Deployment through ARM Template Fails: The specified argument 'NewDomain' was not recognized

[vhusker]

I am deploying a VM through an ARM Template using the DSC Extension. I am using the xADDomain resource to build the domain. When doing so the domain is built (and I can login as a domain user), but the deployment throws an error at the end and Server Manager still thinks that I need to promote the server to a DC. Server OS is 2016. xActiveDirectory Module Version is 2.14.0.0.

PSVersionTable:

Name                           Value                                                                                                                           
----                           -----                                                                                                                           
PSVersion                      5.1.14393.206                                                                                                                   
PSEdition                      Desktop                                                                                                                         
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                         
BuildVersion                   10.0.14393.206                                                                                                                  
CLRVersion                     4.0.30319.42000                                                                                                                 
WSManStackVersion              3.0                                                                                                                             
PSRemotingProtocolVersion      2.3                                                                                                                             
SerializationVersion           1.1.0.1 

Deployment Failure from Azure Portal:

{
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "VMExtensionProvisioningError",
        "message": "VM has reported a failure when processing extension 'Microsoft.PowerShell.DSC'. Error message: \"DSC Configuration 'FirstDC' completed with error(s). Following are the first few: Verification of prerequisites for Domain Controller promotion failed. The specified argument 'NewDomain' was not recognized.\r\n The PowerShell DSC resource '[xADDomain]BuildDomain' with SourceInfo 'C:\\Packages\\Plugins\\Microsoft.Powershell.DSC\\2.20.0.0\\DSCWork\\FirstDCAzure.ps1.0\\FirstDCAzure.ps1::53::9::xADDomain' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details. The SendConfigurationApply function did not succeed.\"."
      }
    ]
  }
}

Event Log Error:

Job {AD7F737F-B1DF-11E6-A941-000D3A9339BA} : 
MIResult: 1
Error Message: Verification of prerequisites for Domain Controller promotion failed. The specified argument 'NewDomain' was not recognized.

Message ID: Test.VerifyDcPromoCore.DCPromo.General.77,Microsoft.DirectoryServices.Deployment.PowerShell.Commands.InstallADDSForestCommand
Error Category: 0
Error Code: 1
Error Type: MI

DSC Extension in the ARM Template. Should also mention here that when I tried to use a parameter of type string for the domain name, it was failing to pass through to DSC and was throwing an error that the domain name was in an invalid format.:

{
			"type": "Microsoft.Compute/virtualMachines/extensions",
			"name": "[concat(variables('vmName1'), '/Microsoft.PowerShell.DSC')]",
			"apiVersion": "2015-06-15",
			"location": "[parameters('location')]",
			"dependsOn": [
				"[concat('Microsoft.Compute/virtualMachines/', variables('vmName1'))]"
			],
			"properties": {
				"publisher": "Microsoft.Powershell",
				"type": "DSC",
				"typeHandlerVersion": "2.20",
				"settings": {
					"wmfVersion": "latest",
					"configuration":{
						"url": "[variables('modulesURL')]",
						"script": "[variables('dscScript')]",
						"function": "[variables('dscFunction')]"
					},
					"configurationArguments":{
						"domainName": "valhalla.com"
					},
					"privacy":{
						"dataCollection": "enable"
					}
				},
				"protectedSettings": {
					"configurationArguments":{
						"AdminCreds":{
							"userName": "parameters[('adminUsername')]",
							"password": "parameters[('adminPassword')]"
						}
					}
					
				}
			}
		}

DSC Configuration:

xADDomain BuildDomain
{
            DomainName = $DomainName

            DomainAdministratorCredential = $DomainCreds
            SafemodeAdministratorPassword = $DomainCreds
            DependsOn = "[WindowsFeature]ADDSInstall"
        }

[oradcliffe]

If you run this with Server2012R2 does it work?

[oradcliffe]

Also for reference, here's what my DSC resource for my first domain looks like:

{
"name": "CreateFirstDC",
"type": "extensions",
"location": "[resourceGroup().location]",
"apiVersion": "2016-03-30",
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines', parameters('GTM-DC01Name'))]"
],
"tags": {
"displayName": "DC01DSC"
},
"properties": {
"publisher": "Microsoft.Powershell",
"type": "DSC",
"typeHandlerVersion": "2.9",
"autoUpgradeMinorVersion": true,
"settings": {
"wmfVersion": "latest",
"configuration": {
"url": "[variables('DSCURL')]",
"script": "[variables('DC01DSCscript')]",
"function": "[variables('DC01DSCfunction')]"
},
"configurationArguments": {
"DomainName": "[parameters('domainName')]",
"Admincreds": {
"Username": "[parameters('GTM-DC01AdminUserName')]",
"Password": "PrivateSettingsRef:AdminPassword"
}
}
},
"protectedSettings": {
"Items": {
"AdminPassword": "[parameters('GTM-DC01AdminPasswordnonsecure')"
}
}
}
}

