Tag Archives: DSC

Episode 288 – PowerScripting Podcast – Hal and Jon talk about Splunk and DSC troubleshooting



In This Episode

Tonight on the PowerScripting Podcast, Hal and Jon talk about Splunk and troubleshooting DSC

Links

<migreene> http://aka.ms/dscmp

<alevyinroc> here’s my screen. https://www.dropbox.com/s/5bz3jqbghjsh2lx/Screenshot%202014-10-23%2021.42.33.png?dl=0

<halr9000> https://apps.splunk.com/app/1477/

<halr9000> wave 7 shipped https://gallery.technet.microsoft.com/scriptcenter/DSC-Resource-Kit-All-c449312d

<halr9000> wrong link: this one: https://gallery.technet.microsoft.com/xExchange-PowerShell-1dd18388/

<halr9000> http://blogs.citrix.com/2014/10/09/tech-preview-xendesktop-desired-state-configuration-resource-provider/

<rcookiemonster> They did a series on it a short while back – http://blogs.citrix.com/author/brianeh/ has them I think

<halr9000> http://blogs.msdn.com/b/powershell/archive/2014/01/03/using-event-logs-to-diagnose-errors-in-desired-state-configuration.aspx

<halr9000> http://www.ravichaganti.com/blog/portfolio/book-windows-powershell-desired-state-configuration-revealed/

<migreene> https://gallery.technet.microsoft.com/scriptcenter/xDscDiagnostics-PowerShell-abb6bcaa

<JonWalz> https://gallery.technet.microsoft.com/scriptcenter/xDscResourceDesigne-Module-22eddb29

<halr9000> http://blogs.citrix.com/author/brianeh/

Chatroom Highlights:

<Schlauge> ### input into splunk    key/value pairs?    custom objects?

<Schlauge> ### @JonWalz   did you say you have a resource that pushes your PowerShell profile to a remote computer?

Up Next: Configure Exchange with PowerShell DSC with Jason Walker & Mike Hendrickson!


This Thursday, we will be joined by two excellent guests from Microsoft: Jason Walker, and Mike Hendrickson. They will be talking about a rather large bit of PowerShell DSC code: the xExchange Resource Kit! Mike wrote a blog post series on the topic, and his first piece, Introducing xExchange – Managing Exchange 2013 With DSC – Part 1, starts with “why DSC”, and goes on to examine the contents of this resource kit.

We will talk about it live this Thursday night at 9:30 PM EST, and we would love for you to join us! Viewers of the live stream get to submit questions and interact with their fellow PowerShell peers, so don’t miss out!

The current and future state of the Windows Management Framework


On the 2nd of October, Lee Holmes gave a presentation about the current and future state of the Windows Management Framework (WMF) at the Dutch PowerShell User Group (DuPSUG) meeting at the Microsoft headquarters in the Netherlands.

The slide decks and recorded videos will be made available soon, but this is what was discussed:

The release cycle of the Windows Management Framework (WMF)

Incremental preview versions are being released at a faster pace. This rapid development means that companies that need specific new functionality to tackle problems they currently have don’t have to wait as long as they did in the past.

Everyone should keep in mind that documentation for preview versions can be more limited, but should still read the release notes carefully. They contain descriptions of some of the improvements that are discussed in this blog post, but also cover other things that aren’t discussed here. Also be sure to take a look at What’s New in Windows PowerShell at TechNet.

A request from the audience was to include more helpful real-life examples until documentation is fully up-to-date.

 

Desired State Configuration (DSC) partial/split configurations

With DSC partial/split configurations it is possible to combine multiple separate DSC configurations into a single desired state. This could be useful when a company has different people or departments that are each responsible for a specific part of the configuration (for example Windows, database, applications).

 

OneGet

OneGet is a Package Manager Manager (it manages package managers). It enables companies to find, get, install and uninstall packages from both internal and public sources. Public repositories can contain harmful files and should be treated accordingly.

Besides the OneGet module included in the Windows Management Framework Preview, updated versions are continuously being uploaded to https://github.com/OneGet/oneget by Microsoft. These can include bug fixes and new functionality like support for more provider types.

While in the past it seemed that NuGet was required, during the PowerShell Summit it was demonstrated that a file share can be used as well.

From the audience a question was raised whether BITS (Background Intelligent Transfer Service) could be used. This is currently not the case and there were also no plans yet to implement it.

 

PowerShellGet

PowerShellGet is a module manager which should make it easier to find the many great modules that are already available, but are not very discoverable because they’re fragmented on numerous websites across the Internet.

Microsoft is currently hosting a gallery of modules. The modules that are available in there are currently being controlled by Microsoft, but this might change in the future.

It is possible to create an internal module source and the save location for modules can be specified as well.

 

PSReadLine

PSReadLine is a bash-inspired readline implementation for PowerShell that improves the command line editing experience in the PowerShell.exe console. It includes syntax coloring and CTRL+C and CTRL+V support. For more information about other improvements, view their website.

PSReadLine is one of the modules that can be installed using PowerShellGet:
Find-Module PsReadLine | Install-Module

 

Security

  • Always be careful when running scripts that include Invoke-Expression or its alias iex because it might run harmful code.
    • For a non-harmful example, take a look at this blog post by Lee Holmes.
  • Many people in the security community are adopting PowerShell.
  • PowerShell code runs in memory and is therefore volatile. To improve security the following enhancements were introduced:
    • Transcript improvements
      • Transcript support was added to the engine so it can be used everywhere, including in the Integrated Scripting Environment (ISE).
      • A transcript file name automatically includes the computer name.
      • Transcript logging can be enforced to be redirected to another system.
      • Transcription can be enforced by default.
  • Group Policy
    • An ADMX file is currently not available to configure it on all platforms, but it can be found in the technical preview versions of Windows 10 and Windows Server under: Administrative Templates -> Windows Components -> Windows PowerShell
  • More advanced Scriptblock logging
    • Enable ScriptBlockLogging through GPO (in later Windows versions) or by registry by setting EnableScriptBlockLogging to 1 (REG_DWORD) in: HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
    • The additional logging will show you what code was run and can be found in event viewer under Applications and Services Logs\Microsoft\Windows\PowerShell\Operational.
    • Scriptblocks can be split across multiple event log entries due to size limitations.
    • Using Get-WinEvent -FilterHashTable it is possible to get related events, extract the information and combine it.
    • Since attackers would want to remove these registry settings and clear event logs, consider using Windows Event Forwarding/SCOM ACS to store this information on another server. Also consider enabling cmdlet logging.
  • Just Enough Admin (JEA)
    • JEA enables organizations to provide operators with only the amount of access required to perform their tasks.
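
The reassembly step described under scriptblock logging above, as an added PowerShell example that is not from the presentation: it groups logged fragments by script block ID, puts them in order, joins the text and flags blocks with missing parts. Event ID 4104 and the property order used in ConvertTo-ScriptBlockFragment are assumptions about the event layout that this page does not state; the function names are hypothetical and the sample fragments are constructed.

```powershell
# Added example: rebuild script blocks that were logged in several pieces.

function ConvertTo-ScriptBlockFragment {
    # Turns an event record from Get-WinEvent into a plain fragment object.
    # Assumed property order of the script block event (ID 4104):
    # MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        [pscustomobject]@{
            ScriptBlockId = [string]$Record.Properties[3].Value
            MessageNumber = [int]$Record.Properties[0].Value
            MessageTotal  = [int]$Record.Properties[1].Value
            Text          = [string]$Record.Properties[2].Value
        }
    }
}

function Merge-ScriptBlockFragment {
    # Groups fragments per script block, orders them and joins the text.
    # Incomplete blocks are reported, since a gap can mean the log wrapped
    # or was cleared before the events were collected.
    param([Parameter(Mandatory)][object[]]$Fragment)

    foreach ($group in ($Fragment | Group-Object -Property ScriptBlockId)) {
        $parts   = @($group.Group | Sort-Object -Property MessageNumber -Unique)
        $total   = $parts[0].MessageTotal
        $present = @($parts | ForEach-Object { $_.MessageNumber })
        $missing = @(1..$total | Where-Object { $present -notcontains $_ })

        [pscustomobject]@{
            ScriptBlockId = $group.Name
            Complete      = ($missing.Count -eq 0)
            MissingParts  = $missing
            Text          = -join ($parts | ForEach-Object { $_.Text })
        }
    }
}

# Constructed sample fragments (not real log data), deliberately out of order.
$sample = @(
    [pscustomobject]@{ ScriptBlockId = 'aaaa-0001'; MessageNumber = 2; MessageTotal = 2; Text = "-Name 'Spooler'" }
    [pscustomobject]@{ ScriptBlockId = 'aaaa-0001'; MessageNumber = 1; MessageTotal = 2; Text = 'Get-Service ' }
    [pscustomobject]@{ ScriptBlockId = 'bbbb-0002'; MessageNumber = 1; MessageTotal = 3; Text = 'Get-ChildItem ' }
    [pscustomobject]@{ ScriptBlockId = 'bbbb-0002'; MessageNumber = 3; MessageTotal = 3; Text = '| Sort-Object Length' }
)

Merge-ScriptBlockFragment -Fragment $sample | Format-List

# On a system with scriptblock logging enabled, feed it from the log instead:
# $fragments = Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
# } | ConvertTo-ScriptBlockFragment
# Merge-ScriptBlockFragment -Fragment $fragments | Where-Object { -not $_.Complete }
```

Running the same merge on the collector that receives forwarded events keeps the reconstructed text out of reach of someone who clears the local log.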

 

New and improved functionality and cmdlets

 

Manage .zip files using Expand-Archive and Compress-Archive

.zip files can be managed using Compress-Archive and Expand-Archive. Other archive types like .rar are not currently supported, but this might be added in future versions.

 

New-Item

It is no longer necessary to specify the item type. To create a new item, simply run
New-Item foo.txt

 

Get-ItemPropertyValue

This makes it easier to get the value of a file property or a registry value:

  • Get-ItemPropertyValue $Env:windir\system32\calc.exe -name versioninfo
  • Get-ItemPropertyValue -Path HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics -Name ExecutionPolicy

 

Symbolic links support for New-Item, Remove-Item and Get-ChildItem

Symbolic link files and directories can now be created using:

  • New-Item -ItemType SymbolicLink -Path C:\Temp\MySymLinkFile.txt -Value $pshome\profile.ps1
  • New-Item -ItemType SymbolicLink -Path C:\Temp\MySymLinkDir -Value $pshome

Junctions cannot currently be created, but this might also be added in a later version.

 

Debugging using Enter-PSHostProcess and Exit-PSHostProcess

These cmdlets let you debug Windows PowerShell scripts in processes separate from the current process that is running in the Windows PowerShell console (for example, long-running or looping code). Run Enter-PSHostProcess to enter, or attach to, a specific process ID, and then run Get-Runspace to return the active runspaces within the process. Run Exit-PSHostProcess to detach from the process when you are finished debugging the script within the process.

 

Use PSEdit to edit files in a remote session directly in ISE

Simply open a new PSSession to a remote computer and type PSEdit <path to a file>.

 

Classes and other user-defined types

    • The goal is to enable a wider range of use cases, simplify development of Windows PowerShell artifacts (such as DSC resources), and accelerate coverage of management surfaces.
    • Classes are useful for structured data. Think, for example, of custom objects that you need to change afterwards.
    • Name of the class and the constructor must be the same.
    • Code is case insensitive.
    • In classes, variables are lexically scoped (matching braces) instead of dynamically scoped.
    • Every return must be explicit.
    • Sample code:

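Class MyClass
{
    # Constructor: has the same name as the class
    MyClass($int1, $int2)
    {
        "In the constructor"
    }

    # Properties
    [int]$Property1
    [DateTime]$Property2

    # Method with a declared return type; the return must be explicit
    [int]MyHelper($param1)
    {
        return 42
    }
}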

 

 

 

 

 

 

 

Episode 275 – PowerScripting Podcast – PowerShell MVP Steve Murawski


A Podcast about Windows PowerShell.

In This Episode

Tonight on the PowerScripting Podcast, we talk to Steve Murawski

Interview

Guest – Steve Murawski

Links

Chatroom Highlights:

<gpduck> https://github.com/powershellorg/dsc

<halr9000> https://github.com/PowerShellOrg/DSC

<gpduck> also here are links to his talks on DSC from summit: https://www.youtube.com/watch?v=BWR2SVXEpXk

<gpduck> https://www.youtube.com/watch?v=nkKyfsy-iQA

<gpduck> https://www.youtube.com/watch?v=JAzjf4sQvro

<randal_hicks> http://technet.microsoft.com/en-us/library/dn249912.aspx

<randal_hicks> https://github.com/PowerShellOrg/DSC

<JonWalz> this is my favorite one-page post about the Summit http://curah.microsoft.com/67912/powershell-summit-na-2014

<halr9000> https://github.com/PowerShellOrg/DSC/tree/master/Resources/StackExchangeResources/DSCResources

<ehorley> Hum, limited to IPv4 only in https://github.com/PowerShellOrg/DSC/blob/master/Resources/cNetworking/DSCResources/PSHOrg_cIPAddress/PSHOrg_cIPAddress.psm1

<halr9000> http://msdn.microsoft.com/en-us/library/dd878343(v=vs.85).aspx

<halr9000> here ya go ehorley https://github.com/PowerShellOrg/DSC/issues/new

<halr9000> https://github.com/PowerShellOrg/DSC/blob/master/Tooling/DscDevelopment/New-MofFile.ps1

<halr9000> https://github.com/PowerShellOrg/DSC/issues/26


<ehorley> Might have to try and make the Lisa event – https://www.usenix.org/conference/lisa14

<KC1> ORGANICIT – see http://powershell.org/wp/2013/10/03/building-a-desired-state-configuration-pull-server/

<KC1> http://davewyatt.wordpress.com/2014/06/07/how-to-install-a-dsc-pull-server-on-windows-2008-r2/

<halr9000> http://stevenmurawski.com/

<halr9000> http://www.opsallthethings.com/

<randal_hicks> https://twitter.com/StevenMurawski

<stevenmurawski> https://twitter.com/therubyrep

<gpduck> https://twitter.com/opsallthethings

<JonWalz> http://www.zombiepodcast.com/

<halr9000> http://scottsigler.com/

<stevenmurawski> http://www.arresteddevops.com/

<stevenmurawski> http://theshipshow.com/

<gpduck> ## steven you need to talk to jason helmick about how those tutorials work and possibly doing something similar at summit next year

<logicaldiagram> ## You’ll still manage the powershell.org repo then?

<Vern_Anderson> ## Do you use System Center?

<KC1> ##I really like the git hub feel and his code seems organized and clear. Was the ability to organize it into levels why he chose github over poshcode? Or is PoshCode more for random scripts? Apologies if this question was already asked/answered

<JasonMor_> ## but you have to run that twice right?

<organicit> ## maybe someone already asked but can Steve elaborate on what he uses for a build server?

The Question – what was the first task you completed with PowerShell?

  • resetting user passwords in AD

Tonight on the podcast–Jeffrey Snover!


Hi everyone, it’s summer and we are recording on Wednesday. Don’t forget to drop by tonight of all nights, because we are pleased to have Jeffrey Snover back again! Topics include JEA, software defined datacenter, DSC for Linux, and anything else that YOU want to talk about!

You can join us live at 9:30 PM at live.powerscripting.net and ask questions of the inventor of PowerShell, and architect of Windows Server and System Center. Don’t miss it!

DSC Pull Server on Windows Server 2008 R2


Recently on the PowerShell.org forums, a community member mentioned that they were having trouble setting up a Server 2008 R2 machine as a DSC pull server. It turns out, this is possible, but you have to install all the prerequisites yourself, since the Add-WindowsFeature DSC-Service command doesn’t do it for you on the older operating system.

Refer to this blog post for the checklist.

Patterns for Implementing a DSC Pull Server Environment


My Patterns for Implementing a DSC Pull Server Environment talk from the PowerShell Summit is now online.

Enjoy!

Building Scalable Configurations With DSC


My Building Scalable Configurations with DSC talk from the PowerShell Summit is now online.

Enjoy!

Episode 265 – PowerScripting Podcast – Narayanan Lakshmanan from the PowerShell Team on DSC


A Podcast about Windows PowerShell.

In This Episode

Tonight on the PowerScripting Podcast, we talk to Narayanan Lakshmanan from the PowerShell team about DSC

News

Interview

Guest – Narayanan Lakshmanan

Links

 

Chatroom Highlights:

<JimB_> ### for a DSC noob, how well does it compare with Puppet?  Linux guys are pushing and I am not too familiar with it.  Does an IT shop need both?

<marc_carter> ##DSC noob here too…any suggestions or some practical examples to gain some familiarity?

<alexandair1> ## when can we expect to get resources written by other product teams?

<stevenmurawski> ##Will Test-TargetResource tell you what’s deviating if it fails?

<justpaul> ## will MS require the various teams to provide DSC resources (aka stop-ship, like they did with powerShell cmdlets)

<stevenmurawski> ##When will the DscResourceDesigner’s Test-DscResource handle more complex schema.mofs?

<stevenmurawski> ##What’s failing is the wave resources that you’ve released fail to validate with Test-DscResource

<stevenmurawski> ## How far downlevel will WMF5 be supported?  2008R2?

<stevenmurawski> ### What is N for WMF5?

<alevyinroc> totally unrelated…on win 8.1, how would one get past “access denied” when trying to use location services (like this: http://www.verboon.info/2013/10/powershell-script-get-computergeolocation/)

<Vern_Anderson> http://youtu.be/JM7e5tsYOi8

<Vern_Anderson> http://channel9.msdn.com/Events/Build/2014  << For those who missed the keynote

<Vern_Anderson> http://blogs.technet.com/b/windowsserver/archive/2014/04/03/windows-management-framework-v5-preview.aspx

<Vern_Anderson> https://oneget.codeplex.com/

<halr9000> http://blogs.msdn.com/b/powershell/archive/2014/03/28/dsc-resource-kit-wave-3.aspx

<Vern_Anderson> http://blogs.technet.com/b/windowsserver/archive/2014/04/03/windows-management-framework-v5-preview.aspx

<halr9000> dsc reskit wave 1 http://blogs.msdn.com/b/powershell/archive/2013/12/26/holiday-gift-desired-state-configuration-dsc-resource-kit-wave-1.aspx

<halr9000> wave 2 http://blogs.msdn.com/b/powershell/archive/2014/02/07/need-more-dsc-resources-announcing-dsc-resource-kit-wave-2.aspx

<halr9000> dsc reskit home http://gallery.technet.microsoft.com/scriptcenter/DSC-Resource-Kit-All-c449312d

<brwilkinson> @marc_carter check the book here https://github.com/PowerShellOrg/ebooks/tree/master/DSC

<Vern_Anderson> http://en.wikipedia.org/wiki/Managed_Object_Format

<ScriptWarrior> http://social.technet.microsoft.com/Search/en-US?query=desired%20state%20configuration&ac=3

<halr9000> http://gallery.technet.microsoft.com/scriptcenter/xDscResourceDesigne-Module-22eddb29

<Francois-Xavier> https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=microsoft.holsystems.com&altadd=true&labid=10068

<Vern_Anderson> http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/MDC-B302

<Vern_Anderson> http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/MDC-H310

<Vern_Anderson> http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/MDC-IL206-R#fbid=

The Question -

  • Superhero – He-Man

Tonight, Nana from the PowerShell team talks DSC and more!


Tonight, we’re pleased to have Narayanan (Nana) Lakshmanan, Senior Development Lead from the PowerShell team at Microsoft on the show! One of our big areas to cover is going to be DSC, and what Microsoft has been doing with the out-of-band releases of DSC resources with the DSC Resource Kit, which is now up to 50 resources!

We Want Your DSC Resource Wish List!


What sorts of things would you want to configure via DSC that don’t already have a resource?

NB: Focusing on the core Windows OS and its components only; Exchange, SharePoint, SQL Server, and other products are off the table for this discussion.

For example, I want a “log file rotator” resource, that lets me specify a log file folder, an archive folder, and a pair of dates. Files older than one date are moved from the log folder to the archive folder; archived files older than the second date are deleted.

I’d also like a File Permissions resource. Specify a folder or file, optional recursion, and a set of access control entries (in plain English terms), and it’ll make sure the permissions stay that way.

Maybe also a User Home Folder resource, which would (a) ensure a folder exists for a given set of user accounts, and (b) ensures a set of “template” permissions, so that each individual user has the rights to their folder, plus rights given to global users like admins.

What resources would YOU like to have to ease configuration and maintenance in YOUR environment? Drop a comment!

Going Deeper on DSC Resources


Desired State Configuration is a very new technology and declarative configuration management is a very young space yet.  We (Microsoft and the community) are still figuring out the best structure for resources, composite configurations, and other structures.

That said, there are certain viewpoints that I’ve come to, either from hands on experience or in watching how other communities (like the Puppet community or Chef community) handle similar problems.

How Granular Should I Get?

There is no absolute answer.

Very, Very Granular

Resources should be very granular in the abstract, but in practice, you may need to make concessions to improve the user experience.

For example, when I configure an IP address for a network interface, I can supply a default gateway. A default gateway is a route, which is separate from the interface and IP address, but in practice they tend to be configured together. In this case, it might make sense to offer a resource that can configure both the IP address and the default gateway.

I tend to think resources should be very granular. We can use composite resources to offer higher level views of the configuration. If I were implementing a resource to configure a network adapter’s IP and gateway, I would have a route resource, an IP address resource, and probably a DNS server setting resource. I would then also have a composite resource to deal with the default use case of configuring a network adapter’s IP address, gateway, and DNS servers together.

The benefit of doing it this way is that I still have very discrete, flexible primitives (the IP address resource, the route resource, and the DNS server resource). I can then leverage the route resource to create static routes, or use them directly to more discretely configure the individual elements.

Unless…

You have some flow control that you need to happen based on the state of the client or the environment.  Since your configuration is statically generated and is declarative, there are no flow control statements in the configuration MOF document.  That means that any logic that needs to occur at application time

Unfortunately, this leads to the need to re-implement common functionality.  For example, if I have a service that I need to be able to update the binary (not via an MSI), I need to basically re-implement parts of the file and service resource.  This use case requires a custom resource because I need to stop the service before I can replace the binary, but I don’t want to stop the service with every consistency check if I don’t need to replace the file.

This scenario begs for a better way to leverage existing resources in a cross resource scenario (kind of like RequiredModules in module metadata), but there isn’t a clean way to do this that I’ve found (but I’m still looking!).

My Recommendation

So for most cases, I would try to use existing resources or build very granular custom resources.  If I need to offer a higher level of abstraction, I’d escalate to putting a composite resource on top of those granular resources.  Finally, if I need some flow control or logic for a multistep process, I’d implement a more comprehensive resource.

What Should I Validate?

Now that we are seeing some more resources in the community repository (especially thanks to the waves of resources from the PowerShell Team!), we are seeing a variety of levels of validation being performed.

I think that the Test-TargetResource function should validate all the values and states that Set-TargetResource can set.

An example of where this isn’t happening currently is in the cNetworking resource for PSHOrg_cIPAddress.  I’m going to pick on this resource a bit, since it was the catalyst for this discussion.

The resource offers a way to set a default gateway as well as the IP address.  So what happens if after setting the IP and default gateway, someone changes the default gateway to point to another router?

In this case, the validation is only checking that the IP address is correct.  DSC will never re-correct the gateway and our DSC configuration document (the MOF file) is no longer an accurate representation of the system state, despite the fact that the Local Configuration Manager (LCM) will report that everything matches.

This is BAD!!  If a resource offers an option to configure a setting, that setting should be validated by Test-TargetResource, otherwise that setting should be removed from the resource.  The intent of DSC is to control configuration, including changes over time and return a system to the desired state.  If we ignore certain settings, we weaken our trust in the underlying infrastructure of DSC.

What should I return?

The last element I’m going to tackle today is what should be returned from Get-TargetResource.  I’ve been on the fence about this one.  Like with Test-TargetResource, there are a number of implementation examples that vary in how they come up with the return values.

Currently, I don’t see a ton of use for Get-TargetResource and it doesn’t impact the Test and Set phases of the LCM, so it’s been easy to ignore.  This is bad practice (shame on me).

Here are my thoughts around Get-TargetResource.  It should return the currently configured state of the machine.  Directly returning parameters passed in is misleading.

Going back to the PSHOrg_cIPAddress from the earlier example, it directly returns the default gateway from the parameter, regardless of the configured gateway.  This wouldn’t be so bad if the resource actually checked the gateway during processing and could correct it if it drifted.  But it does not check the gateway, so Get-TargetResource could be lying to you.

The most consistent result of Get-TargetResource would be retrieving the currently configured settings.
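
The two points made above, that Test-TargetResource should check every setting the resource can set and that Get-TargetResource should report live state, shown together in an added PowerShell example. This is not the PSHOrg_cIPAddress code: the parameter set and the helpers Get-CurrentIPv4State and Compare-IPv4State are hypothetical, and the two states at the end are constructed to reproduce the gateway drift case.

```powershell
# Added example, not the PSHOrg_cIPAddress code. Helper names and the
# parameter set are assumptions made for illustration.

function Get-CurrentIPv4State {
    # Hypothetical helper: reads what the machine really has configured.
    # Takes the first IPv4 address and first default route on the interface.
    param([Parameter(Mandatory)][string]$InterfaceAlias)
    $ip = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 `
              -ErrorAction SilentlyContinue | Select-Object -First 1
    $route = Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' `
              -ErrorAction SilentlyContinue | Select-Object -First 1
    @{
        InterfaceAlias = $InterfaceAlias
        IPAddress      = $ip.IPAddress
        DefaultGateway = $route.NextHop
    }
}

function Compare-IPv4State {
    # Hypothetical helper: returns the name of every setting that drifted.
    # Only keys present in $Desired are checked, so an optional setting that
    # was not specified is not enforced.
    param([hashtable]$Desired, [hashtable]$Current)
    foreach ($key in $Desired.Keys) {
        if ($Desired[$key] -ne $Current[$key]) {
            Write-Verbose "$key is '$($Current[$key])', expected '$($Desired[$key])'"
            $key
        }
    }
}

function Get-TargetResource {
    [OutputType([hashtable])]
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$DefaultGateway
    )
    # Report live state, never an echo of the parameters passed in.
    Get-CurrentIPv4State -InterfaceAlias $InterfaceAlias
}

function Test-TargetResource {
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$DefaultGateway
    )
    # Every setting the resource can set is part of the comparison.
    $desired = @{ InterfaceAlias = $InterfaceAlias; IPAddress = $IPAddress }
    if ($PSBoundParameters.ContainsKey('DefaultGateway')) {
        $desired.DefaultGateway = $DefaultGateway
    }
    $current = Get-CurrentIPv4State -InterfaceAlias $InterfaceAlias
    $drift = @(Compare-IPv4State -Desired $desired -Current $current)
    $drift.Count -eq 0
}

# Constructed states for the drift case in the text: the IP address still
# matches, but someone pointed the default gateway at another router.
$desired = @{ InterfaceAlias = 'Ethernet'; IPAddress = '192.0.2.10'; DefaultGateway = '192.0.2.1' }
$current = @{ InterfaceAlias = 'Ethernet'; IPAddress = '192.0.2.10'; DefaultGateway = '192.0.2.254' }

$drift = @(Compare-IPv4State -Desired $desired -Current $current)
"Drifted settings: $($drift -join ', ')"
```

Because the comparison names each drifted setting in verbose output, a failed consistency check also shows what deviated.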

What’s left?

What other burning questions do you have around DSC?  Let’s keep talking them through either in the forums or in the comments here.

My DSC Demo-Class Setup Routine


I think I’ve gotten my DSC classroom and demo setup ready. Understand that this isn’t meant to be production-friendly – it doesn’t automate some stuff because I want to cover that stuff in class by walking through it. But, I thought I’d share.

I’ve basically made an ISO that I can carry into class, attach to a Win2012R2 VM and a Win81 VM, and run students through. The server VM is a DC in “company.pri” domain, and the client VM belongs to that domain.

In the root of the ISO are these scripts: ISO_Root (unzip that). Students basically just open PowerShell, set the execution policy to RemoteSigned or Unrestricted, and then run SetupLab -DVD D:, replacing “D:” with the drive letter of the VM’s optical drive. The script isn’t super-intelligent since I demo it at the same time; it needs the colon after the drive letter.

In a folder called DSC_Modules, I add the following DSC modules (unzipped): xActiveDirectory, xComputerManagement, xDscDiagnostics, xDscResourceDesigner, xNetworking, xPSDesiredStateConfiguration_1.1, xSmbShare, xSqlPs, xWebAdministration.

In a folder called DSC_Pull_Examples, I include these scripts: DSC_Pull_Examples (unzip that).

In a folder called eBooks, I include these files: eBooks (unzip that). Those get used in a lot of the demos I do, so I have the lab setup scripts copy over some script modules.

In a folder called Help, I have a file called Help.zip. This contains everything downloaded by the Save-Help command in PowerShell. The Setup script unzips this into the VM and then runs Update-Help against it, so the VM doesn’t need to be Internet-connected.

In a folder called Hotfix, I have the Windows8.1-KB2883200-x64.msu hot fix installer. I include the 32-bit version also, just in case, but my script doesn’t use it.

In a folder called Installers, I have installers for PrimalScript, PowerShell Studio, and SQL Server Express with Advanced Services. Again, those get used a lot in my classes, but the setup script doesn’t rely on them.

Finally, in a folder called sxs, I have the contents of the Windows 8.1 installation media’s \Sources\sxs folder. Some of the things my setup script does – like adding .NET Framework 3.5 so SQL Server 2012 will work – rely on features that aren’t in a Win8.1 VM, normally. Because I don’t want to rely on the Internet, I include this source so I can install new features from it.

This is all pretty specific to the way I run classes, but if there’s any use you can make of it, feel free.