search

dsccommunity / xRemoteDesktopSessionHost

This module contains DSC resources for the management and configuration of Microsoft Remote Desktop Session Host (RDSH).
MIT License
35 stars 47 forks source link

[xRDSessionCollection] 'fails' when RD configuration settings are applied via GPO #105

Closed uw-dc closed 1 year ago

uw-dc commented 1 year ago

Problem description

I'm resurrecting issue #34 here, with a proposal on how we should work around it in the suggested solution. I'm happy to raise a PR for the change.

I've experienced the same thing creating a new RDSessionCollection where certain group policy settings are applied to the session hosts in the collection.

As it stands, this problem means DSC has to be applied at least twice in order to stand up a working RDS deployment which adds to the delay.

Thanks.

Verbose logs

{"time": "2022-09-06T13:40:47.562+01:00", "type": "verbose", "message": "[RDS-BK1]: LCM:  [ Start  Resource ]  [[xRDSessionCollection]collection FooBar Collection]  "},
  {"time": "2022-09-06T13:40:47.587+01:00", "type": "verbose", "message": "[RDS-BK1]: LCM:  [ Start  Test     ]  [[xRDSessionCollection]collection FooBar Collection]  "},
  {"time": "2022-09-06T13:40:48.431+01:00", "type": "verbose", "message": "[RDS-BK1]:                            [[xRDSessionCollection]collection FooBar Collection] Checking for existence of RDSH collection."},
  {"time": "2022-09-06T13:40:48.432+01:00", "type": "verbose", "message": "[RDS-BK1]:                            [[xRDSessionCollection]collection FooBar Collection] Getting information about RDSH collection."},
  {"time": "2022-09-06T13:40:50.326+01:00", "type": "verbose", "message": "[RDS-BK1]: LCM:  [ End    Test     ]  [[xRDSessionCollection]collection FooBar Collection]  in 2.7400 seconds."},
  {"time": "2022-09-06T13:40:50.326+01:00", "type": "verbose", "message": "[RDS-BK1]: LCM:  [ Start  Set      ]  [[xRDSessionCollection]collection FooBar Collection]  "},
  {"time": "2022-09-06T13:40:51.660+01:00", "type": "verbose", "message": "[RDS-BK1]:                            [[xRDSessionCollection]collection FooBar Collection] Creating a new RDSH collection."},
  {"time": "2022-09-06T13:41:03.835+01:00", "type": "error", "message": "The property SecurityLayer is configured by using Group Policy settings. Use the Group Policy Management Console to configure this property."},
  {"time": "2022-09-06T13:41:03.975+01:00", "type": "error", "message": "The property EncryptionLevel is configured by using Group Policy settings. Use the Group Policy Management Console to configure this property."},
  {"time": "2022-09-06T13:44:19.341+01:00", "type": "error", "message": "The property UserAuthenticationRequired is configured by using Group Policy settings. Use the Group Policy Management Console to configure this property."},
  {"time": "2022-09-06T13:44:19.521+01:00", "type": "verbose", "message": "[RDS-BK1]: LCM:  [ End    Set      ]  [[xRDSessionCollection]collection FooBar Collection]  in 209.1950 seconds."},
  {"time": "2022-09-06T13:44:19.526+01:00", "type": "error", "message": "The PowerShell DSC resource '[xRDSessionCollection]collection FooBar Collection' with SourceInfo 'D:\\DscService\\Build\\Modules\\tpRDSConfig\\0.1.0.130\\tpRDSConfig.psm1::391::9::xRDSessionCollection' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details."},

DSC configuration

xRDSessionCollection "collection $($collection.CollectionName)" {
            CollectionName       = $collection.CollectionName
            SessionHost          = $collection.SessionHost[0]
            ConnectionBroker     = $ConnectionBroker
            PsDscRunAsCredential = $RDSDeploymentCredential
            DependsOn            = "[xRDSessionDeployment]RdsDeployment"
        }

Suggested solution

Could we add -ErrorAction SilentlyContinue to the call into New-RDSessionCollection and then afterwards, check for the presence of the new RDSessionCollection and return success or fail based on whether or not it was created?

Operating system the target node is running

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version and build the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.2931
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.2931
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

xRemoteDesktopSessionHost version

Name                      Version Path
----                      ------- ----
xRemoteDesktopSessionHost 2.1.0   C:\Program Files\WindowsPowerShell\Modules\xRemoteDesktopSessionHost\2.1.0\xRemoteDesktopSessionHost.psd1
uw-dc commented 1 year ago

I was looking to start work on a fix for this, however I'm confused about the differing behavour of Set-TargetResource when the resource is run on a server that is not the Connection Broker.

In that situation, the resource will try and add the specified Session Host to the Session Collection, irrespective of whether or not the Session Collection exists. It seems to me that Get-TargetResource and Test-TargetResource do the same thing, irrespective of where the module is run, and are thus inconsistent.

The very fact that the Set is running means that the Get and consequently the Test has determined that the Session Collection does not exist.

I've just checked the definition of Add-RDSessionHost and that looks to return an error if the Session Collection does not exist.

The only conclusion I can reach here, is that this logic is flawed? Should I remove the condition and instead add validation to ensure the host the resource is running on is the $ConnectionBroker ?

This is an excerpt from Add-RDSessionHost:

    $rdshCollection = Get-SessionCollectionFromName $CollectionName $ConnectionBroker
    if ( $rdshCollection -eq $null )
    {
        Write-Error (Get-ResourceString RDSHCollectionNotFound $CollectionName)
        return
    }