ADComputer: Not restoring deleted object #498

johlju · 2019-09-03T12:41:20Z

Details of the scenario you tried and the problem that is occurring

When removing a computer account and then trying to restore the deleted computer account it fails and instead a new computer object is created.

Verbose logs showing the problem

    Context When using configuration MSFT_ADComputer_RemoveComputerAccount1_Config
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer DC01 with user sid S-1-5-21-530133819-3181352061-503517500-500.
VERBOSE: [DC01]: LCM:  [ Start  Set      ]
VERBOSE: [DC01]:                            [DSCEngine] Importing the module C:\source\ActiveDirectoryDsc\DscResources\MSFT_ADComputer\MSFT_ADComputer.psm1 in force mode.
VERBOSE: [DC01]: LCM:  [ Start  Resource ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]: LCM:  [ Start  Test     ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Importing the module MSFT_ADComputer in force mode.
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Determining the current state of the computer account 'DSCINTEGTEST01'. (ADC0006)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Retrieving the information about the computer account 'DSCINTEGTEST01' from Active Directory. (ADC0002)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is present in Active Directory. (ADC0003)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is present in Active Directory, but expected it to be absent. (ADC0007)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is not in the desired state. (ADC0012)
VERBOSE: [DC01]: LCM:  [ End    Test     ]  [[ADComputer]Integration_Test]  in 0.3590 seconds.
VERBOSE: [DC01]: LCM:  [ Start  Set      ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Importing the module MSFT_ADComputer in force mode.
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Retrieving the information about the computer account 'DSCINTEGTEST01' from Active Directory. (ADC0002)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is present in Active Directory. (ADC0003)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Removing the computer account 'DSCINTEGTEST01' from Active Directory. (ADC0025)
VERBOSE: [DC01]: LCM:  [ End    Set      ]  [[ADComputer]Integration_Test]  in 0.9060 seconds.
VERBOSE: [DC01]: LCM:  [ End    Resource ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]: LCM:  [ End    Set      ]
VERBOSE: [DC01]: LCM:  [ End    Set      ]    in  1.7810 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.137 seconds
      [+] Should compile and apply the MOF without throwing 2.38s
VERBOSE: An LCM method call arrived from computer DC01 with user sid S-1-5-21-530133819-3181352061-503517500-500.
VERBOSE: [DC01]:                            [DSCEngine] Importing the module C:\source\ActiveDirectoryDsc\DscResources\MSFT_ADComputer\MSFT_ADComputer.psm1 in force mode.
VERBOSE: [DC01]: LCM:  [ Start  Get      ]
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Importing the module MSFT_ADComputer in force mode.
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Retrieving the information about the computer account 'DSCINTEGTEST01' from Active Directory. (ADC0002)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is absent from Active Directory. (ADC0004)
VERBOSE: [DC01]: LCM:  [ End    Get      ]  [[ADComputer]Integration_Test]  in 0.2500 seconds.
VERBOSE: [DC01]: LCM:  [ End    Get      ]    in  0.7040 seconds.
      [+] Should be able to call Get-DscConfiguration without throwing 1.59s
      [+] Should have set the resource and all the parameters should match 58ms
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = TestConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer DC01 with user sid S-1-5-21-530133819-3181352061-503517500-500.
VERBOSE: [DC01]: LCM:  [ Start  Test     ]
VERBOSE: [DC01]:                            [DSCEngine] Importing the module C:\source\ActiveDirectoryDsc\DscResources\MSFT_ADComputer\MSFT_ADComputer.psm1 in force mode.
VERBOSE: [DC01]: LCM:  [ Start  Resource ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]: LCM:  [ Start  Test     ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Importing the module MSFT_ADComputer in force mode.
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Determining the current state of the computer account 'DSCINTEGTEST01'. (ADC0006)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Retrieving the information about the computer account 'DSCINTEGTEST01' from Active Directory. (ADC0002)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is absent from Active Directory. (ADC0004)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is in the desired state. (ADC0011)
VERBOSE: [DC01]: LCM:  [ End    Test     ]  [[ADComputer]Integration_Test] True in 0.3440 seconds.
VERBOSE: [DC01]: LCM:  [ End    Resource ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]: LCM:  [ End    Test     ]     Completed processing test operation. The operation returned True.
VERBOSE: [DC01]: LCM:  [ End    Test     ]    in  0.7970 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 1.795 seconds
      [+] Should return $true when Test-DscConfiguration is run 1.83s

