DSC GUI Tool

This topic contains 1 reply, has 2 voices, and was last updated by Keymaster 11 months, 1 week ago.

  • Author
    Posts
  • #95870

    Participant
    Points: 0
    Rank: Member

    I'd like to pick the brains of the community on a DSC GUI tool that we're building to enable users to deploy a pre-built DSC template (e.g., CIS Control 3 server hardening for Server 2012 R2) or custom templates (limited functionality at the moment) to target host(s). Below are 2 features that we are hoping to add to make the tool more useful.

    1) DSC config rollback – we got the following error when running the Restore-DscConfiguration cmdlet on a test server running WMF 5.0. Since we're using partial configs via Pull Mode and not the Publish-DscConfiguration cmdlet, what can we do to roll back a config? Is it possible to copy the previous.mof from the test server and publish it to a Pull Server for the test server to pull/enact? We also noticed that the previous.mof/current.mof files no longer contain readable text like a regular MOF does.

    PS C:\> Restore-DscConfiguration
    Restore-DscConfiguration : The only way DSC Partial Configurations can be used in Push mode is if the
    Publish-DscConfiguration Cmdlet is used. No other push cmdlet is supported. To avoid this error, either set a metaconfiguration without partial configurations, or use the Publish-DscConfiguration cmdlet to deploy your partial configuration.
    At line:1 char:1
    + Restore-DscConfiguration
    + ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotImplemented: (MSFT_DSCLocalConfigurationManager:root/Microsoft/...gurationManager) [Restore-DscConfiguration], CimException
    + FullyQualifiedErrorId : MI RESULT 7,Restore-DscConfiguration

    2) Detect conflict on a target host that also has GPOs deployed.

    Any comments or suggestions are greatly appreciated. Thank you.

  • #95969

    Keymaster
    Points: 1,811
    Helping Hand, Team Member
    Rank: Community Hero

    what can we do to roll back a config?

    There's no "rollback" built-in; you could probably use a previous MOF, as you suggest, provided that MOF "counters" everything you wanted. E.g., it wouldn't be a "rollback" so much as a "last known good." For example, if you're source-controlling config script and MOFs, reverting to a previous version would in fact revert the desired config. In a DevOps environment, this is exactly what you'd do. Only you don't manage "rollback" at the MOF level, you manage it in the configuration script. That way you can re-generate any "version" MOF and deploy it.

    We also noticed that the previous.mof/current.mof files no longer contain readable text like a regular MOF does.

    As of 5.0, MOFs are encrypted on-disk.

    2) Detect conflict on a target host that also has GPOs deployed.

    Not really possible. See http://snoverisms.com/14-2/. DSC wasn't conceived as an adjunct to GPO, it was seen as an "instead of" thing.
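
The "last known good" approach described in the reply above, as an added PowerShell example that is not part of the original thread: it checks out an earlier version of the configuration script from source control, recompiles the MOF, and republishes it with a fresh checksum so pull clients pick it up. The repository layout, the `ServerHardening` configuration name, the published MOF file name, and the pull server folder are assumptions to adapt to your environment.

```powershell
# Added example, not code from the thread. Hypothetical names: the repo layout,
# the 'ServerHardening' configuration, and the MOF file name the node requests.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $RepoPath,          # local clone holding the config scripts
    [Parameter(Mandatory)] [string] $GitRef,            # last known good tag or commit
    [Parameter(Mandatory)] [string] $PublishedMofName,  # file name the node's LCM asks the pull server for
    [string] $ScriptRelPath        = 'Configs\ServerHardening.ps1',
    [string] $ConfigurationName    = 'ServerHardening',
    # Assumed pull server configuration folder; check your pull server's ConfigurationPath.
    [string] $PullServerConfigPath = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
)

$workTree = Join-Path $env:TEMP ('dsc-lkg-' + [guid]::NewGuid())
$outDir   = Join-Path $env:TEMP ('dsc-mof-' + [guid]::NewGuid())

# Check the old version out into a throwaway worktree so the main clone is untouched.
git -C $RepoPath worktree add --detach $workTree $GitRef
if ($LASTEXITCODE -ne 0) { throw "git could not check out '$GitRef'" }

try {
    $ErrorActionPreference = 'Stop'

    # Dot-source the historical script to define the configuration, then compile it.
    . (Join-Path $workTree $ScriptRelPath)
    $mofs = @(& $ConfigurationName -OutputPath $outDir)

    # One partial configuration is expected to compile to exactly one MOF.
    if ($mofs.Count -ne 1) {
        throw "Expected 1 MOF from '$ConfigurationName' at $GitRef, got $($mofs.Count)"
    }

    # Publish under the name the node requests and regenerate the checksum;
    # a changed checksum is what tells the LCM there is a new configuration.
    $target = Join-Path $PullServerConfigPath $PublishedMofName
    Copy-Item -Path $mofs[0].FullName -Destination $target -Force
    New-DscChecksum -Path $target -Force

    Write-Output "Published $GitRef as $target"
}
finally {
    # Always clean up the temporary worktree and compile output.
    git -C $RepoPath worktree remove --force $workTree
    Remove-Item -Path $outDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Target nodes enact the republished MOF on their next pull cycle. As the reply notes, this only reverts settings that the earlier configuration explicitly declares.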
