New DSC Pull Server on 2016

So I have this new Pull Server, and mind you this is my first foray into DSC, and i got it setup with a SSL cert and all that jazz and was able to confirm it’s at least providing the proper response when I perform this:

([xml](Invoke-WebRequest "https://$($fqdn):8080/psdscpullserver.svc" | % Content)).service.workspace.collection.href

I get the expected result of

Configurations
Modules
Action
Module
StatusReport
Node
Reports
Nodes

So I’m thinking all is good, so I go to do my pull client registration and wham, I get this,

he client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or
WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

Well, I’m using a secure config over IIS, so WinRM shouldn’t be a factor. So my question is, what am I missing here? My configs are below, and I wish I knew where things where being logged so I would have something to look at, but even the IIS logs are pretty sparse.

Pull Server Config

    param 
    (
        [string[]]$NodeName = 'localhost',

        [ValidateNotNullOrEmpty()]
        [string] $certificateThumbPrint,

        [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
        [ValidateNotNullOrEmpty()]
        [string] $RegistrationKey   # A guid that clients use to initiate conversation with pull server
    )

   Import-DSCResource -ModuleName xPSDesiredStateConfiguration
   Import-DSCResource -ModuleName PSDesiredStateConfiguration
   Import-DSCResource -ModuleName xWebAdministration
   Import-DSCResource -ModuleName xComputerManagement
   
    Node $NodeName
    {
         LocalConfigurationManager
         {
            ConfigurationMode    = "ApplyAndMonitor" #https://docs.microsoft.com/en-us/powershell/dsc/metaconfig
            RebootNodeIfNeeded   = $false
         }

         WindowsFeature IISMgmt
         {
             Ensure     = "Present"
             Name       = "Web-Mgmt-Console"
             Source     = "c:\i386\sources\sxs"
         }

         WindowsFeature DSCServiceFeature
         {
            Ensure = "Present"
            Name   = "DSC-Service"
            Source = "c:\i386\sources\sxs"
         }

         WindowsFeature WinAuth 
         {
            Ensure = "Present"
            Name   = "web-Windows-Auth"
            Source = "c:\i386\sources\sxs"
         }

         WindowsFeature NETHTTPActivation
         { 
            Ensure = "Present"
            Name   = "NET-HTTP-Activation"
            Source = "c:\i386\sources\sxs"
         }

        WindowsFeature ISE
        {
         Ensure = "Absent"
         Name   = "PowerShell-ISE"
         Source = "c:\i386\sources\sxs"
        }
         
        xDscWebService PSDSCPullServer
        {
            Ensure                        = "Present"
            EndpointName                  = "PSDSCPullServer"
            Port                          = 8080
            PhysicalPath                  = "$env:SystemDrive\inetpub\PSDSCPullServer"
            CertificateThumbPrint         = $certificateThumbPrint
            ModulePath                    = "$env:ProgramFiles\WindowsPowerShell\DscService\Modules"
            ConfigurationPath             = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
            State                         = "Started"
            DependsOn                     = @("[WindowsFeature]DSCServiceFeature",
                                             "[WindowsFeature]WinAuth",
                                             "[WindowsFeature]NETHTTPActivation")
            AcceptSelfSignedCertificates  = $false
            Enable32BitAppOnWin64         = $false
            UseSecurityBestPractices      = $false
        }

        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents        = $RegistrationKey
        }

        #Stop the default WebSite
        xWebSite StopDefaultSite
        {
           Ensure       = "Present"
           Name         = "Default Web Site"
           State        = "Stopped"
           PhysicalPath = "$env:SystemDrive\inetpub\wwwroot"
           DependsOn    = "[WindowsFeature]DSCServiceFeature"
        }
    }
}

Client Registration

[DSCLocalConfigurationManager()]
configuration PullClientRegistration
{
   param
   (
      [ValidateNotNullOrEmpty()]
      [string]$NodeName,

      [ValidateNotNullOrEmpty()]
      [string]$RegistrationKey,

      [ValidateNotNullOrEmpty()]
      [string]$PullServer
   )
   Node $NodeName
   {     
      
      Settings
      {
         RefreshMode                      = 'Pull'
         RebootNodeIfNeeded               = $false
         ConfigurationMode                = "ApplyAndMonitor"
         ConfigurationModeFrequencyMins   = 15
      }

      ConfigurationRepositoryWeb $PullServer
      {
         ServerURL                  = "https://$($PullServer):8080/PSDSCPullServer.svc"
         RegistrationKey            = $RegistrationKey
         ConfigurationNames         = @('ClientConfig')
         AllowUnsecureConnection    = $false
         #ConfigurationNames = @($Target)
      }

      ReportServerWeb $PullServer
      {
         ServerURL       = "https://$($PullServer):8080/PSDSCPullServer.svc"
         RegistrationKey = $RegistrationKey
      }
   }
}

Test ClientConfig

configuration ClientConfig
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    
    Node localhost
    {
      WindowsFeature ISE
      {
         Ensure = "Absent"
         Name   = "PowerShell-ISE"
         Source = "c:\i386\sources\sxs"
        }
        
       Service EPOPS
       {
          Name          = "End Point Operations Management Agent"
          StartupType   = "Automatic"
          State         = "Running"
       }
    }
}

WinRM is required by DSC(cmdlet like Start-DSCConfiguration uses it)

Here is an article on running DSC with WinRM disabled, but it looks more trouble then it’s worth.

Using DSC with the WinRM service disabled

I thought the point of the DSC Pull server using HTTPS was so one didn’t have to have WinRM configured everywhere?

Nnnnooo… DSC wants to use WinRM regardless of whether you use HTTP or HTTPS. It’s not using WinRM to talk to the pull server; that indeed happens over HTTP(S). It wants to use it to talk to itself locally, because DSC operates out of the CIM repository, and CIM uses WinRM. This isn’t PowerShell Remoting (e.g., MS-PSRP protocol); it’s CIM. So you don’t have to Enable-PSRemoting, but you do need CIM to be usable.

That actually makes a lot of sense explained that way, I just wish the docs would say that and clearly state it as a pre-req for DSC.
Now to try and figure out how to fully use the Pull Server config, not as straight forward as I was hoping to do something as simple as remove PowerShell ISE and ensure a service is running on a Pull Client. Start small and go bigger LOL.

You may want to pick up “The DSC Book” from Leanpub. I spent a lot of time writing this all down in it.

Pull Client isn’t a service; the LCM runs as a scheduled task and is trigged via the CIM repository. ISE has nothing to do with it.

Oh ISE was just an example of how DSC can manage a server without having to touch each and every server, and ISE is one of those things that’s not good to have on a server generally and not impactful to add and remove at will.
As far as the book, yeah, $60 is a bit steep for something that should be straight forward and simple. I mean I manage a global Windows and VMware infrastructure and do C#, PowerShell, and Perl programming to provide automation, DSC should be dirt simple one would think in comparison.
Nevertheless I will take a look at it, maybe a business expense…

It’s actually a fairly complex technology with a lot of subtle nuances and some serious need for smart design. I think VMware is pretty complex, too; I remember spending a good bit more than $60 to learn it back in the day [grin].

And you certainly can learn DSC from the docs. I did. It just takes a lot of work, and a lot of experimentation.