ADOrganizationalUnit : Removing Credential from the list of desired values to compare #624

Closed
jmos5156 opened this issue Aug 7, 2020 · 1 comment · Fixed by #623
Labels
bug The issue is a bug.

jmos5156 commented Aug 7, 2020

Details of the scenario you tried and the problem that is occurring

When using the ADOrganizationalUnit resource with a Credential parameter, DSC will use the Credential as part of the DesiredValues (Compare-ResourcePropertyState function) when evaluating the state of an OU during Test-TargetResource. In the event that the OU exists, this forces a re-evaluation of all the passed parameters through Get-TargetResource, which returns a hashtable not containing a Credential value. This therefore triggers a Set-TargetResource to add OUs when they already exist and are in the desired state.

Verbose logs showing the problem

The output error is similar to this

18:44:13 - Resource Microsoft.Compute/virtualMachines/extensions 'testDCSrv/DSC' failed with message '{
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "VMExtensionProvisioningError",
        "message": "VM has reported a failure when processing extension 'DSC'. Error message: \"DSC Configuration 'DomainController' completed with error(s). Following are the first few: PowerShell DSC resource 
MSFT_ADOrganizationalUnit  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Error updating OU 'testOU'. (ADOU0016) ---> 
Microsoft.ActiveDirectory.Management.ADInvalidOperationException: replace ---> System.ServiceModel.FaultException: Bad AttributeTypeAndValue or Change found inside the request.\r\n   --- End of inner exception stack trace ---\r\n   
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault 
adwsFault, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.Modify(ADModifyRequest request)\r\n   at 
Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Modify(ADSessionHandle handle, ADModifyRequest request)\r\n   at 
Microsoft.ActiveDirectory.Management.ADActiveObject.Update()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.SetFromIdentity(O identity)\r\n   at 
Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.ADSetCmdletBaseProcessCSRoutine()\r\n   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()\r\n   at 
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()\r\n   --- End of inner exception stack trace ---  PowerShell DSC resource MSFT_ADOrganizationalUnit  failed to execute Set-TargetResource functionality 
with error message: System.InvalidOperationException: Error updating OU 'computers'. (ADOU0016) ---> Microsoft.ActiveDirectory.Management.ADInvalidOperationException: replace ---> System.ServiceModel.FaultException: Bad 
AttributeTypeAndValue or Change found inside the request.\r\n   --- End of inner exception stack trace ---\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, 
FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault, FaultException faultException)\r\n   at 
Microsoft.ActiveDirectory.Management.AdwsConnection.Modify(ADModifyRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Modify(ADSessionHandle 
handle, ADModifyRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADActiveObject.Update()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.SetFromIdentity(O identity)\r\n   at 
Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.ADSetCmdletBaseProcessCSRoutine()\r\n   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()\r\n   at 
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()\r\n   --- End of inner exception stack trace ---  PowerShell DSC resource MSFT_ADOrganizationalUnit  failed to execute Set-TargetResource functionality 
with error message: System.InvalidOperationException: Error updating OU 'sql'. (ADOU0016) ---> Microsoft.ActiveDirectory.Management.ADInvalidOperationException: replace ---> System.ServiceModel.FaultException: Bad 
AttributeTypeAndValue or Change found inside the request.\r\n   --- End of inner exception stack trace ---\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, 
FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault, FaultException faultException)\r\n   at 
Microsoft.ActiveDirectory.Management.AdwsConnection.Modify(ADModifyRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Modify(ADSessionHandle 
handle, ADModifyRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADActiveObject.Update()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.SetFromIdentity(O identity)\r\n   at 
Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.ADSetCmdletBaseProcessCSRoutine()\r\n   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()\r\n   at 
Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()\r\n   --- End of inner exception stack trace --- \"\r\n\r\nMore information on troubleshooting is available at 
https://aka.ms/VMExtensionDSCWindowsTroubleshoot "
      }
    ]
  }
}'
    + CategoryInfo          : NotSpecified: (:) [], Exception
    + FullyQualifiedErrorId : 
 
18:44:13 - VM has reported a failure when processing extension 'DSC'. Error message: "DSC Configuration 'DomainController' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ADOrganizationalUnit  
failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Error updating OU 'testOU'. (ADOU0016) ---> Microsoft.ActiveDirectory.Management.ADInvalidOperationException: replace ---> 
System.ServiceModel.FaultException: Bad AttributeTypeAndValue or Change found inside the request.
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.Modify(ADModifyRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Modify(ADSessionHandle handle, ADModifyRequest request)
   at Microsoft.ActiveDirectory.Management.ADActiveObject.Update()
   at Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.SetFromIdentity(O identity)
   at Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.ADSetCmdletBaseProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
   --- End of inner exception stack trace ---  PowerShell DSC resource MSFT_ADOrganizationalUnit  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Error updating OU 
'computers'. (ADOU0016) ---> Microsoft.ActiveDirectory.Management.ADInvalidOperationException: replace ---> System.ServiceModel.FaultException: Bad AttributeTypeAndValue or Change found inside the request.
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.Modify(ADModifyRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Modify(ADSessionHandle handle, ADModifyRequest request)
   at Microsoft.ActiveDirectory.Management.ADActiveObject.Update()
   at Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.SetFromIdentity(O identity)
   at Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.ADSetCmdletBaseProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
   --- End of inner exception stack trace ---  PowerShell DSC resource MSFT_ADOrganizationalUnit  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Error updating OU 'sql'. 
(ADOU0016) ---> Microsoft.ActiveDirectory.Management.ADInvalidOperationException: replace ---> System.ServiceModel.FaultException: Bad AttributeTypeAndValue or Change found inside the request.
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForFaultDetail(FaultDetail faultDetail, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(AdwsFault adwsFault, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.Modify(ADModifyRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADSyncOperations.Modify(ADSessionHandle handle, ADModifyRequest request)
   at Microsoft.ActiveDirectory.Management.ADActiveObject.Update()
   at Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.SetFromIdentity(O identity)
   at Microsoft.ActiveDirectory.Management.Commands.ADSetCmdletBase`3.ADSetCmdletBaseProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
   --- End of inner exception stack trace --- "
More information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot 
    + CategoryInfo          : NotSpecified: (:) [], Exception
    + FullyQualifiedErrorId : 
 
18:44:13 - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
    + CategoryInfo          : NotSpecified: (:) [], Exception
    + FullyQualifiedErrorId : 
 
18:44:13 - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
    + CategoryInfo          : NotSpecified: (:) [], Exception
    + FullyQualifiedErrorId : 

Suggested solution to the issue

Seeing as the Credential does not form part of the desired state, but rather is used to enact a change via an authorized account, it does not need to form part of the desired values when determining the state of the OU. If the credential is not passed when using ADOrganizationalUnit, then the process works as expected. If it is passed, it should be removed from the array of DesiredValues passed to the Compare-ResourcePropertyState function.

PR has been submitted here #623

The DSC configuration that is used to reproduce the issue (as detailed as possible)

            ADOrganizationalUnit "testOU" {
                Ensure     = "Present"
                Name       = "test"
                Path       = "dc=test,dc=com"
                Credential = $Credential
            }

The operating system the target node is running

OsName : Microsoft Windows Server 2016 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsBuildLabEx : 14393.3808.amd64fre.rs1_release.200707-2105
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

PS C:\windows\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14393.3471
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.3471
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

ActiveDirectoryDsc - 6.0.1
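
The false drift reported in this issue can be reproduced without a domain controller. The following is an added example, not code from the issue or from ActiveDirectoryDsc: `Compare-PropertyStateSketch` is a hypothetical stand-in for the module's comparison, and the account name and password are constructed sample values.

```powershell
# Hypothetical stand-in for a desired-vs-current property comparison.
# It is NOT the module's Compare-ResourcePropertyState.
function Compare-PropertyStateSketch {
    param (
        [Parameter(Mandatory = $true)] [hashtable] $CurrentValues,
        [Parameter(Mandatory = $true)] [hashtable] $DesiredValues,
        [string[]] $IgnoreProperties = @()
    )

    foreach ($name in $DesiredValues.Keys) {
        # Properties that only authorize the change are skipped, not compared.
        if ($name -in $IgnoreProperties) { continue }

        $expected = $DesiredValues[$name]
        $actual   = $CurrentValues[$name]   # $null when the key is absent

        [pscustomobject]@{
            ParameterName  = $name
            Expected       = $expected
            Actual         = $actual
            InDesiredState = ($null -ne $actual) -and ($expected -eq $actual)
        }
    }
}

# Constructed sample data; the password is a throwaway literal for this demo.
$password   = ConvertTo-SecureString -String 'NotARealPassword' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ('TEST\dscadmin', $password)

# What the configuration asks for (mirrors the repro configuration in the issue).
$desired = @{ Ensure = 'Present'; Name = 'test'; Path = 'dc=test,dc=com'; Credential = $credential }

# What a Get-style function reports for an OU that already exists: no Credential key.
$current = @{ Ensure = 'Present'; Name = 'test'; Path = 'dc=test,dc=com' }

$naive = Compare-PropertyStateSketch -CurrentValues $current -DesiredValues $desired
$fixed = Compare-PropertyStateSketch -CurrentValues $current -DesiredValues $desired -IgnoreProperties 'Credential'

# Any property not in the desired state would send the resource down the Set path.
$naiveDrift = @($naive | Where-Object { -not $_.InDesiredState })
$fixedDrift = @($fixed | Where-Object { -not $_.InDesiredState })

'Credential compared: {0} mismatch(es) [{1}]' -f $naiveDrift.Count, ($naiveDrift.ParameterName -join ', ')
'Credential excluded: {0} mismatch(es)' -f $fixedDrift.Count
```

The same pattern applies to any DSC resource parameter that authorizes an operation rather than describing state: leaving it in the comparison makes an already compliant node look non-compliant on every run.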

@johlju johlju added bug The issue is a bug. in progress The issue is being actively worked on by someone. labels Aug 9, 2020
@X-Guardian X-Guardian removed the in progress The issue is being actively worked on by someone. label Oct 10, 2020
@powertim

Hi,

I'm still having the issue with version 6.2.0-preview0001 although it's marked as fixed in the release notes...
