Merge pull request #98351 from bobbytreed/bobbytreed-dscupdates

v-albemi · web-flow · commit cda589b798aa · 2019-12-09T07:23:42.000-08:00
Adding troubleshooting updates
diff --git a/articles/automation/automation-dsc-onboarding.md b/articles/automation/automation-dsc-onboarding.md
@@ -347,6 +347,18 @@ For added security, the primary and secondary access keys of an Automation accou
 regenerated at any time (on the **Manage Keys** page) to prevent future node registrations using
 previous keys.
 
+## Certificate expiration and re-registration
+
+After registering a machine as a DSC node in Azure Automation State Configuration, there are a
+number of reasons why you may need to re-register that node in the future:
+
+- For versions of Windows Server prior to Windows Server 2019, each node automatically negotiates a unique certificate for authentication that expires after one year. Currently, the PowerShell DSC registration protocol cannot automatically renew certificates when they are nearing expiration, so you need to re-register the nodes after a year's time. Before re-registering, ensure that each node is running Windows Management Framework 5.0 RTM. If a node's authentication certificate expires, and the node is not re-registered, the node is unable to communicate with Azure Automation and is marked 'Unresponsive.' re-registration performed 90 days or less from the certificate expiration time, or at any point after the certificate expiration time, will result in a new certificate being generated and used.  A resolution to this issue is included in Windows Server 2019 and later.
+- To change any [PowerShell DSC Local Configuration Manager values](/powershell/scripting/dsc/managing-nodes/metaConfig4) that were set during initial registration of the node, such as ConfigurationMode. Currently, these DSC agent values can only be changed through re-registration. The one exception is the Node Configuration assigned to the node -- this can be changed in Azure Automation DSC directly.
+
+re-registration can be performed in the same way you registered the node initially, using any of the
+onboarding methods described in this document. You do not need to un-register a node from Azure
+Automation State Configuration before re-registering it.
+
 ## Troubleshooting Azure virtual machine onboarding
 
 Azure Automation State Configuration lets you easily onboard Azure Windows VMs for configuration
@@ -363,17 +375,7 @@ Azure portal navigate to the VM being onboarded, then click **Extensions** under
 click **DSC** or **DSCForLinux** depending on your operating system. For more details, you can
 click **View detailed status**.
 
-## Certificate expiration and reregistration
-
-After registering a machine as a DSC node in Azure Automation State Configuration, there are a
-number of reasons why you may need to reregister that node in the future:
-
-- For versions of Windows Server prior to Windows Server 2019, each node automatically negotiates a unique certificate for authentication that expires after one year. Currently, the PowerShell DSC registration protocol cannot automatically renew certificates when they are nearing expiration, so you need to reregister the nodes after a year's time. Before reregistering, ensure that each node is running Windows Management Framework 5.0 RTM. If a node's authentication certificate expires, and the node is not reregistered, the node is unable to communicate with Azure Automation and is marked 'Unresponsive.' Reregistration performed 90 days or less from the certificate expiration time, or at any point after the certificate expiration time, will result in a new certificate being generated and used.  A resolution to this issue is included in Windows Server 2019 and later.
-- To change any [PowerShell DSC Local Configuration Manager values](/powershell/scripting/dsc/managing-nodes/metaConfig4) that were set during initial registration of the node, such as ConfigurationMode. Currently, these DSC agent values can only be changed through reregistration. The one exception is the Node Configuration assigned to the node -- this can be changed in Azure Automation DSC directly.
-
-Reregistration can be performed in the same way you registered the node initially, using any of the
-onboarding methods described in this document. You do not need to unregister a node from Azure
-Automation State Configuration before reregistering it.
+For more information on troubleshooting, see [Troubleshooting issues with Azure Automation Desired State Configuration (DSC)](./troubleshoot/desired-state-configuration.md).
 
 ## Next steps
 
diff --git a/articles/automation/troubleshoot/desired-state-configuration.md b/articles/automation/troubleshoot/desired-state-configuration.md
@@ -89,6 +89,68 @@ This error is normally caused by a firewall, the machine being behind a proxy se
 
 Verify your machine has access to the proper endpoints for Azure Automation DSC and try again. For a list of ports and addresses needed, see [network planning](../automation-dsc-overview.md#network-planning)
 
