Client is configured to pull, but does not pull Config

Hi,

I would be happy for some help.

I can’t get my client to load its config from the pull server.

1st. I set up a pull server and ensured WinRM is working.
The pull server test page is OK, Test-WSMan is also OK.

# pre
Install-Module xPSDesiredStateConfiguration
Install-Module NetworkingDsc
Install-Module PSDscResources
Install-WindowsFeature RSAT-AD-Powershell

# Guid for RegistrationKey
[guid]::NewGuid()

# manual install Certificate for IIS


Configuration CreatePullServer
{
    param
    (
        [Parameter()]
        [System.String[]]
        $NodeName = 'localhost',

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $CertificateThumbPrint,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $RegistrationKey,

        [Parameter()]
        [ValidateRange(1, 65535)]
        [System.UInt16]
        $Port = 8080
    )

    Import-DscResource -ModuleName NetworkingDsc
    Import-DSCResource -ModuleName xPSDesiredStateConfiguration

    Node $NodeName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = 'Present'
            Name = 'DSC-Service'
        }

        xDscWebService PSDSCPullServer
        {
            Ensure = 'Present'
            EndpointName = 'PSDSCPullServer'
            Port = $Port
            PhysicalPath = "$env:SystemDrive\inetpub\PSDSCPullServer"
            CertificateThumbPrint = $CertificateThumbPrint
            ModulePath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State = 'Started'
            DependsOn = '[WindowsFeature]DSCServiceFeature'
            RegistrationKeyPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService"
            AcceptSelfSignedCertificates = $true
            Enable32BitAppOnWin64 = $false
            UseSecurityBestPractices = $true
            ConfigureFirewall = $false
        }

        File RegistrationKeyFile
        {
            Ensure = 'Present'
            Type = 'File'
            DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents = $RegistrationKey
        }

        Firewall PSDSCPullServerRule
        {
            Ensure = 'Present'
            Name = "DSC_PullServer_$Port"
            DisplayName = "DSC PullServer $Port"
            Group = 'DSC PullServer'
            Enabled = $true
            Action = 'Allow'
            Direction = 'InBound'
            LocalPort = $Port
            Protocol = 'TCP'
            DependsOn = '[xDscWebService]PSDSCPullServer'
        }
    }
}

md C:\DSC
CreatePullServer -Output c:\DSC

Start-DscConfiguration -Path C:\DSC -Wait -Verbose -Force

Then I set the client to pull - Config
Looks like the configuration is successfully transferred to the client. (Tested with Get-DscLocalConfigurationManager)

[DSCLocalConfigurationManager()]
configuration RegisterClientPull
{

    [string[]]$NodeName = 'TestClient'

    Node $NodeName
    {

        Settings
        {
            RefreshMode = 'Pull'
            ConfigurationMode = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15
            RebootNodeIfNeeded = $true
        }

        ConfigurationRepositoryWeb Dorner-PullSrv
        {
            ServerURL = "https://Suppressed:8080/PSDSCPullServer.svc"
            RegistrationKey = "SuppressedGUID"
            ConfigurationNames = @('ClientConfig')
        }

        ResourceRepositoryWeb Dorner-PullSrv
        {
            ServerURL = "https://Suppressed:8080/PSDSCPullServer.svc"
        }

        ReportServerWeb Dorner-PullSrv
        {
            ServerURL = "https://Suppressed:8080/PSDSCPullServer.svc"
            RegistrationKey = "SuppressedGUID"
        }
    }
}


RegisterClientPull -Output c:\DSC

# Create Checksum
New-DscChecksum "C:\DSC\*.mof"

Set-DscLocalConfigurationManager -Path C:\DSC\
PS C:\Windows\system32> Get-DscLocalConfigurationManager

ActionAfterReboot : ContinueConfiguration
AgentId : Suppressed
AllowModuleOverWrite : False
CertificateID :
ConfigurationDownloadManagers : {[ConfigurationRepositoryWeb]Dorner-PullSrv}
ConfigurationID :
ConfigurationMode : ApplyAndAutoCorrect
ConfigurationModeFrequencyMins : 15
Credential :
DebugMode : {NONE}
DownloadManagerCustomData :
DownloadManagerName :
LCMCompatibleVersions : {1.0, 2.0}
LCMState : Idle
LCMStateDetail :
LCMVersion : 2.0
StatusRetentionTimeInDays : 10
SignatureValidationPolicy : NONE
SignatureValidations : {}
MaximumDownloadSizeMB : 500
PartialConfigurations :
RebootNodeIfNeeded : True
RefreshFrequencyMins : 30
RefreshMode : Pull
ReportManagers : {[ReportServerWeb]Dorner-PullSrv}
ResourceModuleManagers : {[ResourceRepositoryWeb]Dorner-PullSrv}
PSComputerName :

I also made a TestClient.mof (which is the hostname) which works perfectly in PUSH mode.

Configuration Test
{

    [string[]]$NodeName = 'TestClient'
    Node $NodeName
    {
        somewhat
    }
}

Test -Output "C:\Program Files\WindowsPowerShell\DscService\Configuration"

# Create Checksum
New-DscChecksum "C:\Program Files\WindowsPowerShell\DscService\Configuration\*.mof"

Start-DscConfiguration -Path "C:\Program Files\WindowsPowerShell\DscService\Configuration\"

But here starts the problem - the client does not pull and use its configuration.

I can force it from the server side (push) with Start-DscConfiguration -Path "C:\Program Files\WindowsPowerShell\DscService\Configuration" -Wait -Verbose -Force, but the client is not pulling it by itself. I waited for an hour, but nothing happens…

Can someone help me out here? I have read tutorials for days now; meanwhile I'm quite at the end of my knowledge.

BR and Thank you so much!

Mathias

Hi Mathias,

What happens when you run

Update-DscConfiguration -Wait -Verbose

On the client machine?

Max

Hi Max,

Thanks for your help!

PS C:\Windows\system32> Update-DscConfiguration -wait -verbose
AUSFÜHRLICH: Vorgang "CIM-Methode aufrufen" mit den folgenden Parametern durchführen, "'methodName' =
PerformRequiredConfigurationChecks,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration".
AUSFÜHRLICH: Vom Computer 'TESTCLIENT' mit Benutzer-SID 'S-......' ist ein
LCM-Methodenaufruf eingegangen.
AUSFÜHRLICH: [TESTCLIENT]: [] "Get-Action" wird mit der Prüfsumme der Konfiguration
"(null)" ausgeführt: .
AUSFÜHRLICH: [TESTCLIENT]: [] Fehler beim Ausführen von "Get-Action" mit der Prüfsumme der
Konfiguration "(null)". Prüfen Sie die Verfügbarkeit des Pull-Servers.
Serverfehler "ResourceNotFound (404)" beim Versuch, eine Aktion für AgentId A6258B5D-2B1C-11EA-9DF1-901B0ED98C00 von
Server-URL
https://servernamehidden:8080///PSDSCPullServer.svc/Nodes(AgentId='A6258B5D-2B1C-11EA-9DF1-901B0ED98C00')/GetDscAction
abzurufen.
Weitere Details finden Sie in der unten aufgeführten Serverfehlermeldung oder im DSC-Debugereignisprotokoll mit der ID
4339.
ServerErrorMessage:- "The assigned configuration 'ClientConfig' is not found in the pull server configuration
repository."
+ CategoryInfo : ResourceUnavailable: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : WebDownloadManagerGetActionNodeConfigurationNotFound,Microsoft.PowerShell.DesiredStateCo
nfiguration.Commands.GetDscActionCommand
+ PSComputerName : localhost

AUSFÜHRLICH: Vorgang "CIM-Methode aufrufen" wurde abgeschlossen.
AUSFÜHRLICH: Die Ausführung des Konfigurationsauftrags hat 0.603 Sekunden gedauert.

Sorry, German Windows…

Looks like the client uses some AgentID in the URL. The URL is valid, but I think the pull server can’t deliver anything with the AgentID. The .mof file / config is called hostname.mof on the server.

Maybe I'm wrong, but I think this could be the problem in the LCM?

ConfigurationNames = @('ClientConfig')

Or am I completely wrong?

BR,

Mathias

Update - meanwhile I tried

ConfigurationNames = @($NodeName)

I also changed the pull server IIS to its real hostname instead of the CNAME. (Wildcard certificate, so it should make no difference, but this should be safe.)

No SSL errors when I call the server in a browser.

PS C:\Windows\system32> Update-DscConfiguration -wait -verbose
AUSFÜHRLICH: Vorgang "CIM-Methode aufrufen" mit den folgenden Parametern durchführen, "'methodName' =
PerformRequiredConfigurationChecks,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration".
AUSFÜHRLICH: Vom Computer 'TESTCLIENT' mit Benutzer-SID 'S-.......' ist ein
LCM-Methodenaufruf eingegangen.
AUSFÜHRLICH: [TESTCLIENT]: [] "Get-Action" wird mit der Prüfsumme der Konfiguration
"(null)" ausgeführt: .
AUSFÜHRLICH: [TESTCLIENT]: [] Das Ausführen von "Get-Action" mit der Prüfsumme der
Konfiguration "" hat folgenden Ergebnisstatus zurückgegeben: GetConfiguration.
AUSFÜHRLICH: [TESTCLIENT]: [] Die Prüfsumme ist unterschiedlich. LCM führt
"GetConfiguration" aus, um die Konfiguration "" mithilfe von Pull zu übertragen.
AUSFÜHRLICH: [TESTCLIENT]: [] Fehler beim Ausführen von "GetConfiguration". Die
Konfiguration "" wird nicht mithilfe von Pull übertragen.

Die Prüfsumme für die Konfiguration stimmt nicht überein.
+ CategoryInfo : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : WebDownloadManagerMismatchChecksum,Microsoft.PowerShell.DesiredStateConfiguration.Comman
ds.GetDscDocumentCommand
+ PSComputerName : localhost

AUSFÜHRLICH: Vorgang "CIM-Methode aufrufen" wurde abgeschlossen.
AUSFÜHRLICH: Die Ausführung des Konfigurationsauftrags hat 0.269 Sekunden gedauert.
PS C:\Windows\system32>

Now I get no URL error anymore, but a checksum error.

I rebuilt all configs and checksums just to be sure, but that does not help.

I think I do not understand the way this should work. The whole thing is quite frustrating…

Wohooo, I found the problem!!!

The solution was to use ConfigurationNames = @($NodeName) in the LCM, as I thought.

But the checksum error was because New-DscChecksum "C:\Program Files\WindowsPowerShell\DscService\Configuration\*.mof" in the node configuration PS did not overwrite the existing checksum file.

I have to use New-DscChecksum "C:\Program Files\WindowsPowerShell\DscService\Configuration\*.mof" -Force instead.

Maybe this helps someone else. Works like a charm now, even with HTTPS and CNAME.

BR, and Max - Thank you so much. This was the perfect hint!
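
Added example, not part of the thread or written by any of its participants: a check for the two failures seen above, a ConfigurationNames entry with no matching `<name>.mof` in the repository (the 404) and a `.mof.checksum` that no longer matches its MOF (the checksum mismatch). The function name `Test-PullServerConfiguration` and the sample repository are constructed for illustration; the default path is the ConfigurationPath from the pull server configuration above.

```powershell
# Added example: verify a pull server configuration repository.
function Test-PullServerConfiguration {
    param(
        # Names the client lists in ConfigurationNames (hypothetical parameter name).
        [Parameter(Mandatory)] [string[]] $ConfigurationName,
        [string] $ConfigurationPath =
            "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
    )
    foreach ($name in $ConfigurationName) {
        $mof    = Join-Path $ConfigurationPath "$name.mof"
        $sum    = "$mof.checksum"
        $status = 'OK'
        if (-not (Test-Path -LiteralPath $mof)) {
            # Pull server answers 404: assigned configuration not found.
            $status = 'MofMissing'
        }
        elseif (-not (Test-Path -LiteralPath $sum)) {
            $status = 'ChecksumMissing'
        }
        else {
            # New-DscChecksum stores the SHA-256 of the MOF as a hex string.
            $actual = (Get-FileHash -LiteralPath $mof -Algorithm SHA256).Hash
            $stored = ([string](Get-Content -LiteralPath $sum -Raw)).Trim()
            if ($actual -ne $stored) {
                # Stale checksum file: regenerate with New-DscChecksum -Force.
                $status = 'ChecksumStale'
            }
        }
        [pscustomobject]@{ ConfigurationName = $name; Status = $status }
    }
}

# Constructed sample repository in a temp folder, so the check runs
# without a pull server. Get-FileHash stands in for New-DscChecksum here.
$repo = Join-Path ([IO.Path]::GetTempPath()) ("dsc-repo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $repo | Out-Null
$mofPath = Join-Path $repo 'TestClient.mof'
Set-Content -LiteralPath $mofPath -Value '/* constructed placeholder MOF, v1 */'
(Get-FileHash -LiteralPath $mofPath -Algorithm SHA256).Hash |
    Set-Content -LiteralPath "$mofPath.checksum" -NoNewline

# Recompile scenario: the MOF changes, the old checksum file stays behind.
Set-Content -LiteralPath $mofPath -Value '/* constructed placeholder MOF, v2 */'

Test-PullServerConfiguration -ConfigurationName 'TestClient', 'ClientConfig' `
    -ConfigurationPath $repo
Remove-Item -LiteralPath $repo -Recurse -Force
```

On a real pull server, omit `-ConfigurationPath` and pass the names the client's LCM reports for its ConfigurationRepositoryWeb block.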

You can refer to this https://devblogs.microsoft.com/powershell/how-to-register-a-node-with-a-dsc-pull-server/ for an explanation regarding the AgentId.

Btw, the https://servernamehidden:8080/PSDSCPullServer.svc/Nodes(AgentId='A6258B5D-2B1C-11EA-9DF1-901B0ED98C00') should be accessible from your browser as far as I remember, so it's worth testing it.

Additionally, please try cleaning everything that may be already applied by running

Remove-DscConfigurationDocument -Stage Current, Pending, Previous -Force

I know the feeling of frustration, but once you figure it out and it starts working, it’s like magic :)

Max