    Context When using configuration MSFT_ADComputer_RestoreComputerAccount1_Config
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer DC01 with user sid S-1-5-21-530133819-3181352061-503517500-500.
VERBOSE: [DC01]: LCM:  [ Start  Set      ]
VERBOSE: [DC01]:                            [DSCEngine] Importing the module C:\source\ActiveDirectoryDsc\DscResources\MSFT_ADComputer\MSFT_ADComputer.psm1 in force mode.
VERBOSE: [DC01]: LCM:  [ Start  Resource ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]: LCM:  [ Start  Test     ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Importing the module MSFT_ADComputer in force mode.
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Determining the current state of the computer account 'DSCINTEGTEST01'. (ADC0006)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Retrieving the information about the computer account 'DSCINTEGTEST01' from Active Directory. (ADC0002)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is absent from Active Directory. (ADC0004)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is absent in Active Directory, but expected it to be present. (ADC0008)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is not in the desired state. (ADC0012)
VERBOSE: [DC01]: LCM:  [ End    Test     ]  [[ADComputer]Integration_Test]  in 0.2820 seconds.
VERBOSE: [DC01]: LCM:  [ Start  Set      ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Importing the module MSFT_ADComputer in force mode.
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Retrieving the information about the computer account 'DSCINTEGTEST01' from Active Directory. (ADC0002)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is absent from Active Directory. (ADC0004)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Attempting to restore the computer object DSCINTEGTEST01 from recycle bin. (ADC0013)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Finding objects in the recycle bin matching the filter msDS-LastKnownRDN -eq "DSCINTEGTEST01" -and objectClass -eq "Computer" -and isDeleted -eq $true.
(ADCOMMON0027)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Did not find a restorable object in the recycle bin. (ADCOMMON0055)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is created in Active Directory, at the default path. (ADC0017)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Retrieving the information about the computer account 'DSCINTEGTEST01' from Active Directory. (ADC0002)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is present in Active Directory. (ADC0003)
VERBOSE: [DC01]: LCM:  [ End    Set      ]  [[ADComputer]Integration_Test]  in 1.0930 seconds.
VERBOSE: [DC01]: LCM:  [ End    Resource ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]: LCM:  [ End    Set      ]
VERBOSE: [DC01]: LCM:  [ End    Set      ]    in  1.8750 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.445 seconds
      [+] Should compile and apply the MOF without throwing 2.76s
VERBOSE: An LCM method call arrived from computer DC01 with user sid S-1-5-21-530133819-3181352061-503517500-500.
VERBOSE: [DC01]:                            [DSCEngine] Importing the module C:\source\ActiveDirectoryDsc\DscResources\MSFT_ADComputer\MSFT_ADComputer.psm1 in force mode.
VERBOSE: [DC01]: LCM:  [ Start  Get      ]
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Importing the module MSFT_ADComputer in force mode.
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Retrieving the information about the computer account 'DSCINTEGTEST01' from Active Directory. (ADC0002)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is present in Active Directory. (ADC0003)
VERBOSE: [DC01]: LCM:  [ End    Get      ]  [[ADComputer]Integration_Test]  in 0.2340 seconds.
VERBOSE: [DC01]: LCM:  [ End    Get      ]    in  0.6400 seconds.
      [+] Should be able to call Get-DscConfiguration without throwing 1.37s
      [-] Should have set the resource and all the parameters should match 28ms
        Expected 'Old location', but got $null.
        187:                 $resourceCurrentState.Location | Should -Be 'Old location'
        at <ScriptBlock>, C:\source\ActiveDirectoryDsc\Tests\Integration\MSFT_ADComputer.Integration.Tests.ps1: line 187
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = TestConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer DC01 with user sid S-1-5-21-530133819-3181352061-503517500-500.
VERBOSE: [DC01]: LCM:  [ Start  Test     ]
VERBOSE: [DC01]:                            [DSCEngine] Importing the module C:\source\ActiveDirectoryDsc\DscResources\MSFT_ADComputer\MSFT_ADComputer.psm1 in force mode.
VERBOSE: [DC01]: LCM:  [ Start  Resource ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]: LCM:  [ Start  Test     ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Importing the module MSFT_ADComputer in force mode.
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Determining the current state of the computer account 'DSCINTEGTEST01'. (ADC0006)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] Retrieving the information about the computer account 'DSCINTEGTEST01' from Active Directory. (ADC0002)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is present in Active Directory. (ADC0003)
VERBOSE: [DC01]:                            [[ADComputer]Integration_Test] The computer account 'DSCINTEGTEST01' is in the desired state. (ADC0011)
VERBOSE: [DC01]: LCM:  [ End    Test     ]  [[ADComputer]Integration_Test] True in 0.3280 seconds.
VERBOSE: [DC01]: LCM:  [ End    Resource ]  [[ADComputer]Integration_Test]
VERBOSE: [DC01]: LCM:  [ End    Test     ]     Completed processing test operation. The operation returned True.
VERBOSE: [DC01]: LCM:  [ End    Test     ]    in  0.8440 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 1.758 seconds
      [+] Should return $true when Test-DscConfiguration is run 1.82s

The DSC configuration that is used to reproduce the issue (as detailed as possible)

<#
    .SYNOPSIS
        Creates a computer account using the default values.

