Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ADDomainTrust: Removing trust type does not work if using wrong 'TrustType' #425

Open
johlju opened this issue Jul 10, 2019 · 0 comments
Open

ADDomainTrust: Removing trust type does not work if using wrong 'TrustType' #425

johlju opened this issue Jul 10, 2019 · 0 comments
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.

Comments

@johlju
Copy link
Member

johlju commented Jul 10, 2019
edited
Loading

Details of the scenario you tried and the problem that is occurring

This is related to issue #424. Please see description there.

If there are a trust with the trust type 'Domain' and a configuration is suppose to remove the trust, but the in the configuration the trust type is set to 'Forest' then the trust will not be removed.
This is because of the same problem as in issue #424. There is no check to see if there is a trust of either type [System.DirectoryServices.ActiveDirectory.Domain] or [System.DirectoryServices.ActiveDirectory.Forest].

Verbose logs showing the problem

The resource reporting that the the configuration is in desired state because the wrong type is used to look for if the trust exist.

WARNING: It is not recommended to use domain credential for node 'localhost'. In order to suppress the warning, you can add a property named 'PSDscAllowDomainUser' with a value of $true to your DSC configuration data for node 'localhost'.
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer CLDC03 with user sid S-1-5-21-1619467470-1459113476-3809063323-500.
VERBOSE: [CLDC03]: LCM:  [ Start  Set      ]
VERBOSE: [CLDC03]:                            [DSCEngine] Importing the module C:\Source\xActiveDirectory\DscResources\MSFT_xADDomainTrust\MSFT_xADDomainTrust.psm1 in force mode.
VERBOSE: [CLDC03]: LCM:  [ Start  Resource ]  [[xADDomainTrust]Integration_Test]
VERBOSE: [CLDC03]: LCM:  [ Start  Test     ]  [[xADDomainTrust]Integration_Test]
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] Importing the module MSFT_xADDomainTrust in force mode.
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] Determining the current state of the Active Directory trust with source domain 'contoso.com', target domain 'lab.local' and context type 'Forest'. (ADDT0007)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] The type 'System.DirectoryServices.ActiveDirectory.DirectoryContext' is already loaded into the PowerShell session. (ADCOMMON0043)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] Get a new Active Directory context of the type 'Forest'. (ADCOMMON0046)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] The Active Directory context will target 'lab.local'. (ADCOMMON0047)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] The Active Directory context will be accessed using the 'LAB\Administrator' credentials. (ADCOMMON0048)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] The type 'System.DirectoryServices.ActiveDirectory.DirectoryContext' is already loaded into the PowerShell session. (ADCOMMON0043)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] Get a new Active Directory context of the type 'Forest'. (ADCOMMON0046)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] The Active Directory context will target 'contoso.com'. (ADCOMMON0047)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] Determining if the trust between the 'contoso.com' and the 'lab.local' with the context type 'Forest' exists. (ADDT0001)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] There is no trust between domains 'contoso.com' and 'lab.local' with the context type 'Forest'. (ADDT0006)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] Evaluating the state of the property 'Ensure'. (ADCOMMON0003)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] The parameter 'Ensure' is in desired state. (ADCOMMON0004)
VERBOSE: [CLDC03]:                            [[xADDomainTrust]Integration_Test] The Active Directory trust is in the desired state. (ADDT0008)
VERBOSE: [CLDC03]: LCM:  [ End    Test     ]  [[xADDomainTrust]Integration_Test]  in 0.1090 seconds.
VERBOSE: [CLDC03]: LCM:  [ Skip   Set      ]  [[xADDomainTrust]Integration_Test]
VERBOSE: [CLDC03]: LCM:  [ End    Resource ]  [[xADDomainTrust]Integration_Test]
VERBOSE: [CLDC03]: LCM:  [ End    Set      ]
VERBOSE: [CLDC03]: LCM:  [ End    Set      ]    in  0.2650 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.656 seconds

Suggested solution to the issue

See issue #424 for possible solutions.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

<#
    .SYNOPSIS
        Creates a domain trust.
#>
Configuration MSFT_xADDomainTrust_CreateDomainTrust_Config
{
    Import-DscResource -ModuleName 'xActiveDirectory'

    node $AllNodes.NodeName
    {
        xADDomainTrust 'Integration_Test'
        {
            SourceDomainName                    = $Node.SourceDomain
            TargetDomainName                    = $Node.TargetDomain
            TrustType                           = 'External'
            TrustDirection                      = 'Outbound'
            TargetDomainAdministratorCredential = New-Object `
                -TypeName System.Management.Automation.PSCredential `
                -ArgumentList @($Node.TargetUserName, (ConvertTo-SecureString -String $Node.TargetPassword -AsPlainText -Force))

        }
    }
}

<#
    .SYNOPSIS
        Removes the forest trust.
#>
Configuration MSFT_xADDomainTrust_RemoveTrust_Config
{
    Import-DscResource -ModuleName 'xActiveDirectory'

    node $AllNodes.NodeName
    {
        xADDomainTrust 'Integration_Test'
        {
            Ensure                              = 'Absent'
            SourceDomainName                    = $Node.SourceDomain
            TargetDomainName                    = $Node.TargetDomain
            TrustType                           = 'Forest'
            TrustDirection                      = 'Bidirectional'
            TargetDomainAdministratorCredential = New-Object `
                -TypeName System.Management.Automation.PSCredential `
                -ArgumentList @($Node.TargetUserName, (ConvertTo-SecureString -String $Node.TargetPassword -AsPlainText -Force))

        }
    }
}

The operating system the target node is running

Windows Server 2019

Version and build of PowerShell the target node is running

n/a

Version of the DSC module that was used ('dev' if using current dev branch)

Dev
@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Jul 10, 2019
@johlju johlju mentioned this issue Jul 12, 2019
Merged
9 tasks
@johlju johlju changed the title xADDomainTrust: Removing trust type does not work if using wrong 'TrustType' ADDomainTrust: Removing trust type does not work if using wrong 'TrustType' Jul 28, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@johlju