Tag Archives: DSC

Episode 275 – PowerScripting Podcast – PowerShell MVP Steve Murawski

A Podcast about Windows PowerShell.

In This Episode

Tonight on the PowerScripting Podcast, we talk to Steve Murawski


Guest – Steve Murawski


Chatroom Highlights:

<gpduck> https://github.com/powershellorg/dsc

<halr9000> https://github.com/PowerShellOrg/DSC

<gpduck> also here are links to his talks on DSC from summit: https://www.youtube.com/watch?v=BWR2SVXEpXk

<gpduck> https://www.youtube.com/watch?v=nkKyfsy-iQA

<gpduck> https://www.youtube.com/watch?v=JAzjf4sQvro

<randal_hicks> http://technet.microsoft.com/en-us/library/dn249912.aspx

<randal_hicks> https://github.com/PowerShellOrg/DSC

<JonWalz> this is my favorite one-page post about the Summit http://curah.microsoft.com/67912/powershell-summit-na-2014

<halr9000> https://github.com/PowerShellOrg/DSC/tree/master/Resources/StackExchangeResources/DSCResources

<ehorley> Hum, limited to IPv4 only in https://github.com/PowerShellOrg/DSC/blob/master/Resources/cNetworking/DSCResources/PSHOrg_cIPAddress/PSHOrg_cIPAddress.psm1

<halr9000> http://msdn.microsoft.com/en-us/library/dd878343(v=vs.85).aspx

<halr9000> here ya go ehorley https://github.com/PowerShellOrg/DSC/issues/new

<halr9000> https://github.com/PowerShellOrg/DSC/blob/master/Tooling/DscDevelopment/New-MofFile.ps1

<halr9000> https://github.com/PowerShellOrg/DSC/issues/26

* Vern_Anderson ([email protected]) has quit IRC (Quit:  HydraIRC -> http://www.hydrairc.com <- Nine out of ten l33t h4x0rz prefer it)

<ehorley> Might have to try and make the Lisa event – https://www.usenix.org/conference/lisa14

<KC1> ORGANICIT – see http://powershell.org/wp/2013/10/03/building-a-desired-state-configuration-pull-server/

<KC1> http://davewyatt.wordpress.com/2014/06/07/how-to-install-a-dsc-pull-server-on-windows-2008-r2/

<halr9000> http://stevenmurawski.com/

<halr9000> http://www.opsallthethings.com/

<randal_hicks> https://twitter.com/StevenMurawski

<stevenmurawski> https://twitter.com/therubyrep

<gpduck> https://twitter.com/opsallthethings

<JonWalz> http://www.zombiepodcast.com/

<halr9000> http://scottsigler.com/

<stevenmurawski> http://www.arresteddevops.com/

<stevenmurawski> http://theshipshow.com/

<gpduck> ## steven you need to talk to jason helmick about how those tutorials work and possibly doing something similar at summit next year

<logicaldiagram> ## You’ll still manage the powershell.org repo then?

<Vern_Anderson> ## Do you use System Center?

<KC1> ##I really like the git hub feel and his code seems organized and clear. Was the ability to organize it into levels why he chose github over poshcode? Or is PoshCode more for random scripts? Apologies if this question was already asked/answered

<JasonMor_> ## but you have to run that twice right?

<organicit> ## maybe someone already asked but can Steve elaborate on what he uses for a build server?

The Question – what was the first task you completed with PowerShell?

  • resetting user passwords in AD

Tonight on the podcast–Jeffrey Snover!

Hi everyone, it’s summer and we are recording on Wednesday. Don’t forget to drop by tonight of all nights, because we are pleased to have Jeffrey Snover back again! Topics include JEA, software defined datacenter, DSC for Linux, and anything else that YOU want to talk about!

You can join us live at 9:30 PM at live.powerscripting.net and ask questions of the inventor of PowerShell, and architect of Windows Server and System Center. Don’t miss it!

DSC Pull Server on Windows Server 2008 R2

Recently on the PowerShell.org forums, a community member mentioned that they were having trouble setting up a Server 2008 R2 machine as a DSC pull server. It turns out, this is possible, but you have to install all the prerequisites yourself, since the Add-WindowsFeature DSC-Service command doesn’t do it for you on the older operating system.

Refer to this blog post for the checklist.

Patterns for Implementing a DSC Pull Server Environment

My Patterns for Implementing a DSC Pull Server Environment talk from the PowerShell Summit is now online.


