
March 16, 2016 at 6:40 am

I am feeling a little frustrated. I thought this was going to be so quick. I am going to go through everything I have done, and see if I have something wrong and that is why my PULL server doesn't seem to be working.

First I start with Install-Module xDesiredStateConfiguration -Force to put the module on my laptop and on the server that I am trying to configure as my PULL server.
The first thing that seems weird to me is that the Get-Command -Module xDesiredStateConfiguration shows no commands. Enter the same thing against just DesiredStateConfiguration module it brings back 17 commands. Do I need the xDesiredStateConfiguration? It seems like I would, being it is version 3.7 instead of version 1.1. Do I need to download it manually and copy it into place to see if I get commands?

March 16, 2016 at 6:57 am

You should be getting your DSC resource modules from the PowerShell Gallery; if you are, then you'll have the latest and greatest versions. DSC modules, however, don't necessarily contain "commands" in the traditional sense. They contain resources, which aren't quite the same thing. I don't think Get-Command is a great way to validate that something's working.

Also make sure you're reviewing some of the pinned threads in this forum. There are some known problems with DSCv5, and it might save you some frustration to bring yourself up to speed on that conversation.

March 16, 2016 at 7:09 am

Ok, you are right, a better way to validate is Get-DSCResource, it gives me this list

Get-DscResource | where{$_.name -match "^x\w"} | Select Name

Name
----
xArchive
xDSCWebService
xGroup
xPackage
xPSEndpoint
xRegistry
xRemoteFile
xService
xWindowsOptionalFeature
xWindowsProcess

So I think I am good there now. How do I find these pinned items?

March 16, 2016 at 7:37 am

You might be referencing the security issue that keeps Start-DSCConfiguration from working:

mofcomp $env:windir\system32\wbem\DscCoreConfProv.mof

This seems to take care of that.

I want my PULL server to use HTTPS, so I need to get a Cert from our company Cert authority. I don't see how I can get a CSR without installing IIS first, but I thought I did not have to do this because the DSC-Service would install IIS when I applied the MOF.

Can I just use a self signed?

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $ComputerName

I want to be able to test with this command:

Start-Process -FilePath iexplore.exe http://computername:8080/PSDSCPullServer.svc

March 16, 2016 at 11:39 am

You do not need to install IIS to request a certificate. Ask your sysadmins or security peeps for the URL address of your CA. If you want to do this locally on the server, you can load the certificate management MMC.

Wait till you get the cert, rather than going self-signed, as it's not a real SSL solution.

All the xDSC resources are more experimental, but they work and are tested and continuously fixed and patched via GitHub. The built-in resources you see in the PSDesiredStateConfiguration module (no x at the start) are the basic ones you're most likely to use on every server, no matter its role. The x ones will be specific to roles and are available publicly for us to work with. Note that starting with v5 there are versions of modules, so you can have side by side different versions of the same module, so you need to add that in your commands -module -version, else you'll get a lot of functions in return.

What Don was referring to are the two topmost messages in the forums, things like reporting server script, issues with Windows Core requiring GUI bits installed, issues with ConfigurationNames, internal certificate strength and more. Basically it's worth doing good homework preparing to shorten the time and frustration 😊

March 18, 2016 at 11:09 am

We want to eliminate the frustration from setting up the pull server. So we updated the documentation: https://msdn.microsoft.com/en-us/powershell/dsc/pullserver. Following these steps should help you get set up. If there is something missing in this, feel free to file an issue and we will have it fixed. Thanks

March 18, 2016 at 12:57 pm

Thanks, I will try this now. I have set up a pull server, I am hoping your URL will include the LCM configuration and a test configuration for testing. I have not been able to get that to work yet.

This brings up the info in explorer just fine.

Start-Process -FilePath iexplore.exe https://ServerName:8080/PSDSCPullServer.svc

March 18, 2016 at 1:32 pm

Arie, This is not my first PULL server, but my first one with PowerShell 5. What is wrong with a self-signed Cert? I am not sure I really see the difference for this use.

Just FYI, you don't need IIS to get the CSR:
https://wiki.cac.washington.edu/pages/viewpage.action?pageId=62554187

March 18, 2016 at 11:35 pm

I will update more later, but I was able to get it all working at this fine hour!!! First PowerShell 5 PULL server, LCM checked in properly configured with Configuration Names and it pulled its first configuration.

I love that you get immediate feedback: "Registration of the Dsc Agent with the server URL." I forgot the @{ClientConfig}, but caught it before I tried my first pull. I will write out a complete summary. Then lots more testing.
I would add this reference to Nana Lakshmanan's post above:
https://msdn.microsoft.com/en-us/powershell/dsc/pullclientconfignames

One more thing I would try and make more clear:
#The ConfigurationNames property in the metaconfiguration file implicitly means that pull server is supporting the V2 version of the pull server protocol so an initial registration is required. Conversely, using a ConfigurationID means that the V1 version of the pull server protocol is used and there is no registration processing.

This means don't put in a ConfigurationID when configuring your LCM even though your PULL server is configured with a Cert and SSL when configuring for Configuration Names. The lack of this is what triggers the above mentioned immediate feedback. It still works even though you are thinking it needs to be there.
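
An added example, not part of the thread or the poster's own configuration: an LCM metaconfiguration for the registration path described in the last post, with ConfigurationNames set and no ConfigurationID, followed by a check that the applied LCM state matches. The server URL and the registration key placeholder are assumptions; ClientConfig is the configuration name mentioned in the post.

```powershell
# Added example: LCM metaconfiguration for a PowerShell 5 pull client that
# registers with the pull server (ConfigurationNames, no ConfigurationID).
[DSCLocalConfigurationManager()]
configuration PullClientConfigNames
{
    Node localhost
    {
        Settings
        {
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded   = $true
            # Deliberately no ConfigurationID here: setting it selects the
            # older protocol and skips the registration step.
        }

        ConfigurationRepositoryWeb PullServer
        {
            # Assumed URL; use the HTTPS endpoint of your own pull server.
            ServerURL          = 'https://pullserver.example.com:8080/PSDSCPullServer.svc'
            # Placeholder; the shared registration key configured on the pull server.
            RegistrationKey    = '<registration-key-from-pull-server>'
            ConfigurationNames = @('ClientConfig')
        }
    }
}

# Compile the meta.mof and apply it to the local LCM.
PullClientConfigNames -OutputPath .\PullClientConfigNames
Set-DscLocalConfigurationManager -Path .\PullClientConfigNames -Verbose

# Verify the applied state: pull mode, a download manager pointing at the
# HTTPS endpoint, and no leftover ConfigurationID from an earlier setup.
$lcm = Get-DscLocalConfigurationManager
$lcm | Select-Object RefreshMode, ConfigurationID
$lcm.ConfigurationDownloadManagers | Select-Object ResourceId, ServerURL

if ($lcm.ConfigurationID) {
    Write-Warning "ConfigurationID is set ($($lcm.ConfigurationID)); the node will not register by ConfigurationNames."
}
if ($lcm.ConfigurationDownloadManagers.ServerURL -notmatch '^https://') {
    Write-Warning 'Pull server URL is not HTTPS.'
}

# Trigger a pull immediately instead of waiting for the refresh interval.
Update-DscConfiguration -Wait -Verbose
```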