
win_domain_user: The server is not operational

Open rooso opened this issue 4 years ago • 9 comments

SUMMARY

If a domain controller is shut down for maintenance or similar reasons, a new user sometimes cannot be created. The parameter "domain_server" is not used for the command "Get-ADPrincipalGroupMembership". It should be "Get-ADPrincipalGroupMembership -Server YOURDC -ResourceContextServer YOURDC" when a "domain_server" is passed.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

win_domain_user

ANSIBLE VERSION
2.9.6
CONFIGURATION
DEFAULT_HOST_LIST(/mnt/c/git/ansible/ansible.cfg) = [u'/mnt/c/Git/ansible/environments/XXX-XXX/inventory']
DEFAULT_ROLES_PATH(/mnt/c/git/ansible/ansible.cfg) = [u'/mnt/c/git/ansible/roles']
OS / ENVIRONMENT

Targeted Domain Controller has Windows Server 2012 R2

STEPS TO REPRODUCE
Shut down a domain controller and create a user:

- name: Ensure user bob is present in OU ou=test,dc=domain,dc=local
  win_domain_user:
    name: bob
    password: YOURPASSWORD
    state: present
    path: OU=Users,OU=Test,DC=YOURDOMAIN,DC=ch
    domain_server: YOURDC
  delegate_to: YOURSERVER
EXPECTED RESULTS

A user should be created even if some domain controller is shut down, when a specific domain controller is targeted.

ACTUAL RESULTS
TASK [windows-admins : Ensure user bob is present in OU ou=test,dc=domain,dc=local] ***********************************************************************************************
task path: /mnt/c/git/ansible/roles/windows-admins/tasks/main.yml:27
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_domain_user.ps1
Pipelining is enabled.
<YOURDC.local> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO YOURDC.local
EXEC (via pipeline wrapper)
The full traceback is:
The server is not operational
At line:355 char:25
+ ...  ($group in (Get-ADPrincipalGroupMembership $username @extra_args)) {
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (bob:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8250,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 355

Microsoft.ActiveDirectory.Management.ADException: The server is not operational ---> System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADPrincipalGroupMembershipFault]: Active Directory returned an error processing the operation.

Server stack trace: 
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADPrincipalGroupMembership(GetADPrincipalGroupMembershipRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADPrincipalGroupMembership(GetADPrincipalGroupMembershipRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADPrincipalGroupMembership(GetADPrincipalGroupMembershipRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADPrincipalGroupMembership(ADSessionHandle handle, GetADPrincipalGroupMembershipRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetPrincipalGroupMembership(String partitionDN, String principalDN, String resourceContextServer, String resourceContextPartition)
   at Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership.GetGroupMembershipProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
fatal: [YOURDC.local -> YOURDC.local]: FAILED! => {
    "changed": false, 
    "msg": "Unhandled exception while executing module: The server is not operational"
}

rooso avatar Apr 06 '20 19:04 rooso

Looks like this specific line has changed in recent versions but we do set -Server {{ domain_server }} for that cmdlet call. You can see in the error message the @extra_args value, this is splatting the Server option as defined at https://github.com/ansible-collections/community.windows/blob/a5414cb0e4ca73a4d19061c20410397e4c6ed18e/plugins/modules/win_domain_user.ps1#L118-L126. Maybe you are using an older version where this was a recently fixed bug, so I suggest you try out the latest code and see if it's still a problem.

You state you've shut down the domain controller; is the DC defined in domain_server another controller or the same one you've shut down? If it's the latter then I don't see how defining the explicit server helps. You've shut it down so it won't be available to talk to.

jborean93 avatar Apr 06 '20 20:04 jborean93

Thanks for your fast reply. The issue isn't with the $extra_args.server or in Posh with the "-Server" parameter. However, this seems not to be enough for Get-ADPrincipalGroupMembership. As soon as I add the "-ResourceContextServer" to the module everything seems fine.

I am not pointing the domain_server to a DC which is shut down.

Two of five DCs are actually shut down. They are waiting to be demoted. I do not have another environment to test; I could get back after demoting them to confirm that the shutdown was the problem.

As I said above, as soon as I add "-ResourceContextServer" and pass the $domain_server value to this param, everything works fine.

rooso avatar Apr 06 '20 20:04 rooso

Can you add the WMF version you have installed on the server you are running on? You mentioned the target server is 2012 R2; is that the DC or the server you are running the commands on?

ShachafGoldstein avatar Apr 09 '20 08:04 ShachafGoldstein

The Domain Controller is Windows Server 2012 R2 and has WMF 4.0, but I guess this doesn't matter. The target server (delegate_to) is Windows Server 2016 and has WMF 5.1.14393.3471.

rooso avatar Apr 10 '20 08:04 rooso

It seems that after 2012 R2 there was a change to the cmdlet. Is it possible for you to test directly on the DC or another 2012 R2? If this is indeed a problem specific to 2016 and above, we should give an appropriate solution to those without breaking backward compatibility.


ShachafGoldstein avatar Apr 10 '20 08:04 ShachafGoldstein

I've done that, as well as directly on the Windows Server 2012 R2 DC: Unhandled exception while executing module: The server is not operational

Tried it with and without delegate_to and domain_server. Maybe this is an issue just in my environment ...

rooso avatar Apr 14 '20 14:04 rooso

I have the same problem. Was it resolved? If yes, please provide the solution.

larrybg avatar Oct 20 '20 13:10 larrybg

@larrybg I have opened a pull request to fix this issue for further usage. So far you could just change line 131 of the file win_domain_user.ps1 from `$groups = Get-ADPrincipalGroupMembership -Identity $identity @args_extra -ErrorAction Stop` to `$groups = Get-ADPrincipalGroupMembership -Identity $identity @args_extra -ResourceContextServer $domain_server -ErrorAction Stop`. After that change it should work as expected.

rooso avatar Oct 21 '20 05:10 rooso
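The two points made in this thread, the -Server splat that jborean93 describes and the -ResourceContextServer workaround rooso posted above, put together as an added example. This is not code from community.windows or from any commenter; the function name Get-PinnedGroupMembership, the parameter names and the DC host name in the usage line are invented for illustration, and it assumes the ActiveDirectory module is installed on the host running it. It pins both parameters to the same domain controller and, if the ADWS group-membership call still fails, falls back to reading the memberOf attribute from that same DC:

```powershell
# Added example, not the module's own code.
# Demonstrates the workaround discussed in this thread: pass the same DC to both
# -Server and -ResourceContextServer when reading a principal's group membership,
# and fall back to a plain memberOf read against that DC if the ADWS call still fails.
# Assumptions: ActiveDirectory module available; $DomainServer is a reachable DC of
# the user's domain; $Credential is optional. Function and parameter names are invented.

function Get-PinnedGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $DomainServer,
        [pscredential] $Credential
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Same shape as the module's extra_args/ADParams splat: -Server plus optional -Credential.
    $adParams = @{ Server = $DomainServer }
    if ($Credential) { $adParams.Credential = $Credential }

    try {
        # -ResourceContextServer keeps the membership resolution on the pinned DC too,
        # instead of leaving that choice to the cmdlet (which is where the thread's
        # "The server is not operational" ADException surfaced).
        Get-ADPrincipalGroupMembership -Identity $Identity @adParams `
            -ResourceContextServer $DomainServer -ErrorAction Stop |
            Select-Object -ExpandProperty DistinguishedName
    }
    catch {
        # Fallback: memberOf is a single attribute read from $DomainServer only.
        # Caveat: memberOf does not include the primary group (e.g. Domain Users),
        # whereas Get-ADPrincipalGroupMembership does, so compare accordingly.
        Write-Warning "Get-ADPrincipalGroupMembership failed against $DomainServer ($($_.Exception.Message)); falling back to memberOf"
        (Get-ADUser -Identity $Identity -Properties memberOf @adParams -ErrorAction Stop).memberOf
    }
}

# Usage (hypothetical DC name):
# Get-PinnedGroupMembership -Identity 'bob' -DomainServer 'dc01.yourdomain.ch'
```

When using the fallback in an idempotency check like the module's group comparison, remember that the primary group is missing from memberOf, so a user's "Domain Users" membership would otherwise look like a change on every run.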

thanks @rooso , I'll try that

larrybg avatar Oct 21 '20 12:10 larrybg

The win_domain_user module has been deprecated by https://github.com/ansible-collections/community.windows/pull/516 in favour of microsoft.ad.user. See the migration guide for more info on how to change your code to use the newer module.

The code that calls Get-ADPrincipalGroupMembership is used with the @ADParams splat which will contain the -Server and optional -Credential if specified by the module options.

jborean93 avatar May 29 '23 04:05 jborean93