X-Guardian / AdfsDsc

DSC resources for deployment and configuration of Active Directory Federation Services
MIT License

ADFSFarm: Test-Targetresource fails trying to use domain name as NetBIOS name #73

Open Vagabond80 opened 1 year ago

Vagabond80 commented 1 year ago

Details of the scenario you tried and the problem that is occurring

I am using DSC to set up a lab server including ADDS, ADCS and ADFS on a single machine. Setting up the ADFS throws an error after the first reboot during the test stage. It complains about an unknown NetBIOS name and seems to use the domain name as a query, which fails.

Verbose logs showing the problem

Set completes with a couple of warnings.

LCM:  [ Start  Resource ]  [[WindowsFeature]ADFSInstall]
LCM:  [ Start  Test     ]  [[WindowsFeature]ADFSInstall]
                           [[WindowsFeature]ADFSInstall] The operation 'Get-WindowsFeature' started: ADFS-Federation
                           [[WindowsFeature]ADFSInstall] The operation 'Get-WindowsFeature' succeeded: ADFS-Federation
LCM:  [ End    Test     ]  [[WindowsFeature]ADFSInstall]  in 0.2190 seconds.
LCM:  [ Skip   Set      ]  [[WindowsFeature]ADFSInstall]
LCM:  [ End    Resource ]  [[WindowsFeature]ADFSInstall]
LCM:  [ Start  Resource ]  [[AdfsFarm]ADFSLab]
LCM:  [ Start  Test     ]  [[AdfsFarm]ADFSLab]
                           [[AdfsFarm]ADFSLab] Testing 'adfs.lab.local'. (FRM002)
                           [[AdfsFarm]ADFSLab] Getting 'adfs.lab.local'. (FRM001)
                           [[AdfsFarm]ADFSLab] 'adfs.lab.local' is absent but should be present. (FRM007)
LCM:  [ End    Test     ]  [[AdfsFarm]ADFSLab]  in 0.0630 seconds.
LCM:  [ Start  Set      ]  [[AdfsFarm]ADFSLab]
                           [[AdfsFarm]ADFSLab] Setting 'adfs.lab.local'. (FRM003)
                           [[AdfsFarm]ADFSLab] Getting 'adfs.lab.local'. (FRM001)
                           [[AdfsFarm]ADFSLab] Installing 'adfs.lab.local'. (FRM004)
                           [[AdfsFarm]ADFSLab] A machine restart is required to complete ADFS service configuration. For more information, see: http://go.microsoft.com/fwlink/?LinkId=798725
                           [[AdfsFarm]ADFSLab] The SSL certificate subject alternative names do not support host name 'certauth.adfs.lab.local'. Configuring certificate authentication binding on port '49443' and hostname 'adfs.lab.local'.
                           [[AdfsFarm]ADFSLab] The SSL certificate does not contain all UPN suffix values that exist in the enterprise.  Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices.  For more information, see http://go.microsoft.com/fwlink/?LinkId=311954.
                           [[AdfsFarm]ADFSLab] 'adfs.lab.local' has been installed successfully. A reboot is now required. (FRM005)
LCM:  [ End    Set      ]  [[AdfsFarm]ADFSLab]  in 26.4210 seconds.
LCM:  [ End    Resource ]  [[AdfsFarm]ADFSLab]
                           [] A reboot is scheduled to progress further. Configuration will be continued after the reboot.
                           [] A reboot is scheduled to progress further. Configuration will be continued after the reboot.
                           [] Consistency check completed.

After reboot it picks up but fails the test and exits.

[WIN-I0BA3HA4226]: LCM:  [ Start  Resource ]  [[AdfsFarm]ADFSLab]
[WIN-I0BA3HA4226]: LCM:  [ Start  Test     ]  [[AdfsFarm]ADFSLab]
[WIN-I0BA3HA4226]:                            [[AdfsFarm]ADFSLab] Testing 'adfs.lab.local'. (FRM002)
[WIN-I0BA3HA4226]:                            [[AdfsFarm]ADFSLab] Getting 'adfs.lab.local'. (FRM001)
[WIN-I0BA3HA4226]: LCM:  [ End    Test     ]  [[AdfsFarm]ADFSLab]  in 1.0000 seconds.
PowerShell DSC resource MSFT_AdfsFarm  failed to execute Test-TargetResource functionality with error message: The Active Directory NetBIOS name is unknown. (ADFSCOMMON0018)
Parameter name: lab.local

Suggested solution to the issue

I am very new to DSC and have not found any hint on how the NetBIOS name is acquired in this instance. The Parameter name it shows is the actual domain lab.local; the NetBIOS name would be lab. I cannot rule out that I made a configuration mistake.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

configuration ADFSInstallation {
    param (
        [Parameter(Mandatory)]
        [String]$DomainName,

        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$AdminCreds,

        [Int]$RetryCount = 60,
        [Int]$RetryIntervalSec = 5
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xActiveDirectory -ModuleVersion 3.0.0.0
    Import-DscResource -ModuleName xAdcsDeployment -ModuleVersion 1.4.0.0
    Import-DscResource -ModuleName ADCSTemplate -ModuleVersion 1.0.1.0
    Import-DscResource -ModuleName AdfsDsc -ModuleVersion 1.3.2
    Import-DscResource -ModuleName xNetworking -ModuleVersion 5.7.0.0
    Import-DscResource -ModuleName CertificateDsc -ModuleVersion 5.1.0

    [System.Management.Automation.PSCredential]$DomainCreds = New-Object System.Management.Automation.PSCredential ("$DomainName\$($AdminCreds.UserName)", $AdminCreds.Password)
    [System.Management.Automation.PSCredential]$svcCreds = New-Object System.Management.Automation.PSCredential ("$DomainName\adfs-svc", $AdminCreds.Password)

    Node $AllNodes.NodeName {

        LocalConfigurationManager
        {
            ActionAfterReboot = 'ContinueConfiguration'
            ConfigurationMode = 'ApplyOnly'
            RebootNodeIfNeeded = $true
            AllowModuleOverWrite = $true
        }        

        WindowsFeature ADDSInstall 
        { 
            Ensure = 'Present'
            Name = 'AD-Domain-Services'
        }  

        WindowsFeature ADDSPowerShell
        { 
            Ensure = 'Present' 
            Name = 'RSAT-AD-PowerShell'
        }

        # Optional GUI tools
        WindowsFeature ADDSTools
        { 
            Ensure = 'Present' 
            Name = 'RSAT-ADDS'
        }

        # Install the DNS Server role
        WindowsFeature DNSInstall {
            Ensure = 'Present'
            Name = 'DNS'
        }

        WindowsFeature DNSTools {
            Ensure = 'Present'
            Name = 'RSAT-DNS-Server'
        }

        # Configure the DNS Server
        xDnsServerAddress DNSConfiguration {
            Address = '127.0.0.1'
            AddressFamily = 'IPv4'
            InterfaceAlias = (Get-NetIPAddress | Where-Object { $_.AddressFamily -eq 'IPv4' -and $_.InterfaceIndex -eq (Get-NetRoute -DestinationPrefix '0.0.0.0/0').InterfaceIndex }).InterfaceAlias
            DependsOn = '[WindowsFeature]DNSInstall'
        }

        xADDomain FirstDS 
        {
            DomainName = $DomainName
            DomainAdministratorCredential = $DomainCreds
            SafemodeAdministratorPassword = $DomainCreds
            DomainNetbiosName = ($DomainName -split '\.')[0]
            DependsOn = "[WindowsFeature]ADDSInstall"
        }

        xWaitForADDomain DscForestWait
        {
            DomainName = $DomainName
            DomainUserCredential = $DomainCreds
            RetryCount = $RetryCount
            RetryIntervalSec = $RetryIntervalSec
            DependsOn = "[xADDomain]FirstDS"
        } 

        xADRecycleBin RecycleBin
        {
           EnterpriseAdministratorCredential = $DomainCreds
           ForestFQDN = $DomainName
           DependsOn = '[xWaitForADDomain]DscForestWait'
        }

        ### USERS ###
        $DomainRoot = "DC=$($DomainName -replace '\.',',DC=')"
        $DependsOn_User = @()
        $Users = $ConfigurationData.NonNodeData.UserData | ConvertFrom-CSV
        ForEach ($User in $Users) {

            xADUser "NewADUser_$($User.UserName)"
            {
                DomainName = $DomainName
                Ensure = 'Present'
                UserName = $User.UserName
                UserPrincipalName = "$($User.UserName)@$($DomainName)"
                GivenName = $User.FirstName
                Surname = $User.LastName
                EmailAddress = "$($User.UserName)@$($DomainName)"
                DisplayName = "$($User.FirstName) $($User.LastName)"
                Path = "CN=Users,$($DomainRoot)"
                Enabled = $true
                Department = $User.Department
                PasswordAuthentication = 'Negotiate'
                Password = New-Object -TypeName PSCredential -ArgumentList 'JustPassword', (ConvertTo-SecureString -String $User.Password -AsPlainText -Force)
                DependsOn = '[xADRecycleBin]RecycleBin'
            }
            $DependsOn_User += "[xADUser]NewADUser_$($User.UserName)"
        }

        ### GROUPS ###
        ForEach ($ADGroup in $ConfigurationData.NonNodeData.Groups) {
            xADGroup "NewADGroup_$ADGroup"
            {
                GroupName = "G_$ADGroup"
                GroupScope = 'Global'
                Description = "Global group for $ADGroup"
                Category = 'Security'
                Members = ($Users | Where-Object {$_.Department -eq $ADGroup}).UserName
                Path = "CN=Users,$($DomainRoot)"
                Ensure = 'Present'
                DependsOn = $DependsOn_User
            }
        }

        # Install Active Directory Certificate Services (ADCS)
        WindowsFeature ADCS-Cert-Authority
        {
            Ensure = 'Present'
            Name = 'ADCS-Cert-Authority'
            DependsOn = '[xADRecycleBin]RecycleBin'
        }

        WindowsFeature ADCS-Web-Enrollment
        {
            Ensure = 'Present'
            Name = 'ADCS-Web-Enrollment'
            DependsOn = '[xADRecycleBin]RecycleBin'
        }

        WindowsFeature RSAT-ADCS
        {
            Ensure = 'Present'
            Name = 'RSAT-ADCS'
            DependsOn = '[xADRecycleBin]RecycleBin'
        }

        xADCSCertificationAuthority ADCS
        {
            Ensure = 'Present'
            Credential = $DomainCreds
            CAType = 'EnterpriseRootCA'
            DependsOn = '[WindowsFeature]ADCS-Cert-Authority'              
        }

        xADCSWebEnrollment CertSrv
        {
            IsSingleInstance = 'Yes'
            Ensure = 'Present'
            Credential = $DomainCreds
            DependsOn = '[xADCSCertificationAuthority]ADCS'
        }

        # Create ADFS Template
        ADCSTemplate ADFSTemplate
        {
            Ensure = 'Present'
            DisplayName = 'ADFS Template'
            JSON = $ConfigurationData.NonNodeData.JSON_ADFS
            Publish = $true
            Identity = "$DomainName\Domain Computers", "$DomainName\Domain Controllers"
            AutoEnroll = $true
            PsDscRunAsCredential = $DomainCreds
            DependsOn = '[xADCSWebEnrollment]CertSrv'
        }

        # Create Service Account for ADFS
        xADUser 'adfs-svc'
        {
            Ensure      = 'Present'
            UserName    = 'adfs-svc'
            UserPrincipalName = "adfs-svc@$($DomainName)"
            PasswordAuthentication = 'Negotiate'
            Password    = $AdminCreds
            DomainName  = $DomainName
            Path        = "CN=Users,$($DomainRoot)"
            ChangePasswordAtLogon   = $false
            CannotChangePassword    = $true
            PasswordNeverExpires    = $true
            DependsOn = '[xADRecycleBin]RecycleBin'
        }

        # Generate Certificate
        CertReq ADFSCert
        {
            Subject = "adfs.$($DomainName)"
            SubjectAltName  = "dns=adfs.$($DomainName)"
            CertificateTemplate = "ADFSTemplate"
            DependsOn = '[ADCSTemplate]ADFSTemplate'
            #FriendlyName = "Cert for ADFS"
        }

        # Install Active Directory Federation Services (ADFS)
        WindowsFeature ADFSInstall 
        {
            Ensure = 'Present'
            Name = 'ADFS-Federation'
            DependsOn = '[CertReq]ADFSCert'
        }

        # Configure ADFS
        AdfsFarm ADFSLab
        {
            FederationServiceName = "adfs.$($DomainName)"
            FederationServiceDisplayName = "Test ADFS"
            CertificateDnsName = "adfs.$($DomainName)"
            ServiceAccountCredential = $svcCreds
            Credential = $DomainCreds
            DependsOn = '[WindowsFeature]ADFSInstall'
        }

        AdfsProperties ADFSLabProperties
        {
            FederationServiceName = "adfs.$($DomainName)"
            EnableIdPInitiatedSignonPage = $true
            DependsOn = '[AdfsFarm]ADFSLab'
        }

    }
}

The operating system the target node is running

OsName               : Microsoft Windows Server 2016 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 14393.1794.amd64fre.rs1_release.171008-1615
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.14393.1884
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.1884
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

1.3.2
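The configuration above computes the NetBIOS name for xADDomain from the first DNS label, but builds $DomainCreds and $svcCreds as "lab.local\user", which is the value the ADFSCOMMON0018 error reports. The helper below is an added example, not code from the issue or from the AdfsDsc module: it resolves the NetBIOS name from the DNS domain name (from AD when reachable, otherwise the same first-label rule the configuration already uses) and builds the credentials in NETBIOS\user form, rejecting a dotted domain part before it reaches the resource. Whether the resource requires that form is an assumption here; the function and parameter names are hypothetical.

```powershell
# Added example (not part of the issue or of AdfsDsc): derive the NetBIOS
# domain name and build DSC credentials whose domain part is that name,
# not the DNS name. Requires the RSAT-AD-PowerShell module for Get-ADDomain.

function Get-DomainNetbiosName {
    param (
        [Parameter(Mandatory)] [string] $DomainName,
        [System.Management.Automation.PSCredential] $Credential
    )
    try {
        # Authoritative value once the domain exists and is reachable
        $params = @{ Identity = $DomainName; ErrorAction = 'Stop' }
        if ($Credential) { $params.Credential = $Credential }
        return (Get-ADDomain @params).NetBIOSName
    }
    catch {
        # Fallback for compile time, before the DC exists: first DNS label,
        # the same rule the configuration gives to xADDomain. NetBIOS names
        # are limited to 15 characters, so truncate to stay valid.
        $label = ($DomainName -split '\.')[0]
        if ($label.Length -gt 15) { $label = $label.Substring(0, 15) }
        return $label
    }
}

function New-DomainCredential {
    param (
        [Parameter(Mandatory)] [string] $NetbiosName,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # A dot means a DNS name slipped into the domain part (lab.local instead
    # of lab); fail early instead of letting the resource report it later.
    if ($NetbiosName -match '\.') {
        throw "NetBIOS name '$NetbiosName' contains a dot; pass the short domain name, not the DNS name."
    }
    return [System.Management.Automation.PSCredential]::new("$NetbiosName\$UserName", $Password)
}

# Usage with the values from the issue; $AdminCreds is the configuration's
# mandatory parameter, assumed to be in scope here.
$netbios     = Get-DomainNetbiosName -DomainName 'lab.local'
$DomainCreds = New-DomainCredential -NetbiosName $netbios -UserName $AdminCreds.UserName -Password $AdminCreds.Password
$svcCreds    = New-DomainCredential -NetbiosName $netbios -UserName 'adfs-svc' -Password $AdminCreds.Password
$svcCreds.UserName   # domain part is now the NetBIOS name rather than lab.local
```

On an already-promoted node, comparing the returned NetBIOSName with the domain part of the credentials the AdfsFarm resource receives is a quick way to confirm whether the credential format is what the test stage trips over.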