DSC GUI Tool


  • Author
    Posts
  • #95870

    Participant
    Points: 0
    Rank: Member

    I'd like to pick the brains of the community on a DSC GUI tool that we're building to enable users to deploy a pre-built DSC template (e.g., CIS Control 3 server hardening for Server 2012 R2) or custom templates (limited functionality at the moment) to target host(s). Below are 2 features that we are hoping to add to make the tool more useful.

    1) DSC config rollback – we got the following error when running the Restore-DscConfiguration cmdlet on a test server running WMF 5.0. Since we're using partial configs via Pull Mode and not the Publish-DscConfiguration cmdlet, what can we do to roll back a config? Is it possible to copy the previous.mof from the test server and publish it to a Pull Server for the test server to pull/enact? We also noticed that the previous.mof/current.mof files no longer contain readable text like a regular MOF does.

    PS C:\> Restore-DscConfiguration
    Restore-DscConfiguration : The only way DSC Partial Configurations can be used in Push mode is if the
    Publish-DscConfiguration Cmdlet is used. No other push cmdlet is supported. To avoid this error, either set a metaconfiguration without partial configurations, or use the Publish-DscConfiguration cmdlet to deploy your partial configuration.
    At line:1 char:1
    + Restore-DscConfiguration
    + ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotImplemented: (MSFT_DSCLocalConfigurationManager:root/Microsoft/...gurationManager) [R
    estore-DscConfiguration], CimException
    + FullyQualifiedErrorId : MI RESULT 7,Restore-DscConfiguration

    2) Detect conflict on a target host that also has GPOs deployed.

    Any comments or suggestions are greatly appreciated. Thank you.

  • #95969

    Keymaster
    Points: 1,624
    Helping Hand, Team Member
    Rank: Community Hero

    what can we do to roll back a config?

    There's no "rollback" built-in; you could probably use a previous MOF, as you suggest, provided that MOF "counters" everything you wanted. E.g., it wouldn't be a "rollback" so much as a "last known good." For example, if you're source-controlling config script and MOFs, reverting to a previous version would in fact revert the desired config. In a DevOps environment, this is exactly what you'd do. Only you don't manage "rollback" at the MOF level, you manage it in the configuration script. That way you can re-generate any "version" MOF and deploy it.

    We also noticed that the previous.mof/current.mof files no longer contain readable text like a regular MOF does.

    As of 5.0, MOFs are encrypted on-disk.

    2) Detect conflict on a target host that also has GPOs deployed.

    Not really possible. See http://snoverisms.com/14-2/. DSC wasn't conceived as an adjunct to GPO, it was seen as an "instead of" thing.
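
The "last known good" approach from the reply above, as an added example that is not part of the original thread: restore the configuration script from source control, recompile it, and republish the MOF to the pull server. The repository path, script path, configuration name and git ref are hypothetical, and it assumes a single-node configuration that nodes request by name (ConfigurationNames). As the reply notes, this only reverts settings the older configuration still declares.

```powershell
# Added example: every default value below is a hypothetical placeholder.
param(
    [string]$RepoPath      = 'C:\DscRepo',
    [string]$ScriptPath    = 'Configs\ServerHardening.ps1',
    [string]$ConfigName    = 'ServerHardening',
    [string]$LastGoodRef   = 'last-known-good',   # git tag or commit, no slashes
    [string]$PullConfigDir = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
)
$ErrorActionPreference = 'Stop'

# 1. Restore the configuration script as it was at the last-known-good revision.
git -C $RepoPath checkout $LastGoodRef -- $ScriptPath
if ($LASTEXITCODE -ne 0) { throw "git checkout of '$LastGoodRef' failed" }

# 2. Recompile. Dot-sourcing defines the configuration; invoking it writes
#    one MOF per node into $outDir and returns the resulting file objects.
$outDir = Join-Path $env:TEMP "dsc-$ConfigName-$LastGoodRef"
. (Join-Path $RepoPath $ScriptPath)
$mofs = @(& $ConfigName -OutputPath $outDir)
if ($mofs.Count -ne 1) {
    throw "Expected exactly one MOF, got $($mofs.Count); publish each node separately."
}

# 3. Publish under the name the node requests and regenerate the checksum.
#    The LCM compares checksums to decide whether to download, so a stale
#    .mof.checksum would leave the node on the configuration being reverted.
$target = Join-Path $PullConfigDir "$ConfigName.mof"
Copy-Item -Path $mofs[0].FullName -Destination $target -Force
New-DscChecksum -Path $target -Force

# 4. Record what was published so the change can be audited later.
$hash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
Write-Output "Published $target from ref '$LastGoodRef' (SHA256 $hash)"
```

Nodes pick up the republished MOF at their next refresh interval; running `Update-DscConfiguration -Wait -Verbose` on a node forces the pull immediately.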
