To a world of better compliance, probably
Hi all,
Based on questions in the forum and the lack of descriptive examples, I wrote down
some example scripts to ease configuration and usage.
Quick Background - To enable nodes to report status to a central location, v4 DSC
had an option to create a compliance server via a resource inside
xPSDesiredStateConfiguration with a matching IsComplianceServer toggle bit in the
Pull Server creation script.
In v5 there's no more ComplianceServer, though the compliance server resource and
toggle are still inside, most likely for backward compatibility.
You will see a couple of examples for v5 DSC that still use the resource and the toggle,
including, unfortunately again, Sample_xDscWebService.ps1 that comes with the latest
version 3.7.0.0 of the xPSDesiredStateConfiguration resource.
Do note, from tests done by Justin King: if you want to use the new method of node
registration via RegistrationKey, you really do NOT want to use IsComplianceServer=$True.
More Info:
https://powershell.org/forums/topic/confignames-being-awfully-quiet/
That said, the PowerShell documentation on Microsoft's site, which is updated from the
GitHub repo, does contain fixed examples, if somewhat limited in explanation. It's being
updated quite often and published to the public. Hop to the PowerShell DSC Docs GitHub link if you're into contributing.
More Info:
https://msdn.microsoft.com/en-us/powershell/dsc/pullserver
Scenario
Srv1 was our Pull Server
Srv3 is our Pull client getting resources from Srv1
We don't want the reporting to be registered at SRV1, so we build a new Pull Server
on Srv2 and update the LCM on Srv3 accordingly.
Note that you can also separate the resources, a.k.a. modules, to be pulled from another
server. Secondly, I'm not going into how to get a certificate or install it, as it's out of scope.
CreatePullServer_SRV1.ps1
# Configuration for creating a PullServer V2 (PS 5.0)
Configuration CreatePullServer
{
    param
    (
        [ValidateNotNullOrEmpty()][string] $ComputerName,
        [ValidateNotNullOrEmpty()][String] $CertificateThumbprint
    )

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration -ModuleVersion 3.7.0.0

    Node $ComputerName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = 'Present'
            Name   = 'DSC-Service'
        }

        xDscWebService PSDSCPullServer
        {
            Ensure                       = 'Present'
            EndpointName                 = 'PSDSCPullServer'
            Port                         = 8080
            PhysicalPath                 = 'D:\WebSites\PSDSCPullServer'
            CertificateThumbPrint        = $CertificateThumbprint
            State                        = 'Started'
            ModulePath                   = 'C:\Program Files\WindowsPowerShell\DscService\Modules'
            ConfigurationPath            = 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
            RegistrationKeyPath          = 'C:\Program Files\WindowsPowerShell\DscService'
            AcceptSelfSignedCertificates = $false
            # Set explicitly rather than relying on the default
            IsComplianceServer           = $false
            DependsOn                    = '[File]RegistrationKeyFile'
        }

        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = 'C:\Program Files\WindowsPowerShell\DscService\RegistrationKeys.txt'
            # Shared key that nodes present when registering; must match RegistrationKey in the LCM script
            Contents        = '5e2e5153-62b8-44a3-958e-198eafc7218a'
            DependsOn       = '[WindowsFeature]DSCServiceFeature'
        }
    }
}

# Certificate should also be installed at the target server beforehand
$myCertPath = '.\DSCPullServer.pfx'
$myCertThumbprint = (Get-PfxCertificate -FilePath $myCertPath).Thumbprint

CreatePullServer -ComputerName SRV1 -CertificateThumbprint $myCertThumbprint -OutputPath '.\'
Start-DscConfiguration -ComputerName SRV1 -Path '.\' -Force -Wait -Verbose
I've bound the creation of the pull server to the creation of the RegistrationKeys.txt but you
can obviously remove that.
The code for SRV2, follows:
Note I didn't change the RegistrationKey as it's not needed, but of course you can, as long
as you remember to change it in the LCM script as well.
And most importantly, we are NOT using IsComplianceServer at all. I used it in the script
just to not have any doubts and not take it for granted that $false is the default value.
CreatePullServer_SRV2.ps1
# Configuration for creating a PullServer for ReportServer V2 (PS 5.0)
Configuration CreatePullServer
{
    param
    (
        [ValidateNotNullOrEmpty()][string] $ComputerName,
        [ValidateNotNullOrEmpty()][String] $CertificateThumbprint
    )

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration -ModuleVersion 3.7.0.0

    Node $ComputerName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = 'Present'
            Name   = 'DSC-Service'
        }

        xDscWebService PSDSCPullServer
        {
            Ensure                       = 'Present'
            # Same resource as on SRV1; only the endpoint name and physical path differ
            EndpointName                 = 'PSDSCReportServer'
            Port                         = 8080
            PhysicalPath                 = 'D:\WebSites\PSDSCReportServer'
            CertificateThumbPrint        = $CertificateThumbprint
            State                        = 'Started'
            ModulePath                   = 'C:\Program Files\WindowsPowerShell\DscService\Modules'
            ConfigurationPath            = 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
            RegistrationKeyPath          = 'C:\Program Files\WindowsPowerShell\DscService'
            AcceptSelfSignedCertificates = $false
            # Set explicitly rather than relying on the default
            IsComplianceServer           = $false
            DependsOn                    = '[File]RegistrationKeyFile'
        }

        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = 'C:\Program Files\WindowsPowerShell\DscService\RegistrationKeys.txt'
            # Shared key that nodes present when registering; must match RegistrationKey in the LCM script
            Contents        = '5e2e5153-62b8-44a3-958e-198eafc7218a'
            DependsOn       = '[WindowsFeature]DSCServiceFeature'
        }
    }
}

# Certificate should also be installed at the target server beforehand
$myCertPath = '.\DSCPullServer.pfx'
$myCertThumbprint = (Get-PfxCertificate -FilePath $myCertPath).Thumbprint

CreatePullServer -ComputerName SRV2 -CertificateThumbprint $myCertThumbprint -OutputPath '.\'
Start-DscConfiguration -ComputerName SRV2 -Path '.\' -Force -Wait -Verbose
And last but not least, the SRV3 LCM script:
MetaConfig_SplitReport.ps1
# Configuration for creating a LCM V2 (PS 5.0)
[DSCLocalConfigurationManager()]
Configuration LCMMetaConfig
{
    param
    (
        [ValidateNotNullOrEmpty()][string] $ComputerName
    )

    node $ComputerName
    {
        Settings
        {
            RefreshMode                    = 'Pull'
            ConfigurationMode              = 'ApplyAndMonitor'
            ActionAfterReboot              = 'ContinueConfiguration'
            RebootNodeIfNeeded             = $false
            ConfigurationModeFrequencyMins = 15
            RefreshFrequencyMins           = 30
            AllowModuleOverwrite           = $true
        }

        # Configurations are pulled from SRV1
        ConfigurationRepositoryWeb PullServerConfig
        {
            ServerURL          = 'https://SRV1:8080/PSDSCPullServer.svc'
            RegistrationKey    = '5e2e5153-62b8-44a3-958e-198eafc7218a'
            ConfigurationNames = @("SRV_Base")
        }

        # Status reports are sent to SRV2
        ReportServerWeb ReportServerConfig
        {
            ServerURL       = 'https://SRV2:8080/PSDSCReportServer.svc'
            RegistrationKey = '5e2e5153-62b8-44a3-958e-198eafc7218a'
        }
    }
}

LCMMetaConfig -ComputerName SRV3 -OutputPath '.\'
Set-DscLocalConfigurationManager -ComputerName SRV3 -Path '.\' -Verbose
Initially, you do not want to split the locations.
Unless you manage 1000 servers; then you might say the traffic back and forth,
especially every 30 min (if that's the LCM setting you set), plus pulling the resources
when there are changes, might be an excess on the network bandwidth.
Even more so if the server you installed the Pull Server on isn't a dedicated one and has
more web sites.
The main reason the separation was made is basically for Push mode, to allow those
using that method to still get a central repository for node status.
Remember that in LCM v5, you can now query two new parameters:
LCMState
LCMStateDetail
to get the current state information, but it's limited and obviously holds no history.
More Info:
https://msdn.microsoft.com/en-us/powershell/wmf/dsc_statestatus
OK, Pull Server and Report Server sorted.
What do I do with it exactly?
Well, the Report Server is an OData endpoint which exposes the information via a REST
API. This means you can use Invoke-WebRequest to get JSON back and then parse it.
This is a bit out of scope for this time, but do follow the link and I'm sure
you can find other links generally explaining what Invoke-WebRequest is and how to
handle JSON objects.
https://msdn.microsoft.com/en-us/powershell/dsc/reportserver
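The query described above, as an added example that is not part of the original post: it reads a node's reports from the SRV2 report endpoint and flags runs that failed or found resources out of the desired state. The function names are hypothetical, the AgentId is assumed to be the one Get-DscLocalConfigurationManager shows on the node, and the JSON sample is constructed.

```powershell
# Added example; function names are hypothetical. Field names follow the
# report format documented on the reportserver page linked above.
function Get-DscNodeReport {
    param(
        [Parameter(Mandatory)][string] $AgentId,  # AgentId from Get-DscLocalConfigurationManager on the node
        [string] $ServiceUrl = 'https://SRV2:8080/PSDSCReportServer.svc'
    )
    $uri = "$ServiceUrl/Nodes(AgentId='$AgentId')/Reports"
    $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop `
        -ContentType 'application/json;odata=minimalmetadata;streaming=true;charset=utf-8' `
        -Headers @{ Accept = 'application/json'; ProtocolVersion = '2.0' }
    (ConvertFrom-Json $response.Content).value
}

function Get-DscReportSummary {
    param([Parameter(Mandatory)][object[]] $Report)
    $Report | ForEach-Object {
        # StatusData is an array of JSON strings, so it needs a second parse
        $detail = $_.StatusData | Where-Object { $_ } | ForEach-Object { ConvertFrom-Json $_ }
        $drift  = @($detail.ResourcesNotInDesiredState | Where-Object { $_ })
        [pscustomobject]@{
            StartTime      = $_.StartTime -as [datetime]
            Operation      = $_.OperationType
            Status         = $_.Status
            Drifted        = $drift.ResourceId -join ', '
            NeedsAttention = ($_.Status -ne 'Success') -or ($drift.Count -gt 0)
        }
    } | Sort-Object StartTime -Descending   # newest run first
}

# Constructed sample of the endpoint's JSON, so the parser can be tried offline
$sample = @'
{"value":[
 {"JobId":"11111111-1111-1111-1111-111111111111","OperationType":"Consistency",
  "Status":"Success","StartTime":"2016-04-03T06:21:43.7220000-07:00",
  "StatusData":["{\"ResourcesNotInDesiredState\":[{\"ResourceId\":\"[File]Baseline\"}]}"]},
 {"JobId":"22222222-2222-2222-2222-222222222222","OperationType":"Initial",
  "Status":"Success","StartTime":"2016-04-03T05:51:40.0000000-07:00",
  "StatusData":["{\"ResourcesInDesiredState\":[]}"]}
]}
'@
Get-DscReportSummary -Report (ConvertFrom-Json $sample).value | Format-Table -AutoSize
```

Against a live server, pipe the output of Get-DscNodeReport into Get-DscReportSummary instead of the sample.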
Hope this clears some questions previously posted and maybe future ones.
Changes will be made to this post to reflect changes in the future.
Have fun DSCing or maybe Complying ?
Arie H.