Desired State Configuration – xADDomain (Configure your domain)


It’s been a while since I published a post on this blog, mainly because I’m really busy at work 😉

So now it’s time to work on a session I’ve submitted for Microsoft ReBuild here in France. This session will focus on DSC and Azure. My first need is a domain, so I looked straight at the xADDomain resource available in the Wave kit for DSC.

The first thing to check is what the resource needs in order to work.

PS C:\PowerShell> (Get-DscResource -name xADDomain).Properties

Name                          PropertyType                                    IsMandatory Values
----                          ------------                                    ----------- ------
DomainAdministratorCredential [PSCredential]                                         True {}
DomainName                    [string]                                               True {}
SafemodeAdministratorPassword [PSCredential]                                         True {}
DependsOn                     [string[]]                                            False {}
DnsDelegationCredential       [PSCredential]                                        False {}
ParentDomainName              [string]                                              False {}


Another thing to look at is the syntax you’ll have to use in your DSC script.

PS C:\PowerShell> Get-DscResource -name xADDomain -Syntax
xADDomain [string] #ResourceName
    DomainAdministratorCredential = [PSCredential]
    DomainName = [string]
    SafemodeAdministratorPassword = [PSCredential]
    [ DependsOn = [string[]] ]
    [ DnsDelegationCredential = [PSCredential] ]
    [ ParentDomainName = [string] ]


Another essential step is to import the custom DSC resource! If you leave this line out of your script, no error is printed on screen, but no action is initiated either.

Import-DSCResource -ModuleName "C:\Program Files\WindowsPowerShell\Modules\xActiveDirectory"


Ah, and by the way, you will have to put the credential in your script; using Get-Credential won’t do the trick, as the error below shows.

PS C:\PowerShell> C:\PowerShell\addomain.ps1
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
ConvertTo-MOFInstance : System.InvalidOperationException error processing property 
'DomainAdministratorCredential' OF TYPE 'xADDomain': Converting and storing encrypted 
passwords as plain text is not recommended for security reasons. If you understand 
the risks, you can add a property named “PSDscAllowPlainTextPassword” with a value of 
“$true” to your DSC configuration data, for each node where you want to allow plain 
text passwords. For more information about DSC configuration data, see the TechNet 
Library topic,
At C:\PowerShell\addomain.ps1:9 char:9
+   xADDomain
At line:180 char:16
+     $aliasId = ConvertTo-MOFInstance $keywordName $canonicalizedValue
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], InvalidOperationEx 
    + FullyQualifiedErrorId : FailToProcessProperty,ConvertTo-MOFInstance
Errors occurred while processing configuration 'AD'.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDe
siredStateConfiguration.psm1:2203 char:5
+     throw $errorRecord
+     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (AD:String) [], InvalidOperationExcep 
    + FullyQualifiedErrorId : FailToProcessConfiguration

If you follow the link provided in the error, the solution becomes very clear:

$ConfigData = @{
    AllNodes = @(
        # Allows the credential for srv01 to be written to the MOF file in plain text
        @{ NodeName="srv01"; PSDscAllowPlainTextPassword = $true }
    )
}

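Thanks to this, you can now use the following in your DSC script to create the MOF file. Keep in mind that, as the error message says, the password then ends up in the MOF file in plain text.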

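    # $password is used instead of $pwd, which is PowerShell's automatic "current location" variable
    $password = ConvertTo-SecureString "Test12345!1" -AsPlainText -Force
    $creds = New-Object System.Management.Automation.PSCredential ("Administrator", $password)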


Now, let’s take a look at the dependencies needed to get this MOF file pushed successfully by DSC.

First, navigate to C:\Program Files\WindowsPowerShell\Modules\xActiveDirectory\DSCResources\MSFT_xADDomain\MSFT_xADDomain.ps1 and open it in an editor.

The function we are looking for is named Set-TargetResource. Look at what it contains: Install-ADDSDomain! So our DSC script needs every Windows feature required to create or administer a domain with PowerShell.

And now you can use the following script to do the job for you !

$ConfigData = @{
    AllNodes = @(
        # Allows the credential for srv01 to be written to the MOF file in plain text
        @{ NodeName="srv01"; PSDscAllowPlainTextPassword = $true }
    )
}

configuration AD {
    Import-DSCResource -ModuleName "C:\Program Files\WindowsPowerShell\Modules\xActiveDirectory"
    # Credential built in the script ($password avoids shadowing the automatic variable $pwd)
    $password = ConvertTo-SecureString "Test12345!1" -AsPlainText -Force
    $creds = New-Object System.Management.Automation.PSCredential ("Administrator", $password)
    Node srv01  {
        # Role and management tools needed to create and administer the domain
        WindowsFeature AD-Domain-Services {
            Ensure = "Present"
            Name   = "AD-Domain-Services"
        }
        WindowsFeature RSAT-AD-AdminCenter {
            Ensure = "Present"
            Name   = "RSAT-AD-AdminCenter"
        }
        WindowsFeature RSAT-ADDS {
            Ensure = "Present"
            Name   = "RSAT-ADDS"
        }
        WindowsFeature RSAT-AD-PowerShell {
            Ensure = "Present"
            Name   = "RSAT-AD-PowerShell"
        }
        WindowsFeature RSAT-AD-Tools {
            Ensure = "Present"
            Name   = "RSAT-AD-Tools"
        }
        WindowsFeature RSAT-Role-Tools {
            Ensure = "Present"
            Name   = "RSAT-Role-Tools"
        }
        # The domain is created only once the AD DS role is installed
        xADDomain reBUILD {
            DomainAdministratorCredential = $creds
            DomainName = "reBUILD.local"
            SafemodeAdministratorPassword = $creds
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }
    }
}

# Compile the configuration into a MOF file
AD -ConfigurationData $ConfigData

Now, as always with DSC, you have to run Start-DSCConfiguration -Path <yourpath> to apply the configuration.

I hope this helps you use and understand DSC.
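
With PSDscAllowPlainTextPassword the administrator and safe mode passwords sit in clear text in both the script and the generated MOF file. The variant below is an added example, not part of the original post: it encrypts the credentials in the MOF with a certificate and takes them as parameters instead of hardcoding them. It assumes srv01 already holds a certificate with its private key that is usable for encryption; the .cer path, the output path and the thumbprint are placeholders.

```powershell
# Added example: certificate-encrypted credentials instead of PSDscAllowPlainTextPassword.
# Assumption: the public key of srv01's certificate was exported to C:\PowerShell\srv01.cer
# on the machine that compiles the configuration.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'srv01'
            CertificateFile = 'C:\PowerShell\srv01.cer'      # assumed path, public key only
            Thumbprint      = '<THUMBPRINT-OF-SRV01-CERT>'   # placeholder, not a real value
        }
    )
}

configuration ADEncrypted {
    param (
        [Parameter(Mandatory)] [PSCredential] $DomainCredential,
        [Parameter(Mandatory)] [PSCredential] $SafemodeCredential
    )
    Import-DscResource -ModuleName xActiveDirectory

    Node $AllNodes.NodeName {
        # Tells the LCM on the node which certificate decrypts the credentials.
        LocalConfigurationManager {
            CertificateId = $Node.Thumbprint
        }
        WindowsFeature AD-Domain-Services {
            Ensure = 'Present'
            Name   = 'AD-Domain-Services'
        }
        xADDomain reBUILD {
            DomainName                    = 'reBUILD.local'
            DomainAdministratorCredential = $DomainCredential
            SafemodeAdministratorPassword = $SafemodeCredential
            DependsOn                     = '[WindowsFeature]AD-Domain-Services'
        }
    }
}

# Credentials are prompted for at compile time and never appear in the script.
ADEncrypted -ConfigurationData $ConfigData -OutputPath C:\PowerShell\ADEncrypted `
    -DomainCredential (Get-Credential -Message 'Domain administrator') `
    -SafemodeCredential (Get-Credential -Message 'DSRM (safe mode) password')

# Push the meta-configuration (CertificateId) first, then the configuration itself.
Set-DscLocalConfigurationManager -Path C:\PowerShell\ADEncrypted -Verbose
Start-DscConfiguration -Path C:\PowerShell\ADEncrypted -Wait -Verbose
```

Opening the generated srv01.mof afterwards should show the Password values as encrypted blobs rather than the clear-text password.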

See ya !