Description
Details of the scenario you tried and the problem that is occurring
We have ADGroup DSC resources that create several groups in different OUs. After some of these groups are created by DSC, we manually add cross-domain members (foreign security principals). With ActiveDirectoryDsc version 6.0.1, we get errors as specified here: #619. We upgraded to ActiveDirectoryDsc version 6.2.0-preview0001. The number of these errors went from 20s to under 10.
The fix in 6.2.0 for this problem checks specifically for the following in Get-TargetResource in MSFT_ADGroup.psm1:
$oneWayTrustFullyQualifiedErrorId = 'ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'
But for some reason that I haven't determined, some of the groups return the following error instead (0 vs 8224):
ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
Verbose logs showing the problem
Following is a snippet of the logs for one of the groups. I replaced the group name with XXXXX:
VERBOSE: Invoking AWS Systems Manager operation --output truncated--, CommandId:9d14e6b5-c93e-45ff-b27b-cbb2ae325979, DocumentVersion:$DEFAULT, ExecutionElapsedTime:PT30M2.993S, StandardErrorContent:PowerShell DSC resource MSFT_ADGroup failed to execute Test-TargetResource functionality with error message: System.InvalidOperationException: Error retrieving membership for AD Group 'XXXXX'. (ADG0014) ---> Microsoft.ActiveDirectory.Management.ADException: An operations error occurred ---> System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault]: Active Directory returned an error processing the operation.
Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
   --- End of inner exception stack trace ---
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
Suggested solution to the issue
I did the following in Get-TargetResource in MSFT_ADGroup.psm1 and it remedied my problem:
# This FullyQualifiedErrorId is indicative of a failure to retrieve members with Get-ADGroupMember
# for a one-way trust
$oneWayTrustFullyQualifiedErrorId = `
    'ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'
$oneWayTrustFullyQualifiedErrorId8224 = `
    'ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'

if (($_.FullyQualifiedErrorId -eq $oneWayTrustFullyQualifiedErrorId) -or
    ($_.FullyQualifiedErrorId -eq $oneWayTrustFullyQualifiedErrorId8224))
The DSC configuration that is used to reproduce the issue (as detailed as possible)
# insert configuration here
The operating system the target node is running
OsName : Microsoft Windows Server 2012 R2 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsBuildLabEx : 9600.19994.amd64fre.winblue_ltsb_escrow.210331-1613
OsLanguage : en-US
OsMuiLanguages : {en-US}
Version and build of PowerShell the target node is running
Name Value
---- -----
PSVersion 5.1.14409.1018
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14409.1018
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Version of the DSC module that was used
ActiveDirectoryDsc 6.2.0-preview0001
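The error-id check from the suggested solution above, written out as a classification-plus-fallback pattern that can be exercised without a domain, as an added example that is neither ActiveDirectoryDsc's code nor the issue author's. It relies only on the two FullyQualifiedErrorId strings quoted in this issue (error codes 0 and 8224); the function names, the constructed ErrorRecord objects and the error code 1234 are illustrative assumptions.

```powershell
# Added example, not code from ActiveDirectoryDsc or from the issue author.
# Separates "is this the known one-way-trust failure?" from the fallback lookup,
# so only the Get-ADGroupMember error ids reported in this issue trigger the
# alternative path; every other error is re-thrown unchanged.
# Function names and the sample error code 1234 are constructed for illustration.

# Error codes observed in this issue. Listing them explicitly, rather than
# accepting any number, keeps unrelated server errors from being masked as
# one-way-trust problems.
$script:OneWayTrustErrorCodes = @(0, 8224)

function Test-OneWayTrustGroupMemberError
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.ErrorRecord]
        $ErrorRecord
    )

    foreach ($code in $script:OneWayTrustErrorCodes)
    {
        $expectedId = 'ActiveDirectoryServer:{0},Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember' -f $code

        if ($ErrorRecord.FullyQualifiedErrorId -eq $expectedId)
        {
            return $true
        }
    }

    return $false
}

function Get-GroupMembersWithFallback
{
    [CmdletBinding()]
    param
    (
        # Primary lookup, e.g. { (Get-ADGroupMember -Identity $group).SamAccountName }.
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.ScriptBlock]
        $Primary,

        # Used only when the primary lookup fails with a recognised one-way-trust error id.
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.ScriptBlock]
        $Fallback
    )

    try
    {
        return (& $Primary)
    }
    catch
    {
        if (Test-OneWayTrustGroupMemberError -ErrorRecord $_)
        {
            Write-Verbose -Message ('Primary lookup failed with {0}; using fallback lookup.' -f $_.FullyQualifiedErrorId)
            return (& $Fallback)
        }

        # Any other failure is real and must surface to the caller.
        throw
    }
}

# Constructed ErrorRecord objects standing in for what Get-ADGroupMember raises.
function New-ConstructedAdErrorRecord
{
    param ([System.String] $ErrorId)

    $exception = [System.InvalidOperationException]::new('An operations error occurred')
    return [System.Management.Automation.ErrorRecord]::new(
        $exception, $ErrorId, [System.Management.Automation.ErrorCategory]::InvalidOperation, $null)
}

$idTemplate = 'ActiveDirectoryServer:{0},Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember'
$rec0     = New-ConstructedAdErrorRecord -ErrorId ($idTemplate -f 0)
$rec8224  = New-ConstructedAdErrorRecord -ErrorId ($idTemplate -f 8224)
$recOther = New-ConstructedAdErrorRecord -ErrorId ($idTemplate -f 1234)   # constructed, not from the issue

# Both codes from the issue are classified as one-way-trust failures and use the fallback.
foreach ($record in @($rec0, $rec8224))
{
    Get-GroupMembersWithFallback -Verbose -Primary { throw $record } -Fallback { @('FALLBACK-MEMBER') }
}

# Any other code is re-thrown, so the caller still sees the real error.
try
{
    Get-GroupMembersWithFallback -Primary { throw $recOther } -Fallback { @('FALLBACK-MEMBER') }
}
catch
{
    'Re-thrown as expected: {0}' -f $_.FullyQualifiedErrorId
}
```

Keeping the accepted codes in one explicit list is the point of the design: adding 8224 next to 0 is a one-line change, whereas matching any numeric code would also swallow unrelated directory failures and make a misconfigured group look like a successfully resolved one.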