How do I create a single MOF and push it out to multiple nodes

Hi, I am working with/learning DSC and have a question. I have successfully set up the DSC pull Server and am able to use it to configure a node. This part seems pretty straight forward to me. My question is how do I take a configuration and apply it to multiple nodes without having multiple MOF’s (one for each node)

Here is what I have:

When I specify the two nodes as below this generates two seperate MOF’s (one for each server). I don’t see why I should need this as the config is the same for both.

Configuration TestOfficeServers
 {
 param ($MachineName)
 Node $MachineName
{
	#Install RSAT ADDS Tools
		WindowsFeature RSATADDSTools
		{
		Ensure = "Present"
		Name = "RSAT-ADDS-Tools"
		}
    #Install FS-FileServer
		WindowsFeature FileServer
		{
		Ensure = "Present"
		Name = "FS-FileServer"
		}
 }
 }

TestOfficeServers –MachineName 'lab-dsc-02','lab-dsc-03'

Next I would set the GUID, checksum and copy to the deployment location

$Guid1 = [guid]::NewGuid() 
$Guid2 = [guid]::NewGuid()

$source1 = "OfficeServers\lab-dsc-02.mof" 
$source2 = "OfficeServers\lab-dsc-03.mof" 

$target1= “\\lab-DSC-01\c$\program files\windowspowershell\dscservice\configuration\$Guid1.mof” 
$target2= “\\lab-DSC-01\c$\program files\windowspowershell\dscservice\configuration\$Guid2.mof” 

copy $source1 $target1
copy $source2 $target2

New-DSCCheckSum $target1
New-DSCCheckSum $target2

Then lastly I configure the nodes to pull the configurations(this is where I get really lost for multiple nodes):

Configuration SetPullMode
 {
 param([string]$guid)
 Node lab-dsc-02
 {
 LocalConfigurationManager
 {
    ConfigurationID = $guid;
    RefreshMode = 'Pull';
    RefreshFrequencyMins = 30;
    ConfigurationModeFrequencyMins = 30; 
    ConfigurationMode = "ApplyAndAutoCorrect";
    RebootNodeIfNeeded = $True;
    DownloadManagerName = 'WebDownloadManager';
    DownloadManagerCustomData = @{
        ServerUrl = 'http://lab-dsc-01:8080/PSDSCPullServer.svc';
         AllowUnsecureConnection = 'true' }
 }
 }
 }
SetPullMode –guid $Guid 
Set-DSCLocalConfigurationManager –Computer lab-dsc-02 -Path ./SetPullMode –Verbose

You can assign the same ConfigurationID GUID to multiple nodes, if you want; that’s how they decide which MOF to download from the pull server. (Incidentally, WMF 5 is introducing a separation between AgentID and ConfigurationID, but your LCM output looks like it’s WMF 4.)

Thanks Dave, I have read that I can but can’t figure out how Could you provide a short sample on how this would be done.

In the original powershell script to create the MOF I need to define the node it applies to via the -machinename switch, then again I need to state the node in the pullconfig. How do I get around specifying a single node in the script that creates the MOF, as in my example if I specify two servers/nodes it creates two MOF’s.

You don’t need to compile a MOF for each node, if they’re going to be identical. In fact, you can just generate a GUID (or use one that you already know), and use that right in the config:

# Assuming a GUID of 2ab78d06-f0cf-435c-9cb7-485213873edc

Configuration TestOfficeServers
 {
 Node '2ab78d06-f0cf-435c-9cb7-485213873edc'
{
	#Install RSAT ADDS Tools
		WindowsFeature RSATADDSTools
		{
		Ensure = "Present"
		Name = "RSAT-ADDS-Tools"
		}
    #Install FS-FileServer
		WindowsFeature FileServer
		{
		Ensure = "Present"
		Name = "FS-FileServer"
		}
 }
 }

That will compile straight to 2ab78d06-f0cf-435c-9cb7-485213873edc.mof, and you don’t need to rename it. Just generate a checksum and send it up to the pull servers.

Then you would just call your SetPullMode function using the same GUID (2ab78d06-f0cf-435c-9cb7-485213873edc, in the example) for all servers that share the same MOF.

Awesome, thank you. I was worried because when I looked in the MOF that gets generated it did have a section for node.

Hi,

This is a bit of a ‘revelation’ for me…

So far I’ve been unable to get an answer on this, and just took it for granted that if I had 200 nodes, then I’d need 200 mof files and 200 checksum files… even if they all had the same config!

However, now it seems that they don’t!?

I’m basically doing a Get-Computers from an OU, adding them to an array and then creating the mof files using a foreach … i.e. 200 mof files.

I thought this was a good way, as when I do the Get-Computers I pull the ObjectGUID also, so don’t need to generate any new GUIDs, I can just use the ones I’ve pulled.

So question is… how do I use the single mof file in this instance… what do I need to do on the local clients to ensure that they all pull the same mof file?

Thanks in advance

As long as the computers LCMs are all configured with the same GUID, then you only need a MOF / Checksum with that one GUID. They’ll all pull the same one.

If you need any more information on the process that Dave mentioned earlier ‘WMF 5 is introducing a separation between AgentID and ConfigurationID’

feel free to check out a quick video I made explaining how this works.

Is it possible to secure the communication in this scenario in order to be able to use Credentials in the shared.mof ?

All of the client nodes would need to have the same certificate and private key installed, which is not ideal, but technically possible. You’d use that certificate when compiling the MOF, and any PSCredential parameters to the resources would have their passwords encrypted.

Thanks Dave,
I could really use a link to show how to set that up reasonably securely… I am using Group Policy (via a Powershell Script) to do the initial client registration so collecting a specific .cer file from an internal UNC Path and installing it by script as part of the registration process is a possibility.
That’s a good video Flynn, thanks for sharing.

“reasonably securely” is going to be different from client to client. The key take away here is that if they clients wish to share the MOF, they need to share the certificate private key so they can decry-pt the credentials. As such there are a couple things you have to keep in mind:

1. How secure is the UNC path you are storing the certificate? Remember this houses the private key, so if it’s compromised they can see everything being pulled on any box. A lot of potential passwords are being held by this key.
2. How long is the certificate valid for and what is your update process? Certs expire, so you either have to increase the validity date or devise a reliable update strategy as every server in your environment could potentially “expire” at the same time.
3. How do you make the public key available to those compiling MOF files? Or do you not do this and automate that? Otherside of the tooling question, but it needs to be asked due to the risk of this key getting out.