+### <a name="unauthorized"><a/>Scenario: Status reports return response code "Unauthorized"
+
+#### Issue
+
+When registering a Node with State Configuration (DSC) you receive one of the following error messages:
+
+```error
+The attempt to send status report to the server https://{your automation account url}/accounts/xxxxxxxxxxxxxxxxxxxxxx/Nodes(AgentId='xxxxxxxxxxxxxxxxxxxxxxxxx')/SendReport returned unexpected response code Unauthorized.
+```
+
+```error
+VM has reported a failure when processing extension 'Microsoft.Powershell.DSC / Registration of the Dsc Agent with the server failed.
+```
+
+### Cause
+
+This issue is caused by a bad or expired certificate.  For more information, see [Certificate expiration and reregistration](../automation-dsc-onboarding.md#certificate-expiration-and-re-registration).
+
+### Resolution
+
+Follow the steps listed below to re-register the failing DSC node.
+
+First, un-register the node using the following steps.
+
+1. From the Azure portal, under **Home** -> **Automation Accounts**-> {Your Automation Account} -> **State configuration (DSC)**
+2. Click "Nodes", and click on the node having trouble.
+3. Click "Unregister" to un-register the node.
+
+Second, uninstall the DSC extension from the node.
+
+1. From the Azure portal, under **Home** -> **Virtual Machine** -> {Failing node} -> **Extensions**
+2. Click "Microsoft.Powershell.DSC".
+3. Click "Uninstall", to uninstall the PowerShell DSC extension.
+
+Third, remove all bad or expired certificates from the node.
+
+On the failing node from an elevated Powershell Prompt, run the following:
+
+```powershell
+$certs = @()
+$certs += dir cert:\localmachine\my | ?{$_.FriendlyName -like "DSC"}
+$certs += dir cert:\localmachine\my | ?{$_.FriendlyName -like "DSC-OaaS Client Authentication"}
+$certs += dir cert:\localmachine\CA | ?{$_.subject -like "CN=AzureDSCExtension*"}
+"";"== DSC Certificates found: " + $certs.Count
+$certs | FL ThumbPrint,FriendlyName,Subject
+If (($certs.Count) -gt 0)
+{ 
+    ForEach ($Cert in $certs) 
+    {
+        RD -LiteralPath ($Cert.Pspath) 
+    }
+}
+```
+
+Finally, re-register the failing node using the following steps.
+
+1. From the Azure portal, under **Home** -> **Automation Accounts** -> {Your Automation Account} -> **State configuration (DSC)**
+2. Click "Nodes".
+3. Click the "Add" button.
+4. Select the failing node.
+5. Click "Connect", and select your desired options.
+
 ### <a name="failed-not-found"></a>Scenario: Node is in failed status with a "Not found" error
 
 #### Issue
@@ -187,6 +249,49 @@ This error typically occurs when the node is assigned a node configuration name
 * Make sure that you're assigning the node with a node configuration name that exactly matches the name in the service.
 * You can choose to not include the node configuration name, which will result in onboarding the node but not assigning a node configuration
 
+### <a name="cross-subscription"></a>Scenario: Registering a node with PowerShell returns the error "One or more errors occurred"
+
+#### Issue
+
+When registering a node using `Register-AzAutomationDSCNode` or `Register-AzureRMAutomationDSCNode`, you receive the following error.
+
+```error
+One or more errors occurred.
+```
+
+#### Cause
+
+This error occurs when you attempt to register a node that lives in a separate subscription than the Automation Account.
+
+#### Resolution
+
+Treat the cross-subscription node as though it lives in a separate cloud, or on-premise.
+
+Follow the steps below to register the node.
+
+* Windows - [Physical/virtual Windows machines on-premises, or in a cloud other than Azure/AWS](../automation-dsc-onboarding.md#physicalvirtual-windows-machines-on-premises-or-in-a-cloud-other-than-azureaws).
+* Linux - [Physical/virtual Linux machines on-premises, or in a cloud other than Azure](../automation-dsc-onboarding.md#physicalvirtual-linux-machines-on-premises-or-in-a-cloud-other-than-azure).
+
+### <a name="agent-has-a-problem"></a>Scenario: Error message - "Provisioning Failed"
+
+#### Issue
+
+When registering a node, you see the error:
+
+```error
+Provisioning has failed
+```
+
+#### Cause
+
+This message occurs when there is a connectivity issue between the node and Azure.
+
+#### Resolution
+
+Determine whether your node is in a private virtual network or has other issues connecting to Azure.
+
+For more information, see [Troubleshoot errors when onboarding solutions](onboarding.md).
+
 ### <a name="failure-linux-temp-noexec"></a>Scenario: Applying a configuration in Linux, a failure occurs with a general error
 
 #### Issue
