rgl / windows-domain-controller-vagrant

Example Windows Domain Controller

Fails when running under libvirt #6

Closed roblabla closed 3 years ago

roblabla commented 3 years ago

Hello,

The current master branch is failing to install properly when using a libvirt host, failing in domain-controller-configure.ps1, line 27:

```powershell
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
```

with the following error:

```
The following WinRM command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

powershell -ExecutionPolicy Bypass -OutputFormat Text -file "C:\tmp\vagrant-shell.ps1" domain-controller-configure.ps1

Stdout from the command:

Running C:\vagrant\provision\domain-controller-configure.ps1...
ERROR: The request is not supported. (Exception from HRESULT: 0x80070032)
ERROR: at <ScriptBlock>, C:\vagrant\provision\domain-controller-configure.ps1: line 27
ERROR: at <ScriptBlock>, C:\tmp\vagrant-shell.ps1: line 51
ERROR EXCEPTION: System.Runtime.InteropServices.COMException (0x80070032): The request is not supported. (Exception from HRESULT: 0x80070032)
ERROR EXCEPTION:    at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
```

Building from 29c54af3736a229f4215cb52abd0336cf66c2bae works properly.

rgl commented 3 years ago

I never encountered that error. Maybe something in Windows is not yet ready for that operation? Perhaps this is happening because your machine is faster than mine and that's why I've never seen that. Can you add a `Start-Sleep -Seconds 60` before that line and try again? Or maybe try executing it in a loop until it works?

roblabla commented 3 years ago

Tried adding a sleep, it didn't fix the problem.

I googled the error a bit. According to the internet, this error occurs when running `Add-KdsRootKey` from an account that isn't in the Domain Admins group, or when running PowerShell without elevation.

So I put a large sleep in the script so I could log into the machine and check what privileges the script was running as, and sure enough, it is running as Vagrant, which is in EXAMPLE\Domain Users, but not in EXAMPLE\Domain Admins.

Screenshot of groups from Process Hacker:

![image](https://user-images.githubusercontent.com/1069318/106880905-351f9580-66dd-11eb-901e-4e7a76434494.png)

After adding vagrant to the Domain Admins group, and logging off then back on, the command worked properly. I'm currently incorporating this change; I'll submit a PR as soon as I have it working.
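
A preflight check for the failure diagnosed in this thread, as an added example that is not part of the issue or of the repository's provisioning scripts. The function names `Test-TokenHasDomainAdmins` and `Assert-CanAddKdsRootKey` are hypothetical; the check reads the groups in the current logon token, which is why a membership change only takes effect after logging off and back on.

```powershell
# Added example (hypothetical helper names; not the repository's code).
# Fail early with a clear message instead of the opaque 0x80070032 error.

function Test-TokenHasDomainAdmins {
    param(
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    # AccountDomainSid is $null for identities that are not domain accounts.
    $domainSid = $Identity.User.AccountDomainSid
    if (-not $domainSid) { return $false }

    # Build the Domain Admins SID (<domain SID>-512) for the account's own domain.
    $domainAdmins = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList `
        ([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid), $domainSid

    # IsInRole inspects the token's groups, not the directory: a group added
    # after logon is absent, and a group filtered out by UAC does not count.
    $principal = New-Object System.Security.Principal.WindowsPrincipal -ArgumentList $Identity
    return $principal.IsInRole($domainAdmins)
}

function Assert-CanAddKdsRootKey {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal -ArgumentList $identity

    if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "$($identity.Name) is not running elevated; Add-KdsRootKey would fail."
    }
    if (-not (Test-TokenHasDomainAdmins -Identity $identity)) {
        throw "$($identity.Name) has no Domain Admins group in its token. " +
              "Add the account to the group and start a new logon session."
    }
}

Assert-CanAddKdsRootKey

# Idempotent: only create a root key when the domain has none yet.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}
```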