[oradcliffe]

And here is my actual DSC file:

configuration CreateFirstDC
{
param
(
[Parameter(Mandatory)]
[String]$DomainName,

    [Parameter(Mandatory)]
    [System.Management.Automation.PSCredential]$Admincreds
) 

Import-DscResource -ModuleName xActiveDirectory, xNetworking, xPendingReboot
[System.Management.Automation.PSCredential ]$DomainCreds = New-Object System.Management.Automation.PSCredential ("${DomainName}\$($Admincreds.UserName)", $Admincreds.Password)

Node localhost
{
    LocalConfigurationManager            
    {            
        ActionAfterReboot = 'ContinueConfiguration'            
        ConfigurationMode = 'ApplyAndAutoCorrect'            
        RebootNodeIfNeeded = $true            
    } 

    WindowsFeature DNS 
    { 
        Ensure = "Present" 
        Name = "DNS"
    }

    WindowsFeature DNSTools
    {
        Ensure = "Present"
        Name = "RSAT-DNS-Server"
        DependsOn = "[WindowsFeature]DNS"
    }

    xDnsServerAddress DnsServerAddress 
    { 
        Address        = '127.0.0.1' 
        InterfaceAlias = 'Ethernet 2'
        AddressFamily  = 'IPv4'
        DependsOn = "[WindowsFeature]DNS"
    }

    WindowsFeature ADDSInstall 
    { 
        Ensure = "Present" 
        Name = "AD-Domain-Services"
    }  

    xADDomain FirstDS 
    {
        DomainName = $DomainName
        DomainAdministratorCredential = $DomainCreds
        SafemodeAdministratorPassword = $DomainCreds
        DependsOn = "[WindowsFeature]ADDSInstall","[xDnsServerAddress]DnsServerAddress"
    }

    WindowsFeature ADDSTools            
    {
        Ensure = "Present"
        Name = "RSAT-ADDS"
        DependsOn = "[WindowsFeature]ADDSInstall"          
    }

    xPendingReboot Reboot1
    { 
        Name = "RebootServer"
        DependsOn = "[xADDomain]FirstDS"
    }

}
}

[vhusker]

I got a different but similar error when I changed the SKU to 2012-R2-Datacenter. Going to take a look at the other two things you posted this weekend and see if I can figure out what I am doing wrong.

[vhusker]

Also, where are you getting the typeHandlerVersion of 2.9 from? When I look here: https://blogs.msdn.microsoft.com/powershell/2014/11/20/release-history-for-the-azure-dsc-extension/ the highest one listed is 2.20. Two separate things?

[oradcliffe]

Oh thanks for the catch, I think that's a typo. It's meant to be 2.19 but I'll update to 2.20. It's funny that that still works. Let me know where you get with this - I am struggling getting another DSC extension to work for adding a second domain controller to the domain.

[vhusker]

I messed around with this some more this morning and here is what I know. My DSC Configuration is exactly like yours. If I use extension 2.19 or 2.20 with Server 2016 and xADDomain version 2.14 or 2.13 I get the error referenced in the original post. If I try it with extension 2.19 or 2.20 with Server 2012 and xADDomain version 2.14 or 2.13 I get a different error (forgot to write it down and I don't remember). All the windows features get installed and the DNS on the NIC gets set to 127.0.0.1 The only thing that fails is the DC Promo. I am trying to use th domain name "Valhalla.com". That's the only thing I can think to change that I haven't done yet. Any other ideas?

[oradcliffe]

Your LCM settings are the same as mine and the actual dependencies are all the same? I had an issue with DC promo initially but I was using the xADWaitfordomain resource and that was failing - turned out I didn't need it.

[vhusker]

Yes. I re-ordered everything so it was in the same order as yours. I also had the xADWaitForDomain resource and got rid of it after seeing your Configuration. I will double check everything tonight and post it on here so you can take a look and see if I am missing something obvious since I've been staring at it so long.

[vhusker]

I attempted to deploy your DSC Configuration this morning, and I received the exact same error message I was getting with mine. So, I am not sure what you are doing to get yours to work. Ideas?

[oradcliffe]

My config from my GitHub? The only issue with that would be the way my passwords are stored - in the parameters file you'll see that they are referenced from a key vault that only I have access to, so you'd have to edit that to use something else before deployment would work, but otherwise it should. At least the master branch should; the other branches I'm using to figure out adding another domain controller. I'm not really able to look much at it though this weekend since I'm away and only have my phone. Let me know if you need some help figuring out what to change to get my stuff to deploy for you though and I'll try to check it out.

