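DSC Configuration 'AD' completed with error(s). Following are the first few: WinRM cannot process the request
I get the following error when the DSC configuration is triggered in the AD VM.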
VMExtensionProvisioningError","message":"VM has reported a failure when processing extension 'ConfigureActiveDirectory'. Error message: "DSC Configuration 'AD' completed with error(s). Following are the first few: WinRM cannot process the request. The following error with errorcode 0x80090350 occurred while using Negotiate authentication: An unknown security error occurred. \r\n Possible causes are:\r\n -The user name or password specified are invalid.\r\n -Kerberos is used when no authentication method and no user name are specified.\r\n -Kerberos accepts domain user names, but not local user names.\r\n -The Service Principal Name (SPN) for the remote computer name and port does not exist.\r\n -The client and remote computers are in different domains and there is no trust between the two domains.\r\n After checking for the above issues, try the following:\r\n -Check the Event Viewer for events related to authentication.\r\n -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.\r\n Note that computers in the TrustedHosts list might not be authenticated.\
Below is the authentication method used.
[System.Management.Automation.PSCredential]$DomainCreds = New-Object System.Management.Automation.PSCredential ("${DomainNetBiosName}\$($AdminCredentials.UserName)", $AdminCredentials.Password)
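Whenever I try to re-run the same DSC configuration on the VM, the issue does not reproduce.
I tried adding the following PS command to the script, but it did not help resolve the issue: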
winrm set winrm/config/client '@{TrustedHosts="localhost"}'
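Which VM SKU and which region did you deploy to? I hit exactly the same issue in West Europe with standard_d4_v4. However, it works with standard_d2_v4.
See this thread; nobody found out what the root cause is: ARM with DSC extension fails with a security error after reboot during creation of a new AD forest and domain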
SetScript = {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WindowsAzureGuestAgent' -Name DependOnService -Type MultiString -Value DNS
    Write-Verbose -Verbose "GuestAgent depends on DNS"
}
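Adding these lines to the code, as suggested by MS, resolved our issue.
I hit exactly the same issue. I was trying to deploy a new Windows Active Directory domain via Bicep. The PowerShell DSC configuration failed with that error. The Set-ItemProperty cmdlet above fixed the problem. I added the following to my Bicep file: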
resource setScript 'Microsoft.Compute/virtualMachines/runCommands@2021-07-01' = {
  name: 'RunCommand'
  location: location
  parent: vm
  properties: {
    asyncExecution: false
    source: {
      script: 'Set-ItemProperty -Path "HKLM:\\SYSTEM\\CurrentControlSet\\Services\\WindowsAzureGuestAgent" -Name DependOnService -Type MultiString -Value DNS'
    }
    timeoutInSeconds: 30
  }
}
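The parent is the 'Microsoft.Compute/virtualMachines@2021-03-01' resource. There is a subsequent PowerShell DSC VM extension resource that depends on this 'runCommand' resource. So the VM is created, the Set-ItemProperty command runs, and then the PowerShell DSC configuration runs.
The cmdlet sets the Windows Azure Guest Agent service to wait for the DNS Server service before it starts. Presumably, without this setting, the Windows Azure Guest Agent service starts before DNS and name resolution fails, which messes up WinRM.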
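The SetScript fragment and the Set-ItemProperty command posted in the answers above, written out as a complete DSC Script resource. This is an added example, not code from any of the posters or from Microsoft. The configuration name `GuestAgentDnsDependency` and the resource name `GuestAgentDependsOnDns` are hypothetical, and unlike the posted command it appends DNS to any existing DependOnService entries instead of overwriting them.

```powershell
# Added example; configuration and resource names are hypothetical.
Configuration GuestAgentDnsDependency {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost {
        Script GuestAgentDependsOnDns {
            # Each script block is serialized on its own, so the registry
            # path is repeated instead of shared through an outer variable.

            # Report the current dependency list of the guest agent service.
            GetScript = {
                $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WindowsAzureGuestAgent'
                $cur = (Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
                @{ Result = (@($cur) -join ',') }
            }

            # Desired state is reached once DNS is listed, so re-running
            # the configuration does not rewrite the registry value.
            TestScript = {
                $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WindowsAzureGuestAgent'
                $cur = (Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
                @($cur) -contains 'DNS'
            }

            # Append DNS to whatever dependencies are already present.
            SetScript = {
                $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WindowsAzureGuestAgent'
                $cur = (Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
                $existing = @($cur | Where-Object { $_ })
                $new = @($existing + 'DNS' | Select-Object -Unique)
                Set-ItemProperty -Path $key -Name DependOnService -Type MultiString -Value ([string[]]$new)
                Write-Verbose -Verbose "GuestAgent depends on DNS"
            }
        }
    }
}
```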