zaicnupagadi/PowerShell


Introduction to PowerShell DSC

DSC was one of the topics covered at the first Polish PowerShell User Group meeting :)

Thank you all for joining the first Polish PowerShell User Group meeting!

At the first meeting I highlighted what DSC is, how to install it and what its capabilities are.

I would like to continue with the subject of DSC and focus on aspects like an HA cluster for the HTTPS pull server, building advanced pull servers on Windows Core, presenting available resources, using Linux as an authoring workstation (also covering PowerShell on Linux), etc.

At the end of the path I would like us to go through the complete roadmap of available DSC features and configuration options, so that together we have it sorted out when it comes to implementing it in our environment.

All of this would be documented on this PPOSH GitHub and my private blog https://paweljarosz.wordpress.com

This resource contains:

  1. Presentation from the first PPOSH meeting
  2. Instructions on how to build a first HTTPS DSC pull server
  3. Instructions on how to apply a basic configuration on Windows and Linux clients

Creating a test lab

To create a test lab for this I would suggest having 3 machines:

  1. LABDSCPS01 – W2016 / DSC HTTPS Pull Server
  2. LABDC01 – W2016 / DC & CA / DSC Windows client
  3. LABCENTOS01 – CentOS 7 / DSC Linux client

Creating simple DSC pull server

To create an HTTPS pull server we need an SSL certificate issued by our CA. To find out how to build a CA server and generate a certificate, take a look at the links below:

https://www.virtuallyboring.com/setup-microsoft-active-directory-certificate-services-ad-cs/

http://duffney.io/Configure-HTTPS-DSC-PullServer (sections: "Creating the Web Cert" and "Exporting & Importing the Web Cert onto the PullServer")

With the certificate generated and imported on the DSC server, it is high time to configure it!

Before running these commands I would recommend creating for instance a c:\dsc folder, and navigating to it before running any configurations.

## [Code to run on LABDSCPS01 in c:\dsc]
##Step 1: Finding and installing the needed DSC module from the PowerShell Gallery on the DSC server or authoring workstation
Find-Module xPSDesiredStateConfiguration | Install-Module
 
##Step 2: Creating DSC Pull Server configuration
configuration Sample_xDscPullServer
{ 
    param  
    ( 
            [string[]]$NodeName = 'localhost', 
 
            [ValidateNotNullOrEmpty()] 
            [string] $certificateThumbPrint,
 
            [Parameter(Mandatory)]
            [ValidateNotNullOrEmpty()]
            [string] $RegistrationKey 
     ) 
 
 
     Import-DSCResource -ModuleName xPSDesiredStateConfiguration
     Import-DSCResource -ModuleName PSDesiredStateConfiguration
 
     Node $NodeName 
     { 
         WindowsFeature DSCServiceFeature 
         { 
             Ensure = 'Present'
             Name   = 'DSC-Service'             
         } 
 
         xDscWebService PSDSCPullServer 
         { 
             Ensure                   = 'Present' 
             EndpointName             = 'PSDSCPullServer' 
             Port                     = 8080 
             PhysicalPath             = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer" 
             CertificateThumbPrint    = $certificateThumbPrint          
             ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules" 
             ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration" 
             State                    = 'Started'
             DependsOn                = '[WindowsFeature]DSCServiceFeature'     
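             # $false skips the resource's SCHANNEL hardening (stronger protocols and ciphers); fine for this lab only
             UseSecurityBestPractices = $false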
         } 
 
        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents        = $RegistrationKey
        }
    }
}
 
##Step 3: Getting all needed variables for the DSC Sample_xDscPullServer configuration
$WebCertThumb = (Invoke-Command -Computername labdscps01 {Get-Childitem Cert:\LocalMachine\My | Where-Object {$_.FriendlyName -eq "DSCPSPullServerCert"} | Select-Object -ExpandProperty ThumbPrint})
$Guid = (New-Guid).Guid
 
##Step 4: Running the Sample_xDscPullServer configuration to create the DSC server MOF file
Sample_xDSCPullServer -certificateThumbprint $WebCertThumb -RegistrationKey $Guid -OutputPath c:\Configs\PullServer
 
##Step 5: Applying the DSC configuration - this step actually installs the DSC pull server
Start-DscConfiguration -Path c:\Configs\PullServer -Wait -Verbose -Force
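
Step 3 selects the certificate by FriendlyName only, so an empty or multi-valued $WebCertThumb goes straight into the MOF. The check below is an added example, not part of the original repository; Test-PullServerCertificate is a hypothetical helper name, and the friendly name and host name are the ones used on this page.

```powershell
# Added example, not from the original repository.
# Test-PullServerCertificate is a hypothetical helper; run it on LABDSCPS01.
function Test-PullServerCertificate {
    param(
        [string] $FriendlyName    = 'DSCPSPullServerCert',  # friendly name used in Step 3
        [string] $ExpectedDnsName = 'labdscps01'            # host name clients put in ServerURL
    )

    # Force an array so zero or several matches are detected instead of passed on.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one certificate named '$FriendlyName', found $($certs.Count)."
    }

    $cert     = $certs[0]
    $now      = Get-Date
    $problems = @()

    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key in the machine store'
    }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU. A certificate with no
    # EKU extension is also reported, which is stricter than Windows itself.
    if (@($cert.EnhancedKeyUsageList.ObjectId) -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'Server Authentication EKU is not present'
    }
    # Exact match only: a wildcard entry will not satisfy this check.
    if (@($cert.DnsNameList.Unicode) -notcontains $ExpectedDnsName) {
        $problems += "no subject/SAN entry equals '$ExpectedDnsName'"
    }

    if ($problems.Count -gt 0) {
        throw "Certificate $($cert.Thumbprint) is not usable: $($problems -join '; ')"
    }
    return $cert.Thumbprint
}

# Replaces the assignment in Step 3; Step 4 then receives a checked thumbprint.
$WebCertThumb = Test-PullServerCertificate
```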

Having installed the DSC pull server, we now need to associate our first client with it.

First we will connect the Windows client.

Connecting Windows client to DSC pull server

So now we have our DSC pull server configured! Now we need to tell the Windows client to go to this server, download a certain configuration and apply it.

First, let's create the list of conditions a workstation needs to meet in its desired state; put simply, what software, Windows features and other settings have to be configured.

This configuration file needs to be placed on the DSC pull server in:

C:\Program Files\WindowsPowerShell\DscService\Configuration

that is, the path we declared in:

ConfigurationPath

Let's try to create a configuration that will install the IIS role and also .NET 4.5 on our server:

## Creating configuration file
## [Code to run on LABDSCPS01 in c:\dsc]
Configuration webservice
{
    param ($MachineName)
        Node $MachineName
        {
                #Install the IIS Role
                WindowsFeature IIS
                {
                    Ensure = "Present"
                    Name = "Web-Server"
                }
                #Install ASP.NET 4.5
                WindowsFeature ASP
                {
                    Ensure = "Present"
                    Name = "web-Asp-Net45"
                }
        }
}
 
webservice -MachineName localhost 

All this does is create a .mof file that tells the client to ensure it has the listed roles/features installed.

Now we can rename the file as we like: leave it as it is, rename it to the computer name, or rename it to the actual configuration we would like to set. I will call it webservice.mof.

The next thing we need to do is generate a checksum for that file. The command to achieve it is:

New-DscChecksum

As mentioned, we now need to put both files in:

C:\Program Files\WindowsPowerShell\DscService\Configuration
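
The rename, checksum and copy steps above, put together as an added example (not part of the original repository). It assumes the configuration was compiled from c:\dsc, so the MOF sits in .\webservice\localhost.mof, and it also verifies the checksum and lists who can write to the publishing folder.

```powershell
# Added example, not from the original repository; run on LABDSCPS01 in c:\dsc.
$configName = 'webservice'                               # must equal ConfigurationNames on the client
$compiled   = Join-Path $PWD 'webservice\localhost.mof'  # written by "webservice -MachineName localhost"
$publishDir = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
$published  = Join-Path $publishDir "$configName.mof"

if (-not (Test-Path $compiled)) {
    throw "Compile the configuration first: $compiled not found."
}

# Copy under the name clients request, then create webservice.mof.checksum beside it.
Copy-Item -Path $compiled -Destination $published -Force
New-DscChecksum -Path $published -Force

# The .checksum file holds the SHA-256 of the MOF; confirm it matches what was published.
$recorded = (Get-Content -Path "$published.checksum" -Raw).Trim()
$actual   = (Get-FileHash -Path $published -Algorithm SHA256).Hash
if ($recorded -ne $actual) {
    throw "Checksum mismatch for $published (recorded $recorded, actual $actual)."
}

# The checksum detects change, it does not authenticate the author:
# anyone who can write to this folder can publish a MOF and a matching checksum.
(Get-Acl -Path $publishDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```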

All right, at this point we have the DSC server configured and the configuration files created. Now we need to tell the client where its DSC server is (the one it pulls configuration from) and which configuration file we want to apply.

## Creating LCM configuration
## [Code to run on LABDC01 in c:\dsc]
[DSCLocalConfigurationManager()]
configuration BaseDscClientConfig
{
    Node localhost
    {
        Settings
        {
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30 
            RebootNodeIfNeeded   = $true
            ConfigurationMode = "ApplyAndAutoCorrect"
 
        }
 
        ConfigurationRepositoryWeb PullSrv
        {
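            ServerURL          = 'https://labdscps01:8080/PSDSCPullServer.svc'
            # Must match the key written to RegistrationKeys.txt on the pull server ($Guid from Step 3)
            RegistrationKey    = '875aa7df-78fa-4e71-ab1c-479d7248ab87'
            ConfigurationNames = @('webservice')
            # Not needed when ServerURL is https://; the setting exists to permit http:// pull servers
            AllowUnsecureConnection = $true
        }   
        ReportServerWeb ReptSrv
        {
            ServerURL          = 'https://labdscps01:8080/PSDSCPullServer.svc'
            RegistrationKey    = '875aa7df-78fa-4e71-ab1c-479d7248ab87'
            AllowUnsecureConnection = $true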
 
        }
 
 
    }
}
 
BaseDscClientConfig
## A *.meta.mof file will be generated; now apply it to the host
Set-DscLocalConfigurationManager -Path .\BaseDscClientConfig

## Triggering LCM to align server with that configuration
Start-DscConfiguration -Wait -Verbose -UseExisting

## If all went well, the output you should get:
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ApplyConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer LABDC01 with user sid S-1-5-21-191450192-3335740963-707932236-500.
VERBOSE: [LABDC01]:                            [] Starting consistency engine.
VERBOSE: [LABDC01]:                            [] Checking consistency for current configuration.
VERBOSE: [LABDC01]: LCM:  [ Start  Resource ]  [[WindowsFeature]IIS]
VERBOSE: [LABDC01]: LCM:  [ Start  Test     ]  [[WindowsFeature]IIS]
VERBOSE: [LABDC01]:                            [[WindowsFeature]IIS] The operation 'Get-WindowsFeature' started: Web-Server
VERBOSE: [LABDC01]:                            [[WindowsFeature]IIS] The operation 'Get-WindowsFeature' succeeded: Web-Server
VERBOSE: [LABDC01]: LCM:  [ End    Test     ]  [[WindowsFeature]IIS]  in 0.5000 seconds.
VERBOSE: [LABDC01]: LCM:  [ Skip   Set      ]  [[WindowsFeature]IIS]
VERBOSE: [LABDC01]: LCM:  [ End    Resource ]  [[WindowsFeature]IIS]
VERBOSE: [LABDC01]: LCM:  [ Start  Resource ]  [[WindowsFeature]ASP]
VERBOSE: [LABDC01]: LCM:  [ Start  Test     ]  [[WindowsFeature]ASP]
VERBOSE: [LABDC01]:                            [[WindowsFeature]ASP] The operation 'Get-WindowsFeature' started: web-Asp-Net45
VERBOSE: [LABDC01]:                            [[WindowsFeature]ASP] The operation 'Get-WindowsFeature' succeeded: Web-Asp-Net45
VERBOSE: [LABDC01]: LCM:  [ End    Test     ]  [[WindowsFeature]ASP]  in 0.5160 seconds.
VERBOSE: [LABDC01]: LCM:  [ Skip   Set      ]  [[WindowsFeature]ASP]
VERBOSE: [LABDC01]: LCM:  [ End    Resource ]  [[WindowsFeature]ASP]
VERBOSE: [LABDC01]:                            [] Consistency check completed.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 1.269 seconds

Now wait, and the appropriate permissions should get applied to the Windows client.
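
To confirm on the client that the LCM settings landed and that it pulls over HTTPS only, the following added example (not part of the original repository) summarises the LCM state and the current compliance result. Get-PullClientStatus is a hypothetical helper name, and it assumes a configuration has already been applied to the node.

```powershell
# Added example, not from the original repository; run on LABDC01 after the LCM is set.
# Get-PullClientStatus is a hypothetical helper name.
function Get-PullClientStatus {
    $lcm = Get-DscLocalConfigurationManager

    # Collect every pull and report endpoint the LCM is registered against.
    $urls = @(
        @($lcm.ConfigurationDownloadManagers.ServerURL) +
        @($lcm.ReportManagers.ServerURL) | Where-Object { $_ }
    )

    # -Detailed returns per-resource results instead of a bare $true/$false.
    $test = Test-DscConfiguration -Detailed

    [pscustomobject]@{
        RefreshMode       = $lcm.RefreshMode
        ConfigurationMode = $lcm.ConfigurationMode
        LCMState          = $lcm.LCMState
        ServerUrls        = $urls
        NonHttpsUrls      = @($urls | Where-Object { $_ -notlike 'https://*' })
        InDesiredState    = $test.InDesiredState
        DriftedResources  = @($test.ResourcesNotInDesiredState.ResourceId | Where-Object { $_ })
    }
}

$status = Get-PullClientStatus
$status | Format-List

if ($status.RefreshMode -ne 'Pull') {
    Write-Warning "LCM RefreshMode is '$($status.RefreshMode)', expected 'Pull'."
}
if ($status.NonHttpsUrls.Count -gt 0) {
    Write-Warning "Endpoints not using HTTPS: $($status.NonHttpsUrls -join ', ')"
}
if (-not $status.InDesiredState) {
    Write-Warning "Resources not in desired state: $($status.DriftedResources -join ', ')"
}
```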
