I'd like to pick the brains of the community on a DSC GUI tool that we're building to enable users to deploy a pre-built DSC template (e.g., CIS Control 3 server hardening for Server 2012 R2) or custom templates (limited functionality at the moment) to target host(s). Below are 2 features that we are hoping to add to make the tool more useful.
1) DSC config rollback – we got the following error when running the Restore-DscConfiguration cmdlet on a test server running WMF 5.0. Since we're using partial configs via Pull Mode and not the Publish-DscConfiguration cmdlet, what can we do to roll back a config? Is it possible to copy the previous.mof from the test server and publish it to a Pull Server for the test server to pull/enact? We also noticed that the previous.mof/current.mof files no longer contain readable text like a regular MOF does.
PS C:\> Restore-DscConfiguration
2) Detect conflict on a target host that also has GPOs deployed.
Any comments or suggestions are greatly appreciated. Thank you.
There's no "rollback" built-in; you could probably use a previous MOF, as you suggest, provided that MOF "counters" everything you wanted. E.g., it wouldn't be a "rollback" so much as a "last known good." For example, if you're source-controlling config script and MOFs, reverting to a previous version would in fact revert the desired config. In a DevOps environment, this is exactly what you'd do. Only you don't manage "rollback" at the MOF level, you manage it in the configuration script. That way you can re-generate any "version" MOF and deploy it.
As of 5.0, MOFs are encrypted on-disk.
Not really possible. See http://snoverisms.com/14-2/. DSC wasn't conceived as an adjunct to GPO, it was seen as an "instead of" thing.
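The "revert the configuration script, re-generate the MOF, deploy it" approach from the reply above, sketched as an added example that is not part of the original thread. The repository path, git tag, script name and configuration name are hypothetical; it assumes the script only defines the configuration (it does not invoke it), produces a single node MOF, and that the pull server uses the default configuration store and serves the partial config by name.

```powershell
# Added example: all names, paths and the git tag below are hypothetical.
param(
    [string]$RepoPath   = 'C:\DscRepo',            # git repo holding the configuration scripts
    [string]$GitRef     = 'last-known-good',       # tag or commit to redeploy
    [string]$ScriptFile = 'ServerHardening.ps1',   # script that defines the configuration
    [string]$ConfigName = 'ServerHardening',       # configuration / partial configuration name
    [string]$PullStore  = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
)
$ErrorActionPreference = 'Stop'

$work = Join-Path $env:TEMP ('dsc-revert-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
try {
    # Extract the script as it existed at $GitRef without touching the working tree.
    $script  = Join-Path $work $ScriptFile
    $content = & git -C $RepoPath show "${GitRef}:$ScriptFile"
    if ($LASTEXITCODE -ne 0) { throw "git show failed for ${GitRef}:$ScriptFile" }
    Set-Content -Path $script -Value $content -Encoding UTF8

    # Dot-source to define the configuration, then compile that version to a MOF.
    . $script
    $mofs = @(& $ConfigName -OutputPath (Join-Path $work 'mof'))
    if ($mofs.Count -ne 1) { throw "Expected exactly one MOF, got $($mofs.Count)" }

    # Publish under the configuration name and refresh the checksum the pull server serves.
    $target = Join-Path $PullStore "$ConfigName.mof"
    Copy-Item -Path $mofs[0].FullName -Destination $target -Force
    New-DscChecksum -Path $target -Force
}
finally {
    Remove-Item -Path $work -Recurse -Force
}
```

Nodes pick up the republished MOF at their next pull, or immediately with `Update-DscConfiguration -Wait -Verbose`. Settings that only the newer version declared are not undone unless the older script explicitly sets them back.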