…

On Fri, Nov 25, 2016, 12:09 PM Jacob Benson ***@***.***> wrote: I attempted to deploy your DSC Configuration this morning, and I received the exact same error message I was getting with mine. So, I am not sure what you are doing to get yours to work. Ideas? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#127 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AKLijZCq6taqUfF6lPeNLJAFBwNLejrHks5rByRjgaJpZM4K7L17> .

[vhusker]

Update: The domain did get built (the server shows up as a DC in AD) and I can login to the server using the domain\username that I specified in the ARM template. Server Manager doesn't think so, but I think that's a known thing that the GUI does when building a domain through DSC (please correct me if I am wrong). When I try to go through the "promote this server to a domain controller task' it comes back and says that it's already a DC.

The error is non-terminating, which is nice, but I think it's clear at this point that something is broken somewhere.

Relevant Event Logs:
`Job {E9BB262B-B323-11E6-A941-000D3A927748} :
This event indicates that a non-terminating error was thrown when DSCEngine was executing Set-TargetResource on MSFT_xADDomain DSC resource. FullyQualifiedErrorId is Test.VerifyDcPromoCore.DCPromo.General.77,Microsoft.DirectoryServices.Deployment.PowerShell.Commands.InstallADDSForestCommand. Error Message is Verification of prerequisites for Domain Controller promotion failed. The specified argument 'NewDomain' was not recognized.
.

Job {E9BB262B-B323-11E6-A941-000D3A927748} :
MIResult: 1
Error Message: Verification of prerequisites for Domain Controller promotion failed. The specified argument 'NewDomain' was not recognized.

Message ID: Test.VerifyDcPromoCore.DCPromo.General.77,Microsoft.DirectoryServices.Deployment.PowerShell.Commands.InstallADDSForestCommand
Error Category: 0
Error Code: 1
Error Type: MI`

[oradcliffe]

So in server manager it looks like it still needs you to promote the domain controller? I don't see that when deploying from my master template, but it's been like a week since I've used it so maybe something changed? I recently had to change the Ethernet adapter name because the alias changed from Ethernet to Ethernet 2 and I'm not sure why, but other than that everything's been solid.

[vhusker]

After much testing, I can definitively say that this is an issue only with the 2016-Datacenter SKU (both versions). It works fine with all 2012-R2-Datacenter SKUs. I tested both DSC extension version 2.19 and 2.20

[oradcliffe]

Nice, well I am glad you got it working. Did you happen to figure out anything about how credentials are handled when they're pushed to a DSC config? I don't think the DSC config is actually using any credentials at all when standing up that first domain controller; I think it's using the first user's (local admin) account.

The reason I think this is because now that I am working on adding a second domain controller, and wanting to use credentials to do so, I can't get the DSC config to work, except in the case that I use this in my DSC config:

"configurationArguments": {
"DomainName": "[parameters('domainName')]",
"Admincreds": {
"Username": "radcliffe",
"Password": "Pa$$w0rd"

Notice here I am not using any protected settings, and indeed if I replace that Pa$$w0rd with:

"settings": {
"wmfVersion": "latest",
"configuration": {
"url": "[variables('DSCURL')]",
"script": "[variables('DC02DSCscript')]",
"function": "[variables('DC02DSCfunction')]"
},
"configurationArguments": {
"DomainName": "[parameters('domainName')]",
"Admincreds": {
"Username": "radcliffe",
"Password": "PrivateSettingsRef:AdminPasswordDC02"
}
}
},
"protectedSettings": {
"Items": {
"AdminPasswordDC02": "Pa$$w0rd"
}
}

This fails every time, saying that the domain cannot be found. It does a domain check when you're adding a second domain controller to a domain, and for that it needs domain credentials. The first DC doesn't need domain credentials, since the domain doesn't exist yet.

Do you have any ideas about this? I have been asking these kinds of questions for weeks around here and powershell.org but I haven't seen anything too helpful, and when I look at other people's examples, those supposedly work doing the same thing I am doing.

[oradcliffe]

Oh hey, it looks like there is a version 2.21 that we can use.. but I am not sure what difference the publisher of the extension makes.

For instance, logged in with my Azure account added to powershell, I can run a Get-AzureVMAvailableExtension - which returns a lot of stuff.

If we save that as like, $extensions, then $extensions.ExtensionName will show us there are several DSC extensions available.

