ADDomain: ARM template deployment fails due to ActiveDirectoryDsc resource ADDomain throwing an error on first reboot after a DC Promo. #560

Closed
mitch-meade opened this issue Feb 6, 2020 · 27 comments · Fixed by #566
Labels
bug The issue is a bug.

mitch-meade commented Feb 6, 2020

Details of the scenario you tried and the problem that is occurring

ARM template deployment fails due to ActiveDirectoryDsc resource ADDomain throwing an error on first reboot after a DC Promo. The DC promo completes but the error breaks the ARM template in progress. This is a reoccurrence of previously closed issues, #127 and #73.
Server is 2016 and ActiveDirectoryDsc module version is 5.0.0.0.
Verification of prerequisites for Domain Controller promotion failed. The specified argument 'NewDomain' was not recognized.
The promo completed file isn’t being created in C:\Windows\Temp\<fqdn>.ADDomain.completed

Verbose logs showing the problem

{
    "Exception":  {
                      "Message":  "PowerShell DSC resource MSFT_ADDomain  failed to execute Set-TargetResource functionality with error message: The running command stopped because the preference variable \"ErrorActionPreference\" or common parameter is set to Stop: Verification of prerequisites for Domain Controller promotion failed. The specified argument \u0027NewDomain\u0027 was not recognized.\r\n ",
                      "Data":  {

                               },
                      "InnerException":  {
                                             "ErrorRecord":  "Verification of prerequisites for Domain Controller promotion failed. The specified argument \u0027NewDomain\u0027 was not recognized.\r\n",
                                             "WasThrownFromThrowStatement":  false,
                                             "Message":  "The running command stopped because the preference variable \"ErrorActionPreference\" or common parameter is set to Stop: Verification of prerequisites for Domain Controller promotion failed. The specified argument \u0027NewDomain\u0027 was not recognized.\r\n",
                                             "Data":  "System.Collections.ListDictionaryInternal",
                                             "InnerException":  null,
                                             "TargetSite":  "System.Collections.ObjectModel.Collection`1[System.Management.Automation.PSObject] Invoke(System.Collections.IEnumerable)",
                                             "StackTrace":  "   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)\r\n   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)\r\n   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)\r\n   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)\r\n   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)\r\n   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)\r\n   at Microsoft.PowerShell.DesiredStateConfiguration.Internal.ResourceProviderAdapter.ExecuteCommand(PowerShell powerShell, ResourceModuleInfo resInfo, String operationCmd, List`1 acceptedProperties, CimInstance nonResourcePropeties, CimInstance resourceConfiguration, LCMDebugMode debugMode, PSInvocationSettings pSInvocationSettings, UInt32\u0026 resultStatusHandle, Collection`1\u0026 result, ErrorRecord\u0026 errorRecord, PSModuleInfo localRunSpaceModuleInfo)",
                                             "HelpLink":  null,
                                             "Source":  "System.Management.Automation",
                                             "HResult":  -2146233087
                                         },
                      "TargetSite":  null,
                      "StackTrace":  null,
                      "HelpLink":  null,
                      "Source":  null,
                      "HResult":  -2146233079
                  },
    "TargetObject":  null,
    "CategoryInfo":  {
                         "Category":  7,
                         "Activity":  "",
                         "Reason":  "InvalidOperationException",
                         "TargetName":  "",
                         "TargetType":  ""
                     },
    "FullyQualifiedErrorId":  "ProviderOperationExecutionFailure",
    "ErrorDetails":  null,
    "InvocationInfo":  null,
    "ScriptStackTrace":  null,
    "PipelineIterationInfo":  [

                              ]
}

The DSC configuration that is used to reproduce the issue (as detailed as possible)

ADDomain newDomain
{
    DomainName                    = $DomainName
    Credential                    = $LocalAdmin
    SafeModeAdministratorPassword = $safemodeAdminCred
    ForestMode                    = 'WinThreshold'
    DependsOn                     = @('[WindowsFeature]AD-Domain-Services','[WindowsFeature]DNS')
}

The operating system the target node is running

Windows Server 2016 running in Azure

Version and build of PowerShell the target node is running

PSVersion                      5.1.14393.3383
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.3383
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

5.0.0 ActiveDirectoryDsc

@X-Guardian
Contributor

Hi @mitch-meade, thanks for raising this issue. I had a look at the old issues that you referenced and the retry code in the PR that resolved them is still present in the module.
Can you post the DSC verbose message logs for this run so that we can investigate this further? They will be in C:\Windows\System32\Configuration\ConfigurationStatus, with a suffix of .details.json. There will be two that we are interested in, one before the reboot, and one after.

@X-Guardian X-Guardian added the needs more information The issue needs more information from the author or the community. label Feb 6, 2020
@mitch-meade
Author

The next LCM cycle was successful… Ignore the File resource, attempted to manually create the tracking file, this will be removed.

Subsequent reboot 2-5-2020 at 409 pm {E6AFFA73-4874-11EA-A80F-000D3A075975}-0.details.json.txt

@X-Guardian
Contributor

Hi @mitch-meade, thanks for these logs. As you have figured out, the problem is the tracking file that is written at the end of the Set-TargetResource function not being there after reboot when the Get-TargetResource function then looks for it.
Can you test by creating a file in c:\windows\temp on the instance, rebooting it and seeing if it is still there? (I'm wondering if there is a policy to clear the temp directory that is causing this)

@mitch-meade
Author

No policy to clear the system temp location on startup...

I added a file resource to create this tracking file as a futile attempt at working around this problem, but this resource never gets evaluated before the reboot as the ADDomain resource is rebooting the machine. As you can see, I have a Pending Reboot resource as well and this never triggers either.

I monitored the C:\Windows\Temp folder during the configuration run and the tracking file never gets created. What would prohibit this tracking file from being created?

@mitch-meade
Author

Certification, it never gets created before the ADDomain resource does the first reboot. The File resource did create the tracking file at 4:09 PM and it’s still there now.

[image: Capture]

@mitch-meade
Author

I watched this folder during this run and it never was created before the initial reboot by ADDomain.

@X-Guardian
Contributor

OK, can you check what the system Temp variable is set to on the machine:

(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment').Temp

@mitch-meade
Author

It is...
[image: Capture]

@X-Guardian
Contributor

X-Guardian commented Feb 7, 2020

OK, we need to know exactly where the function is trying to write the tracking file to and read the tracking file from. Can you edit your source of the ActiveDirectoryDsc module and modify the DSCResource\MSFT_ADDomain\MSFT_ADDomain.psm1 file with the following code:

In the Get-TargetResource function, change:

$domainShouldExist = Test-Path -Path (Get-TrackingFilename -DomainName $DomainName)

to

$trackingFileName = Get-TrackingFilename -DomainName $DomainName
Write-Verbose -Message ('Checking for tracking file: {0}' -f $trackingFileName)
$domainShouldExist = Test-Path -Path $trackingFileName

In the Set-TargetResource function, change:

'Finished' | Out-File -FilePath (Get-TrackingFilename -DomainName $DomainName) -Force

to:

$trackingFileName = Get-TrackingFilename -DomainName $DomainName
Write-Verbose -Message ('Writing tracking file: {0}' -f $trackingFileName)
'Finished' | Out-File -FilePath $trackingFileName -Force

Then re-run the DSC and we should see from the log the path that the tracking file is written to and being read from.

@mitch-meade
Author

mitch-meade commented Feb 7, 2020

  {"time": "2020-02-07T06:29:56.504-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ Start  Resource ]  [[ADDomain]ADDomain]  "},
  {"time": "2020-02-07T06:29:56.504-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ Start  Test     ]  [[ADDomain]ADDomain]  "},
  {"time": "2020-02-07T06:29:56.599-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]ADDomain] Checking for tracking file: C:\\windows\\TEMP\\cjPSTest5.local.nc.ADDomain.completed"},
  {"time": "2020-02-07T06:29:56.629-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]ADDomain] Computer is a domain member; querying domain 'cjPSTest5.local.nc' using local credential. (ADD0003)"},
  {"time": "2020-02-07T06:29:57.161-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]ADDomain] Active Directory domain 'cjPSTest5.local.nc' found. (ADD0005)"},
  {"time": "2020-02-07T06:29:57.207-8:00", "type": "warning", "message": "[cwmgr1]:                            [[ADDomain]ADDomain] The domain exists but the tracking file 'C:\\windows\\TEMP\\cjPSTest5.local.nc.ADDomain.completed' could not be found. This can make the resource try to recreate the domain in some circumstances, for example if LCM is quicker to start than the domain is when the node restarts. Please recreate the tracking file by running `'Finished' | Out-File -FilePath 'C:\\windows\\TEMP\\cjPSTest5.local.nc.ADDomain.completed' -Force`. (ADD0017)"},
  {"time": "2020-02-07T06:29:57.207-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]ADDomain] The domain 'cjPSTest5.local.nc' is in the desired state. (ADD0012)"},
  {"time": "2020-02-07T06:29:57.207-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ End    Test     ]  [[ADDomain]ADDomain]  in 0.7030 seconds."},
  {"time": "2020-02-07T06:29:57.207-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ Skip   Set      ]  [[ADDomain]ADDomain]  "},
  {"time": "2020-02-07T06:29:57.207-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ End    Resource ]  [[ADDomain]ADDomain]  "},

@mitch-meade
Author

Did you want the configuration run from a clean machine?

@X-Guardian
Contributor

Yes please, we need to see the Set-TargetResource verbose log to see where it is writing the tracking file to in the first place.

@mitch-meade
Author

mitch-meade commented Feb 7, 2020

Looks like the Temp path is pointing to the system profile (C:\windows\system32\config\systemprofile\AppData\Local\Temp) before the server becomes a Domain Controller. I create the Temp folder in the System profile because the absence of this folder breaks some other Chocolatey processes.

  {"time": "2020-02-07T08:11:34.059-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ Start  Resource ]  [[File]SystemProfileTemp]  "},
  {"time": "2020-02-07T08:11:34.059-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ Start  Test     ]  [[File]SystemProfileTemp]  "},
  {"time": "2020-02-07T08:11:34.059-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[File]SystemProfileTemp] The system cannot find the file specified.\r\n"},
  {"time": "2020-02-07T08:11:34.059-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[File]SystemProfileTemp] The related file/directory is: C:\\windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp. "},
  {"time": "2020-02-07T08:11:34.075-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ End    Test     ]  [[File]SystemProfileTemp]  in 0.0160 seconds."},
  {"time": "2020-02-07T08:11:34.075-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ Start  Set      ]  [[File]SystemProfileTemp]  "},
  {"time": "2020-02-07T08:11:34.075-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[File]SystemProfileTemp] The system cannot find the file specified.\r\n"},
  {"time": "2020-02-07T08:11:34.075-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[File]SystemProfileTemp] The related file/directory is: C:\\windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp. "},
  {"time": "2020-02-07T08:11:34.090-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ End    Set      ]  [[File]SystemProfileTemp]  in 0.0150 seconds."},
  {"time": "2020-02-07T08:11:34.090-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ End    Resource ]  [[File]SystemProfileTemp]  "},

Here is the ADDomain section prior to the reboot.

  {"time": "2020-02-07T08:14:57.819-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ Start  Resource ]  [[ADDomain]newDomain]  "},
  {"time": "2020-02-07T08:14:57.819-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ Start  Test     ]  [[ADDomain]newDomain]  "},
  {"time": "2020-02-07T08:14:57.960-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Checking for tracking file: C:\\windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\cjPSTest5.local.nc.ADDomain.completed"},
  {"time": "2020-02-07T08:14:58.007-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Computer is a workgroup member; querying for domain 'cjPSTest5.local.nc' using supplied credential. (ADD0004)"},
  {"time": "2020-02-07T08:14:58.804-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Active Directory domain 'cjPSTest5.local.nc' cannot be found. (ADD0006)"},
  {"time": "2020-02-07T08:14:58.819-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Expected to find the domain 'cjPSTest5.local.nc', but it was not found. (ADD0016)"},
  {"time": "2020-02-07T08:14:58.819-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] The domain 'cjPSTest5.local.nc' is NOT in the desired state. (ADD0013)"},
  {"time": "2020-02-07T08:14:58.819-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ End    Test     ]  [[ADDomain]newDomain]  in 1.0000 seconds."},
  {"time": "2020-02-07T08:14:58.819-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ Start  Set      ]  [[ADDomain]newDomain]  "},
  {"time": "2020-02-07T08:14:58.851-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Checking for tracking file: C:\\windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\cjPSTest5.local.nc.ADDomain.completed"},
  {"time": "2020-02-07T08:14:58.866-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Computer is a workgroup member; querying for domain 'cjPSTest5.local.nc' using supplied credential. (ADD0004)"},
  {"time": "2020-02-07T08:14:58.866-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Active Directory domain 'cjPSTest5.local.nc' cannot be found. (ADD0006)"},
  {"time": "2020-02-07T08:14:58.866-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Creating AD forest 'cjPSTest5.local.nc'. (ADD0009)"},
  {"time": "2020-02-07T08:14:59.023-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Active Directory Domain Services Setup\n"},
  {"time": "2020-02-07T08:14:59.023-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Validating environment and parameters..."},
  {"time": "2020-02-07T08:14:59.554-8:00", "type": "warning", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Windows Server 2016 domain controllers have a default for the security setting named \"Allow cryptography algorithms compatible with Windows NT 4.0\" that prevents weaker cryptography algorithms when establishing security channel sessions.\r\n\r\nFor more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).\r\n\r\n"},
  {"time": "2020-02-07T08:15:04.673-8:00", "type": "warning", "message": "[cwmgr1]:                            [[ADDomain]newDomain] This computer has at least one physical network adapter that does not have static IP address(es) assigned to its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es) assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.\r\n\r\n"},
  {"time": "2020-02-07T08:15:11.613-8:00", "type": "warning", "message": "[cwmgr1]:                            [[ADDomain]newDomain] A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain \"cjPSTest5.local.nc\". Otherwise, no action is required.\r\n\r\n"},
  {"time": "2020-02-07T08:15:11.613-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] ----------------------------------------"},
  {"time": "2020-02-07T08:15:11.613-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] The following actions will be performed:"},
  {"time": "2020-02-07T08:15:11.613-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Configure this server as the first Active Directory domain controller in a new forest.\r\n\r\nThe new domain name is \"cjPSTest5.local.nc\". This is also the name of the new forest.\r\n\r\nThe NetBIOS name of the domain is \"CJPSTEST5\".\r\n\r\nForest Functional Level: Windows Server 2016\r\n\r\nDomain Functional Level: Windows Server 2016\r\n\r\nSite: Default-First-Site-Name\r\n\r\nAdditional Options:\r\n  Read-only domain controller: \"No\"\r\n  Global catalog: Yes\r\n  DNS Server: Yes\r\n\r\nCreate DNS Delegation: No\r\n\r\nDatabase folder: C:\\windows\\NTDS\r\nLog file folder: C:\\windows\\NTDS\r\nSYSVOL folder: C:\\windows\\SYSVOL\r\n\r\nThe DNS Server service will be configured on this computer.\r\nThis computer will be configured to use this DNS server as its preferred DNS server.\r\n\r\nThe password of the new domain Administrator will be the same as the password of the local Administrator of this computer."},
  {"time": "2020-02-07T08:15:11.613-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] ----------------------------------------"},
  {"time": "2020-02-07T08:15:11.644-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Active Directory Domain Services Setup\n"},
  {"time": "2020-02-07T08:15:11.644-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Validating environment and parameters..."},
  {"time": "2020-02-07T08:15:12.144-8:00", "type": "warning", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Windows Server 2016 domain controllers have a default for the security setting named \"Allow cryptography algorithms compatible with Windows NT 4.0\" that prevents weaker cryptography algorithms when establishing security channel sessions.\r\n\r\nFor more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).\r\n\r\n"},
  {"time": "2020-02-07T08:15:12.191-8:00", "type": "warning", "message": "[cwmgr1]:                            [[ADDomain]newDomain] This computer has at least one physical network adapter that does not have static IP address(es) assigned to its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es) assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.\r\n\r\n"},
  {"time": "2020-02-07T08:15:18.607-8:00", "type": "warning", "message": "[cwmgr1]:                            [[ADDomain]newDomain] A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain \"cjPSTest5.local.nc\". Otherwise, no action is required.\r\n\r\n"},
  {"time": "2020-02-07T08:15:18.607-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] ----------------------------------------"},
  {"time": "2020-02-07T08:15:18.607-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] The following actions will be performed:"},
  {"time": "2020-02-07T08:15:18.607-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Configure this server as the first Active Directory domain controller in a new forest.\r\n\r\nThe new domain name is \"cjPSTest5.local.nc\". This is also the name of the new forest.\r\n\r\nThe NetBIOS name of the domain is \"CJPSTEST5\".\r\n\r\nForest Functional Level: Windows Server 2016\r\n\r\nDomain Functional Level: Windows Server 2016\r\n\r\nSite: Default-First-Site-Name\r\n\r\nAdditional Options:\r\n  Read-only domain controller: \"No\"\r\n  Global catalog: Yes\r\n  DNS Server: Yes\r\n\r\nCreate DNS Delegation: No\r\n\r\nDatabase folder: C:\\windows\\NTDS\r\nLog file folder: C:\\windows\\NTDS\r\nSYSVOL folder: C:\\windows\\SYSVOL\r\n\r\nThe DNS Server service will be configured on this computer.\r\nThis computer will be configured to use this DNS server as its preferred DNS server.\r\n\r\nThe password of the new domain Administrator will be the same as the password of the local Administrator of this computer."},
  {"time": "2020-02-07T08:15:18.607-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] ----------------------------------------"},
  {"time": "2020-02-07T08:15:18.922-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Press CTRL-C to: Cancel"},
  {"time": "2020-02-07T08:15:37.068-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Active Directory Domain Services is now installed on this computer for the domain \"cjPSTest5.local.nc\".\r\n\r\nThis Active Directory domain controller is assigned to the site \"Default-First-Site-Name\". You can manage sites with the Active Directory Sites and Services administrative tool."},
  {"time": "2020-02-07T08:15:37.083-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] AD forest 'cjPSTest5.local.nc' created. (ADD0010)"},
  {"time": "2020-02-07T08:15:37.083-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Writing tracking file: C:\\windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\cjPSTest5.local.nc.ADDomain.completed"},
  {"time": "2020-02-07T08:15:37.083-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ End    Set      ]  [[ADDomain]newDomain]  in 38.2640 seconds."},
  {"time": "2020-02-07T08:15:37.099-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ End    Resource ]  [[ADDomain]newDomain]  "},
  {"time": "2020-02-07T08:15:37.099-8:00", "type": "verbose", "message": "[cwmgr1]:                            [] A reboot is required to progress further. Please reboot the system."},
  {"time": "2020-02-07T08:15:37.099-8:00", "type": "warning", "message": "[cwmgr1]:                            [] A reboot is required to progress further. Please reboot the system."},
  {"time": "2020-02-07T08:15:37.115-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ End    Set      ]      "},
  {"time": "2020-02-07T08:15:37.115-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ End    Set      ]    in  330.8310 seconds."}

I bet me creating the temp folder in the system profile is having an effect on the resource. The Temp folder in the system profile fixes many processes so it's kind of a standard add for any automated builds I do...

{4D92158C-49C4-11EA-A80F-000D3AF7BA82}-0.details.json.txt

[image: Capture]

[image]

@X-Guardian
Contributor

OK, well, it's good to know what the problem is.

My opinion is that the resource shouldn't write the file to $env:Temp, but to $env:ProgramData instead, then we can avoid this issue.

@mitch-meade
Author

Or another “natural” trigger, i.e. a file or registry value that exists after the domain controller was promoted.

@mitch-meade
Author

I’ll take a snapshot right before the promo and again after to find a good trigger.

@X-Guardian
Contributor

Need to make sure the trigger is consistent from Server 2012 to Server 2019.

@mitch-meade
Author

Might be able to pull that off...

@mitch-meade
Author

mitch-meade commented Feb 7, 2020

How about something like this? Validated on 2012R2, 2016 and 2019...

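function testPromo ([string] $fqdn) {
    # Netlogon's SysVol value is populated once the server has been promoted.
    # Use a rooted registry path so the lookup does not depend on the current location.
    $sysVolPath = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
    if ([string]::IsNullOrEmpty($sysVolPath)) {
        return $false
    }

    # The domain's folder under the SysVol path exists after promotion.
    return (Test-Path -Path (Join-Path -Path $sysVolPath -ChildPath $fqdn))
}

testPromo 'test2012R2.local.nc'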

@mitch-meade
Author

Both the registry value and file path are populated after the DC promotion and before the first reboot.

@X-Guardian
Contributor

Great find @mitch-meade! Definitely the way to go rather than the tracking file.

I'm wondering whether we need to test the sysvol path though, or whether just the existence of the sysvol reg item is enough?

Looking at the current Get-TargetResource function of the ADDomain resource, it could really do with some refactoring too if we are going to make this change. Would you like to raise a PR?

@X-Guardian X-Guardian added bug The issue is a bug. in progress The issue is being actively worked on by someone. and removed needs more information The issue needs more information from the author or the community. labels Feb 8, 2020
@X-Guardian
Contributor

I'm working on a PR that will refactor the ADDomain resource Get-TargetResource function and include this change to replace the tracking file with the NetLogon SysVol registry check.
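
A diagnostic for the mismatch found in this thread, added here as an example (not code from the thread or from the ActiveDirectoryDsc module): it reports where a `<fqdn>.ADDomain.completed` marker resolves under the process TEMP, the machine TEMP and ProgramData, next to the Netlogon SysVol check proposed above. `Get-PromotionMarkerReport` is a hypothetical name; `$env:TEMP` reflects the account running the script, so run it as SYSTEM to see what the LCM sees.

```powershell
# Added illustration; Get-PromotionMarkerReport is a hypothetical helper,
# not part of the ActiveDirectoryDsc module.
function Get-PromotionMarkerReport {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string] $DomainName
    )

    # Marker file name format as it appears in the logs in this thread.
    $markerName = '{0}.ADDomain.completed' -f $DomainName

    # Machine-wide TEMP from the registry (the value checked earlier in the thread).
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    [string] $machineTemp = (Get-ItemProperty -Path $envKey).Temp

    # Candidate directories for a state marker. ProcessTemp is whatever the
    # current account's environment resolves to, which is the value that
    # changed across the reboot in the logs above.
    $locations = [ordered]@{
        ProcessTemp = $env:TEMP
        MachineTemp = $machineTemp
        ProgramData = $env:ProgramData
    }

    $markers = foreach ($entry in $locations.GetEnumerator()) {
        $path = Join-Path -Path $entry.Value -ChildPath $markerName
        [pscustomobject]@{
            Location = $entry.Key
            Path     = $path
            Exists   = Test-Path -LiteralPath $path
        }
    }

    # Environment-independent signal: the Netlogon SysVol value and the
    # domain folder beneath it.
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysVol = (Get-ItemProperty -Path $netlogonKey -ErrorAction SilentlyContinue).SysVol

    $sysVolDomainPath = $null
    if (-not [string]::IsNullOrEmpty($sysVol)) {
        $sysVolDomainPath = Join-Path -Path $sysVol -ChildPath $DomainName
    }
    $promoted = [bool] ($sysVolDomainPath -and (Test-Path -LiteralPath $sysVolDomainPath))

    [pscustomobject]@{
        DomainName        = $DomainName
        # True when a marker written to the process TEMP would not be found
        # by a later run that resolves TEMP to the machine-wide value.
        TempPathsDiffer   = ($env:TEMP.TrimEnd('\') -ne $machineTemp.TrimEnd('\'))
        Markers           = $markers
        SysVolRegistry    = $sysVol
        SysVolDomainPath  = $sysVolDomainPath
        PromotedPerSysVol = $promoted
    }
}

# Domain name taken from the logs in this thread; substitute your own.
$report = Get-PromotionMarkerReport -DomainName 'cjPSTest5.local.nc'
$report | Format-List DomainName, TempPathsDiffer, SysVolDomainPath, PromotedPerSysVol
$report.Markers | Format-Table -AutoSize
```

A result with `PromotedPerSysVol` true and the `ProcessTemp` marker missing matches the state in the ADD0017 warning quoted earlier.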

@mitch-meade
Author

So... I'd like to become more involved but I don't even know what a PR is... LOL. Just too busy. Can you point me to documentation how I can contribute?

@X-Guardian
Contributor

A PR is a GitHub 'Pull Request'. Have a read of the DSC Community Getting Started as a Contributor.

@X-Guardian X-Guardian self-assigned this Feb 11, 2020
@mitch-meade
Author

mitch-meade commented Feb 17, 2020

Attempted the Resource in 6.0.0-preview0001.
Another error occurred after the machine was promoted during the first boot.
Subsequent configuration evaluations succeeded…

"time": "2020-02-14T16:52:50.425-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ Start  Resource ]  [[ADDomain]newDomain]  "},
  {"time": "2020-02-14T16:52:50.425-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ Start  Test     ]  [[ADDomain]newDomain]  "},
  {"time": "2020-02-14T16:52:50.519-8:00", "type": "verbose", "message": "[cwmgr1]:                            [[ADDomain]newDomain] Querying for domain 'cjPSTest5.local.nc'. (ADD0001)"},
  {"time": "2020-02-14T16:52:52.316-8:00", "type": "verbose", "message": "[cwmgr1]: LCM:  [ End    Test     ]  [[ADDomain]newDomain]  in 1.8910 seconds."},
  {"time": "2020-02-14T16:52:52.316-8:00", "type": "error", "message": "PowerShell DSC resource MSFT_ADDomain  failed to execute Test-TargetResource functionality with error message: System.InvalidOperationException: Error getting AD domain 'cjPSTest5.local.nc'. (ADD0013) ---> System.ArgumentException: Server instance not found on the given port. ---> System.ServiceModel.FaultException: The operation failed because of a bad parameter.\r\n   --- End of inner exception stack trace ---\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.SearchAnObject(ADSearchRequest request)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.Search(ADSearchRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Search(ADSessionHandle handle, ADSearchRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADObjectSearcher.GetRootDSE()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetRootDSE()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetConnectedStore()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.GetCmdletSessionInfo()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase`3.ADGetCmdletBaseProcessCSRoutine()\r\n   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()\r\n   --- End of inner exception stack trace --- "},
  {"time": "2020-02-14T16:52:52.425-8:00", "type": "verbose", "message": "[cwmgr1]:                            [] Consistency check completed."}

@X-Guardian
Contributor

Hi @mitch-meade, can you raise a new issue for this error please?