Building Scalable Configurations With DSC

My Building Scalable Configurations with DSC talk from the PowerShell Summit is now online.


Episode 265 – PowerScripting Podcast – Narayanan Lakshmanan from the PowerShell Team on DSC

A Podcast about Windows PowerShell. Listen:

In This Episode

Tonight on the PowerScripting Podcast, we talk to Narayanan Lakshmanan from the PowerShell team about DSC



Guest – Narayanan Lakshmanan



Chatroom Highlights:

<JimB_> ### for a DSC noob, how well does it compare with Puppet?  Linux guys are pushing and I am not too familiar with it.  Does an IT shop need both?

<marc_carter> ##DSC noob here too…any suggestions or some practical examples to gain some familiarity?

<alexandair1> ## when can we expect to get resources written by other product teams?

<stevenmurawski> ##Will Test-TargetResource tell you what’s deviating if it fails?

<justpaul> ## will MS require the various teams to provide DSC resources (aka stop-ship, like they did with powerShell cmdlets)

<stevenmurawski> ##When will the DscResourceDesigner’s Test-DscResource handle more complex schema.mofs?

<stevenmurawski> ##What’s failing is the wave resources that you’ve released fail to validate with Test-DscResource

<stevenmurawski> ## How far downlevel will WMF5 be supported?  2008R2?

<stevenmurawski> ### What is N for WMF5?

<alevyinroc> totally unrelated…on win 8.1, how would one get past “access denied” when trying to use location services (like this: http://www.verboon.info/2013/10/powershell-script-get-computergeolocation/)

<Vern_Anderson> http://youtu.be/JM7e5tsYOi8

<Vern_Anderson> http://channel9.msdn.com/Events/Build/2014  << For those who missed the keynote

<Vern_Anderson> http://blogs.technet.com/b/windowsserver/archive/2014/04/03/windows-management-framework-v5-preview.aspx

<Vern_Anderson> https://oneget.codeplex.com/

<halr9000> http://blogs.msdn.com/b/powershell/archive/2014/03/28/dsc-resource-kit-wave-3.aspx

<Vern_Anderson> http://blogs.technet.com/b/windowsserver/archive/2014/04/03/windows-management-framework-v5-preview.aspx

<halr9000> dsc reskit wave 1 http://blogs.msdn.com/b/powershell/archive/2013/12/26/holiday-gift-desired-state-configuration-dsc-resource-kit-wave-1.aspx

<halr9000> wave 2 http://blogs.msdn.com/b/powershell/archive/2014/02/07/need-more-dsc-resources-announcing-dsc-resource-kit-wave-2.aspx

<halr9000> dsc reskit home http://gallery.technet.microsoft.com/scriptcenter/DSC-Resource-Kit-All-c449312d

<brwilkinson> @marc_carter check the book here https://github.com/PowerShellOrg/ebooks/tree/master/DSC

<Vern_Anderson> http://en.wikipedia.org/wiki/Managed_Object_Format

<ScriptWarrior> http://social.technet.microsoft.com/Search/en-US?query=desired%20state%20configuration&ac=3

<halr9000> http://gallery.technet.microsoft.com/scriptcenter/xDscResourceDesigne-Module-22eddb29

<Francois-Xavier> https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=microsoft.holsystems.com&altadd=true&labid=10068

<Vern_Anderson> http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/MDC-B302

<Vern_Anderson> http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/MDC-H310

<Vern_Anderson> http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/MDC-IL206-R#fbid=

The Question -

  • Superhero – He-Man

Tonight, Nana from the PowerShell team talks DSC and more!

Tonight, we’re pleased to have Narayanan (Nana) Lakshmanan, Senior Development Lead from the PowerShell team at Microsoft on the show! One of our big areas to cover is going to be DSC, and what Microsoft has been doing with the out-of-band releases of DSC resources with the DSC Resource Kit, which is now up to 50 resources!

We Want Your DSC Resource Wish List!

What sorts of things would you want to configure via DSC that don’t already have a resource?

NB: Focusing on the core Windows OS and its components only; Exchange, SharePoint, SQL Server, and other products are off the table for this discussion.

For example, I want a “log file rotator” resource, that lets me specify a log file folder, an archive folder, and a pair of dates. Files older than one date are moved from the log folder to the archive folder; archived files older than the second date are deleted.

I’d also like a File Permissions resource. Specify a folder or file, optional recursion, and a set of access control entries (in plain English terms), and it’ll make sure the permissions stay that way.

