Failing to pull

This topic contains 11 replies, has 3 voices, and was last updated by Profile photo of Arie H Arie H 6 months, 3 weeks ago.

Viewing 12 posts - 1 through 12 (of 12 total)
  • Author
    Posts
  • #36092
    Profile photo of Michael Seto
    Michael Seto
    Participant

    I have created a pull server, now I am on one of the nodes attempting to do an Update-DscConfiguration -Wait- Verbose, but it saying something I have never seen before ::

    Cannot bind argument to parameter 'RegistrationKey' because it is an empty string.
    + CategoryInfo : InvalidData: (@{CertificateID...onnection=True}:String) [], CimException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
    + PSComputerName : localhost

    I can verify I did create a GUID on the node and put it into RegistrationKeys.txt on the pull server. I did make sure to create a checksum. I did successfully execute Set-DscLocalConfigurationManager -ComputerName localhost -Path .\PullClientConfigID -Verbose. It is just failing the update the configuration with the above error. I cannot find this error anywhere on the net.

    Please help! 🙁

    #36096
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Well, let's focus on the problem, because I don't think checksums and all that have anything to do with the error. It seems to feel as if the LCM on the target node doesn't have a RegistrationKey set.

    Can you get the LCM configuration from the node, and verify that it has the registration key set?

    #36100
    Profile photo of Michael Seto
    Michael Seto
    Participant

    Thank you for answering! Here is the output ::

    PS C:\Windows\system32> Get-DscLocalConfigurationManager

    ActionAfterReboot : ContinueConfiguration
    AgentId : 0D2A02DC-FE3F-11E4-80CB-000D3A004DE3
    AllowModuleOverWrite : False
    CertificateID :
    ConfigurationDownloadManagers : {[ConfigurationRepositoryWeb]my-pull-server}
    ConfigurationID :
    ConfigurationMode : ApplyAndMonitor
    ConfigurationModeFrequencyMins : 15
    Credential :
    DebugMode : {NONE}
    DownloadManagerCustomData :
    DownloadManagerName :
    LCMCompatibleVersions : {1.0, 2.0}
    LCMState : Idle
    LCMStateDetail :
    LCMVersion : 2.0
    MaxPendingConfigRetryCount :
    StatusRetentionTimeInDays : 10
    PartialConfigurations :
    RebootNodeIfNeeded : False
    RefreshFrequencyMins : 30
    RefreshMode : Pull
    ReportManagers : {}
    ResourceModuleManagers : {}
    PSComputerName :

    #36101
    Profile photo of Michael Seto
    Michael Seto
    Participant

    Here is what I used to configure the LCM ::

    [DSCLocalConfigurationManager()]
    configuration PullClientConfigID
    {
    Node localhost
    {
    Settings
    {
    RefreshMode = 'Pull'
    RefreshFrequencyMins = 30
    RebootNodeIfNeeded = $false
    }
    ConfigurationRepositoryWeb my-pull-server
    {
    ServerURL = 'http://my-pull-server:8080/PSDSCPullServer.svc'
    RegistrationKey = '88d639db-8e69-492d-a095-60e1eabd78e2'
    ConfigurationNames = @("ADMachineAgentPackage")
    AllowUnsecureConnection = $true
    }
    }
    }
    PullClientConfigID

    #36102
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Man, you kids with your AllowUnsecureConnection. That's like "AllowLackOfPants." It's not okay, even in a lab environment.

    My inclination is to enable a DSC debug trace on the node, re-push the meta config, and then re-pull your config. Then go through the Debug and Analytic logs and see if something more useful pops out. You might do the same on the pull server while you try all that, too, just in case it logs something fun. Don't forget to turn the trace off when you're done with all that.

    #36105
    Profile photo of Michael Seto
    Michael Seto
    Participant

    Haha, I should at least use a self signed, eh? I will.

    Any guides or references you can point me to for tracing, please? Not sure how exactly to do that with DSC.

    #36106
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Well, no, a self-signed cert isn't a shortcut to what SSL provides. If the node doesn't trust the certificate – and it can't with a self-signed one produced on the pull server – then mutual authentication fails. The point of the SSL certificate is to make sure you can't have a bad actor shipping configurations to your nodes, and it's an important consideration. Read "The DSC Book." It's free, right on our Resources menu.

