March 4, 2016 at 1:51 pm

I have created a pull server, now I am on one of the nodes attempting to do an Update-DscConfiguration -Wait -Verbose, but it is saying something I have never seen before ::

Cannot bind argument to parameter 'RegistrationKey' because it is an empty string.
+ CategoryInfo : InvalidData: (@{CertificateID...onnection=True}:String) [], CimException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
+ PSComputerName : localhost

I can verify I did create a GUID on the node and put it into RegistrationKeys.txt on the pull server. I did make sure to create a checksum. I did successfully execute Set-DscLocalConfigurationManager -ComputerName localhost -Path .\PullClientConfigID -Verbose. It is just failing to update the configuration with the above error. I cannot find this error anywhere on the net.

Please help! 🙁

March 4, 2016 at 2:10 pm

Well, let's focus on the problem, because I don't think checksums and all that have anything to do with the error. It seems to feel as if the LCM on the target node doesn't have a RegistrationKey set.

Can you get the LCM configuration from the node, and verify that it has the registration key set?

March 4, 2016 at 2:35 pm

Thank you for answering! Here is the output ::

PS C:\Windows\system32> Get-DscLocalConfigurationManager

ActionAfterReboot : ContinueConfiguration
AgentId : 0D2A02DC-FE3F-11E4-80CB-000D3A004DE3
AllowModuleOverWrite : False
CertificateID :
ConfigurationDownloadManagers : {[ConfigurationRepositoryWeb]my-pull-server}
ConfigurationID :
ConfigurationMode : ApplyAndMonitor
ConfigurationModeFrequencyMins : 15
Credential :
DebugMode : {NONE}
DownloadManagerCustomData :
DownloadManagerName :
LCMCompatibleVersions : {1.0, 2.0}
LCMState : Idle
LCMStateDetail :
LCMVersion : 2.0
MaxPendingConfigRetryCount :
StatusRetentionTimeInDays : 10
PartialConfigurations :
RebootNodeIfNeeded : False
RefreshFrequencyMins : 30
RefreshMode : Pull
ReportManagers : {}
ResourceModuleManagers : {}
PSComputerName :

March 4, 2016 at 2:36 pm

Here is what I used to configure the LCM ::

[DSCLocalConfigurationManager()]
configuration PullClientConfigID
{
    Node localhost
    {
        Settings
        {
            RefreshMode = 'Pull'
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded = $false
        }
        ConfigurationRepositoryWeb my-pull-server
        {
            ServerURL = 'http://my-pull-server:8080/PSDSCPullServer.svc'
            RegistrationKey = '88d639db-8e69-492d-a095-60e1eabd78e2'
            ConfigurationNames = @("ADMachineAgentPackage")
            AllowUnsecureConnection = $true
        }
    }
}

March 4, 2016 at 2:43 pm

Man, you kids with your AllowUnsecureConnection. That's like "AllowLackOfPants." It's not okay, even in a lab environment.

My inclination is to enable a DSC debug trace on the node, re-push the meta config, and then re-pull your config. Then go through the Debug and Analytic logs and see if something more useful pops out. You might do the same on the pull server while you try all that, too, just in case it logs something fun. Don't forget to turn the trace off when you're done with all that.
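
A pull client meta-configuration without AllowUnsecureConnection, preceded by a check that the node can complete a TLS handshake with the pull server. This is an added example for Windows PowerShell 5.x and is not code from any poster in the thread. It assumes the pull server has been moved to HTTPS on the same port with a certificate from a CA the node trusts; `Test-PullServerTrust`, `PullClientHttps` and the `https://` URL are hypothetical names.

```powershell
# Added example for Windows PowerShell 5.x (WMF 5); not code from the thread.
# Assumed: the pull server from the thread now serves HTTPS on the same port,
# with a certificate issued by a CA this node trusts.
$ServerUrl = 'https://my-pull-server:8080/PSDSCPullServer.svc'

function Test-PullServerTrust
{
    param([Parameter(Mandatory)][uri] $Url)

    # Plain http can never authenticate the server, so fail early.
    if ($Url.Scheme -ne 'https') { return $false }
    try
    {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return $true
    }
    catch [System.Net.WebException]
    {
        # An HTTP error response still means the TLS handshake (and so the
        # certificate check) succeeded. No response means no usable TLS
        # session: untrusted certificate, name mismatch, or server unreachable.
        return ($null -ne $_.Exception.Response)
    }
}

[DSCLocalConfigurationManager()]
configuration PullClientHttps
{
    param([Parameter(Mandatory)][ValidateNotNullOrEmpty()][string] $RegistrationKey)

    Node localhost
    {
        Settings
        {
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded   = $false
        }
        ConfigurationRepositoryWeb my-pull-server
        {
            ServerURL          = $ServerUrl   # https, and no AllowUnsecureConnection
            RegistrationKey    = $RegistrationKey
            ConfigurationNames = @('ADMachineAgentPackage')
        }
    }
}

if (-not (Test-PullServerTrust -Url $ServerUrl)) { throw "Node cannot establish trusted TLS to $ServerUrl" }
PullClientHttps -RegistrationKey (Read-Host 'Registration key') -OutputPath .\PullClientHttps
Set-DscLocalConfigurationManager -Path .\PullClientHttps -Verbose
```

The registration key is prompted for rather than written into the script, so it does not end up in source control alongside the configuration.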

March 4, 2016 at 2:57 pm

Haha, I should at least use a self signed, eh? I will.

Any guides or references you can point me to for tracing, please? Not sure how exactly to do that with DSC.

March 4, 2016 at 3:02 pm

Well, no, a self-signed cert isn't a shortcut to what SSL provides. If the node doesn't trust the certificate – and it can't with a self-signed one produced on the pull server – then mutual authentication fails. The point of the SSL certificate is to make sure you can't have a bad actor shipping configurations to your nodes, and it's an important consideration. Read "The DSC Book." It's free, right on our Resources menu.

The DSC Resource Kit has a module called DSCDiagnostics. That's got the commands to enable/disable tracing. See

March 4, 2016 at 3:14 pm

Here is some output ::

PS C:\Windows\system32> Trace-xDscOperation -SequenceID 2
Index operation failed; the array index evaluated to null.
At C:\windows\system32\windowspowershell\v1.0\Modules\xDscDiagnostics\xDscDiagnostics.psm1:712 char:9
+ $outputErrorMessage = $errorEvent.Properties[$propertyIndex]. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArrayIndex

Index ComputerName EventType TimeCreated Message
----- ------------ --------- ----------- -------
0 dscnode01 OPERATIONAL 3/4/2016 11:07:50 PM Operation Consistency Check or Pull started by user sid S-1-5-21-709736597-1407805334-2645231930-11290 from computer dscnode01.
1 dscnode01 OPERATIONAL 3/4/2016 11:07:51 PM Attempting to register the Dsc agent with AgentId 0D2A02DC-FE3F-11E4-80CB-000D3A004DE3 with the server http://my-pull-server:8080/PSDSC...
2 dscnode01 ERROR 3/4/2016 11:07:51 PM MIResult: 1...

Not really helpful? That was the sequence ID for the error produced from Update-DscConfiguration.

March 4, 2016 at 3:23 pm

No, not especially. This stuff is really hard to troubleshoot if you don't have a pretty deep understanding of what's happening AND are sitting right in front of it. However, do keep in mind that this is supported code. If you're having a can-always-reproduce situation, open up a case with Microsoft Product Support. You'll end up not paying if it's a bug or other problem of theirs, and you'll get a fix a lot faster.

March 4, 2016 at 3:52 pm


Can you also please post the pull server DSC script, and did you remember to put the RegistrationKey.txt in the right folder, either manually or via the pull server creation script?

March 5, 2016 at 6:04 am

Hi Arie, yes, the txt file is there.

Here is the script for pull server creation ::

# DSC configuration for Pull Server and Compliance Server
# Prerequisite: Certificate "CN=PSDSCPullServerCert" in "CERT:\LocalMachine\MY\" store
# Note: A Certificate may be generated using MakeCert.exe:

configuration Sample_xDscWebService
{
    param
    (
        [string[]]$NodeName = 'localhost',

        [string] $certificateThumbPrint
    )

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration

    Node $NodeName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = "Present"
            Name = "DSC-Service"
        }

        xDscWebService PSDSCPullServer
        {
            Ensure = "Present"
            EndpointName = "PSDSCPullServer"
            Port = 8080
            PhysicalPath = "$env:SystemDrive\inetpub\PSDSCPullServer"
            CertificateThumbPrint = "AllowUnencryptedTraffic"
            ModulePath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State = "Started"
            DependsOn = "[WindowsFeature]DSCServiceFeature"
        }

        xDscWebService PSDSCComplianceServer
        {
            Ensure = "Present"
            EndpointName = "PSDSCComplianceServer"
            Port = 9080
            PhysicalPath = "$env:SystemDrive\inetpub\PSDSCComplianceServer"
            CertificateThumbPrint = "AllowUnencryptedTraffic"
            State = "Started"
            IsComplianceServer = $true
            DependsOn = @("[WindowsFeature]DSCServiceFeature","[xDSCWebService]PSDSCPullServer")
        }
    }
}


March 6, 2016 at 1:15 am


Well, for a start, remove the entire section of xDscWebService PSDSCComplianceServer, which is the old v4 pull server sample you based your script on. As per the previous issue Justin had a few posts ago, it doesn't work well with using the new v5 method of RegistrationKey and ConfigurationName.

Edit: I am assuming both the node and the pull server run the WMF 5 RTM version.