Maybe also a User Home Folder resource, which would (a) ensure a folder exists for a given set of user accounts, and (b) ensures a set of “template” permissions, so that each individual user has the rights to their folder, plus rights given to global users like admins.

What resources would YOU like to have to ease configuration and maintenance in YOUR environment? Drop a comment!

Going Deeper on DSC Resources

Desired State Configuration is a very new technology and declarative configuration management is a very young space yet.  We (Microsoft and the community) are still figuring out the best structure for resources, composite configurations, and other structures.

That said, there are certain viewpoints that I’ve come to, either from hands on experience or in watching how other communities (like the Puppet community or Chef community) handle similar problems.

How Granular Should I Get?

There is no absolute answer.

Very, Very Granular

Resources should be very granular in the abstract, but in practice, you may need to make concessions to improve the user experience.

For example, when I configure an IP address for a network interface, I can supply a default gateway. A default gateway is a route, which is separate from the interface and IP address, but in practice they tend to be configured together. In this case, it might make sense to offer a resource that can configure both the IP address and the default gateway.

I tend to think resources should be very granular. We can use composite resources to offer higher level views of the configuration. If I were implementing a resource to configure a network adapter’s IP and gateway, I would have a route resource, an IP address resource, and probably a DNS server setting resource. I would then also have a composite resource to deal with the default use case of configuring a network adapter’s IP address, gateway, and DNS servers together.

The benefit of doing it this way is that I still have very discrete, flexible primitives (the IP address resource, the route resource, and the DNS server resource). I can then leverage the route resource to create static routes, or use them directly to more discretely configure the individual elements.


You have some flow control that you need to happen based on the state of the client or the environment.  Since your configuration is statically generated and is declarative, there are no flow control statements in the configuration MOF document.  That means that any logic that needs to occur at application time

Unfortunately, this leads to the need to re-implement common functionality.  For example, if I have a service that I need to be able to update the binary (not via an MSI), I need to basically re-implement parts of the file and service resource.  This use case requires a custom resource because I need to stop the service before I can replace the binary, but I don’t want to stop the service with every consistency check if I don’t need to replace the file.

This scenario begs for a better way to leverage existing resources in a cross resource scenario (kind of like RequiredModules in module metadata), but there isn’t a clean way to do this that I’ve found (but I’m still looking!).

My Recommendation

So for most cases, I would try to use existing resources or build very granular custom resources.  If I need to offer a higher level of abstraction, I’d escalate to putting a composite resource on top of those granular resources.  Finally, if I need some flow control or logic for a multistep process, I’d implement a more comprehensive resource.

What Should I Validate?

Now that we are seeing some more resources in the community repository (especially thanks to the waves of resources from the Powershell Team!), we are seeing a variety of levels of validation being performed.

I think that the Test-TargetResource function should validate all the values and states that Set-TargetResource can set.

An example of where this isn’t happening currently is in the cNetworking resource for PSHOrg_cIPAddress.  I’m going to pick on this resource a bit, since it was the catalyst for this discussion.

The resource offers a way to set a default gateway as well as the IP address.  So what happens if after setting the IP and default gateway, someone changes the default gateway to point to another router?

In this case, the validation is only checking that the IP address is correct.  DSC will never re-correct the gateway and our DSC configuration document (the MOF file) is no longer an accurate representation of the system state, despite the fact that the Local Configuration Manager (LCM) will report that everything matches.

This is BAD!!  If a resource offers an option to configure a setting, that setting should be validated by Test-TargetResource, otherwise that setting should be removed from the resource.  The intent of DSC is to control configuration, including changes over time and return a system to the desired state.  If we ignore certain settings, we weaken our trust in the underlying infrastructure of DSC.

What should I return?

The last element I’m going to tackle today is what should be returned from Get-TargetResource.  I’ve been on the fence about this one.  Like with Test-TargetResource, there are a number of implementation examples that vary in how they come up with the return values.

Currently, I don’t see a ton of use for Get-TargetResource and it doesn’t impact the Test and Set phases of the LCM, so it’s been easy to ignore.  This is bad practice (shame on me).

Here’s my thoughts around Get-TargetResource.  It should return the currently configured state of the machine.  Directly returning parameters passed in is misleading.

Going back to the PSHOrg_cIPAddress from the earlier example, it directly returns the default gateway from the parameter, regardless of the configured gateway.  This wouldn’t be so bad if the resource actually checked the gateway during processing and could correct it if it drifted.  But it does not check the gateway, so Get-TargetResource could be lying to you.  T

he most consistent result of Get-TargetResource would be retrieving the currently configured settings.