    .NOTES
        This computer account should be created enabled, as it will
        use the default value for the property Enable of the cmdlet
        New-ADComputer.
#>
Configuration MSFT_ADComputer_CreateComputerAccount1_Config
{
    Import-DscResource -ModuleName 'ActiveDirectoryDsc'

    node $AllNodes.NodeName
    {
        ADComputer 'Integration_Test'
        {
            ComputerName = $Node.ComputerName1

            <#
                This property is used to verify that the restore works
                in one of the next test.
            #>
            Location     = 'Old location'
        }
    }
}

<#
    .SYNOPSIS
        Removes a computer account using the default values.

    .NOTES
        This removed computer account will later be used to restore the
        computer account from the recycle bin.
#>
Configuration MSFT_ADComputer_RemoveComputerAccount1_Config
{
    Import-DscResource -ModuleName 'ActiveDirectoryDsc'

    node $AllNodes.NodeName
    {
        ADComputer 'Integration_Test'
        {
            Ensure       = 'Absent'
            ComputerName = $Node.ComputerName1
        }
    }
}

<#
    .SYNOPSIS
        Restores a computer account from recycle bin.

    .NOTES
        This test verifies that restored computer account location
        property is set to the previous value. If the restore does
        not work a computer account will be created using the default
        values and the test vill fail since the location will not be
        correct.
#>
Configuration MSFT_ADComputer_RestoreComputerAccount1_Config
{
    Import-DscResource -ModuleName 'ActiveDirectoryDsc'

    node $AllNodes.NodeName
    {
        ADComputer 'Integration_Test'
        {
            Ensure                = 'Present'
            ComputerName          = $Node.ComputerName1
            RestoreFromRecycleBin = $true
        }
    }
}

The operating system the target node is running

n/a

Version and build of PowerShell the target node is running

n/a

Version of the DSC module that was used ('dev' if using current dev branch)

dev

The text was updated successfully, but these errors were encountered:

johlju · 2019-09-03T14:09:16Z

So this did not work because I did not enable the Recycle Bin in the lab environment whihc resulted in msDS-LastKnownRDN did not exist on the objects. I honestly thought the Recycle Bin was enabled by default when running Windows Server 2019 domain. 🙂

But I will send in a PR that adds a bit of documentation around this.

- Changes to ADUser - Added a note to the resource README.md that `RestoreFromRecycleBin` needs the feature Recycle Bin enabled. - Changes to ADGroup - Added a note to the resource README.md that `RestoreFromRecycleBin` needs the feature Recycle Bin enabled (issue #496). - Changes to ADOrganizationalUnit - Added a note to the resource README.md that `RestoreFromRecycleBin` needs the feature Recycle Bin enabled. - Changes to ADComputer - Added a note to the resource README.md that `RestoreFromRecycleBin` needs the feature Recycle Bin enabled (issue #498). - Updated integration test to be able to catch when a computer account cannot be restored.

johlju added documentation The issue is related to documentation only. in progress The issue is being actively worked on by someone. labels Sep 3, 2019

johlju mentioned this issue Sep 3, 2019

Update documentation for resource that uses RestoreFromRecycleBin #499

Merged

10 tasks

johlju closed this as completed in #499 Sep 3, 2019

johlju removed the in progress The issue is being actively worked on by someone. label Sep 3, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ADComputer: Not restoring deleted object #498

ADComputer: Not restoring deleted object #498

johlju commented Sep 3, 2019

johlju commented Sep 3, 2019 •

edited

Loading

ADComputer: Not restoring deleted object #498

ADComputer: Not restoring deleted object #498

Comments

johlju commented Sep 3, 2019

Details of the scenario you tried and the problem that is occurring

Verbose logs showing the problem

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

The operating system the target node is running

Version and build of PowerShell the target node is running

Version of the DSC module that was used ('dev' if using current dev branch)

johlju commented Sep 3, 2019 • edited Loading

johlju commented Sep 3, 2019 •

edited

Loading