Creating my first PULL Server with PowerShell 5

This topic contains 9 replies, has 5 voices, and was last updated by Zuldan 8 months, 3 weeks ago.

  • #36613
    i255d
    Member

    I am feeling a little frustrated. I thought this was going to be so quick. I am going to go through everything I have done, and see if I have something wrong and that is why my PULL server doesn't seem to be working.

    First I start with Install-Module xDesiredStateConfiguration -Force to put the module on my laptop and on the server that I am trying to configure as my PULL server.
    The first thing that seems weird to me is that Get-Command -Module xDesiredStateConfiguration shows no commands. Entering the same thing against just the DesiredStateConfiguration module brings back 17 commands. Do I need the xDesiredStateConfiguration? It seems like I would, being that it is version 3.7 instead of version 1.1. Do I need to download it manually and copy it into place to see if I get commands?

  • #36616
    Don Jones
    Keymaster

    You should be getting your DSC resource modules from the PowerShell Gallery; if you are, then you'll have the latest and greatest versions. DSC modules, however, don't necessarily contain "commands" in the traditional sense. They contain resources, which aren't quite the same thing. I don't think Get-Command is a great way to validate that something's working.

    Also make sure you're reviewing some of the pinned threads in this forum. There are some known problems with DSCv5, and it might save you some frustration to bring yourself up to speed on that conversation.

  • #36618
    i255d
    Member

    Ok, you are right, a better way to validate is Get-DSCResource, it gives me this list

    Get-DscResource | where{$_.name -match "^x\w"} | Select Name

    Name
    ----
    xArchive
    xDSCWebService
    xGroup
    xPackage
    xPSEndpoint
    xRegistry
    xRemoteFile
    xService
    xWindowsOptionalFeature
    xWindowsProcess

    So I think I am good there now. How do I find these pinned items?

  • #36627
    i255d
    Member

    You might be referencing the security issue that keeps Start-DSCConfiguration from working:

    mofcomp $env:windir\system32\wbem\DscCoreConfProv.mof

    This seems to take care of that.

    I want my PULL server to use HTTPS, so I need to get a Cert from our company Cert authority. I don't see how I can get a CSR without installing IIS first, but I thought I did not have to do this because the DSC-Service would install IIS when I applied the MOF.

    Can I just use a self-signed?

    New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $ComputerName

    I want to be able to test with this command:

    Start-Process -FilePath iexplore.exe http://computername:8080/PSDSCPullServer.svc

  • #36640
    Arie H
    Participant

    You do not need to install IIS to request a certificate. Ask your sysadmins or security peeps for the URL address of your CA. If you want to do this locally on the server, you can load the certificate management MMC.

    Wait till you get the cert, rather than going self-signed, as it's not a real SSL solution.

    All the xDSC resources are more experimental, but they work and are tested and continuously fixed and patched via GitHub. The built-in resources you see in the PSDesiredStateConfiguration module (no x at the start) are the basic ones you're most likely to use on every server, no matter its role. The x ones will be specific to roles and are available publicly for us to work with. Note that starting with v5 there are versions of modules, so you can have different versions of the same module side by side, so you need to add that in your commands -module -version, else you'll get a lot of functions in return.

    What Don was referring to are the two topmost messages in the forums, things like the reporting server script, issues with Windows core requiring GUI bits installed, issues with ConfigurationNames, internal certificate strength and more. Basically it's worth doing good homework preparing, to shorten the time and frustration 😊

  • #36725
    Nana Lakshmanan
    Participant

    We want to eliminate the frustration from setting up the pull server. So we updated the documentation: https://msdn.microsoft.com/en-us/powershell/dsc/pullserver. Following these steps should help you get set up. If there is something missing in this, feel free to file an issue and we will have it fixed. Thanks

  • #36731
    i255d
    Member

    Thanks, I will try this now. I have set up a pull server, I am hoping your URL will include the LCM configuration and a test configuration for testing. I have not been able to get that to work yet.

    This brings up the info in explorer just fine.

    Start-Process -FilePath iexplore.exe https://ServerName:8080/PSDSCPullServer.svc

  • #36732
    i255d
    Member

    Arie, this is not my first PULL server, but my first one with PowerShell 5. What is wrong with a self-signed Cert? I am not sure I really see the difference for this use.

    Just FYI, you don't need IIS to get the CSR:
    https://wiki.cac.washington.edu/pages/viewpage.action?pageId=62554187

  • #36746
    i255d
    Member

    I will update more later, but I was able to get it all working at this fine hour!!! First PowerShell 5 PULL server, LCM checked in properly configured with Configuration Names and it pulled its first configuration.

    I love that you get immediate feedback: "Registration of the Dsc Agent with the server URL." I forgot the @{ClientConfig}, but caught it before I tried my first pull. I will write out a complete summary. Then lots more testing.
    I would add this reference to Nana Lakshmanan's post above:
    https://msdn.microsoft.com/en-us/powershell/dsc/pullclientconfignames

    One more thing I would try and make more clear:
    #The ConfigurationNames property in the metaconfiguration file implicitly means that pull server is supporting the V2 version of the pull server protocol so an initial registration is required. Conversely, using a ConfigurationID means that the V1 version of the pull server protocol is used and there is no registration processing.

    This means don't put in a ConfigurationID when configuring your LCM even though your PULL server is configured with a Cert and SSL when configuring for Configuration Names. The lack of this is what triggers the above mentioned immediate feedback. It still works even though you are thinking it needs to be there.
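
The LCM setup discussed in the post above, as an added example that is not part of the original thread or of Microsoft's documentation: a metaconfiguration that uses ConfigurationNames with no ConfigurationID, applied and then checked on the node. The server URL, registration key and output path are placeholders; `ClientConfig` is the configuration name mentioned in the post.

```powershell
# Added example (not from the thread). Placeholders: server URL, registration key, output path.
$PullServerUrl   = 'https://pullserver.example.test:8080/PSDSCPullServer.svc'
$RegistrationKey = '<registration-key-configured-on-the-pull-server>'
$OutDir          = Join-Path $env:TEMP 'PullClientMeta'

[DSCLocalConfigurationManager()]
configuration PullClientConfigNames
{
    param(
        [Parameter(Mandatory)] [string] $ServerUrl,
        [Parameter(Mandatory)] [string] $Key
    )

    Node localhost
    {
        Settings
        {
            RefreshMode = 'Pull'
            # Deliberately no ConfigurationID: ConfigurationNames below implies
            # the v2 pull protocol, where the node registers with the server first.
        }

        ConfigurationRepositoryWeb PullSrv
        {
            ServerURL               = $ServerUrl
            RegistrationKey         = $Key                 # must match the key held by the pull server
            ConfigurationNames      = @('ClientConfig')
            AllowUnsecureConnection = $false               # refuse a plain-HTTP pull server
        }
    }
}

# Compile localhost.meta.mof and apply it to the local LCM (run from an elevated session).
PullClientConfigNames -ServerUrl $PullServerUrl -Key $RegistrationKey -OutputPath $OutDir | Out-Null
Set-DscLocalConfigurationManager -Path $OutDir -Verbose

# Check what the LCM actually stored before attempting the first pull.
$lcm = Get-DscLocalConfigurationManager
if ($lcm.ConfigurationID) {
    Write-Warning "ConfigurationID is set ($($lcm.ConfigurationID)); expected empty for a ConfigurationNames client."
}
$lcm | Select-Object RefreshMode, AgentId, ConfigurationID
$lcm.ConfigurationDownloadManagers | Select-Object ServerURL, ConfigurationNames

# Trigger an immediate pull instead of waiting for the refresh interval.
Update-DscConfiguration -Wait -Verbose
```

The verbose output of `Set-DscLocalConfigurationManager` is where the registration message quoted in the post appears.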

  • #36785
    Zuldan
    Participant

    @Nana Lakshmanan, do you know why this DSC doco page is empty?

    https://msdn.microsoft.com/en-us/powershell/dsc/retrievenodeinfo

    It's referenced on this page, https://msdn.microsoft.com/en-us/powershell/dsc/pullserver