What’s left?

What other burning questions do you have around DSC?  Let’s keep talking them through either in the forums or in the comments here.

My DSC Demo-Class Setup Routine

I think I’ve gotten my DSC classroom and demo setup ready. Understand that this isn’t meant to be production-friendly – it doesn’t automate some stuff because I want to cover that stuff in class by walking through it. But, I thought I’d share.

I’ve basically made an ISO that I can carry into class, attach to a Win2012R2 VM and a Win81 VM, and run students through. The server VM is a DC in “company.pri” domain, and the client VM belongs to that domain.

In the root of the ISO are these scripts: ISO_Root (unzip that). Students basically just open PowerShell, set the execution policy to RemoteSigned or Unrestricted, and then run SetupLab -DVD D:, replacing “D:” with the drive letter of the VM’s optical drive. The script isn’t super-intelligent since I demo it at the same time; it needs the colon after the drive letter.

In a folder called DSC_Modules, I add the following DSC modules (unzipped): xActiveDirectory, xComputerManagement, xDscDiagnostics, xDscResourceDesigner, xNetworking, xPSDesiredStateConfiguration_1.1, xSmbShare, xSqlPs, xWebAdministration.

In a folder called DSC_Pull_Examples, I include these scripts: DSC_Pull_Examples (unzip that).

In a folder called eBooks, I include these files: eBooks (unzip that). Those get used in a lot of the demos I do, so I have the lab setup scripts copy over some script modules.

In a folder called Help, I have a file called Help.zip. This contains everything downloaded by the Save-Help command in PowerShell. The Setup script unzips this into the VM and then runs Update-Help against it, so the VM doesn’t need to be Internet-connected.

In a folder called Hotfix, I have the Windows8.1-KB2883200-x64.msu hot fix installer. I include the 32-bit version also, just in case, but my script doesn’t use it.

In a folder called Installers, I have installers for PrimalScript, PowerShell Studio, and SQL Server Express with Advanced Services. Again, those get used a lot in my classes, but the setup script doesn’t rely on them.

Finally, in a folder called sxs, I have the contents of the Windows 8.1 installation media’s \Sources\sxs folder. Some of the things my setup script does – like adding .NET Framework 3.5 so SQL Server 2012 will work – rely on features that aren’t in a Win8.1 VM, normally. Because I don’t want to rely on the Internet, I include this source so I can install new features from it.

This is all pretty specific to the way I run classes, but if there’s any use you can make of it, feel free.

Building Desired State Configuration Custom Resources

Now that we’ve suitably rested, let’s get back to working with Desired State Configuration.  Now, there are some basic features to work with that ship by default and the PowerShell team has been blogging some additional resources, but in order to do some really interesting thing with DSC, we’ll need to create our own resources.

The High Points

The DSC Resource Structure

DSC resources are (at their most basic) a PowerShell module.  These modules are augmented by a schema.mof file (we’ll get into that more in a minute or two).  These modules expose three main functions, Get-TargetResource, Set-TargetResource, and Test-TargetResource.  All three functions should share the same set of parameters.


Test-TargetResource validates whether your resource is currently in the desired state based on the parameters provided.  This function returns a boolean, $true if the resource is in the state described or $false if not.


Set-TargetResource is the workhorse in this module.  This is what will get things into the correct state.  The convention is to support one parameter called Ensure that can take two values, “Present” or “Absent” to describe whether or not a resource should be applied or removed as described.

(Here’s a little trick.. if you write break your Test-TargetResource into discrete functions, you can use those functions to only run the portions of Set-TargetResource that you need to!)


This is currently the least useful of the commands, but if experience has taught me anything, it’ll likely have an a growing use case over time.

Get-TargetResource returns the current state of the of the resource, returning a hash table of properties matching the parameters supplied to the command.

Exporting Commands

This module should explicitly export these commands via either Export-ModuleMember or a module manifest.  If you don’t, Import-DscResource will have trouble loading the resources when you try to generate a configuration (it’s not a problem for running a configuration, just the generation part).

The Managed Object Framework (MOF) Schema

The last piece of the DSC Resource is a schema file that maps the parameters for the command to a CIM class that can be registered in WMI.  This allows us to serialize the configuration parameters to a standards-based format and allows the Local Configuration Manager to marshal the parameters back to call the PowerShell functions for the phase that the LCM is in.  This file is named modulename.schema.mof.

There is no real reason to write a schema.mof file by hand, both the DSC Resource Designer and my New-MofFile function can help generate that function.  The one key thing to be aware of in the schema.mof is that there is an attribute at the top of each of the MOF classes that denotes a friendly name, which is the identifier you will use in a configuration to specify a resource.

[ClassVersion("1.0.0"), FriendlyName("Pagefile")]

How To Structure a Module With Resources

To get a good idea of the resource structure, we can look at the StackExchangeResources module in the PowerShell.Org GitHub repository.  There is a base module – StackExchangeResources, which has a module metadata file (required, you’ll see why in a minute).  In that module, we need a folder DSCResources.  Our custom resource will be placed under that folder.

The reason we need a module metadata file for the base module, is when resources from that module are used in a configuration, the generated configuration MOF files will reference the version of the base module (and that specific version is required on the node where the resource will be applied).

Next up, we’ll talk about how we package our resources to be distributed by a pull server.

Tonight on the podcast: Nana from the PowerShell team talks about DSC!

Join us tonight at live.powerscripting.net at 9:30 EST when we talk to Nana from the PowerShell team about DSC and the post-release “resource waves”. Should be a great show!


Yes, we know it’s not Thursday. :)

IndyPoSh Meeting #10 – Desired State Configuration: Overview and Introduction


A new breed of configuration management tools has been created to manage the platforms, applications, and infrastructure of the cloud, and keep cloud-related applications and infrastructure running with high availability. The need for these new tools and infrastructure comes from the increase in scale, rapid rate of change, and complexity of the cloud. But existing tools have limited support for Windows. Enter, Windows PowerShell Desired State Configuration (DSC). This rich toolset provides a configuration platform built into Windows that is based on open standards. DSC is flexible enough to function reliably and consistently in each stage of the deployment lifecycle (development, test, pre-production, production), as well as during scale-out, which is required in the cloud world. Among the many great features of DSC is the ability to extend the functionality beyond what is included Out of Box.
This sessions will help with grasping an understanding the why, what and how of DSC. From a simple configuration deployment to more involved deployments and that perhaps would also assist in laying the foundation for cloud-driven infrastructure, public or private.


Enrique Lima (MCITP, MCPD, MCSE+I, MCP+SB, MCT, MCDBA, MCSD, MCAD, CCNA, CCNP, OCP, LCP, LCI, RHCE) has over 18 years of experience in training, application development, database development and management, IT solutions architecture, and project management. Enrique has participated as a speaker and technical learning guide at conferences such as SharePoint Conference 2012, TechEd USA (2004-2013). He was also invited to TechReady 7, 9, 10, 11, 12, 13, 16 and 17, an internal Microsoft conference, as a Subject Matter Expert (SME) in the fields of Windows Azure, Office 365, SQL Server, Platform Virtualization, Application Lifecycle Management/Team Foundation Server, SharePoint Technologies and Service Oriented Architecture.

Enrique has been involved in architecting and developing solutions that leverage the integration of SharePoint Technologies, Windows Azure, Office 365, BizTalk, Commerce Server, and Content Management Server with other Microsoft and non-Microsoft platforms. He has been active in providing guidance in developing and designing solutions that expand and extend those technologies. He actively participated with Microsoft to create material and develop a path to tell the Azure story to IT Professionals and promote Windows Azure beyond just a development platform, also was co-author for Microsoft Official Courseware on SharePoint 2010, Implementation and Configuration (MOC 10174A), was lead author for Microsoft Official Courseware on SQL Server 2005 High Availability Solutions (MOC 2788A), and lead author for Microsoft Official Courseware on Designing Commerce Server 2007 Solutions (50015A). Currently developing and creating new courseware for SharePoint 2013.

Enrique has written, developed, and presented numerous Microsoft and vendor-specific custom classes. As a member of Microsoft’s Global Learning Services, he delivered training and consulting to clients in Latin America, Europe, and Asia.

Enrique’s academic background includes a Bachelor’s of Science, an Electronics Engineering degree, and a Masters of Business Administration from Universidad Francisco Marroquin, Guatemala.  He can be found on twitter on @enriquelima or his blog: http://geekswithblogs.net/enriquelima.


6:00 – 6:30 Food | Networking
6:30 – 6:45 Introduction | Announcements | Speaker Introduction
6:45 – 7:45 Presentation
7:45 – 8:00 Giveaways