Azure: ARM template with the DSC extension fails with a security error after the reboot during creation of a new AD forest and domain

ej83mcc0  posted on 2022-12-14  in  Other
Follow (0) | Answers (3) | Views (155)

For several months I have been reliably using an ARM template to create a primary and a backup domain controller (based on the "active-directory-new-domain-ha-2-dc" quickstart template).
The problem is on the primary DC. The xADDomain DSC resource triggers a reboot, as shown in this excerpt from the first DSC log:

VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]: LCM:  [ End    Resource 
]  [[xADDomain]FirstDS]
VERBOSE: [2020-05-22 15:22:17Z] [VERBOSE] [tipaADPDC]:                         
   [] A reboot is required to progress further. Please reboot the system. 
Configuration will not be continued after the reboot. To continue 
configuration, use Start-DscConfiguration -UseExisting after reboot.
VERBOSE: [2020-05-22 15:22:17Z] [WARNING] [tipaADPDC]:                         
   [] A reboot is required to progress further. Please reboot the system. 
Configuration will not be continued after the reboot. To continue 
configuration, use Start-DscConfiguration -UseExisting after reboot.

After the reboot, the following security error appears in the second DSC log:

VERBOSE: [2020-05-22 15:23:28Z] Will continue the existing configuration. 
Executing Start-DscConfiguration with -UseExisting option ...
VERBOSE: [2020-05-22 15:23:28Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-05-22 15:23:29Z] [VERBOSE] Perform operation 'Invoke CimMethod' 
with following parameters, ''methodName' = ApplyConfiguration,'className' = 
MSFT_DSCLocalConfigurationManager,'namespaceName' = 
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-05-22 15:23:29Z] [ERROR] WinRM cannot process the request. The 
following error with errorcode 0x80090350 occurred while using Negotiate 
authentication: An unknown security error occurred.

Since nothing has changed in the ARM template or the DSC resources, I assume this is caused by the deployment picking up some recent version of something.
Things I have tried:
1. DSC 2.76 instead of 2.80
2. WMF 5.0 instead of 5.1
3. Windows Server 2019-Datacenter instead of 2016 (the 2016 image does not seem to have been updated since 20190603).
I also looked into how to stop DSC from resuming after the reboot (there are no more resources to process). However, I believe those settings are already in place, given the following entries in the first DSC log:

VERBOSE: [2020-05-22 15:18:42Z] WMF 5 or newer, Injecting RebootNodeIfNeeded = 
False and ActionAfterReboot = "StopConfiguration"

VERBOSE: [2020-05-22 15:18:47Z] Get-DscLocalConfigurationManager: 
ActionAfterReboot              : StopConfiguration
RebootNodeIfNeeded             : False

I'm stuck. Does anyone have any ideas? Thanks.
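Before trying another OS image or VM size, it helps to see what the node actually looks like right after the reboot that breaks the `-UseExisting` continuation. The script below is an added triage example, not code from the question or from the Azure quickstart template; it only reads state. It is meant to be run in an elevated PowerShell session on the freshly promoted DC, and the service names it queries (DNS Server, NTDS, Netlogon, Kdc, the two Azure agent services) and the event-log window are my assumptions about what is worth looking at for this particular error.

```powershell
# Added triage example (not from the original post). Read-only: run elevated on the
# new DC after the reboot, before re-running or re-deploying the DSC extension.

# 1. What the LCM was left with. The first DSC log claims the extension injected
#    RebootNodeIfNeeded = False and ActionAfterReboot = StopConfiguration; confirm it.
$lcm = Get-DscLocalConfigurationManager
[pscustomobject]@{
    LCMState           = $lcm.LCMState
    ActionAfterReboot  = $lcm.ActionAfterReboot
    RebootNodeIfNeeded = $lcm.RebootNodeIfNeeded
} | Format-List

# 2. The failing call is a local WinRM/CIM call using Negotiate. Check the WinRM
#    service, the server-side auth settings, and whether a loopback Negotiate
#    handshake works *now* (the extension runs this as SYSTEM, see the 2019 log).
Get-Service WinRM | Select-Object Name, Status, StartType
winrm get winrm/config/service/auth
Test-WSMan -ComputerName localhost -Authentication Negotiate -ErrorAction Continue

# 3. Does the guest agent already declare a start-order dependency on DNS?
#    (Registry path as used in the accepted workaround on this page.)
$agentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WindowsAzureGuestAgent'
(Get-ItemProperty -Path $agentKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService

# 4. State of the services a brand-new DC needs for Negotiate/Kerberos to work.
#    Service names are assumptions; any that are not installed are skipped.
Get-Service DNS, NTDS, Netlogon, Kdc, WindowsAzureGuestAgent, RdAgent -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 5. The error text itself says to check the Event Viewer for authentication events.
#    Pull WinRM and System errors/warnings since the last boot.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
foreach ($log in 'Microsoft-Windows-WinRM/Operational', 'System') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $boot } -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
        Select-Object -First 20 TimeCreated, Id, ProviderName, Message
}
```

If step 2 fails with the same 0x80090350 while step 4 shows the DNS Server service still starting (or not yet running) and step 3 returns nothing, the symptom matches the start-order explanation given in the third answer rather than a bad credential or a missing SPN.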


yruzcnhs1#

I recently ran into a similar problem. The slight difference is that I am using ActiveDirectoryDsc rather than xADDomain. The error went away when I upgraded the OS to Windows Server 2019-Datacenter.
One possible root cause could be the PowerShell version between 2016 and 2019.

  1. Windows Server 2016 OS
VERBOSE: [2020-06-01 03:47:34Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 03:47:34Z] Retrieving system information ...
VERBOSE: [2020-06-01 03:47:40Z]     OS Version : 10.0
VERBOSE: [2020-06-01 03:47:40Z]     Server OS  : True
VERBOSE: [2020-06-01 03:47:40Z]     64-bit OS  : True
VERBOSE: [2020-06-01 03:47:40Z]     PS Version : 5.1.14393.3471
VERBOSE: [2020-06-01 03:47:40Z] Validating user provided settings for the DSC 
Extension Handler ...

After reboot

VERBOSE: [2020-06-01 03:53:05Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 03:53:05Z] Will continue the existing configuration. 
Executing Start-DscConfiguration with -UseExisting option ...
VERBOSE: [2020-06-01 03:53:05Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 03:53:07Z] [VERBOSE] Perform operation 'Invoke CimMethod' 
with following parameters, ''methodName' = ApplyConfiguration,'className' = 
MSFT_DSCLocalConfigurationManager,'namespaceName' = 
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-06-01 03:53:07Z] [ERROR] WinRM cannot process the request. The 
following error with errorcode 0x80090350 occurred while using Negotiate 
authentication: An unknown security error occurred.  

 Possible causes are:

  -The user name or password specified are invalid.

  -Kerberos is used when no authentication method and no user name are 
specified.

  -Kerberos accepts domain user names, but not local user names.

  -The Service Principal Name (SPN) for the remote computer name and port does 
not exist.

  -The client and remote computers are in different domains and there is no 
trust between the two domains.

 After checking for the above issues, try the following:

  -Check the Event Viewer for events related to authentication.

  -Change the authentication method; add the destination computer to the WinRM 
TrustedHosts configuration setting or use HTTPS transport.

 Note that computers in the TrustedHosts list might not be authenticated.

   -For more information about WinRM configuration, run the following command: 
winrm help config.
VERBOSE: [2020-06-01 03:53:07Z] [VERBOSE] Operation 'Invoke CimMethod' 
complete.
VERBOSE: [2020-06-01 03:53:07Z] [VERBOSE] Time taken for configuration job to 
complete is 0.039 seconds
  2. Windows Server 2019 OS
VERBOSE: [2020-06-01 08:33:17Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 08:33:18Z] Retrieving system information ...
VERBOSE: [2020-06-01 08:33:22Z]     OS Version : 10.0
VERBOSE: [2020-06-01 08:33:22Z]     Server OS  : True
VERBOSE: [2020-06-01 08:33:22Z]     64-bit OS  : True
VERBOSE: [2020-06-01 08:33:22Z]     PS Version : 5.1.17763.1007
VERBOSE: [2020-06-01 08:33:22Z] Validating user provided settings for the DSC Extension Handler ...

After reboot

VERBOSE: [2020-06-01 08:38:49Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 08:38:49Z] Will continue the existing configuration. Executing Start-DscConfiguration with 
-UseExisting option ...
VERBOSE: [2020-06-01 08:38:50Z] Settings handler status to 'transitioning' 
(C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\Status\0.status)
VERBOSE: [2020-06-01 08:38:51Z] [VERBOSE] Perform operation 'Invoke CimMethod' with following parameters, ''methodName'
 = ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = 
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: [2020-06-01 08:38:51Z] [VERBOSE] An LCM method call arrived from computer adPDC with user sid S-1-5-18.

dldeef672#

We ran into the same problem. We noticed that it only happens on some specific VM types with win_2016Datacenter.

  • The problem reproduces with VM type "Standard_F4s_v2"
  • But it does not occur on other VMs (e.g. "Standard_DS2_v2")

I'm not sure which VM type you are using; as a workaround, you could try a different VM type.


2ledvvac3#

The same problem is described here: DSC configuration 'AD' completed with error(s). Here are the first few: WinRM cannot process the request.
My solution was to run the following cmdlet after the VM is created and before PowerShell DSC runs:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WindowsAzureGuestAgent" -Name DependOnService -Type MultiString -Value DNS

I added the following to my Bicep file:

resource setScript 'Microsoft.Compute/virtualMachines/runCommands@2021-07-01' = {
  name: 'RunCommand'
  location: location
  parent: vm
  properties: {
    asyncExecution: false
    source: {
      script: 'Set-ItemProperty -Path "HKLM:\\SYSTEM\\CurrentControlSet\\Services\\WindowsAzureGuestAgent" -Name DependOnService -Type MultiString -Value DNS'
    }
    timeoutInSeconds: 30
  }
}

The parent is the 'Microsoft.Compute/virtualMachines@2021-03-01' resource. There is a subsequent PowerShell DSC VM extension resource that depends on this 'runCommand' resource. So the VM is created, the Set-ItemProperty command runs, and then the PowerShell DSC configuration runs. After that, AD domain creation works fine.
The cmdlet sets the Windows Azure Guest Agent service to wait for the DNS Server service before starting. Presumably, without this setting, the Windows Azure Guest Agent service starts before DNS and name resolution fails, which causes the WinRM error. An inconsistent service start order could also explain the different experiences with different VM sizes.
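The one-liner in the answer above overwrites the guest agent's DependOnService multi-string with the single value DNS, so any dependency the agent already declared is silently dropped. The function below is an added example, not the answer's cmdlet and not Azure's own code: it merges DNS into the existing list instead, is idempotent, and verifies the result through the Service Control Manager rather than by re-reading the registry. The registry path and the service names WindowsAzureGuestAgent and DNS are the ones the answer uses; the function name and the `-WhatIf` support are mine.

```powershell
# Added example (not the original answer's command). Adds a start-order dependency
# on the DNS Server service without clobbering dependencies the guest agent may
# already have. Run elevated, after VM creation and before the DSC extension, as in
# the answer above.

function Add-ServiceDependency {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ServiceName,   # e.g. WindowsAzureGuestAgent
        [Parameter(Mandatory)] [string[]] $DependsOn      # e.g. DNS
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) {
        throw "Service '$ServiceName' is not installed on this host."
    }

    # Existing DependOnService entries, if any (property may be absent entirely).
    $current = @((Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService)
    $current = @($current | Where-Object { $_ })      # drop $null / empty entries

    $merged = @($current + $DependsOn | Select-Object -Unique)

    if ($merged.Count -eq $current.Count) {
        Write-Verbose "$ServiceName already depends on: $($current -join ', ')"
        return $current
    }

    if ($PSCmdlet.ShouldProcess($ServiceName, "set DependOnService = $($merged -join ', ')")) {
        # MultiString is what the SCM expects for DependOnService; a single string would be wrong here.
        Set-ItemProperty -Path $key -Name DependOnService -Type MultiString -Value $merged
    }
    return $merged
}

# Apply the answer's fix, but non-destructively. Use -WhatIf first to see the resulting list.
Add-ServiceDependency -ServiceName 'WindowsAzureGuestAgent' -DependsOn 'DNS' -Verbose

# Verify through the SCM: 'DEPENDENCIES : DNS' (further entries appear on continuation lines).
sc.exe qc WindowsAzureGuestAgent | Select-String -Pattern 'DEPENDENCIES', '^\s+: '
```

Two caveats that the answer does not spell out. First, the dependency is evaluated only when the service starts; the guest agent is already running when the run command executes, so the change takes effect on the next boot, which is exactly the DSC-triggered reboot. Second, the DNS Server service does not exist until the AD DS promotion installs it. If the VM is rebooted before that happens, the SCM will refuse to start WindowsAzureGuestAgent because its dependency is missing (error 1075), and with the agent down no further extensions or run commands can be delivered to the VM. Keep the ordering the answer describes (run command, then the DSC extension) and do not apply this change to VMs that will never host the DNS Server role.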
