
Add xProvisionODJ Resource #84

Closed
PlagueHO opened this issue Apr 7, 2016 · 10 comments
Labels
enhancement The issue is an enhancement request.

Comments

@PlagueHO
Member

PlagueHO commented Apr 7, 2016

Create a new resource for provisioning a computer in AD for ODJ. The ODJ file created can then be consumed by the xOfflineDomainJoin resource I've just submitted to xComputerManagement.

The main purpose of this is to allow automated provisioning of Nano Server via DSC, although it will work for any other machine.

DJOIN will be used to provision the machine in AD (/REUSE is required if already exists) and create the request blob:

djoin /PROVISION /DOMAIN CONTOSO.COM /MACHINE NANO1 /SAVEFILE c:\nano1-odj.txt
@iainbrighton
Contributor

@PlagueHO There are a load of switches on DJOIN.EXE! Do you know what happens if you specify /MACHINEOU <OU Name> and /REUSE? Here's the description of the switches:

/machineou <OU Name>
Specifies the name of the organizational unit (OU) in which you want the computer account to be created. By default, the computer account is created in the Computers container. This parameter is ignored if /reuse is specified.

/reuse
Specifies the reuse of any existing computer account. The password for the computer account will be reset.

It looks like we might need to check whether the computer account exists before we can determine whether to use the /REUSE switch or not. What's your experience?

@PlagueHO
Member Author

PlagueHO commented Apr 8, 2016

@iainbrighton - you're right.

I've had to use the /REUSE parameter a couple of times and it resets the secure channel password of the computer account when you use it. So it's not something I like to use unless necessary - especially on Nano Server because neither Test-ComputerSecureChannel -Repair, NLTEST /SC_RESET or netdom are available - so no way to repair a broken secure channel. So mistakenly calling /REUSE would be a real pain for Nano Server - you'd need to unjoin and rejoin the server to the domain to fix a secure channel issue - not nice.

I actually think that by default the resource should not issue a /REUSE - but should throw an error if the computer account already exists (and the ODJ blob hasn't been created).

Perhaps an "AllowReuse" parameter of the resource could be set to allow the /REUSE to be issued.

Either way you're right - a check to see if the computer account already exists must be issued before calling DJOIN.

What are your feelings on this?

@PlagueHO
Member Author

PlagueHO commented Apr 9, 2016

Here's the Schema I'd propose using for this:

[ClassVersion("1.0.0.0"), FriendlyName("xRequestODJ")]
class MSFT_xRequestODJ : OMI_BaseResource
{
    [Key, Description("The name of the domain that will contain the computer account to ODJ.")] String DomainName;
    [Key, Description("The computer name of the AD account to request an ODJ file for.")] String ComputerName;
    [Write, Description("The optional OU to create the computer account in.")] String OU;
    [Write, Description("The optional DC Name to target for account creation.")] String DCName;
    [Write, Description("If the computer account already exists, allow Reuse to be issued.")] Boolean AllowReuse;
    [Required, Description("The full path to the Offline Domain Join Request file to create.")] String RequestFile;
};

@iainbrighton
Contributor

@PlagueHO I best finish the xADComputer resource then!

If we don't implement the /REUSE switch we'll be OK. We only invoke the Set-TargetResource if the computer account is not present.

However, I'm still trying to wrap my head around how we make the ODJ request idempotent if we implement the /REUSE switch. We cannot use the presence of the computer account indicating that we need to invoke the Set-TargetResource method. We could use the presence of the local .txt file, but if someone removes that we would end up breaking an existing trust relationship...

@PlagueHO
Member Author

@iainbrighton - Cool. So:

  • I'll not implement the /REUSE flag.
  • I'll use the existence of the account in AD to determine the outcome of Test-TargetResource.

We definitely can't use the existence of the file either because in many situations you'd want to write the DJOIN to a share on another machine (accessible to machines outside the domain), and the last thing you want is for a transient network failure to cause all your DJOIN'd machines to have broken secure channels.

When I was looking into all this I wondered where the xADComputer resource was 😄 but then I remembered the discussion about creating xADObject.
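A sketch of the Test/Set logic agreed in this thread, as an added example that is not the project's code: compliance is keyed on the AD computer account, the request file is never used as state, and an existing account is an error unless the schema's AllowReuse is set. It assumes the ActiveDirectory module (Get-ADComputer) and djoin.exe are available on the node running the resource; the function and property names follow the proposed MOF above.

```powershell
# Added example (not the project's code): Test/Set logic agreed above, using the
# proposed MOF property names. Assumes ActiveDirectory module + djoin.exe on the node.

function Test-ComputerAccountExists {
    param([string] $ComputerName, [string] $DomainName, [string] $DCName)
    # -Filter returns nothing (no exception) when the account is absent; -Identity would throw.
    $server = if ($DCName) { $DCName } else { $DomainName }
    return [bool] (Get-ADComputer -Filter "Name -eq '$ComputerName'" -Server $server)
}

function Test-TargetResource {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $OU, [string] $DCName, [bool] $AllowReuse = $false,
        [Parameter(Mandatory)] [string] $RequestFile
    )
    # Compliance is keyed on the AD account, never on the request file: a lost
    # .txt on a share must not trigger a re-provision that would reset the
    # account's secure channel password and break the trust relationship.
    return Test-ComputerAccountExists -ComputerName $ComputerName -DomainName $DomainName -DCName $DCName
}

function Set-TargetResource {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $OU, [string] $DCName, [bool] $AllowReuse = $false,
        [Parameter(Mandatory)] [string] $RequestFile
    )
    $exists = Test-ComputerAccountExists -ComputerName $ComputerName -DomainName $DomainName -DCName $DCName
    if ($exists -and -not $AllowReuse) {
        # Default behaviour: refuse rather than silently issuing /REUSE.
        throw "Computer account '$ComputerName' already exists in '$DomainName'; set AllowReuse to permit DJOIN /REUSE (resets the account password)."
    }
    $djoinArgs = @('/PROVISION', '/DOMAIN', $DomainName, '/MACHINE', $ComputerName,
                   '/SAVEFILE', $RequestFile)
    if ($DCName) { $djoinArgs += '/DCNAME', $DCName }
    if ($exists) {
        $djoinArgs += '/REUSE'            # djoin ignores /MACHINEOU when /REUSE is given
    } elseif ($OU) {
        $djoinArgs += '/MACHINEOU', $OU
    }
    & djoin.exe @djoinArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "djoin.exe failed with exit code $LASTEXITCODE" }
}
```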

@iainbrighton
Contributor

@PlagueHO So are you going to submit a PR for this? If so, thanks - saves me a job 👍

@PlagueHO
Member Author

@iainbrighton: For xProvisionODJ? Absolutely - it's already nearly finished. Just working on unit tests.

@PlagueHO
Member Author

@iainbrighton - I bet as soon as this is released WS2016 TP5 will come out and a non ODJ method of joining a Nano Server to a domain will be included 😄

@iainbrighton
Contributor

@PlagueHO Here's my current implementation of xADComputer: https://github.com/iainbrighton/xactivedirectory/tree/Issue69

@PlagueHO
Member Author

PlagueHO commented Jun 9, 2016

I'm working on this one now.

TravisEz13 added the enhancement label on Jun 19, 2016.