
Windows PowerShell:
Desired State Configuration
Robert Novák, Senior Premier Field Engineer
Microsoft

Agenda
• Introduction
• DSC Architecture
• DSC Authoring in Windows PowerShell
• DSC Resource
• DSC Operational modes
• DSC Push mode
• DSC Pull mode (SMB and HTTP pull server)
• Built-in DSC resources
• DSC in PowerShell 5.0
• Related PowerShell Workshops

What is Windows PowerShell Desired State Configuration (DSC)
• new configuration platform introduced in Windows PowerShell 4.0
• enables the deployment and management of configuration data for:
  • software services
  • the environment in which these services run (i.e. infrastructure technologies, components, etc.)
• Key features:
  • based on open standards
  • cloud-ready
  • flexible enough to work reliably and consistently in each stage of the deployment lifecycle:
    • development
    • test
    • pre-production
    • production
  • scales out, as required in the cloud world
  • is inherently idempotent:
    • configuration changes might be deployed repeatedly with the same resulting desired state
    • the desired state will be reached by applying the entire configuration, regardless of the current state
    • incremental changes can be made and deployed to the configuration over time without fear of putting the systems into a bad state

Components of DSC technology
• simple declarative syntax introduced in the PowerShell language
  • used to describe the desired state of an environment
  • New keywords: Configuration, Node
• Windows PowerShell DSC engine (a.k.a. Local Configuration Manager)
  • receives the configuration
  • applies the configuration
  • can correct configuration drift
  • can report configuration drift
• Set of new PowerShell cmdlets and functions for management of the technology:
  • Start-DscConfiguration Cmdlet
  • Update-DscConfiguration Cmdlet
  • Get-DscConfiguration Function
  • Test-DscConfiguration Function
  • Restore-DscConfiguration Function
  • Stop-DscConfiguration Function
  • Get-DscLocalConfigurationManager Function
  • Set-DscLocalConfigurationManager Cmdlet
  • New-DscCheckSum Function
  • Get-DscResource Function
  • Remove-DscConfigurationDocument Function

DSC Authoring in Windows PowerShell
1. Windows PowerShell is used as the authoring tool
2. The definition of the desired configuration has the form of a PowerShell script
3. Execution of this PowerShell script creates a MOF file
4. The MOF file is the native form of a DSC definition
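The four steps above as an added example (not taken from the slides): a configuration script that uses three built-in resources, is compiled to a MOF file, pushed to a node and then checked for drift. The configuration name WebServerBaseline, the node name web01 and the path C:\DSC\Out are assumptions.

```powershell
# Added example. WebServerBaseline, web01 and C:\DSC\Out are assumed names.
Configuration WebServerBaseline
{
    param([string[]] $ComputerName = 'localhost')

    Node $ComputerName
    {
        # Built-in WindowsFeature resource: the role must be installed.
        WindowsFeature IIS
        {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # Built-in Service resource, applied only after the role exists.
        Service W3SVC
        {
            Name        = 'W3SVC'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[WindowsFeature]IIS'
        }

        # Built-in Registry resource: keep the SMBv1 server disabled.
        Registry DisableSmb1Server
        {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueData = '0'
            ValueType = 'Dword'
            Ensure    = 'Present'
        }
    }
}

# Step 3: executing the configuration writes C:\DSC\Out\web01.mof.
WebServerBaseline -ComputerName 'web01' -OutputPath 'C:\DSC\Out'

# Push the MOF to the node's Local Configuration Manager and wait for the result.
Start-DscConfiguration -Path 'C:\DSC\Out' -ComputerName 'web01' -Wait -Verbose

# Applying the same MOF again changes nothing (idempotent); True means no drift.
Test-DscConfiguration -CimSession 'web01'
```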

DSC Authoring – understanding DSC configuration script

DSC resources
• building blocks that you can use to write a Windows PowerShell DSC script
• DSC technology comes with a set of built-in resources such as:
  • files and folders
  • server features and roles
  • registry settings
  • environment variables
  • services and processes
• A DSC resource is provided as a Windows PowerShell module that contains both:
  • schema - the definition of the configurable properties for a given type of DSC resource
    • defined in a MOF file (or a class in PowerShell 5.0)
  • implementation - the code that executes the actual configuration transactions specified by a DSC configuration script
    • contained in a script module (or a class in PowerShell 5.0)

DSC operational modes – push and pull
Pull mode
• Authoring:
  • target computers identified by GUIDs (created during pull mode configuration)
• Local Configuration Manager (LCM) on a pull client:
  • asks the pull server for the current configuration
  • downloads the new/updated configuration
  • downloads resources that the pull client is missing
  • performs a compliance check on the configuration of the node
• Prerequisites:
  • SMB or HTTP pull server must be configured
  • Target computers must be configured as pull clients

Push mode
• Default mode
• Authoring:
  • target computers identified by names
• administrator has to:
  • transmit configuration files to each target node using the Start-DscConfiguration cmdlet
  • keep track of which configurations go with which nodes
• Prerequisites:
  • WinRM must be running on the target node
  • Firewall exceptions at target computers must allow WinRM communication (Set-WSManQuickConfig)

Push mode - default configuration
Output of Get-DscLocalConfigurationManager:
AllowModuleOverwrite : False
CertificateID :
ConfigurationID :
ConfigurationMode : ApplyAndMonitor
ConfigurationModeFrequencyMins : 30
Credential :
DownloadManagerCustomData :
DownloadManagerName :
RebootNodeIfNeeded : False
RefreshFrequencyMins : 15
RefreshMode : PUSH
PSComputerName :
• ConfigurationModeFrequencyMins: how often the DSC consistency engine applies the latest configuration that was downloaded to the target node. The default value is 30.

DSC push operational mode – authoring and deployment of configuration workflow

DSC Pull mode – SMB and HTTP pull servers
SMB Pull server
• simple share that contains the DSC configuration documents (MOF files) generated by DSC configuration scripts
• Accessed by SMB protocol
HTTP Pull server
• website in IIS that uses an OData interface to make DSC configuration files available to target nodes
• TCP port 8080 used by default
• Accessed by HTTP or HTTPS protocol
• Requirements for using a pull server:
  • at least WMF 4.0
  • IIS server role
  • DSC Service feature
  • Ideally, some means of generating a certificate, to secure credentials passed to the LCM on target nodes

DSC Pull mode – configuration of SMB Pull server
• Create folder and share on the server that will host SMB pull server role:
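One way to create the share and publish a configuration document to it, as an added example that is not from the slides. The folder C:\DscPull, the share name DscPull, the CONTOSO groups and the source file C:\DSC\Out\web01.mof are assumptions.

```powershell
# Added example. C:\DscPull, the DscPull share, the CONTOSO groups and
# C:\DSC\Out\web01.mof are assumed names, not values from the slides.
$sharePath = 'C:\DscPull'
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null

# The LCM runs as Local System, so a pull client reaches the share with its
# computer account. Nodes only need read access; publishing is left to admins.
# NTFS permissions on the folder have to grant the same rights.
New-SmbShare -Name 'DscPull' -Path $sharePath `
    -ReadAccess 'CONTOSO\Domain Computers' `
    -FullAccess 'CONTOSO\DscAdmins'

# One GUID per node, or per group of nodes that share a configuration.
$configurationId = [guid]::NewGuid().ToString()

# A pull client asks for <ConfigurationID>.mof, so the compiled MOF is
# published under the GUID rather than under the node name.
$published = Join-Path -Path $sharePath -ChildPath "$configurationId.mof"
Copy-Item -Path 'C:\DSC\Out\web01.mof' -Destination $published

# Writes <ConfigurationID>.mof.checksum next to the MOF. The pull client uses
# the checksum to detect that the published configuration has changed.
New-DscCheckSum -ConfigurationPath $published -Force

# Record the GUID: the same value goes into ConfigurationID on the pull client.
$configurationId
```

Anyone who can write to this share can change what the pull clients apply, so write access belongs only to the accounts that publish configurations.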

DSC Pull mode – configuration of target nodes for SMB pull
• DSC Local Configuration Manager Pull configuration must be pushed to target computer(s) from administrator's workstation
• Unique GUID must be generated for:
  • every computer with unique configuration
  • every group of computers with common configuration

DSC SMB Pull – authoring and deployment of configuration workflow
If step 4 is not performed the pull node will download new configuration at time based on the RefreshFrequencyMins value

DSC Pull mode – configuration of HTTP Pull server
Requirements for using a pull server:
• Any server with at least WMF 4.0
• Server needs the IIS server role
• Server needs the DSC Service
Setup procedure:
1. Download the xPSDesiredStateConfiguration module from https://gallery.technet.microsoft.com/xPSDesiredStateConfiguratio-417dc71d
2. Unzip DSCPullServerConfiguration.zip to the C:\Program Files\WindowsPowerShell\Modules\ folder
3. Dot-source the configuration script Sample_xDscWebService.ps1:
   . C:\DSC\Sample_xDscWebService.ps1
4. Run the configuration function Sample_xDscWebService. This creates the configuration document (MOF file) for a local HTTP pull server and a compliance server:
   Sample_xDscWebService -NodeName $env:computername -OutputPath c:\temp -certificateThumbPrint "AllowUnencryptedTraffic"
5. Apply the configuration document (MOF file) to the local server:
   Start-DscConfiguration -ComputerName $env:computername -Path "C:\Temp\$($env:computername).mof" -Force -Wait -Verbose
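Step 4 above passes "AllowUnencryptedTraffic", which leaves the pull server on plain HTTP. The added example below (not from the slides) shows the HTTPS variant of the same step: it picks a server-authentication certificate from the local machine store and passes its thumbprint instead. It assumes such a certificate has already been issued to the server and that Sample_xDscWebService.ps1 has been dot-sourced as in step 3.

```powershell
# Added example. Assumes a server-authentication certificate for this host
# already exists in Cert:\LocalMachine\My and that step 3 has been run.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        # 1.3.6.1.5.5.7.3.1 is the Server Authentication enhanced key usage.
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        # The name the pull clients will use must be on the certificate.
        ($_.DnsNameList.Unicode -contains $fqdn)
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid server-authentication certificate for $fqdn in Cert:\LocalMachine\My"
}

# Same call as step 4, with the thumbprint in place of "AllowUnencryptedTraffic".
Sample_xDscWebService -NodeName $env:computername -OutputPath c:\temp `
    -certificateThumbPrint $cert.Thumbprint
```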

DSC Pull mode – configuration of target nodes for HTTP pull
• DSC Local Configuration Manager Pull configuration must be pushed to target computer(s) from administrator's workstation
• Unique GUID must be generated for:
  • every computer with unique configuration
  • every group of computers with common configuration
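The pull-client configuration described above (and on the SMB slide earlier), as an added example in WMF 4.0 syntax using the LCM properties listed in the Get-DscLocalConfigurationManager output. It is not from the slides; the node name web01, the GUID, the server URL and the output path are constructed values.

```powershell
# Added example (WMF 4.0 syntax). web01, the GUID, the URL and C:\DSC\Lcm are
# constructed values; use the GUID under which the MOF was published.
Configuration PullClientLcm
{
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $ConfigurationId,
        [Parameter(Mandatory)] [string] $PullServerUrl
    )

    Node $ComputerName
    {
        LocalConfigurationManager
        {
            ConfigurationID     = $ConfigurationId
            RefreshMode         = 'Pull'
            # HTTP(S) pull server. AllowUnsecureConnection is left unset, so
            # the LCM only accepts an https:// ServerUrl.
            DownloadManagerName       = 'WebDownloadManager'
            DownloadManagerCustomData = @{ ServerUrl = $PullServerUrl }
            # SMB pull server instead:
            #   DownloadManagerName       = 'DscFileDownloadManager'
            #   DownloadManagerCustomData = @{ SourcePath = '\\pull01\DscPull' }
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            RefreshFrequencyMins           = 30
            ConfigurationModeFrequencyMins = 60
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compiles C:\DSC\Lcm\web01.meta.mof.
PullClientLcm -ComputerName 'web01' `
    -ConfigurationId 'b4f1d7e2-0c3a-4d5e-9f6a-1a2b3c4d5e6f' `
    -PullServerUrl 'https://pull01.example.test:8080/PSDSCPullServer.svc' `
    -OutputPath 'C:\DSC\Lcm'

# Push the LCM settings from the administrator's workstation to the node.
Set-DscLocalConfigurationManager -Path 'C:\DSC\Lcm' -ComputerName 'web01' -Verbose

# Verify: RefreshMode should now read Pull and ConfigurationID the GUID.
Get-DscLocalConfigurationManager -CimSession 'web01'
```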

DSC HTTP Pull mode – authoring and deployment of configuration workflow
If step 4 is not performed the pull node will download new configuration at time based on the RefreshFrequencyMins value

DSC Resource – Group resource

DSC Resource – Package resource (MSI)

DSC Resource – WindowsProcess resource

DSC Resource - registry

DSC Resource - WindowsFeature

DSC Resource - Service

DSC in Windows PowerShell 5.0
• Several new features introduced
  - New configuration of Local Configuration Manager
  - Possibility to implement a resource by means of PowerShell classes
  - New types of built-in resource
• More than 180 resources available in DSC Resource Kit Wave 10 (released in February 2015) for:
  Active Directory, Azure VMs, Certificate Services, SQL Server, disk drives, DNS, file shares, Failover clusters, Internet Explorer, Exchange, web applications, Hyper-V, networking, Just Enough Administration, DNS, Remote Desktop Services, the System Center products (SCDPM, SCOM, SCSMA, SCSPF, SCSR, SCVMM),

Related workshops
Windows PowerShell 5.0 – Desired configuration management deep dive – 3 days
Windows PowerShell 5.0 – Scripting language workshop for beginners – 5 days
Windows PowerShell 5.0 – Advanced topics – 4 days
Windows PowerShell 3.0 – System management using WMI – 4 days