Hi I have started writing my DSC configuration files. So I have tested the script with plain text as a test and it works with the $argument $PlainTextAlllowed = True.
However with the certificates enabled it spits an error to say that an exception was thrown.
I checked the event log under DSC - Operations and found that it was coming up with
“The Directory Services Restore Mode password exceeds the maximum password length requirements of the password policy.”
When I see the mof file it has hashed the password like so for the safe domain credentials:
Password = “gFAwQkG2Pa+I2403+2C7HXRdswkNfGsX9ypfr1ddKT56g2BwuWkkNzO1DhuaT69xwS2EXKW03p5wkAfUNi3ORYdU/XZQ+3VdXNA9v5HpKnjH/z/0TAy+ODgsNqCTbf6pCs3jzMBFUl0nOHQKgsChJXi1CSWzLoJGVetiwnof/+ox8eAkmrckvC0BSUOZctEK0dIToFsElX4ub6ClVaS4w7QkRjUtHPwlN2fxIrE8wq+D0oiFv2LucKDxJmu/2pR6LREK3Ngv1Y690BWxAqGYRUEmwAo83aiTLmHbKc5IUMP9UKpqvyNlEIb0K36FLSQLCq6RTv9Y8RqWE824j6c+jg==”;
which I am presuming is hashing correctly. I have made sure that the hash is also installed in the cert store on the target node. It is sitting in the cert:\localmachine\my location.
Also note I am using a self signed certificate. (Would it be permissable to use that?).
Any advice is appreciated.
configuration DSCExample { param ( [Parameter(Mandatory)] [pscredential]$safemodeAdministratorCred, [Parameter(Mandatory)] [pscredential]$domainCred #[Parameter(Mandatory)] #[pscredential]$DNSDelegationCred ) Import-DscResource -ModuleName xActiveDirectory Node $AllNodes.Where{$_.Role -eq "ADServer"}.Nodename { LocalConfigurationManager { RebootNodeIfNeeded = $true } WindowsFeature RemoveGUI { Ensure = "Absent" Name = "Server-Gui-Mgmt-Infra" } WindowsFeature ADDSInstall { Ensure = "Present" Name = "AD-Domain-Services" } xADDomain FirstDS { DomainName = $Node.DomainName DomainAdministratorCredential = $domainCred SafemodeAdministratorPassword = $safemodeAdministratorCred #DnsDelegationCredential = $DNSDelegationCred DependsOn = "[WindowsFeature]ADDSInstall" } } } # Configuration Data for AD DSCExample -configurationdata C:\scripts\configurationdata.psd1 -safemodeAdministratorCred (Get-Credential -Message "New Domain Safe Mode Admin Credentials") -domainCred (Get-Credential -Message "New Domain Admin Credentials") $Session = New-CimSession -ComputerName "ad" -Credential administrator Start-DscConfiguration -path C:\cert\DSCExample -Wait -Credential (Get-Credential) -Verbose
regards,
Wei-Yen Tan