dsccommunity / ActiveDirectoryDsc

This module contains DSC resources for deployment and configuration of Active Directory Domain Services.
MIT License

ADKDSKey Resource does not work #648

Closed raandree closed 2 years ago

raandree commented 3 years ago

Details of the scenario you tried and the problem that is occurring

When trying to create a KDS key, the error "String was not recognized as a valid DateTime" is thrown on machines with culture en-us and de-de.

Verbose logs showing the problem

VERBOSE: [JDC1]:                            [[ADKDSKey]Integration_Test] Operation 'Enumerate CimInstances' complete.
VERBOSE: [JDC1]:                            [[ADKDSKey]Integration_Test] Checking if the user 'NT AUTHORITY\SYSTEM' has valid Domain Admin permissions. (KDSK0019)
VERBOSE: [JDC1]:                            [[ADKDSKey]Integration_Test] Checking if the node 'JDC1' is a Domain Controller. The node has a product type of '2'. If the product type is 2, then it is a domain controller. (KDSK0020)
      [-] Should compile and apply the MOF without throwing 4.71s
        Expected no exception to be thrown, but an exception "Exception calling "Parse" with "1" argument(s): "String was not recognized as a valid DateTime."" was thrown from C:\ActiveDirectoryDsc\tests\Integration\MSFT_ADKDSKey.Integration.Tests.ps1:52 char:21
            + ...               Start-DscConfiguration @startDscConfigurationParameters
            +                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
        53:                 } | Should -Not -Throw
        at <ScriptBlock>, C:\ActiveDirectoryDsc\tests\Integration\MSFT_ADKDSKey.Integration.Tests.ps1: line 34
VERBOSE: An LCM method call arrived from computer JDC1 with user sid S-1-5-21-390713990-3731729705-4053435951-1000.
WARNING: [JDC1]:                            [] The GET operation will be carried against a pending configuration since the latest configuration has not converged yet.

Suggested solution to the issue

Not throwing the conversion error.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

The issue can be reproduced when running the integration tests for that resource.

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

WMF51

Version of the DSC module that was used

6.0.1

X-Guardian commented 3 years ago

@raandree, can you post the output of Get-KdsRootKey so that we can see what values are in the EffectiveTime properties of your keys?

raandree commented 3 years ago

@X-Guardian, the error is as mentioned earlier:

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer JDC1 with user sid S-1-5-21-2514724818-3467446060-1973334297-1000.
VERBOSE: [JDC1]: LCM:  [ Start  Set      ]
VERBOSE: [JDC1]: LCM:  [ Start  Resource ]  [[ADKDSKey]ExampleKDSRootKey]
VERBOSE: [JDC1]: LCM:  [ Start  Test     ]  [[ADKDSKey]ExampleKDSRootKey]
VERBOSE: [JDC1]:                            [[ADKDSKey]ExampleKDSRootKey] Retrieving KDS Root Key with effective date of '01/01/2027 00:00'. (KDSK0001)
VERBOSE: [JDC1]:                            [[ADKDSKey]ExampleKDSRootKey] Perform operation 'Enumerate CimInstances' with following parameters, ''namespaceName' = root\cimv2,'className' = Win32_OperatingSystem'.
VERBOSE: [JDC1]:                            [[ADKDSKey]ExampleKDSRootKey] Operation 'Enumerate CimInstances' complete.
VERBOSE: [JDC1]:                            [[ADKDSKey]ExampleKDSRootKey] Checking if the user 'NT AUTHORITY\SYSTEM' has valid Domain Admin permissions. (KDSK0019)
VERBOSE: [JDC1]:                            [[ADKDSKey]ExampleKDSRootKey] Checking if the node 'JDC1' is a Domain Controller. The node has a product type of '2'. If the product type is 2, then it is a domain controller. (KDSK0020)
Exception calling "Parse" with "1" argument(s): "String was not recognized as a valid DateTime."
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : FormatException
    + PSComputerName        : localhost

VERBOSE: [JDC1]:                            [[ADKDSKey]ExampleKDSRootKey] Found KDS Root Key with the effective date of '01/01/2027 00:00'. (KDSK0010)
WARNING: [JDC1]:                            [[ADKDSKey]ExampleKDSRootKey] Found more than one KDS Root Keys. This shouldn't be an issue, but having only one key per domain is recommended. (KDSK0009)
VERBOSE: [JDC1]:                            [[ADKDSKey]ExampleKDSRootKey] Retrieved the root domain distinguished name of 'DC=contoso,DC=com'. (KDSK0021)
VERBOSE: [JDC1]:                            [[ADKDSKey]ExampleKDSRootKey] KDS Root Key with the effective date of '01/01/2027 00:00' is in the desired state. (KDSK0015)
VERBOSE: [JDC1]: LCM:  [ End    Test     ]  [[ADKDSKey]ExampleKDSRootKey]  in 1.3280 seconds.
The PowerShell DSC resource '[ADKDSKey]ExampleKDSRootKey' with SourceInfo 'C:\Users\Install\Desktop\Untitled1.ps1::7::9::ADKDSKey' threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

VERBOSE: [JDC1]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 6.161 seconds

The configuration I use is:

Configuration ADKDSKey_CreateKDSRootKey_Config
{
    Import-DscResource -Module ActiveDirectoryDsc

    Node localhost
    {
        ADKDSKey 'ExampleKDSRootKey'
        {
            Ensure        = 'Present'
            EffectiveTime = '01/01/2025 00:00'
            # Date must be set to a time in the future
        }
    }
}

ADKDSKey_CreateKDSRootKey_Config -OutputPath C:\DSC
Start-DscConfiguration -Path C:\DSC -Wait -Verbose

These are the keys:

PS C:\Users\Install> Get-KdsRootKey

AttributeOfWrongFormat : 
KeyValue               : {158, 111, 148, 234...}
EffectiveTime          : 13.03.2021 08:13:05
CreationTime           : 13.03.2021 18:13:05
IsFormatValid          : True
DomainController       : CN=JDC1,OU=Domain Controllers,DC=contoso,DC=com
ServerConfiguration    : Microsoft.KeyDistributionService.Cmdlets.KdsServerConfiguration
KeyId                  : b17641bf-f9ab-0f53-77ae-e4ce72edb3a7
VersionNumber          : 1

AttributeOfWrongFormat : 
KeyValue               : {141, 122, 108, 178...}
EffectiveTime          : 01.01.2027 00:00:00
CreationTime           : 29.05.2021 18:53:24
IsFormatValid          : True
DomainController       : CN=JDC1,OU=Domain Controllers,DC=contoso,DC=com
ServerConfiguration    : Microsoft.KeyDistributionService.Cmdlets.KdsServerConfiguration
KeyId                  : daa36f7c-431b-e1c4-e05f-220b3d2bf43c
VersionNumber          : 1

Most importantly, the EffectiveTime property is a DateTime object already. Why would you need to run the Parse method on a DateTime object?
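
The culture dependence discussed in this thread, as an added example that is not part of the issue and is not code from ActiveDirectoryDsc: a DateTime rendered as text under one culture and parsed under another fails, while comparing DateTime objects directly does not. The helper name ConvertTo-EffectiveTime, the accepted input formats and the sample key objects are assumptions constructed for illustration.

```powershell
# Added example; ConvertTo-EffectiveTime is a hypothetical helper, not a module function.
$enUS = [System.Globalization.CultureInfo]::GetCultureInfo('en-US')
$deDE = [System.Globalization.CultureInfo]::GetCultureInfo('de-DE')
$none = [System.Globalization.DateTimeStyles]::None

# Constructed stand-ins for the objects Get-KdsRootKey returns (EffectiveTime is a [DateTime]).
$keys = @(
    [pscustomobject]@{ EffectiveTime = [DateTime]::new(2021, 3, 13, 8, 13, 5) }
    [pscustomobject]@{ EffectiveTime = [DateTime]::new(2027, 1, 1, 0, 0, 0) }
)

# Fragile pattern: DateTime -> culture-formatted string -> Parse under another culture.
$asText = $keys[0].EffectiveTime.ToString($deDE)      # '13.03.2021 08:13:05'
$parsed = [DateTime]::MinValue
$roundTripOk = [DateTime]::TryParse($asText, $enUS, $none, [ref]$parsed)
# $roundTripOk is $false: en-US reads the leading '13' as a month.
# [DateTime]::Parse() on the same input throws the FormatException seen in the log.

function ConvertTo-EffectiveTime
{
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Object] $Value,

        # Assumption: configurations supply 'MM/dd/yyyy HH:mm' or an ISO 8601 round-trip value.
        [System.String[]] $Format = @('MM/dd/yyyy HH:mm', 'o')
    )

    # Already typed: return as-is, never convert to text and back.
    if ($Value -is [DateTime]) { return $Value }

    $result = [DateTime]::MinValue
    $invariant = [System.Globalization.CultureInfo]::InvariantCulture
    $styles = [System.Globalization.DateTimeStyles]::None
    if (-not [DateTime]::TryParseExact([string] $Value, $Format, $invariant, $styles, [ref]$result))
    {
        throw "EffectiveTime '$Value' does not match any of: $($Format -join ', ')"
    }
    return $result
}

# Parse the configured string once with a fixed format, then compare objects.
$desired = ConvertTo-EffectiveTime -Value '01/01/2027 00:00'
$match = @($keys | Where-Object { $_.EffectiveTime -eq $desired })

[pscustomobject]@{ RoundTripParsed = $roundTripOk; MatchingKeys = $match.Count }
```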