Details of the scenario you tried and the problem that is occurring
With the current implementation of xADDomainTrust (nor with the refactored version in PR #423) it is not possible to change the trust type. This was detected when creating integration tests.
The problem is that it is using the type [System.DirectoryServices.ActiveDirectory.Domain] or the type [System.DirectoryServices.ActiveDirectory.Forest] on which it calls the method GetTrustRelationship(). But if there already is a trust with the trust type 'Domain' and the trust should have the trust type 'Forest' the code will use the [System.DirectoryServices.ActiveDirectory.Forest] type (since the parameter TrustType = 'Forest') and no trust will be detected.
The result is that it wants to create a new trust when there already is one. The logic to recreate the trust is never called since there is no logic to check if there is a trust with either type.
Verbose logs showing the problem
Context When using configuration MSFT_xADDomainTrust_ChangeTrustType_Config
WARNING: It is not recommended to use domain credential for node 'localhost'. In order to suppress the warning, you can add a property named 'PSDscAllowDomainUser' with a value of $true to your DSC configuration data for node 'localhost'.
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer CLDC03 with user sid S-1-5-21-1619467470-1459113476-3809063323-500.
VERBOSE: [CLDC03]: LCM: [ Start Set ]
VERBOSE: [CLDC03]: [DSCEngine] Importing the module C:\Source\xActiveDirectory\DscResources\MSFT_xADDomainTrust\MSFT_xADDomainTrust.psm1 in force mode.
VERBOSE: [CLDC03]: LCM: [ Start Resource ] [[xADDomainTrust]Integration_Test]
VERBOSE: [CLDC03]: LCM: [ Start Test ] [[xADDomainTrust]Integration_Test]
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Importing the module MSFT_xADDomainTrust in force mode.
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Determining the current state of the Active Directory trust with source domain 'contoso.com', target domain 'lab.local' and context type 'Forest'. (ADDT0007)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The type 'System.DirectoryServices.ActiveDirectory.DirectoryContext' is already loaded into the PowerShell session. (ADCOMMON0043)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Get a new Active Directory context of the type 'Forest'. (ADCOMMON0046)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will target 'lab.local'. (ADCOMMON0047)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will be accessed using the 'LAB\Administrator' credentials. (ADCOMMON0048)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The type 'System.DirectoryServices.ActiveDirectory.DirectoryContext' is already loaded into the PowerShell session. (ADCOMMON0043)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Get a new Active Directory context of the type 'Forest'. (ADCOMMON0046)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will target 'contoso.com'. (ADCOMMON0047)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Determining if the trust between the 'contoso.com' and the 'lab.local' with the context type 'Forest' exists. (ADDT0001)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] There is no trust between domains 'contoso.com' and 'lab.local' with the context type 'Forest'. (ADDT0006)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Evaluating the state of the property 'Ensure'. (ADCOMMON0003)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] String value does not match. Current value is 'Absent', but expected the value 'Present'. (ADCOMMON0008)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The parameter 'Ensure' is not in desired state. (ADCOMMON0005)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Evaluating the state of the property 'TrustDirection'. (ADCOMMON0003)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] String value does not match. Current value is '', but expected the value 'Bidirectional'. (ADCOMMON0008)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The parameter 'TrustDirection' is not in desired state. (ADCOMMON0005)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Evaluating the state of the property 'TrustType'. (ADCOMMON0003)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] String value does not match. Current value is '', but expected the value 'Forest'. (ADCOMMON0008)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The parameter 'TrustType' is not in desired state. (ADCOMMON0005)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory trust is not in the desired state. (ADDT0009)
VERBOSE: [CLDC03]: LCM: [ End Test ] [[xADDomainTrust]Integration_Test] in 0.1400 seconds.
VERBOSE: [CLDC03]: LCM: [ Start Set ] [[xADDomainTrust]Integration_Test]
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Importing the module MSFT_xADDomainTrust in force mode.
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The type 'System.DirectoryServices.ActiveDirectory.DirectoryContext' is already loaded into the PowerShell session. (ADCOMMON0043)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Get a new Active Directory context of the type 'Forest'. (ADCOMMON0046)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will target 'lab.local'. (ADCOMMON0047)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will be accessed using the 'LAB\Administrator' credentials. (ADCOMMON0048)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The type 'System.DirectoryServices.ActiveDirectory.DirectoryContext' is already loaded into the PowerShell session. (ADCOMMON0043)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Get a new Active Directory context of the type 'Forest'. (ADCOMMON0046)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will target 'contoso.com'. (ADCOMMON0047)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The type 'System.DirectoryServices.ActiveDirectory.DirectoryContext' is already loaded into the PowerShell session. (ADCOMMON0043)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Get a new Active Directory context of the type 'Forest'. (ADCOMMON0046)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will target 'lab.local'. (ADCOMMON0047)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will be accessed using the 'LAB\Administrator' credentials. (ADCOMMON0048)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The type 'System.DirectoryServices.ActiveDirectory.DirectoryContext' is already loaded into the PowerShell session. (ADCOMMON0043)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Get a new Active Directory context of the type 'Forest'. (ADCOMMON0046)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will target 'contoso.com'. (ADCOMMON0047)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Determining if the trust between the 'contoso.com' and the 'lab.local' with the context type 'Forest' exists. (ADDT0001)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] There is no trust between domains 'contoso.com' and 'lab.local' with the context type 'Forest'. (ADDT0006)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Evaluating the state of the property 'Ensure'. (ADCOMMON0003)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] String value does not match. Current value is 'Absent', but expected the value 'Present'. (ADCOMMON0008)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The parameter 'Ensure' is not in desired state. (ADCOMMON0005)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Evaluating the state of the property 'TrustDirection'. (ADCOMMON0003)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] String value does not match. Current value is '', but expected the value 'Bidirectional'. (ADCOMMON0008)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The parameter 'TrustDirection' is not in desired state. (ADCOMMON0005)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Evaluating the state of the property 'TrustType'. (ADCOMMON0003)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] String value does not match. Current value is '', but expected the value 'Forest'. (ADCOMMON0008)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The parameter 'TrustType' is not in desired state. (ADCOMMON0005)
[-] Should compile and apply the MOF without throwing 1.35s
Expected no exception to be thrown, but an exception "Exception calling "CreateTrustRelationship" with "2" argument(s): "A forest trust relationship exists between "contoso.com" and "lab.local"."" was thrown from C:\Source\xActiveDirectory\Tests\Integration\MSFT_xADDomainTrust.Integration.Tests.ps1:161 char:21
+ ... Start-DscConfiguration @startDscConfigurationParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
162: } | Should -Not -Throw
at <ScriptBlock>, C:\Source\xActiveDirectory\Tests\Integration\MSFT_xADDomainTrust.Integration.Tests.ps1: line 143
VERBOSE: An LCM method call arrived from computer CLDC03 with user sid S-1-5-21-1619467470-1459113476-3809063323-500.
WARNING: [CLDC03]: [] The GET operation will be carried against a pending configuration since the latest configuration has not converged yet.
VERBOSE: [CLDC03]: [DSCEngine] Importing the module C:\Source\xActiveDirectory\DscResources\MSFT_xADDomainTrust\MSFT_xADDomainTrust.psm1 in force mode.
VERBOSE: [CLDC03]: LCM: [ Start Get ]
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Importing the module MSFT_xADDomainTrust in force mode.
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The type 'System.DirectoryServices.ActiveDirectory.DirectoryContext' is already loaded into the PowerShell session. (ADCOMMON0043)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Get a new Active Directory context of the type 'Forest'. (ADCOMMON0046)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will target 'lab.local'. (ADCOMMON0047)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will be accessed using the 'LAB\Administrator' credentials. (ADCOMMON0048)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The type 'System.DirectoryServices.ActiveDirectory.DirectoryContext' is already loaded into the PowerShell session. (ADCOMMON0043)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Get a new Active Directory context of the type 'Forest'. (ADCOMMON0046)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] The Active Directory context will target 'contoso.com'. (ADCOMMON0047)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] Determining if the trust between the 'contoso.com' and the 'lab.local' with the context type 'Forest' exists. (ADDT0001)
VERBOSE: [CLDC03]: [[xADDomainTrust]Integration_Test] There is no trust between domains 'contoso.com' and 'lab.local' with the context type 'Forest'. (ADDT0006)
VERBOSE: [CLDC03]: LCM: [ End Get ] [[xADDomainTrust]Integration_Test] in 0.0780 seconds.
VERBOSE: [CLDC03]: LCM: [ End Get ] in 0.1560 seconds.
[+] Should be able to call Get-DscConfiguration without throwing 555ms
[-] Should have set the resource and all the parameters should match 25ms
Expected strings to be the same, but they were different.
Expected length: 7
Actual length: 6
Strings differ at index 0.
Expected: 'Present'
But was: 'Absent'
177: $resourceCurrentState.Ensure | Should -Be 'Present'
at <ScriptBlock>, C:\Source\xActiveDirectory\Tests\Integration\MSFT_xADDomainTrust.Integration.Tests.ps1: line 177
Suggested solution to the issue
Option 1
Add logic to call the method GetTrustRelationship() for both the types [System.DirectoryServices.ActiveDirectory.Domain] and [System.DirectoryServices.ActiveDirectory.Forest] in Get-TargetResource to really determine if there is a trust present.
Option 2
Use the cmdlet Get-ADTrust available in the ActiveDirectory PowerShell module. It will return the trust regardless of trust type.
The cmdlet Get-ADTrust will fail if the trust does not exist.
The DSC configuration that is used to reproduce the issue (as detailed as possible)
The operating system the target node is running
Windows Server 2019
Version and build of PowerShell the target node is running
n/a
Version of the DSC module that was used ('dev' if using current dev branch)
Dev
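Option 1 as an added sketch, not code from the xADDomainTrust resource: the hypothetical helper Find-ExistingTrust probes both context types, so an existing trust is reported whatever TrustType the configuration requests. It assumes the caller can read the source domain without explicit credentials.

```powershell
# Added example; Find-ExistingTrust is a hypothetical helper name.
function Find-ExistingTrust
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)] [System.String] $SourceDomainName,
        [Parameter(Mandatory = $true)] [System.String] $TargetDomainName
    )

    Add-Type -AssemblyName 'System.DirectoryServices'
    $notFound = [System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException]

    # Probe both context types instead of only the one named by TrustType.
    foreach ($contextType in 'Domain', 'Forest')
    {
        $type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType] $contextType
        $context = New-Object -TypeName 'System.DirectoryServices.ActiveDirectory.DirectoryContext' `
            -ArgumentList @($type, $SourceDomainName)

        try
        {
            if ($contextType -eq 'Domain')
            {
                $source = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context)
            }
            else
            {
                $source = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($context)
            }

            $trust = $source.GetTrustRelationship($TargetDomainName)

            # Report which context type actually holds the trust.
            return [PSCustomObject] @{
                ContextType    = $contextType
                TrustDirection = $trust.TrustDirection
                TrustType      = $trust.TrustType
            }
        }
        catch
        {
            # "Not found" for this context type is expected; anything else is a real failure.
            if ($_.Exception.GetBaseException() -isnot $notFound) { throw }
        }
    }

    return $null   # no trust of either kind exists
}
# Find-ExistingTrust -SourceDomainName 'contoso.com' -TargetDomainName 'lab.local'
```

A result whose ContextType differs from the requested TrustType is the case the issue describes: the trust exists and has to be recreated, not created.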