Failing to pull

This topic contains 11 replies, has 3 voices, and was last updated by  Arie H 2 years, 4 months ago.

  • Author
  • #36092

    Michael Seto

    I have created a pull server, now I am on one of the nodes attempting to do an Update-DscConfiguration -Wait- Verbose, but it saying something I have never seen before ::

    Cannot bind argument to parameter 'RegistrationKey' because it is an empty string.
    + CategoryInfo : InvalidData: (@{CertificateID...onnection=True}:String) [], CimException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
    + PSComputerName : localhost

    I can verify I did create a GUID on the node and put it into RegistrationKeys.txt on the pull server. I did make sure to create a checksum. I did successfully execute Set-DscLocalConfigurationManager -ComputerName localhost -Path .\PullClientConfigID -Verbose. It is just failing the update the configuration with the above error. I cannot find this error anywhere on the net.

    Please help! 🙁

  • #36096

    Don Jones

    Well, let's focus on the problem, because I don't think checksums and all that have anything to do with the error. It seems to feel as if the LCM on the target node doesn't have a RegistrationKey set.

    Can you get the LCM configuration from the node, and verify that it has the registration key set?

  • #36100

    Michael Seto

    Thank you for answering! Here is the output ::

    PS C:\Windows\system32> Get-DscLocalConfigurationManager

    ActionAfterReboot : ContinueConfiguration
    AgentId : 0D2A02DC-FE3F-11E4-80CB-000D3A004DE3
    AllowModuleOverWrite : False
    CertificateID :
    ConfigurationDownloadManagers : {[ConfigurationRepositoryWeb]my-pull-server}
    ConfigurationID :
    ConfigurationMode : ApplyAndMonitor
    ConfigurationModeFrequencyMins : 15
    Credential :
    DebugMode : {NONE}
    DownloadManagerCustomData :
    DownloadManagerName :
    LCMCompatibleVersions : {1.0, 2.0}
    LCMState : Idle
    LCMStateDetail :
    LCMVersion : 2.0
    MaxPendingConfigRetryCount :
    StatusRetentionTimeInDays : 10
    PartialConfigurations :
    RebootNodeIfNeeded : False
    RefreshFrequencyMins : 30
    RefreshMode : Pull
    ReportManagers : {}
    ResourceModuleManagers : {}
    PSComputerName :

  • #36101

    Michael Seto

    Here is what I used to configure the LCM ::

    configuration PullClientConfigID
    Node localhost
    RefreshMode = 'Pull'
    RefreshFrequencyMins = 30
    RebootNodeIfNeeded = $false
    ConfigurationRepositoryWeb my-pull-server
    ServerURL = 'http://my-pull-server:8080/PSDSCPullServer.svc'
    RegistrationKey = '88d639db-8e69-492d-a095-60e1eabd78e2'
    ConfigurationNames = @("ADMachineAgentPackage")
    AllowUnsecureConnection = $true

  • #36102

    Don Jones

    Man, you kids with your AllowUnsecureConnection. That's like "AllowLackOfPants." It's not okay, even in a lab environment.

    My inclination is to enable a DSC debug trace on the node, re-push the meta config, and then re-pull your config. Then go through the Debug and Analytic logs and see if something more useful pops out. You might do the same on the pull server while you try all that, too, just in case it logs something fun. Don't forget to turn the trace off when you're done with all that.

  • #36105

    Michael Seto

    Haha, I should at least use a self signed, eh? I will.

    Any guides or references you can point me to for tracing, please? Not sure how exactly to do that with DSC.

  • #36106

    Don Jones

    Well, no, a self-signed cert isn't a shortcut to what SSL provides. If the node doesn't trust the certificate – and it can't with a self-signed one produced on the pull server – then mutual authentication fails. The point of the SSL certificate is to make sure you can't have a bad actor shipping configurations to your nodes, and it's an important consideration. Read "The DSC Book." It's free, right on our Resources menu.

    The DSC Resource Kit has a module called DSCDiagnostics. That's got the commands to enable/disable tracing. See

  • #36107

    Michael Seto

    Here is some output ::

    PS C:\Windows\system32> Trace-xDscOperation -SequenceID 2
    Index operation failed; the array index evaluated to null.
    At C:\windows\system32\windowspowershell\v1.0\Modules\xDscDiagnostics\xDscDiagnostics.psm1:712 char:9
    + $outputErrorMessage = $errorEvent.Properties[$propertyIndex]. ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArrayIndex

    Index ComputerName EventType TimeCreated Message
    —– ———— ——— ———– ——-
    0 dscnode01 OPERATIONAL 3/4/2016 11:07:50 PM Operation Consistency Check or Pull started by user sid S-1-5-21-709736597-1407805334-2645231930-11290 from computer dscnode01.
    1 dscnode01 OPERATIONAL 3/4/2016 11:07:51 PM Attempting to register the Dsc agent with AgentId 0D2A02DC-FE3F-11E4-80CB-000D3A004DE3 with the server http://my-pull-server:8080/PSDSC...
    2 dscnode01 ERROR 3/4/2016 11:07:51 PM MIResult: 1...

    Not really helpful? That was the sequence ID for the error produced from Update-DscConfiguration

  • #36108

    Don Jones

    No, not especially. This stuff is really hard to troubleshoot if you don't have a pretty deep understanding of what's happening AND are sitting right in front of it. However, do keep in mind that this is supported code. If you're having a can-always-reproduce situation, open up a case with Microsoft Product Support. You'll end up not paying if it's a bug or other problem of theirs, and you'll get a fix a lot faster.

  • #36109

    Arie H


    Can you also please post the pull server DSC script, and did you rmember to put the RegistrationKey.txt in the right folder either manaly or via the pull server creation script ?

  • #36121

    Michael Seto

    Hi Arie, yes, the txt file is there.

    Here is the script for pull server creation ::

    # DSC configuration for Pull Server and Compliance Server
    # Prerequisite: Certificate "CN=PSDSCPullServerCert" in "CERT:\LocalMachine\MY\" store
    # Note: A Certificate may be generated using MakeCert.exe:

    configuration Sample_xDscWebService
    [string[]]$NodeName = 'localhost',

    [string] $certificateThumbPrint

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration

    Node $NodeName
    WindowsFeature DSCServiceFeature
    Ensure = "Present"
    Name = "DSC-Service"

    xDscWebService PSDSCPullServer
    Ensure = "Present"
    EndpointName = "PSDSCPullServer"
    Port = 8080
    PhysicalPath = "$env:SystemDrive\inetpub\PSDSCPullServer"
    CertificateThumbPrint = "AllowUnencryptedTraffic"
    ModulePath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
    ConfigurationPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
    State = "Started"
    DependsOn = "[WindowsFeature]DSCServiceFeature"

    xDscWebService PSDSCComplianceServer
    Ensure = "Present"
    EndpointName = "PSDSCComplianceServer"
    Port = 9080
    PhysicalPath = "$env:SystemDrive\inetpub\PSDSCComplianceServer"
    CertificateThumbPrint = "AllowUnencryptedTraffic"
    State = "Started"
    IsComplianceServer = $true
    DependsOn = @("[WindowsFeature]DSCServiceFeature","[xDSCWebService]PSDSCPullServer")


  • #36129

    Arie H


    Well for start, remove the entire section of xDscWebService PSDSCComplianceServer, which is the old v4 pull server sample you based your script on. As per previous issue Justin had a few posts ago, it doesn't work well with using the new v5 method of RegistrationKey and CinfigurationName.

    Edit: I Am assuming both the node and the pull server run the WMF 5 RTM version

You must be logged in to reply to this topic.