
Get-AzStorageAccountADObject : AD object is of unsupported object class domainDNS computer.

Open fang64 opened this issue 3 years ago • 2 comments

I've rattled my head trying to figure out what is causing this error, as I've done this quite a few times. I initially thought it was Windows Server 2022 but regressed versions and even attempted to change Az module versions. Then I tried a few different versions of the AzFilesHybrid module. It keeps producing this error. At best, after digging around trying to make it work:

```
Get-AzStorageAccountADObject : AD object is of unsupported object class domainDNS computer.
At C:\Users\<user>\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.4.0\AzFilesHybrid.psm1:3545 char:33
    $azureStorageIdentity = Get-AzStorageAccountADObject
                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AzStorageAccountADObject
```

I got to a point where I tested the function that the error seems to come from:

```
Get-AzStorageAccountActiveDirectoryProperties : ActiveDirectoryProperties is not set for storage account 'storageacct' in resource group 'production'. To set the properties, please use cmdlet Set-AzStorageAccount if the account is already associated with an Active Directory, or use cmdlet Join-AzStorageAccountForAuth to join the account to an Active Directory (https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable)
At C:\Users\user\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.4.0\AzFilesHybrid.psm1:2678 char:46
    ... DirectoryProperties = Get-AzStorageAccountActiveDirectoryProperties
                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AzStorageAccountActiveDirectoryProperties
```

I'm not entirely sure what's triggering the errors. It does manage to create the computer account or service principal, but every time it fails to do something. I am following the instructions as per https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable#run-join-azstorageaccount

fang64 commented Mar 18 '22 18:03

As a workaround for anyone in the future who might run into this: follow the instructions at https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable#run-join-azstorageaccount

You will absolutely get the domainDNS error; there is nothing you can do about it, but in the same PowerShell session, add the following:

```powershell
# Locate the computer object that Join-AzStorageAccountForAuth created for the storage account
$StorageAccountADCN  = (Get-ADComputer -Identity $StorageAccountName).DistinguishedName
$StorageAccountADSID = (Get-ADComputer -Identity $StorageAccountName).SID.Value

# Generate the kerb1 key on the storage account and read it back
New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1
$KerbKey = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ListKerbKey |
    Where-Object { $_.KeyName -eq "kerb1" }

# Set the AD computer account password to the kerb1 key value
# (use .Value: $KerbKey itself is a key object, not the key string)
$NewPassword = ConvertTo-SecureString -String $KerbKey.Value -AsPlainText -Force
Set-ADAccountPassword -Identity $StorageAccountADCN -Reset -NewPassword $NewPassword
```

Then run the steps at https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable#enable-the-feature-on-your-storage-account

For whatever reason that function is broken now in the latest modules and AzFilesHybrid; if someone can figure out what is wrong with Get-AzStorageAccountActiveDirectoryProperties, I think it would be helpful. I think it might be related to Windows 2019/2022, but I am unsure. After trying various combinations of Install-Module with RequiredVersion to try and make it work, I was unable to.

Then roll the Kerberos keys:

```powershell
Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
```

You can confirm it worked by running:

```powershell
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose
```

fang64 commented Mar 19 '22 14:03

Hi, just ran into this issue myself in our own domain.

One thing I noticed is that our storage account has the same name as a part of our internal AD DS domain. Looking at the module's PS file, I think the issue is that the script returns whatever object correlates to the name of the storage account; in our case it returned the domainDNS object, so our internal AD DS root object. Using a storage account with a different name brought up no errors.

Currently I'm unable to really pin it down to the specific line, but after the computer object for the storage account is created the script should ONLY check for computer objects and NOT for domainDNS entries.

Theragus commented Oct 26 '22 17:10
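A check for the name collision described in the comment above, as an added example that is not part of AzFilesHybrid or the azure-files-samples repository. The function name is hypothetical; it assumes the ActiveDirectory module (Get-ADObject) is available and that the caller can read the domain. It performs the same broad name-only lookup that can return the domainDNS object, reports any hit whose object class is not one of the computer/user classes the module expects, and then shows the narrowed LDAP lookup that restricts the match to those classes.

```powershell
# Added example (hypothetical helper, not module code). Requires the ActiveDirectory module.
function Test-StorageAccountADNameCollision {
    param(
        [Parameter(Mandatory)] [string]   $StorageAccountName,
        [string[]] $AllowedObjectClass = @('computer', 'user')   # object types AzFilesHybrid expects
    )

    # Broad lookup: every AD object whose Name equals the storage account name.
    # A domainDNS object (the domain root) is named after the first DNS label of the
    # domain, so a storage account with that name is matched here as well.
    $found = @(Get-ADObject -Filter "Name -eq '$StorageAccountName'")

    $expected  = @($found | Where-Object { $AllowedObjectClass -contains $_.ObjectClass })
    $colliding = @($found | Where-Object { $AllowedObjectClass -notcontains $_.ObjectClass })

    foreach ($obj in $colliding) {
        Write-Warning ("Name '{0}' also matches a {1} object: {2}" -f
            $StorageAccountName, $obj.ObjectClass, $obj.DistinguishedName)
    }

    # Narrowed lookup: same name, but only the object classes the module should accept.
    # Assumption: the ldap filter is built from the allowed classes passed above.
    $classFilter = ($AllowedObjectClass | ForEach-Object { "(objectClass=$_)" }) -join ''
    $narrowed = @(Get-ADObject -LDAPFilter "(&(name=$StorageAccountName)(|$classFilter))")

    [pscustomobject]@{
        StorageAccountName = $StorageAccountName
        BroadMatchCount    = $found.Count
        CollidingClasses   = @($colliding | ForEach-Object ObjectClass | Sort-Object -Unique)
        HasCollision       = ($colliding.Count -gt 0)
        NarrowedMatchDN    = @($narrowed | ForEach-Object DistinguishedName)
        ExpectedObjectDN   = @($expected | ForEach-Object DistinguishedName)
    }
}

# Usage (replace with your own storage account name):
# Test-StorageAccountADNameCollision -StorageAccountName 'storageacct'
```

A result with HasCollision set to true and 'domainDNS' in CollidingClasses reproduces the situation in this thread; NarrowedMatchDN shows which object a class-restricted lookup would have returned instead.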