xADObjectPermissionEntry: Fails when applied in the same configuration as xADDomain #296

Closed
X-Guardian opened this issue May 25, 2019 · 5 comments · Fixed by #299
Labels
bug The issue is a bug.


@X-Guardian
Contributor

X-Guardian commented May 25, 2019

Details of the scenario you tried and the problem that is occurring

When deploying an xADObjectPermissionEntry resource in the same configuration as a new xADDomain resource, the xADObjectPermissionEntry will fail with the error "Cannot find drive. A drive with the name 'AD' does not exist" the first time the configuration is deployed.

Verbose logs showing the problem

Operation Consistency Check or Pull started by user sid S-1-5-20 from computer NULL.
Running consistency engine.
The local configuration manager is updating the PSModulePath to WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules.
 Resource execution sequence :: [WindowsFeature]AD-Domain-Services, [xADDomain]ADDomain, [xWaitForADDomain]ADDomain, [xADObjectPermissionEntry]Permission.
This event indicates that a non-terminating error was thrown when DSCEngine was executing Test-TargetResource on MSFT_xADObjectPermissionEntry DSC resource. FullyQualifiedErrorId is DriveNotFound,Microsoft.PowerShell.Commands.GetAclCommand. Error Message is Cannot find drive. A drive with the name 'AD' does not exist..
MIResult: 1
Error Message: Cannot find drive. A drive with the name 'AD' does not exist.
Message ID: DriveNotFound,Microsoft.PowerShell.Commands.GetAclCommand
Error Category: 13
Error Code: 13
Error Type: MI
This event indicates that failure happens when LCM is processing the configuration. Error Id is 0x1. Error Detail is The SendConfigurationApply function did not succeed.. Resource Id is [xADObjectPermissionEntry]Permission and Source Info is C:\users\Administrator\Documents\test.ps1::38::9::xADObjectPermissionEntry. Error Message is The PowerShell DSC resource '[xADObjectPermissionEntry]Permission' with SourceInfo 'C:\users\Administrator\Documents\test.ps1::38::9::xADObjectPermissionEntry' threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details..
MIResult: 1
Error Message: The PowerShell DSC resource '[xADObjectPermissionEntry]Permission' with SourceInfo 'C:\users\Administrator\Documents\test.ps1::38::9::xADObjectPermissionEntry' threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
Message ID: NonTerminatingErrorFromProvider
Error Category: 7
Error Code: 1
Error Type: MI
Job runs under the following LCM setting.
ConfigurationMode: ApplyAndMonitor
ConfigurationModeFrequencyMins: 15
RefreshMode: Push
RefreshFrequencyMins: 30
RebootNodeIfNeeded: NONE
DebugMode: True
MIResult: 1
Error Message: The SendConfigurationApply function did not succeed.
Message ID: MI RESULT 1
Error Category: 0
Error Code: 1
Error Type: MI

Suggested solution to the issue

The resource is attempting to use the AD PSDrive without first verifying that it is present. I believe it is normally created when the ActiveDirectory module is initially loaded, but only if the Active Directory is running at the time. In this scenario, the module is loaded prior to the Active Directory being installed, so no AD PSDrive is created. The resource therefore should check for the existence of the AD PSDrive and create it if necessary.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration ActiveDirectory {
    param (
        # Specifies the Domain Name
        [Parameter()]
        $DomainName = 'contoso.com',
        # Specifies the Domain NetBIOS Name
        [Parameter()]
        $DomainNetbiosName = 'CONTOSO',
        # Specifies the Domain Administrator Credentials
        [Parameter()]
        [PSCredential]$DomainCred = (Get-Credential -Message 'Enter Domain Administrator Credentials' -UserName 'Administrator'),
        # Specifies the Safe Mode Administrator Credentials
        [Parameter()]
        [PSCredential]$SafeModeCred = (Get-Credential -Message 'Enter Safe Mode Credentials' -UserName 'None'),
        # Specifies the DomainJoiner user Credentials
        [Parameter()]
        [PSCredential]$DomainJoinerCred = (Get-Credential -Message 'Enter DomainJoiner user Credentials' -UserName 'DomainJoiner')
    )

    Import-DscResource -ModuleName PsDscResources
    Import-DscResource -ModuleName xActiveDirectory

    Node $AllNodes.NodeName {
        WindowsFeature AD-Domain-Services {
            Ensure = 'Present'
            Name   = 'AD-Domain-Services'
        }

        xADDomain ADDomain {
            DomainName                    = $DomainName
            DomainNetbiosName             = $DomainNetbiosName
            DomainAdministratorCredential = $DomainCred
            SafemodeAdministratorPassword = $SafeModeCred
            DependsOn                     = '[WindowsFeature]AD-Domain-Services'
        }

        xWaitForADDomain ADDomain {
            DomainName           = $DomainName
            DomainUserCredential = $DomainCred
            RetryCount           = 50
            RetryIntervalSec     = 30
            RebootRetryCount     = 2
            DependsOn            = '[xADDomain]ADDomain'
        }

        xADUser DomainJoiner {
            DomainName = $DomainName
            UserName   = $DomainJoinerCred.UserName
            Password   = $DomainJoinerCred
            DependsOn  = '[xWaitForADDomain]ADDomain'
        }

        xADObjectPermissionEntry Permission {
            Path                               = 'DC=contoso,DC=com'
            IdentityReference                  = "$DomainNetbiosName\$($DomainJoinerCred.UserName)"
            ActiveDirectoryRights              = 'CreateChild', 'DeleteChild'
            AccessControlType                  = 'Allow'
            ObjectType                         = 'bf967a86-0de6-11d0-a285-00aa003049e2' # Computer objects
            ActiveDirectorySecurityInheritance = 'All'
            InheritedObjectType                = '00000000-0000-0000-0000-000000000000'
            DependsOn                          = '[xADUser]DomainJoiner'
        }
    }
}

$configData = @{
    AllNodes = @(
        @{
            NodeName                    = 'localhost';
            PsDscAllowPlainTextPassword = $true
        }
    )
}

ActiveDirectory -ConfigurationData $ConfigData

Publish-DscConfiguration .\ActiveDirectory\

Start-DscConfiguration -Wait -Verbose -Force -UseExisting

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Standard Evaluation
OsOperatingSystemSKU : 79
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.316
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.316
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

2.26.0.0

@johlju
Member

johlju commented May 30, 2019

How come that importing the module does not create the PSDrive? 🤔

https://github.com/PowerShell/xActiveDirectory/blob/e2fb20f8f51e1b81e1a2b1bb804155583be14e2c/DSCResources/MSFT_xADObjectPermissionEntry/MSFT_xADObjectPermissionEntry.psm1#L61

I'm curious if this is because the feature RSAT-AD-PowerShell is not part of the configuration, meaning that the ActiveDirectory module is not installed. The cmdlets used prior to that are the cmdlets out of the ADDSDeployment module. 🤔

> I believe it is normally created when the ActiveDirectory module is initially loaded, but only if the Active Directory is running at the time.

Since the xADDomain resource is restarting the node, the Active Directory is running on the node once it comes back online, so next time the configuration runs it should import the module ActiveDirectory again, and PSDrive should be created. 🤔

What are your thoughts around this?

johlju added the "needs more information" label May 30, 2019
@X-Guardian
Contributor Author

Hi @johlju, when the DSC configuration first runs, the xADDomain resource creates Active Directory and then requires a reboot before the configuration will continue (it sets $global:DSCMachineStatus = 1).
After the reboot, the xADDomain resource will execute again, and as it uses ActiveDirectory cmdlets for its Test-TargetResource function, the module will be auto-loaded, but at this time, Active Directory is not yet ready for connection, and so the creation of the AD PSDrive silently fails.
The following resources will then be processed, but the ActiveDirectory module is already loaded in the DSC session without the AD PSDrive, and that is why this scenario occurs.
It may have been possible to force load the module to create the AD PS drive in the xADObjectPermissionEntry resource, but I don't know whether this would have had other consequences.

No other xActiveDirectory resources are currently affected by this, as they don't use the AD PSDrive.
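
The check proposed under "Suggested solution to the issue" and explained in the comment above, as an added example that is not the module's code and not taken from the pull request. `Confirm-ADDrive` is a hypothetical helper name; it assumes the ActiveDirectory module is installed and that `//RootDSE/` is the wanted drive root.

```powershell
# Added example: Confirm-ADDrive is a hypothetical name, not part of xActiveDirectory.
function Confirm-ADDrive
{
    [CmdletBinding()]
    param
    (
        # Root for the drive (assumption: the default root of the AD: drive).
        [Parameter()]
        [System.String]
        $Root = '//RootDSE/'
    )

    # No-op when the module is already loaded in the session, which is
    # exactly the case where the AD: drive can be missing.
    Import-Module -Name 'ActiveDirectory' -ErrorAction 'Stop' -Verbose:$false

    # Drive already present: nothing to do.
    if (Get-PSDrive -Name 'AD' -PSProvider 'ActiveDirectory' -ErrorAction 'SilentlyContinue')
    {
        return
    }

    Write-Verbose -Message 'AD: PSDrive not found in this session, creating it.'

    try
    {
        # -ErrorAction Stop turns a failed connection into a terminating error,
        # so the caller never continues against a drive that does not exist.
        New-PSDrive -Name 'AD' -PSProvider 'ActiveDirectory' -Root $Root `
            -Scope 'Global' -ErrorAction 'Stop' | Out-Null
    }
    catch
    {
        throw "Unable to create the AD: PSDrive (is Active Directory reachable?): $($_.Exception.Message)"
    }
}

# Call the helper before any provider-path access such as Get-Acl.
Confirm-ADDrive -Verbose
$acl = Get-Acl -Path 'AD:\DC=contoso,DC=com'

# Show the access rules held by the identity from the configuration above.
$acl.Access | Where-Object -FilterScript { $_.IdentityReference -eq 'CONTOSO\DomainJoiner' }
```

Because the helper throws when the drive cannot be created, a permission resource that calls it first reports a clear failure instead of the `DriveNotFound` non-terminating error seen in the log.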

@johlju
Member

johlju commented May 31, 2019

@X-Guardian Thanks for that! Appreciate the detailed run down! I will review the PR you sent in to resolve this issue.

johlju added the "bug" and "in progress" labels and removed the "needs more information" label May 31, 2019
@X-Guardian
Contributor Author

No problem @johlju. It would be great to get integration testing added to this module, as discussed in #121 so we could add tests for scenarios like this.

@johlju
Member

johlju commented May 31, 2019

Yep agree, I added one so far https://github.com/PowerShell/xActiveDirectory/tree/dev/Tests/Integration. Another PR will add another. I'm working on instructions on how to set up a test environment that I will send in as a PR eventually (halfway done). It will be one of the ways to set it up, we need to work on alternatives too.

johlju removed the "in progress" label May 31, 2019