Add xProvisionODJ Resource #84
Comments
@PlagueHO There are a load of switches on DJOIN.EXE! Do you know what happens if you specify
It looks like we might need to check whether the computer account exists before we can determine whether to use the
@iainbrighton - you're right. I've had to use the /REUSE parameter a couple of times and it resets the secure channel password of the computer account when you use it. So it's not something I like to use unless necessary - especially on Nano Server because neither I actually think that by default the resource should not issue a /REUSE - but should throw an error if the computer account already exists (and the ODJ blob hasn't been created). Perhaps an "AllowReuse" parameter of the resource could be set to allow the /REUSE to be issued. Either way you're right - a check to see if the computer account already exists must be issued before calling DJOIN. What are your feelings on this?
Here's the Schema I'd propose using for this:

[ClassVersion("1.0.0.0"), FriendlyName("xRequestODJ")]
class MSFT_xRequestODJ : OMI_BaseResource
{
    [Key, Description("The name of the domain that will contain the computer account to ODJ.")] String DomainName;
    [Key, Description("The computer name of the AD account to request an ODJ file for.")] String ComputerName;
    [Write, Description("The optional OU to create the computer account in.")] String OU;
    [Write, Description("The optional DC Name to target for account creation.")] String DCName;
    [Write, Description("If the computer account already exists, allow Reuse to be issued.")] Boolean AllowReuse;
    [Required, Description("The full path to the Offline Domain Join Request file to create.")] String RequestFile;
};
@PlagueHO I'd best finish the xADComputer resource then! If we don't implement the /REUSE switch we'll be OK. We only invoke the Set-TargetResource if the computer account is not present. However, I'm still trying to wrap my head around how we make the ODJ request idempotent if we implement the /REUSE switch. We cannot use the presence of the computer account as indicating that we need to invoke the Set-TargetResource method. We could use the presence of the local .txt file, but if someone removes that we would end up breaking an existing trust relationship...
@iainbrighton - Cool. So:
We definitely can't use the existence of the file either because in many situations you'd want to write the DJOIN to a share on another machine (accessible to machines outside the domain) and the last thing you want is a transient network failure to cause all your DJOIN'd machines to have broken secure channels. When I was looking into all this I wondered where the xADComputer resource was 😄 but then I remembered the discussion about creating xADObject.
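The check discussed above (look up the computer account before calling DJOIN, and only issue /REUSE when AllowReuse is set) against the proposed MSFT_xRequestODJ schema, as an added example that is not code from this issue or from the xActiveDirectory project. It assumes the ActiveDirectory module's Get-ADComputer is available and that DJOIN.EXE is on the path; the function names and the DJOIN switches other than /REUSE are not taken from the thread.

```powershell
# Added example; the schema's parameter names are reused, the function names are assumed.
function Test-ODJComputerAccount {
    # Returns $true when the computer account already exists in the domain.
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $DCName
    )
    # Prefer the specified DC; otherwise let the module locate one for the domain.
    $server = if ($DCName) { $DCName } else { $DomainName }
    try {
        $null = Get-ADComputer -Identity $ComputerName -Server $server -ErrorAction Stop
        return $true
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $false
    }
}

function Invoke-ODJProvision {
    # Provisions the account and writes the ODJ blob; refuses to reset an
    # existing account's secure channel password unless AllowReuse is set.
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $RequestFile,
        [string] $OU,
        [string] $DCName,
        [bool]   $AllowReuse = $false
    )
    $exists = Test-ODJComputerAccount -DomainName $DomainName -ComputerName $ComputerName -DCName $DCName
    if ($exists -and -not $AllowReuse) {
        throw "Computer account '$ComputerName' already exists in '$DomainName'. " +
              "Set AllowReuse to issue /REUSE (this resets the account's secure channel password)."
    }
    $djoinArgs = @('/PROVISION', '/DOMAIN', $DomainName, '/MACHINE', $ComputerName, '/SAVEFILE', $RequestFile)
    if ($OU)     { $djoinArgs += @('/MACHINEOU', $OU) }
    if ($DCName) { $djoinArgs += @('/DCNAME', $DCName) }
    if ($exists) { $djoinArgs += '/REUSE' }   # only reached when AllowReuse was set
    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) {
        throw "DJOIN.EXE failed with exit code $LASTEXITCODE"
    }
}
```

In a DSC resource, Test-TargetResource would return the result of Test-ODJComputerAccount so that Set-TargetResource (which calls Invoke-ODJProvision) only runs when the account is absent.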
@PlagueHO So are you going to submit a PR for this? If so, thanks - saves me a job 👍
@iainbrighton: For xProvisionODJ? Absolutely - it's already nearly finished. Just working on unit tests.
@iainbrighton - I bet as soon as this is released WS2016 TP5 will come out and a non-ODJ method of joining a Nano Server to a domain will be included 😄
@PlagueHO Here's my current implementation of xADComputer: https://github.com/iainbrighton/xactivedirectory/tree/Issue69
I'm working on this one now. |
Create a new resource for provisioning a computer in AD for ODJ. The ODJ file created can then be consumed by the xOfflineDomainJoin resource I've just submitted to xComputerManagement.
The main purpose of this is to allow automated provisioning of Nano Server via DSC, although it will work for any other machine.
DJOIN will be used to provision the machine in AD (/REUSE is required if the account already exists) and create the request blob: