorrect input: Compilation errors occurred while processing configuration 'IISInstall'. Please review the errors reported in error stream and modify your configuration code appropriately. System.InvalidOperationException error processing property 'Credential' OF TYPE 'xDSCDomainjoin': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Packages\Plugins\Microsoft.Powershell.DSC\2.26.0.0\DSCWork\IISInstall.ps1.0\IISInstall.ps1:76 char:5
+ xDSCDomainjoin Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729 Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist. Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist.
Another common error is to specify parameters of type PSCredential without an explicit type. Please be sure to use a typed parameter in DSC Configuration, for example:
configuration Example {
param([PSCredential] $UserAccount)

}.
Please correct the input and retry executing the extension.".
StartTime: 28/06/2017 14:39:24
EndTime: 28/06/2017 14:45:58
OperationID: edb84240-384f-4c83-8966-781339e75d65
Status: Failed
At line:48 char:1
+ Set-AzureRmVMExtension -ResourceGroupName $rgName -VMName $vmName -Location $st …
    + CategoryInfo          : CloseError: (:) [Set-AzureRmVMExtension], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.SetAzureVMExtensionCommand

Keep in mind that Azure is a little different. The error is still telling me it doesn’t like your plain-text password. Azure’s DSC extension may simply - and wisely - disallow that.

Hi Jens, I’m a PM on Azure Automation DSC. Take a look at this doc on securing credentials used with the extension.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-dsc-credentials

Overall, I typically recommend using the extension as a bootstrap mechanism in ARM templates and using the service for the actual configuration delivery wherever possible. It is night and day easier to diagnose problems when they occur, and you can understand the state of the machine over time rather than just at deployment.

Since your configuration contains a secret (credential) there are some gotchas along the way with both options. If you would like to PM me I’d be happy to help.

For more information:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-overview
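
The approach in the linked credentials doc, sketched as an added example that is not part of the original thread or written by any poster: the configuration takes the domain credential as a typed `[PSCredential]` parameter (as the error message suggests) and the credential is handed to the extension with `Set-AzureRmVMDscExtension -ConfigurationArgument`, so no password is written into the configuration file or the plain `-Settings` table. The parameter name `DomainCreds` is an assumption, the resource group, storage account, VM and domain names are the thread's placeholders, and `2.26` is the extension version visible in the error path above.

```powershell
# Added example (not from the thread). $DomainCreds is an assumed parameter name.
$rgName             = 'rgName'
$storageAccountName = 'storageaccount'
$vmName             = 'VMTEST'
$configurationName  = 'IISInstall'

# The configuration receives the credential as a typed parameter;
# no ConvertTo-SecureString -AsPlainText and no password in the file.
@'
Configuration IISInstall {
    param(
        [Parameter(Mandatory = $true)]
        [PSCredential] $DomainCreds
    )
    Import-DscResource -ModuleName xDSCDomainjoin

    Node localhost {
        WindowsFeature IIS      { Name = 'Web-Server';    Ensure = 'Present' }
        WindowsFeature AspNet45 { Name = 'Web-Asp-Net45'; Ensure = 'Present' }

        xDSCDomainjoin JoinDomain {
            Domain     = 'mydomain'
            Credential = $DomainCreds
        }
    }
}
'@ | Set-Content -Path ".\$configurationName.ps1"

# Package and upload the configuration to the default
# 'windows-powershell-dsc' container, as in the original script.
Publish-AzureRmVMDscConfiguration -ConfigurationPath ".\$configurationName.ps1" `
    -ResourceGroupName $rgName -StorageAccountName $storageAccountName -Force

# Prompt for the domain-join account at deploy time instead of hard-coding it.
$domainCreds = Get-Credential -Message 'Account allowed to join machines to the domain'

# Credentials passed through -ConfigurationArgument are sent to the VM
# by the DSC extension rather than in the plain -Settings hashtable.
Set-AzureRmVMDscExtension -ResourceGroupName $rgName -VMName $vmName `
    -ArchiveStorageAccountName $storageAccountName `
    -ArchiveBlobName "$configurationName.ps1.zip" `
    -ConfigurationName $configurationName `
    -ConfigurationArgument @{ DomainCreds = $domainCreds } `
    -Version '2.26' -Force
```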

Hi Michael,

I’m again trying to set it up with Azure Automation, but again running into some trouble…

How can I contact you with a PM?

Thanks in advance!