Partial Configurations & Encrypted Credentials

Hi All,

Was hoping someone could steer me in the right direction. I’m hoping to utilise partial configurations to firstly deploy a base set of features to the server (first partial configuration), and then deploy and configure AD Domain Services (with the second configuration).

The LCM code to configure the target server looks like this (the code below is used in a test environment, so nothing sensitive…)

[DSCLocalConfigurationManager()]
Configuration PullClientConfig
{
    Node localhost
    {
        Settings
        {
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded   = $true
            # Thumbprint of the certificate used to decrypt credentials in the MOF
            CertificateID        = ("12fd261ead620b8cb558263180f6ee3200cdcc20").ToUpper()
        }

        ConfigurationRepositoryWeb PullSrv
        {
            ServerURL          = 'https://config.testing.id.au:8080/PSDSCPullServer.svc'
            RegistrationKey    = '252b8bef-2c38-4f66-b7d8-682136763da4'
            ConfigurationNames = @('BaseConfig','NewADDSDomain')
            CertificateID      = ("12fd261ead620b8cb558263180f6ee3200cdcc20").ToUpper()
        }

        # First partial: base features, no credentials
        PartialConfiguration BaseConfig
        {
            ConfigurationSource = '[ConfigurationRepositoryWeb]PullSrv'
        }

        # Second partial: AD DS promotion, contains encrypted credentials
        PartialConfiguration NewADDSDomain
        {
            ConfigurationSource = '[ConfigurationRepositoryWeb]PullSrv'
            DependsOn           = '[PartialConfiguration]BaseConfig'
        }
    }
}

PullClientConfig

Set-DscLocalConfigurationManager -Path ".\PullClientConfig" -Verbose
Update-DscConfiguration -Wait -Verbose

When I run this, the server attempts to configure itself, but eventually fails with an error message of “Verification of prerequisites for Domain Controller promotion failed. The Directory Services Restore Mode password exceeds the maximum password length requirement of the password policy”.

This leads me to believe that the encrypted credentials in the MOF file are not getting decrypted properly (as the encrypted string is quite long). I’ve tried the following things to resolve it:

  • Removing the partial configuration blocks and just running the NewADDSDomain portion of the config by itself (which works perfectly on its own)
  • Placing the CertificateID parameter in various places in the configuration

The BaseConfig configuration does not contain any credentials and is not encrypted with the certificate. Is there a trick to using partial configurations when not all of your configurations require encryption/decryption at the target node?

Before getting in to the details, may I ask why the use of partial configurations in this scenario?

Hi Michael,

I’m just trying to familiarise myself with the concept at the moment; I’d like to be able to split the configuration documents into smaller pieces. In this scenario, every server managed by DSC would get configured with a base set of components and features (BaseConfig), and then depending on the server’s role (in this case, a new domain controller), a configuration document specific to that role would then configure the rest of the features/services as required.

Hi,

I just encountered something similar. I have two partial configurations: the first one joins a member server to the domain with some base Windows config and the second config does some web server related configuration. However, with the second partial config present it always fails on joining the machine to the domain with the following:

Computer 'EC2AMAZ-B0FFA8R' failed to join domain 'blah.local' from its current workgroup 'WORKGROUP' with following error message: Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

If I remove the second partial config or just throw it all into the one config it all works with no issue.

Why not use a single config?

I came across a very similar issue using partials.

In my scenario I have upwards of 5 partials that are applied. All partials referenced by the LCM Configuration had to have encrypted credentials stored within each partial configuration. This seems bizarre to me. I have opened a Microsoft Case on this.

Example 1 Fails:

Partial 1: Uses Encrypted Credential in MOF
Partial 2: Uses Encrypted Credential in MOF
Partial 3: Uses Encrypted Credential in MOF
Partial 4: Uses Encrypted Credential in MOF
Partial 5: No Stored Credential in MOF

Example 2 Succeeds:

Partial 1: Uses Encrypted Credential in MOF
Partial 2: Uses Encrypted Credential in MOF
Partial 3: Uses Encrypted Credential in MOF
Partial 4: Uses Encrypted Credential in MOF
Partial 5: Uses Encrypted Credential in MOF (In my test I added a needless PsDscRunAsCredential to one of the config blocks)

The weirdest part of this failure from Example 1:
The first place that required credential decryption caused the exception. In my use case, adding Partial 5 caused an exception in Partial 1 when decrypting creds. However, the error wasn’t about credential decryption from the LCM. The error was access denied. It seems like the LCM decrypted the credentials but could not use them correctly.

I will follow up when/if I get a formal Microsoft opinion on this.

I never ended up getting a resolution to this, other things took priority and I haven’t had a chance to revisit.

I’d be very interested in hearing the feedback you receive from Microsoft.

So I got a response from Microsoft on the issue that I identified in my earlier post. It is a known issue in WMF 5.1:

From Microsoft:
‘The mitigation is to name any one of the partial configurations that contains encrypted credentials such that its name is the first one that comes in alphabetical order compared to the other partial configurations’ names.’

Further Explanation from Microsoft:
‘Every DSC document (.mof file) contains information about whether passwords in that document are encrypted. In the partial configuration scenario there are many DSC documents (one for each partial configuration) and each document contains information about itself.
When DSC has all the documents available, the way DSC processes these documents is that it is only using the first document to determine if passwords should be encrypted or not, ignoring the rest of the documents. The way DSC determines the first document is based on the result of ‘dir’ on folder C:\windows\system32\configuration\partialconfiguration; the first entry in the results translates to the first document.’
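As an added example (not code from the thread or from Microsoft), the following PowerShell check applies the ordering rule quoted above before partials are published: it sorts the partial names the way a case-insensitive `dir` would and reports whether the first document is one that carries encrypted credentials. It assumes MOFs are named `<PartialName>.mof` and that certificate-encrypted passwords appear as CMS blobs (`-----BEGIN CMS-----`) inside `MSFT_Credential` instances, which is how WMF 5.x writes them; the function names are mine.

```powershell
# Added example: verify the "alphabetically first partial must hold encrypted
# credentials" mitigation described in the thread. Not part of DSC itself.

function Test-MofHasEncryptedCredential {
    # Assumption: WMF 5.x emits certificate-encrypted passwords as CMS blobs.
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -Path $Path -Raw
    # A plain-text credential also creates MSFT_Credential, so require the CMS marker too.
    return ($text -match 'instance of MSFT_Credential') -and ($text -match '-----BEGIN CMS-----')
}

function Test-PartialConfigCredentialOrder {
    param(
        # Partial configuration name -> $true if its MOF carries encrypted credentials
        [Parameter(Mandatory)][hashtable]$Partials
    )
    # Emulate the 'dir' ordering the LCM relies on: case-insensitive sort by name.
    $ordered = @($Partials.Keys | Sort-Object { $_.ToLowerInvariant() })
    $first   = $ordered[0]
    $firstEncrypted = [bool]$Partials[$first]
    $anyEncrypted   = $Partials.Values -contains $true

    # Safe when nothing is encrypted, or when the first document is an encrypted one.
    $ok = (-not $anyEncrypted) -or $firstEncrypted
    $suggestion = $null
    if (-not $ok) {
        $suggestion = "Rename a credential-bearing partial so it sorts before '$first' (e.g. prefix it with '0-')."
    }
    [pscustomobject]@{
        DirOrder               = $ordered -join ', '
        FirstDocument          = $first
        FirstHasEncryptedCreds = $firstEncrypted
        MitigationSatisfied    = $ok
        Suggestion             = $suggestion
    }
}

function Test-PartialConfigFolder {
    # Scan a folder of partial MOFs (e.g. a staging copy of the pull server share).
    param([Parameter(Mandatory)][string]$Folder)
    $map = @{}
    Get-ChildItem -Path $Folder -Filter '*.mof' | ForEach-Object {
        $map[$_.BaseName] = Test-MofHasEncryptedCredential -Path $_.FullName
    }
    Test-PartialConfigCredentialOrder -Partials $map
}

# Original poster's layout: BaseConfig (no creds) sorts before NewADDSDomain (encrypted creds),
# so MitigationSatisfied is $false and the LCM would treat passwords as unencrypted.
Test-PartialConfigCredentialOrder -Partials @{ BaseConfig = $false; NewADDSDomain = $true }
```

Running the same check with the names swapped in order (for example `0-NewADDSDomain` and `BaseConfig`) returns `MitigationSatisfied = $true`, which is the rename Microsoft suggests.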

More reason not to use partials :slight_smile: