Client is configured to pull, but does not pull Config

    • #195716
      Participant

      Hi,

      I would be happy for some help.

      I can't get my client to load its config from the pull server.

      1st. I set up a pull server and ensured WinRM is working.
      The pull server test page is OK, Test-WSMan is also OK.

      # pre
      Install-Module xPSDesiredStateConfiguration
      Install-Module NetworkingDsc
      Install-Module PSDscResources
      Install-WindowsFeature RSAT-AD-Powershell
      
      # Guid for RegistrationKey
      [guid]::NewGuid()
      
      # manual install Certificate for IIS
      
      
      Configuration CreatePullServer
      {
          param
          (
              [Parameter()]
              [System.String[]]
              $NodeName = 'localhost',

              [Parameter(Mandatory = $true)]
              [ValidateNotNullOrEmpty()]
              [System.String]
              $CertificateThumbPrint,

              [Parameter(Mandatory = $true)]
              [ValidateNotNullOrEmpty()]
              [System.String]
              $RegistrationKey,

              [Parameter()]
              [ValidateRange(1, 65535)]
              [System.UInt16]
              $Port = 8080
          )

          Import-DscResource -ModuleName NetworkingDsc
          Import-DSCResource -ModuleName xPSDesiredStateConfiguration

          Node $NodeName
          {
              WindowsFeature DSCServiceFeature
              {
                  Ensure = 'Present'
                  Name = 'DSC-Service'
              }

              xDscWebService PSDSCPullServer
              {
                  Ensure = 'Present'
                  EndpointName = 'PSDSCPullServer'
                  Port = $Port
                  PhysicalPath = "$env:SystemDrive\inetpub\PSDSCPullServer"
                  CertificateThumbPrint = $CertificateThumbPrint
                  ModulePath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                  ConfigurationPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                  State = 'Started'
                  DependsOn = '[WindowsFeature]DSCServiceFeature'
                  RegistrationKeyPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService"
                  AcceptSelfSignedCertificates = $true
                  Enable32BitAppOnWin64 = $false
                  UseSecurityBestPractices = $true
                  ConfigureFirewall = $false
              }

              File RegistrationKeyFile
              {
                  Ensure = 'Present'
                  Type = 'File'
                  DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
                  Contents = $RegistrationKey
              }

              Firewall PSDSCPullServerRule
              {
                  Ensure = 'Present'
                  Name = "DSC_PullServer_$Port"
                  DisplayName = "DSC PullServer $Port"
                  Group = 'DSC PullServer'
                  Enabled = $true
                  Action = 'Allow'
                  Direction = 'InBound'
                  LocalPort = $Port
                  Protocol = 'TCP'
                  DependsOn = '[xDscWebService]PSDSCPullServer'
              }
          }
      }
      
      md C:\DSC
      CreatePullServer -Output c:\DSC
      
      Start-DscConfiguration -Path C:\DSC -Wait -Verbose -Force

      Then I set the client to pull – Config
      Looks like the configuration is successfully transferred to the client. (Tested with Get-DscLocalConfigurationManager)

      [DSCLocalConfigurationManager()]
      configuration RegisterClientPull
      {
          [string[]]$NodeName = 'TestClient'

          Node $NodeName
          {
              Settings
              {
                  RefreshMode = 'Pull'
                  ConfigurationMode = 'ApplyAndAutoCorrect'
                  ConfigurationModeFrequencyMins = 15
                  RebootNodeIfNeeded = $true
              }

              ConfigurationRepositoryWeb Dorner-PullSrv
              {
                  ServerURL = "https://Suppressed:8080/PSDSCPullServer.svc"
                  RegistrationKey = "SuppressedGUID"
                  ConfigurationNames = @('ClientConfig')
              }

              ResourceRepositoryWeb Dorner-PullSrv
              {
                  ServerURL = "https://Suppressed:8080/PSDSCPullServer.svc"
              }

              ReportServerWeb Dorner-PullSrv
              {
                  ServerURL = "https://Suppressed:8080/PSDSCPullServer.svc"
                  RegistrationKey = "SuppressedGUID"
              }
          }
      }
      
      
      RegisterClientPull -Output c:\DSC
      
      # Create Checksum
      New-DscChecksum "C:\DSC\*.mof"
      
      Set-DscLocalConfigurationManager -Path C:\DSC\
      PS C:\Windows\system32> Get-DscLocalConfigurationManager
      
      ActionAfterReboot : ContinueConfiguration
      AgentId : Suppressed
      AllowModuleOverWrite : False
      CertificateID :
      ConfigurationDownloadManagers : {[ConfigurationRepositoryWeb]Dorner-PullSrv}
      ConfigurationID :
      ConfigurationMode : ApplyAndAutoCorrect
      ConfigurationModeFrequencyMins : 15
      Credential :
      DebugMode : {NONE}
      DownloadManagerCustomData :
      DownloadManagerName :
      LCMCompatibleVersions : {1.0, 2.0}
      LCMState : Idle
      LCMStateDetail :
      LCMVersion : 2.0
      StatusRetentionTimeInDays : 10
      SignatureValidationPolicy : NONE
      SignatureValidations : {}
      MaximumDownloadSizeMB : 500
      PartialConfigurations :
      RebootNodeIfNeeded : True
      RefreshFrequencyMins : 30
      RefreshMode : Pull
      ReportManagers : {[ReportServerWeb]Dorner-PullSrv}
      ResourceModuleManagers : {[ResourceRepositoryWeb]Dorner-PullSrv}
      PSComputerName :

      I also made a TestClient.mof (which is the hostname) which works perfectly in PUSH mode.

      Configuration Test
      {
          [string[]]$NodeName = 'TestClient'
          Node $NodeName
          {
              somewhat
          }
      }
      
      Test -Output "C:\Program Files\WindowsPowerShell\DscService\Configuration"
      
      # Create Checksum
      New-DscChecksum "C:\Program Files\WindowsPowerShell\DscService\Configuration\*.mof"
      
      Start-DscConfiguration -Path "C:\Program Files\WindowsPowerShell\DscService\Configuration\"

      But here starts the problem – the client does not pull and use its configuration.

      I can force it from the server side (push) with Start-DscConfiguration -Path "C:\Program Files\WindowsPowerShell\DscService\Configuration\" -Wait -Verbose -Force but the client is not pulling it by itself. I waited for an hour, but nothing happens...

      Can someone help me out here? I read tutorials for days now, meanwhile I'm quite at the end of my knowledge.

       

      BR and Thank you so much!

      Mathias

    • #195725
      Participant

      Hi Mathias,

      What happens when you run

      Update-DscConfiguration -Wait -Verbose

      On the client machine?

      Max

    • #195737
      Participant
      Topics: 1
      Replies: 3
      Points: 19
      Rank: Member

      Hi Max,

      Thanks for your help!

      PS C:\Windows\system32> Update-DscConfiguration -wait -verbose
      AUSFÜHRLICH: Vorgang "CIM-Methode aufrufen" mit den folgenden Parametern durchführen, "'methodName' =
      PerformRequiredConfigurationChecks,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
      root/Microsoft/Windows/DesiredStateConfiguration".
      AUSFÜHRLICH: Vom Computer 'TESTCLIENT' mit Benutzer-SID 'S-......' ist ein
      LCM-Methodenaufruf eingegangen.
      AUSFÜHRLICH: [TESTCLIENT]: [] "Get-Action" wird mit der Prüfsumme der Konfiguration
      "(null)" ausgeführt: .
      AUSFÜHRLICH: [TESTCLIENT]: [] Fehler beim Ausführen von "Get-Action" mit der Prüfsumme der
      Konfiguration "(null)". Prüfen Sie die Verfügbarkeit des Pull-Servers.
      Serverfehler "ResourceNotFound (404)" beim Versuch, eine Aktion für AgentId A6258B5D-2B1C-11EA-9DF1-901B0ED98C00 von
      Server-URL
      https://servernamehidden:8080///PSDSCPullServer.svc/Nodes(AgentId='A6258B5D-2B1C-11EA-9DF1-901B0ED98C00')/GetDscAction
      abzurufen.
      Weitere Details finden Sie in der unten aufgeführten Serverfehlermeldung oder im DSC-Debugereignisprotokoll mit der ID
      4339.
      ServerErrorMessage:- "The assigned configuration 'ClientConfig' is not found in the pull server configuration
      repository."
      + CategoryInfo : ResourceUnavailable: (root/Microsoft/...gurationManager:String) [], CimException
      + FullyQualifiedErrorId : WebDownloadManagerGetActionNodeConfigurationNotFound,Microsoft.PowerShell.DesiredStateCo
      nfiguration.Commands.GetDscActionCommand
      + PSComputerName : localhost
      
      AUSFÜHRLICH: Vorgang "CIM-Methode aufrufen" wurde abgeschlossen.
      AUSFÜHRLICH: Die Ausführung des Konfigurationsauftrags hat 0.603 Sekunden gedauert.

      Sorry, German Windows...

      Looks like the client uses some AgentID in the URL. URL is valid, but I think the pull server can't deliver anything with the AgentID. The .mof file / config is called hostname.mof on the server.

      Maybe I'm wrong, but I think this could be the problem in the LCM?

      ConfigurationNames = @('ClientConfig')

      Or am I completely wrong?

      BR,

      Mathias

       

       

    • #195749
      Participant
      Topics: 1
      Replies: 3
      Points: 19
      Rank: Member

      Update – meanwhile I tryed

      ConfigurationNames = @($NodeName)

      I also changed the pull server IIS to its real hostname instead of the CNAME. (wildcard certificate, so it should make no difference, but this should be safe)

      No ssl errors when I call the server in a browser.

       

      PS C:\Windows\system32> Update-DscConfiguration -wait -verbose
      AUSFÜHRLICH: Vorgang "CIM-Methode aufrufen" mit den folgenden Parametern durchführen, "'methodName' =
      PerformRequiredConfigurationChecks,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
      root/Microsoft/Windows/DesiredStateConfiguration".
      AUSFÜHRLICH: Vom Computer 'TESTCLIENT' mit Benutzer-SID 'S-.......' ist ein
      LCM-Methodenaufruf eingegangen.
      AUSFÜHRLICH: [TESTCLIENT]: [] "Get-Action" wird mit der Prüfsumme der Konfiguration
      "(null)" ausgeführt: .
      AUSFÜHRLICH: [TESTCLIENT]: [] Das Ausführen von "Get-Action" mit der Prüfsumme der
      Konfiguration "" hat folgenden Ergebnisstatus zurückgegeben: GetConfiguration.
      AUSFÜHRLICH: [TESTCLIENT]: [] Die Prüfsumme ist unterschiedlich. LCM führt
      "GetConfiguration" aus, um die Konfiguration "" mithilfe von Pull zu übertragen.
      AUSFÜHRLICH: [TESTCLIENT]: [] Fehler beim Ausführen von "GetConfiguration". Die
      Konfiguration "" wird nicht mithilfe von Pull übertragen.
      
      Die Prüfsumme für die Konfiguration stimmt nicht überein.
      + CategoryInfo : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
      + FullyQualifiedErrorId : WebDownloadManagerMismatchChecksum,Microsoft.PowerShell.DesiredStateConfiguration.Comman
      ds.GetDscDocumentCommand
      + PSComputerName : localhost
      
      AUSFÜHRLICH: Vorgang "CIM-Methode aufrufen" wurde abgeschlossen.
      AUSFÜHRLICH: Die Ausführung des Konfigurationsauftrags hat 0.269 Sekunden gedauert.
      PS C:\Windows\system32>
      
      

      Now I get no URL error anymore, but a checksum error.

      I rebuilt all configs and checksums just to be sure, but that does not help.

      I think I do not understand the way this should work. The whole thing is quite frustrating...

    • #195770
      Participant
      Topics: 1
      Replies: 3
      Points: 19
      Rank: Member

      Wohooo, I found the Problem!!!

      The solution was to use ConfigurationNames = @($Nodename)in LCM, as I thought.

      But, the checksum error was because New-DscChecksum "C:\Program Files\WindowsPowerShell\DscService\Configuration\*.mof" in the node configuration PS did not override the existing checksum file.

      I have to use New-DscChecksum "C:\Program Files\WindowsPowerShell\DscService\Configuration\*.mof" -Force instead.

      Maybe this helps someone else. Works like a charm now even with https and cname.

      BR, and Max – Thank you so much. This was the perfect hint!
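
The two failures diagnosed in this thread (the requested configuration name has no matching MOF on the pull server, and a stale `.mof.checksum` left behind because `New-DscChecksum` was run without `-Force`) can be checked on the pull server before a node ever pulls. The following is an added example, not part of the original posts; the function name `Test-PullServerConfigStore` and its parameters are hypothetical, the default path and node name are taken from the thread, and it assumes the checksum file holds the SHA-256 hex digest of the MOF.

```powershell
# Added example: audit a DSC pull server configuration store.
# Function name and parameters are hypothetical; defaults come from the thread.
function Test-PullServerConfigStore {
    param(
        [string]   $ConfigurationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration",
        # Names the nodes request through ConfigurationNames in their LCM settings
        [string[]] $ExpectedConfigurationNames = @('TestClient')
    )

    # Check every expected name plus every MOF already present in the store
    $present = @(Get-ChildItem -Path $ConfigurationPath -Filter '*.mof' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $_.BaseName })
    $names = @($ExpectedConfigurationNames) + $present | Sort-Object -Unique

    foreach ($name in $names) {
        $mof      = Join-Path $ConfigurationPath "$name.mof"
        $checksum = "$mof.checksum"

        $status = if (-not (Test-Path -LiteralPath $mof)) {
            # Node would get 404 "assigned configuration ... is not found"
            'MofMissing'
        }
        elseif (-not (Test-Path -LiteralPath $checksum)) {
            'ChecksumMissing'
        }
        else {
            $actual = (Get-FileHash -LiteralPath $mof -Algorithm SHA256).Hash
            $stored = ([string](Get-Content -LiteralPath $checksum -Raw)).Trim()
            # A checksum older than the MOF (no -Force on regeneration) lands here
            if ($actual -ieq $stored) { 'Ok' } else { 'ChecksumStale' }
        }

        [pscustomobject]@{
            ConfigurationName = $name
            Requested         = $name -in $ExpectedConfigurationNames
            Status            = $status
        }
    }
}

Test-PullServerConfigStore | Format-Table -AutoSize
```

A `ChecksumStale` row corresponds to the `WebDownloadManagerMismatchChecksum` error above, and a `MofMissing` row to `WebDownloadManagerGetActionNodeConfigurationNotFound`.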

    • #195779
      Participant

      You can refer to this https://devblogs.microsoft.com/powershell/how-to-register-a-node-with-a-dsc-pull-server/ for an explanation regarding the AgentId.

      Btw, the https://servernamehidden:8080/PSDSCPullServer.svc/Nodes(AgentId='A6258B5D-2B1C-11EA-9DF1-901B0ED98C00') should be accessible from your browser as far as I remember, so it's worth testing it.

      Additionally, please try cleaning everything that may be already applied by running

      Remove-DscConfigurationDocument -Stage Current, Pending, Previous -Force

      I know the feeling of frustration, but once you figure it out and it starts working, it's like magic 🙂

      Max
