DSC Compliance Server and LCM's reporting back

In the “DSC Book” the section on “Compliance Servers” states: “.So, part of the LCM’s job is to not only grab configuration MOFs from the pull server, but also to report back on how things are looking”.

How does an LCM know what the endpoint address is for the Compliance Server given its a different Web Site and port than the Pull Server? I haven’t seen anything as part of LCM configuration as to how this would be specified.

We have configured a “Pull” server to use HTTPS as the “DSC Book” states is a requirement.

I also looked in the IIS Logs on the Pull server, but don’t any requests coming into the Compliance server web site…

The compliance server endpoint is usually deployed under the same IIS website, which means it’s the same port and so forth. It’s a different service that the LCM calls. The PowerShell team blog recently included a post with more detail, including how to query the compliance server.

But, keep in mind that the whole compliance server functionality is, at present, undocumented. It’s unclear if it’s fully intended for production use at this point, which means it’s unclear if Microsoft’s thought through all the permutations, yet.

This is the link to the blog post Don was referring to:

I’ll take a look at the blog post, but in the meantime…

Don: You stated “compliance server endpoint is usually deployed under the same IIS website, which means it’s the same port and so forth”.

That is not how we set ours up. We used a different port based on the example on page 21/22 in the “DSC Book”. There you show creating two different sites (PSDSCPullServer amd PSDSCComplianceServer) with two different ports (i.e. 8080 and 9080).

That’s why I questioned how the LCM would know the correct endpoint address for the Compliance server.

I read through the blog post. Good information. When I tried calling the Compliance server I ran into an Authorization problem. The answer to my problem was in a comment added at the end of the post. which I will repeat here:

I had some problems while accessing PSDSCComplianceServer.svc service. I was getting error:

The server encountered an error processing the request. The exception message is ‘Access is denied.’. See server logs for more details. The exception stack trace is:

at System.ServiceModel.Dispatcher.AuthorizationBehavior.Authorize(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage1(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)

After some digging I finally discovered that this section is missing in Compliance service web.config:

It should be added under configuration section. You can check Pull service web.config for example.

In addition, I had to set "" and which is what the Pull service web.config file has.

But this does prove that compliance information is being recorded. So I suspect that the LCM doesn’t actually call back to the Compliance service (as I thought it did), but instead the Pull service records compliance information returned by the LCM. The Compliance service must simply be an OData service used to retrieve compliance information, not record it. Is this correct?

My reply got cut off somehow (second to last paragraph)…

I also had to enable anonymousAuthentication and disable windowsAuthentication in the web.config file of the Compliance service, which is how authentication is configured in the web.config file of the Pull service.

Now that I am able to query the Compliance server, I have been doing some testing. I set the LCM on one of the nodes I am testing with to “ApplyAndMonitor”. I then changed a configuration setting on the node and forced the LCM to evaluate its configuration a number of times. The LCM logs a warning stating the server is not configured properly. I then queried the compliance server, and it reports that the node is still compliant (NodeCompliant = True), which is incorrect. The LastComplianceTime was updated after I made the configuration invalid, so it should be reporting that the node is not compliant.

The resource that first returns “False” from Test-TargetResource is the MSFT_File built-in resource I am using to compare, recursively, the contents of a directory.

Any ideas?

Although I will most likely use “ApplyAndAutoCorrect”, I wanted to see if compliance would be correctly reported when using “ApplyAndMonitor”, and it was not. False positives concern me…

I too have been having problems setting up both the Pull Server and the Compliance server. I followed the instructions laid out in the DSC Book. I was getting the same error for my compliance server and your tip fixed it!

However, now I see that the LCM is failing to grab the config from the Pull-Server. When I hit the URL manually, I get an internal error “Could not load file or assembly ‘Microsoft.Isam.Esent.Interop, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.”. The pull server is Windows 2012.

At first I thought these errors were related, but now I suspect they’re completely separate, so perhaps this thread isn’t the best place to look for help. However, I can’t seem to find any information on the internet about this!