    The DSC Resource Kit has a module called DSCDiagnostics. That's got the commands to enable/disable tracing. See https://blogs.msdn.microsoft.com/powershell/2014/02/11/dsc-diagnostics-module-analyze-dsc-logs-instantly-now/.

    #36107
    Profile photo of Michael Seto
    Michael Seto
    Participant

    Here is some output ::

    PS C:\Windows\system32> Trace-xDscOperation -SequenceID 2
    Index operation failed; the array index evaluated to null.
    At C:\windows\system32\windowspowershell\v1.0\Modules\xDscDiagnostics\xDscDiagnostics.psm1:712 char:9
    + $outputErrorMessage = $errorEvent.Properties[$propertyIndex]. ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArrayIndex

    Index ComputerName EventType TimeCreated Message
    —– ———— ——— ———– ——-
    0 dscnode01 OPERATIONAL 3/4/2016 11:07:50 PM Operation Consistency Check or Pull started by user sid S-1-5-21-709736597-1407805334-2645231930-11290 from computer dscnode01.
    1 dscnode01 OPERATIONAL 3/4/2016 11:07:51 PM Attempting to register the Dsc agent with AgentId 0D2A02DC-FE3F-11E4-80CB-000D3A004DE3 with the server http://my-pull-server:8080/PSDSC...
    2 dscnode01 ERROR 3/4/2016 11:07:51 PM MIResult: 1...

    Not really helpful? That was the sequence ID for the error produced from Update-DscConfiguration

    #36108
    Profile photo of Don Jones
    Don Jones
    Keymaster

    No, not especially. This stuff is really hard to troubleshoot if you don't have a pretty deep understanding of what's happening AND are sitting right in front of it. However, do keep in mind that this is supported code. If you're having a can-always-reproduce situation, open up a case with Microsoft Product Support. You'll end up not paying if it's a bug or other problem of theirs, and you'll get a fix a lot faster.

    #36109
    Profile photo of Arie H
    Arie H
    Participant

    Hi,

    Can you also please post the pull server DSC script, and did you rmember to put the RegistrationKey.txt in the right folder either manaly or via the pull server creation script ?

    #36121
    Profile photo of Michael Seto
    Michael Seto
    Participant

    Hi Arie, yes, the txt file is there.

    Here is the script for pull server creation ::

    # DSC configuration for Pull Server and Compliance Server
    # Prerequisite: Certificate "CN=PSDSCPullServerCert" in "CERT:\LocalMachine\MY\" store
    # Note: A Certificate may be generated using MakeCert.exe: http://msdn.microsoft.com/en-us/library/windows/desktop/aa386968%28v=vs.85%29.aspx

    configuration Sample_xDscWebService
    {
    param
    (
    [string[]]$NodeName = 'localhost',

    [ValidateNotNullOrEmpty()]
    [string] $certificateThumbPrint
    )

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration

    Node $NodeName
    {
    WindowsFeature DSCServiceFeature
    {
    Ensure = "Present"
    Name = "DSC-Service"
    }

    xDscWebService PSDSCPullServer
    {
    Ensure = "Present"
    EndpointName = "PSDSCPullServer"
    Port = 8080
    PhysicalPath = "$env:SystemDrive\inetpub\PSDSCPullServer"
    CertificateThumbPrint = "AllowUnencryptedTraffic"
    ModulePath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
    ConfigurationPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
    State = "Started"
    DependsOn = "[WindowsFeature]DSCServiceFeature"
    }

    xDscWebService PSDSCComplianceServer
    {
    Ensure = "Present"
    EndpointName = "PSDSCComplianceServer"
    Port = 9080
    PhysicalPath = "$env:SystemDrive\inetpub\PSDSCComplianceServer"
    CertificateThumbPrint = "AllowUnencryptedTraffic"
    State = "Started"
    IsComplianceServer = $true
    DependsOn = @("[WindowsFeature]DSCServiceFeature","[xDSCWebService]PSDSCPullServer")
    }
    }
    }

    Sample_xDscWebService

    #36129
    Profile photo of Arie H
    Arie H
    Participant

    Hi,

    Well for start, remove the entire section of xDscWebService PSDSCComplianceServer, which is the old v4 pull server sample you based your script on. As per previous issue Justin had a few posts ago, it doesn't work well with using the new v5 method of RegistrationKey and CinfigurationName.

    Edit: I Am assuming both the node and the pull server run the WMF 5 RTM version

Viewing 12 posts - 1 through 12 (of 12 total)

You must be logged in to reply to this topic.