If we save that as a variable, so like "$dsc = $extensions | Where-Object -Property ExtensionName -EQ 'DSC' " then we can get all the versions available by using:

$dsc.version - that returns six values:

2.20
2.19
1.0
2.21
2.20
2.21

We can save that as a variable too, to get the publisher of those extensions that are version 2.21 -
$latest = $dsc | where-object -property version -eq 2.21

Then $latest.publisher returns:
Microsoft.Powershell.Nano
Microsoft.Powershell.Test.Edp

And I am not sure what those are. Either way, I don't think it's going to help me.

[vhusker]

I got a second server to join my domain via ARM/DSC. If you want to continue this conversation hit me up on twitter @vhusker

[oradcliffe]

Hey I sent you a message there, but I also have a thread open on Powershell.org if you want to check it out - https://powershell.org/forums/topic/dsc-azure-templates-and-key-vaults/#post-59218

[oradcliffe]

@vhusker This guy is using typehandlerversion 2.8 - https://blog.kloud.com.au/2016/01/11/easy-debugging-of-powershell-dsc-for-azure-virtual-machines/

[oradcliffe]

Also, this is still applicable - https://blogs.msdn.microsoft.com/powershell/2014/11/20/release-history-for-the-azure-dsc-extension/

[kwirkykat]

@vhusker @oradcliffe This may be the same issue as #73 (the original error message looks similar).
Just released version 2.16.0.0 which should have a fix for that issue. Let me know if it helps with this issue too

[vhusker]

Nice. That does look to be the same issue (with a much more technical explanation). I will try out my ARM template with Server 2016 and this version of the AD extension and let you know in the next couple of days.

[vhusker]

Tried my template just now with a Server 2016 DC and module version 2.16.0.0. The domain creation completed successfully, but every DSC Configuration for each of the 4 other servers all failed with the same error message:
New-AzureRMResourceGroupDeployment : 10:22:54 AM - Resource Microsoft.Compute/virtualMachines 'myvm01' failed with message '{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "VMExtensionProvisioningError",
"message": "VM has reported a failure when processing extension 'Microsoft.PowerShell.DSC'. Error message: "DSC Configuration 'BuildGateway' completed with error(s).
Following are the first few: PowerShell DSC resource MSFT_xWaitForADDomain failed to execute Set-TargetResource functionality with error message: Domain 'mydomain.com' NOT
found after 20 attempts. The SendConfigurationApply function did not succeed."."

However, each of those servers joined the domain, and completed the rest of their DSC Configuration (firewall rules were set, IP addresses were assigned, etc).

[vhusker]

Just tested my ARM template with a 2012R2 DC, everything completed fine with no errors.

[oradcliffe]

@kwirkykat Thanks! I will give it a shot with 2016 and the new module version as soon as I can and update here.

[kwirkykat]

@vhusker Maybe xWaitForADDomain just needs to be able to retry more/longer? So far my experience with Active Directory on Server 2016 is that it seems to take a lot longer for everything to complete

[vhusker]

Interesting. I can test this some more I suppose. In the DSC Configs I have RetryCount=20 and RetryIntervalSec=30.

[MathijsHofkens]

I have the same issue as provided above. Did the test while increasing retryintervalsec to 60, but this doesn't change anything, still having the same issue:

Error message
PowerShell DSC resource MSFT_xWaitForADDomain failed to execute Set-TargetResource functionality with error message: Domain 'contoso.com' NOT found after 20 attempts.

xActivedirectory version: 2.16

• Windows Server 2016

[oradcliffe]

@MathijsHofkens I think this is the same problem I was having, and it seemed to be a credential issue that I never resolved. Can you post your code? One way I was confirming that it was a credential issue was using a custom DSC resource:

`# This Script ParametersFile is for troubleshooting passing credentials into the second domain controller from the ARM template
# It shows that when passing credentials in from the DSC resource in the ARM template, if you use the ProtectedSettingsRef, the DSC
# resource does not get the correct password

        Script ParametersFile 
        {
            GetScript = {
                @{ Result = (Get-Content 'C:\creds.txt') }
            }
            TestScript = {
                Test-Path 'C:\creds.txt'
            }
            SetScript = {
                "Domain: $using:DomainName" | Out-File 'C:\creds.txt'
                "Admincreds.username: $($using:Admincreds.UserName)" | Out-File 'C:\creds.txt' -Append
                "Admincreds.password.length: $($using:Admincreds.Password.Length)" | Out-File 'C:\creds.txt' -Append
                "Domaincreds.username: $($using:DomainCreds.UserName)" | Out-File 'C:\creds.txt' -Append
                "Domaincreds.password.length: $($using:DomainCreds.Password.Length)" | Out-File 'C:\creds.txt' -Append
            }
        }`

You may need to modify that, but could you try that and see if that points you towards a cred issue as well?

PS sorry about the formatting - I am terrible at this.

[johlju]

I'm closing this as the initial issue was solved in PR #137