DSC Pull Server Deploy Errors - xDscWebServiceRegistration

This topic contains 4 replies, has 2 voices, and was last updated by Ed 1 week, 1 day ago.

  • #58751
    Ed
    Participant

    Hello, I created a test lab DSC Pull server using 'The DSC Book' / 3.0 OK
    However now am wanting to configure a newer release/use https

    So, configured a vanilla VM,
    Patched, Windows Server 2012 R2 standard
    Domain joined, admin rights, uac disable
    Installed WMF 5.0
    xPSDesiredStateConfiguration 5.0
    Generated self signed cert using script: https://gallery.technet.microsoft.com/scriptcenter/self-signed-certificate-5920a7c6
    Configured 'pullserver' MOF using msdn guide: https://msdn.microsoft.com/en-us/powershell/dsc/pullserver (+Also tried using the example config in the module itself)

    When I set the config/install I get the 3 lines of errors below;
    on the 2nd re-run there are no errors but the website is inaccessible: HTTP 503 Service Unavailable, both the pull site and the default site.

    Fixing Attempts:
    Rebuilt server same issue
    Getting same problem with 4.0 xPSDesiredStateConfiguration
    Installing IIS and DSC roles prior to mof deploy
    Trawling Google/forums but haven't been able to solve what's going on.
    Turned on debug logging: wevtutil.exe set-log "Microsoft-Windows-Dsc/Analytic" /q:true /e:true
    Errors:
    Failed attempt number 1 : Couldn't delete file C:\Windows\System32\Configuration\DSCEngineCache.mof . The error code is 2. The error message is: The system cannot find the file specified.
    Have deleted these files from the configuration dir (with no luck); in another post this worked for someone.

    Having now spent 2 days trying to work this out, I am now reaching out. Am I missing something simple?
    Any help muchly appreciated! 🙂

     
    # =================================== Section Pull Server =================================== #
    $certificateThumbPrint = 'E957004B8D17ACDE83A15831731CF32DA6F2ED2A'
    $RegistrationKey = 'f25ed3f5-adba-4e50-a334-e8b4d094f668'
    configuration Sample_xDscWebServiceRegistration
    {
        param 
        (
            [string[]]$NodeName = 'localhost',
    
            [ValidateNotNullOrEmpty()]
            [string] $certificateThumbPrint,
    
            [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
            [ValidateNotNullOrEmpty()]
            [string] $RegistrationKey   # A guid that clients use to initiate conversation with pull server
        )
    
        Import-DSCResource -ModuleName xPSDesiredStateConfiguration
        Import-DSCResource -ModuleName PSDesiredStateConfiguration
    
        Node $NodeName
        {
            WindowsFeature DSCServiceFeature
            {
                Ensure = "Present"
                Name   = "DSC-Service"            
            }
    
            xDscWebService PSDSCPullServer
            {
                Ensure                  = "Present"
                EndpointName            = "PSDSCPullServer"
                Port                    = 8080
                PhysicalPath            = "$env:SystemDrive\inetpub\PSDSCPullServer"
                CertificateThumbPrint   = $certificateThumbPrint
                ModulePath              = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath       = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"            
                State                   = "Started"
                DependsOn               = "[WindowsFeature]DSCServiceFeature" 
                RegistrationKeyPath     = "$env:PROGRAMFILES\WindowsPowerShell\DscService"   
                AcceptSelfSignedCertificates = $true
                UseSecurityBestPractices = $false
            }
    
            File RegistrationKeyFile
            {
                Ensure          = 'Present'
                Type            = 'File'
                DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
                Contents        = $RegistrationKey
            }
        }
    }
    
    Sample_xDscWebServiceRegistration -NodeName 'PULL.ed.local' -RegistrationKey $registrationkey -certificateThumbPrint $certificateThumbPrint
    
    
        Directory: C:\temp\Sample_xDscWebServiceRegistration
    
    
    Mode                LastWriteTime         Length Name                                                                                                               
    ----                -------------         ------ ----                                                                                                               
    -a----       11/27/2016   4:48 PM           4680 PULL.ed.local.mof                                                                                                  
    
    
    
    PS C:\temp> Start-DscConfiguration -Path C:\temp\Sample_xDscWebServiceRegistration -Wait -Verbose -Force
    
    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer PULL with user sid S-1-5-21-859306304-1798028966-4293564394-1001.
    VERBOSE: [PULL]: LCM:  [ Start  Set      ]
    VERBOSE: [PULL]: LCM:  [ Start  Resource ]  [[WindowsFeature]DSCServiceFeature]
    VERBOSE: [PULL]: LCM:  [ Start  Test     ]  [[WindowsFeature]DSCServiceFeature]
    VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] The operation 'Get-WindowsFeature' started: DSC-Service
    VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] The operation 'Get-WindowsFeature' succeeded: DSC-Service
    VERBOSE: [PULL]: LCM:  [ End    Test     ]  [[WindowsFeature]DSCServiceFeature]  in 0.9380 seconds.
    VERBOSE: [PULL]: LCM:  [ Start  Set      ]  [[WindowsFeature]DSCServiceFeature]
    VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Installation started...
    VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Continue with installation?
    VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Prerequisite processing started...
    VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Prerequisite processing succeeded.
    VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Installation succeeded.
    VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Successfully installed the feature DSC-Service.
    VERBOSE: [PULL]: LCM:  [ End    Set      ]  [[WindowsFeature]DSCServiceFeature]  in 35.9670 seconds.
    VERBOSE: [PULL]: LCM:  [ End    Resource ]  [[WindowsFeature]DSCServiceFeature]
    VERBOSE: [PULL]: LCM:  [ Start  Resource ]  [[xDSCWebService]PSDSCPullServer]
    VERBOSE: [PULL]: LCM:  [ Start  Test     ]  [[xDSCWebService]PSDSCPullServer]
    VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Check Ensure
    VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] The Website PSDSCPullServer is not present
    VERBOSE: [PULL]: LCM:  [ End    Test     ]  [[xDSCWebService]PSDSCPullServer]  in 2.8880 seconds.
    VERBOSE: [PULL]: LCM:  [ Start  Set      ]  [[xDSCWebService]PSDSCPullServer]
    VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Create the IIS endpoint
    VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Setting up endpoint at - https://PULL:8080/PSDSCPullServer.svc
    VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Verify that the certificate with the provided thumbprint exists in CERT:\LocalMachine\MY\
    VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Checking IIS requirements
    VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Delete the App Pool if it exists
    VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Remove the site if it already exists
    A specified logon session does not exist. It may already have been terminated
        + CategoryInfo          : NotSpecified: (:) [], CimException
        + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand
        + PSComputerName        : PULL.ed.local
     
    VERBOSE: [PULL]: LCM:  [ End    Set      ]  [[xDSCWebService]PSDSCPullServer]  in 1.7960 seconds.
    The PowerShell DSC resource '[xDSCWebService]PSDSCPullServer' with SourceInfo '::31::9::xDscWebService' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
        + CategoryInfo          : InvalidOperation: (:) [], CimException
        + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
        + PSComputerName        : PULL.ed.local
     
    VERBOSE: [PULL]: LCM:  [ Start  Resource ]  [[File]RegistrationKeyFile]
    VERBOSE: [PULL]: LCM:  [ Start  Test     ]  [[File]RegistrationKeyFile]
    VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The system cannot find the file specified.
    VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The related file/directory is: C:\Program Files\WindowsPowerShell\DscService\RegistrationKeys.txt.
    VERBOSE: [PULL]: LCM:  [ End    Test     ]  [[File]RegistrationKeyFile]  in 0.0150 seconds.
    VERBOSE: [PULL]: LCM:  [ Start  Set      ]  [[File]RegistrationKeyFile]
    VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The system cannot find the file specified.
    VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The related file/directory is: C:\Program Files\WindowsPowerShell\DscService\RegistrationKeys.txt.
    VERBOSE: [PULL]: LCM:  [ End    Set      ]  [[File]RegistrationKeyFile]  in 0.0000 seconds.
    VERBOSE: [PULL]: LCM:  [ End    Resource ]  [[File]RegistrationKeyFile]
    VERBOSE: [PULL]: LCM:  [ End    Set      ]
    The SendConfigurationApply function did not succeed.
        + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : MI RESULT 1
        + PSComputerName        : PULL.ed.local
     
    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 47.73 seconds
    
    
  • #58754
    Don Jones
    Keymaster

    May I ask why you're using a self signed certificate, which would be useless to clients?

  • #58757
    Ed
    Participant

    Hi Don,
    It's for a test environment lab (was planning to have this cert 'trusted root' on the clients).
    I don't have any CA certs I can use. Is this likely part of the problem? I guess I can buy one.

    Test:
    Did some tests with my self-signed cert: added it to the IIS 'default site', then imported the cert to the client trusted root. This failed; still get a cert warning on browsing, as you pointed out.
    I've always been a bit stand-offish when it comes to certificates and that jazz. I'll look into setting up a CA in my domain and issue a certificate that way, give this another go tomorrow.

  • #58775
    Don Jones
    Keymaster

    It'd be far better to spin up a CA; the problem is that a self-signed certificate is only trusted by the machine that created it. It can't be readily used to create an HTTPS channel in a pull server, because none of the nodes contacting the pull server are going to trust the certificate. You do need a proper SSL certificate.

    You do also have some setup problems.

    VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The system cannot find the file specified.
    VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The related file/directory is: C:\Program Files\WindowsPowerShell\DscService\RegistrationKeys
    

    Is telling you that the pull server is missing its registration key file, which is required. Because this is happening during pull server setup, I'd surmise that it's unable to create the file you specified. You also have a conflict:

    RegistrationKeyPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService"

    and

    DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"

    You're setting up the file in one place, but telling pull server to find it in another place.

    You also appear to not have the correct certificate installed in the correct location:

    VERBOSE: [PULL]: [[xDSCWebService]PSDSCPullServer] Verify that the certificate with the provided thumbprint exists in CERT:\LocalMachine\MY\

    Pull server isn't able to find the certificate thumbprint you specified in the machine repository. Possibly you installed it in the wrong certificate store, or you provided the wrong thumbprint for it.

  • #58804
    Ed
    Participant

    Cheers Don, appreciate you taking the time to help out.

    I set up a CA, issued a certificate, left all other settings the same and it looks OK!
    No red errors, https site access OK (from other clients too 🙂 )

    So it all came down to the certificate I was attempting to use.
    It referenced the correct thumbprint and was in the correct store, but something else was definitely wrong with it.
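
A pre-flight check for the certificate passed to xDscWebService, covering the store and thumbprint lookup raised in #58775 and the properties a thumbprint match alone does not show, as in #58804 (private key, validity dates, Server Authentication EKU, DNS name, chain trust). This is an added example, not code from the thread or from the xPSDesiredStateConfiguration module; `Test-PullServerCertificate` and its parameters are hypothetical names, and it does not claim to identify what was wrong with the original certificate.

```powershell
# Added example: hypothetical helper, run elevated on the pull server.
function Test-PullServerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $DnsName
    )
    # Thumbprints copied from the certificate UI can carry spaces or an
    # invisible leading character; keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction SilentlyContinue
    if ($cert -isnot [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
        return [pscustomobject]@{ Thumbprint = $clean; Found = $false; Usable = $false }
    }

    # Build the chain against this machine's trust stores. A self-signed
    # certificate fails here unless it is also in Trusted Root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: lab CA without CRL
    $trusted = $chain.Build($cert)

    # No EKU extension means "all purposes"; otherwise Server Authentication
    # (OID 1.3.6.1.5.5.7.3.1) must be listed for an HTTPS binding.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $serverAuth = (-not $ekuExt) -or ($ekus -contains '1.3.6.1.5.5.7.3.1')

    # DnsNameList holds the subject CN and SAN DNS entries; -like lets a
    # wildcard entry such as *.ed.local match the node name.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameMatch = [bool]($names | Where-Object { $DnsName -like $_ })

    $now = Get-Date
    $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    [pscustomobject]@{
        Thumbprint    = $clean
        Found         = $true
        HasPrivateKey = $cert.HasPrivateKey      # key association only, not ACLs
        InValidity    = $inDate
        ServerAuthEku = $serverAuth
        DnsNameMatch  = $nameMatch
        ChainTrusted  = $trusted
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Usable        = $cert.HasPrivateKey -and $inDate -and $serverAuth -and $nameMatch -and $trusted
    }
}

# Values taken from the first post:
Test-PullServerCertificate -Thumbprint 'E957004B8D17ACDE83A15831731CF32DA6F2ED2A' -DnsName 'PULL.ed.local'
```

Running the same function on a client node with the pull server's certificate imported only as a file will return `Found = $false`; `ChainTrusted` is the field to compare between server and clients.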
