How do I create a single MOF and push it out to multiple nodes

This topic contains 12 replies, has 6 voices, and was last updated by Justin King 5 months, 3 weeks ago.

    #33845
    Ed O’Connor
    Participant

    Hi, I am working with/learning DSC and have a question. I have successfully set up the DSC pull server and am able to use it to configure a node. This part seems pretty straightforward to me. My question is: how do I take a configuration and apply it to multiple nodes without having multiple MOFs (one for each node)?

    Here is what I have:

    When I specify the two nodes as below, this generates two separate MOFs (one for each server). I don't see why I should need this, as the config is the same for both.

    Configuration TestOfficeServers
    {
        param ([string[]]$MachineName)

        # One Node block per name passed in, so two names produce two MOFs
        Node $MachineName
        {
            # Install RSAT ADDS Tools
            WindowsFeature RSATADDSTools
            {
                Ensure = "Present"
                Name   = "RSAT-ADDS-Tools"
            }

            # Install FS-FileServer
            WindowsFeature FileServer
            {
                Ensure = "Present"
                Name   = "FS-FileServer"
            }
        }
    }

    # Compiles .\TestOfficeServers\lab-dsc-02.mof and .\TestOfficeServers\lab-dsc-03.mof
    TestOfficeServers -MachineName 'lab-dsc-02','lab-dsc-03'
    
    

    Next I would set the GUIDs, copy the MOFs to the deployment location and generate the checksums:

    $Guid1 = [guid]::NewGuid()
    $Guid2 = [guid]::NewGuid()

    # The configuration above writes its MOFs to .\TestOfficeServers by default
    $source1 = "TestOfficeServers\lab-dsc-02.mof"
    $source2 = "TestOfficeServers\lab-dsc-03.mof"

    # The pull server serves <ConfigurationID>.mof from this folder
    $target1 = "\\lab-DSC-01\c$\program files\windowspowershell\dscservice\configuration\$Guid1.mof"
    $target2 = "\\lab-DSC-01\c$\program files\windowspowershell\dscservice\configuration\$Guid2.mof"

    Copy-Item $source1 $target1
    Copy-Item $source2 $target2

    # Writes <GUID>.mof.checksum next to each MOF; the client compares it before downloading
    New-DscChecksum -ConfigurationPath $target1
    New-DscChecksum -ConfigurationPath $target2
    

    Then lastly I configure the nodes to pull the configurations (this is where I get really lost for multiple nodes):

    Configuration SetPullMode
    {
        param ([string]$guid)

        Node lab-dsc-02
        {
            LocalConfigurationManager
            {
                ConfigurationID                = $guid   # which <GUID>.mof this node pulls
                RefreshMode                    = 'Pull'
                RefreshFrequencyMins           = 30
                ConfigurationModeFrequencyMins = 30
                ConfigurationMode              = 'ApplyAndAutoCorrect'
                RebootNodeIfNeeded             = $true
                DownloadManagerName            = 'WebDownloadManager'
                DownloadManagerCustomData      = @{
                    ServerUrl = 'http://lab-dsc-01:8080/PSDSCPullServer.svc'
                    AllowUnsecureConnection = 'true'   # needed for plain HTTP; pull traffic is then unencrypted
                }
            }
        }
    }

    # lab-dsc-02.mof was copied as $Guid1.mof above, so that is the GUID this node needs
    SetPullMode -guid $Guid1
    Set-DscLocalConfigurationManager -ComputerName lab-dsc-02 -Path .\SetPullMode -Verbose
    
    #33885
    Dave Wyatt
    Moderator

    You can assign the same ConfigurationID GUID to multiple nodes, if you want; that's how they decide which MOF to download from the pull server. (Incidentally, WMF 5 is introducing a separation between AgentID and ConfigurationID, but your LCM output looks like it's WMF 4.)

    #33887
    Ed O’Connor
    Participant

    Thanks Dave, I have read that I can but can't figure out how 🙁 Could you provide a short sample of how this would be done?

    In the original PowerShell script to create the MOF I need to define the node it applies to via the -MachineName parameter, then again I need to state the node in the pull config. How do I get around specifying a single node in the script that creates the MOF? As in my example, if I specify two servers/nodes it creates two MOFs.

    #33891
    Dave Wyatt
    Moderator

    You don't need to compile a MOF for each node, if they're going to be identical. In fact, you can just generate a GUID (or use one that you already know), and use that right in the config:

    # Assuming a GUID of 2ab78d06-f0cf-435c-9cb7-485213873edc

    Configuration TestOfficeServers
    {
        # The Node name is the GUID itself, so the compiled file is <GUID>.mof
        Node '2ab78d06-f0cf-435c-9cb7-485213873edc'
        {
            # Install RSAT ADDS Tools
            WindowsFeature RSATADDSTools
            {
                Ensure = "Present"
                Name   = "RSAT-ADDS-Tools"
            }

            # Install FS-FileServer
            WindowsFeature FileServer
            {
                Ensure = "Present"
                Name   = "FS-FileServer"
            }
        }
    }
    

    That will compile straight to 2ab78d06-f0cf-435c-9cb7-485213873edc.mof, and you don't need to rename it. Just generate a checksum and send it up to the pull servers.

    #33892
    Dave Wyatt
    Moderator

    Then you would just call your SetPullMode function using the same GUID (2ab78d06-f0cf-435c-9cb7-485213873edc, in the example) for all servers that share the same MOF.

    #33895
    Ed O’Connor
    Participant

    Awesome, thank you. I was worried because when I looked in the MOF that gets generated it did have a section for node.

    #35109
    Peter Cashen
    Participant

    Hi,

    This is a bit of a 'revelation' for me...

    So far I've been unable to get an answer on this, and just took it for granted that if I had 200 nodes, then I'd need 200 mof files and 200 checksum files... even if they all had the same config!

    However, now it seems that they don't!?

    I'm basically doing a Get-Computers from an OU, adding them to an array and then creating the mof files using a foreach ... i.e. 200 mof files.

    I thought this was a good way, as when I do the Get-Computers I pull the ObjectGUID also, so don't need to generate any new GUIDs, I can just use the ones I've pulled.

    So question is... how do I use the single mof file in this instance... what do I need to do on the local clients to ensure that they all pull the same mof file?

    Thanks in advance

    #35111
    Dave Wyatt
    Moderator

    As long as the computers' LCMs are all configured with the same GUID, then you only need a MOF / checksum with that one GUID. They'll all pull the same one.
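
    The end-to-end procedure Dave describes, written out as an added example (this is not code from the thread). It serves both the "one MOF named by the shared GUID" answer above and Peter's "computers from an OU" case: the configuration is compiled once with the GUID as its Node name, published with a single checksum, and then every client LCM is given that same ConfigurationID. Assumed: the WMF 4 pull server lab-dsc-01 and the DscService paths from the original post, WinRM access to the clients, the ActiveDirectory module on the management host, and a hypothetical OU 'OU=OfficeServers,DC=lab,DC=local' holding the targets.

```powershell
# Added example: one MOF, one checksum, many nodes (WMF 4 syntax, as in the thread).
$SharedGuid = '2ab78d06-f0cf-435c-9cb7-485213873edc'   # one ConfigurationID for the whole group
$PullServer = 'lab-dsc-01'
$ConfigDir  = "\\$PullServer\c$\Program Files\WindowsPowerShell\DscService\Configuration"

# 1. The node configuration, compiled once. Because the Node name is the GUID,
#    the compiler writes <GUID>.mof, which is the file name the pull server expects.
Configuration OfficeServers
{
    param ([Parameter(Mandatory)][string]$ConfigurationId)

    Node $ConfigurationId
    {
        WindowsFeature RSATADDSTools
        {
            Ensure = 'Present'
            Name   = 'RSAT-ADDS-Tools'
        }
        WindowsFeature FileServer
        {
            Ensure = 'Present'
            Name   = 'FS-FileServer'
        }
    }
}

# Calling a configuration returns the FileInfo of each MOF it wrote: here exactly one.
$mof = OfficeServers -ConfigurationId $SharedGuid -OutputPath .\OfficeServers

# 2. Publish it: one MOF plus one .checksum file, however many nodes pull it.
Copy-Item -Path $mof.FullName -Destination $ConfigDir -Force
New-DscChecksum -ConfigurationPath (Join-Path $ConfigDir $mof.Name) -Force   # writes <GUID>.mof.checksum

# 3. LCM meta-configuration: the same ConfigurationID on every node in the list.
Configuration SetPullMode
{
    param (
        [Parameter(Mandatory)][string[]]$NodeName,
        [Parameter(Mandatory)][string]$ConfigurationId,
        [Parameter(Mandatory)][string]$ServerUrl
    )

    Node $NodeName   # one <node>.meta.mof per target; each carries the same GUID
    {
        LocalConfigurationManager
        {
            ConfigurationID                = $ConfigurationId
            RefreshMode                    = 'Pull'
            RefreshFrequencyMins           = 30
            ConfigurationModeFrequencyMins = 30
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded             = $true
            DownloadManagerName            = 'WebDownloadManager'
            DownloadManagerCustomData      = @{
                ServerUrl = $ServerUrl
                # 'true' matches the original post and means plain HTTP between client
                # and pull server. Use an HTTPS pull server and drop this line in production.
                AllowUnsecureConnection = 'true'
            }
        }
    }
}

# Target list straight from AD (hypothetical OU). The computers' ObjectGUIDs are
# deliberately NOT used as ConfigurationIDs: a node pulls <ConfigurationID>.mof, so
# nodes that should receive the same MOF must carry the same GUID.
$targets = Get-ADComputer -Filter * -SearchBase 'OU=OfficeServers,DC=lab,DC=local' |
           Select-Object -ExpandProperty Name

SetPullMode -NodeName $targets -ConfigurationId $SharedGuid `
            -ServerUrl "http://${PullServer}:8080/PSDSCPullServer.svc" -OutputPath .\SetPullMode

# Pushes each .\SetPullMode\<node>.meta.mof to the node it is named after.
Set-DscLocalConfigurationManager -Path .\SetPullMode -Verbose

# Check from the management host: every target should now report the shared GUID.
Get-DscLocalConfigurationManager -CimSession $targets |
    Select-Object PSComputerName, ConfigurationID, RefreshMode
```

    Note the `${PullServer}` form in the URL: a bare `$PullServer:8080` inside a double-quoted string is parsed as a scope-qualified variable and expands to nothing.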

    #35240
    Flynn Bundy
    Participant

    If you need any more information on the process Dave mentioned earlier ('WMF 5 is introducing a separation between AgentID and ConfigurationID'), feel free to check out a quick video I made explaining how this works.

    #37213
    Clayton McKenzie
    Participant

    Is it possible to secure the communication in this scenario in order to be able to use credentials in the shared .mof?

    #37215
    Dave Wyatt
    Moderator

    All of the client nodes would need to have the same certificate and private key installed, which is not ideal, but technically possible. You'd use that certificate when compiling the MOF, and any PSCredential parameters to the resources would have their passwords encrypted.
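
    What "use that certificate when compiling the MOF" looks like in practice, as an added example (not code from the thread). The configuration data names the shared GUID as the node and points at the certificate's public part; the compiler then encrypts every PSCredential for that node instead of demanding PSDscAllowPlainTextPassword. Assumed: the public certificate has been exported to C:\DSC\DscEncryption.cer on the authoring host, and the same certificate with its private key sits in Cert:\LocalMachine\My on every pull client. The path, account name and the use of the User resource are illustrative.

```powershell
# Added example: compile the shared MOF with encrypted credentials.
$SharedGuid = '2ab78d06-f0cf-435c-9cb7-485213873edc'
$CertFile   = 'C:\DSC\DscEncryption.cer'   # public key only; the private key never leaves the clients
$Thumbprint = (Get-PfxCertificate -FilePath $CertFile).Thumbprint

# Configuration data keyed on the GUID "node". CertificateFile makes the compiler
# encrypt every credential for that node; without it the compile fails unless you
# set PSDscAllowPlainTextPassword = $true, which writes the password in clear.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = $SharedGuid
            CertificateFile = $CertFile
            Thumbprint      = $Thumbprint
        }
    )
}

Configuration OfficeServersWithCreds
{
    param ([Parameter(Mandatory)][PSCredential]$ServiceAccount)

    Node $AllNodes.NodeName
    {
        # Any resource that takes a PSCredential gets the same treatment; a local
        # service account is used here purely as an illustration.
        User OfficeServiceAccount
        {
            UserName = $ServiceAccount.UserName
            Password = $ServiceAccount
            Ensure   = 'Present'
        }
    }
}

$cred = Get-Credential -UserName 'svc-office' -Message 'Password for the local service account'
$mof  = OfficeServersWithCreds -ConfigurationData $ConfigData -ServiceAccount $cred -OutputPath .\Secure

# Sanity check before publishing: the clear-text password must not be in the MOF.
$plain = $cred.GetNetworkCredential().Password
if ((Get-Content -Path $mof.FullName -Raw).Contains($plain)) {
    throw "Clear-text password found in $($mof.Name); credential encryption did not happen."
}

# The clients must also be told which private key decrypts the MOF. Add the line
# below to the LocalConfigurationManager block of the SetPullMode configuration from
# the original post and re-apply it; pushing a meta.mof replaces the LCM settings,
# so it should carry the pull settings as well, not CertificateID on its own.
#     CertificateID = $Thumbprint
```

    After the check passes, the <GUID>.mof and its checksum are published to the pull server exactly as for an unencrypted MOF; only the clients holding the private key can turn the encrypted password back into something usable.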

    #37216
    Clayton McKenzie
    Participant

    Thanks Dave,
    I could really use a link to show how to set that up reasonably securely... I am using Group Policy (via a PowerShell script) to do the initial client registration, so collecting a specific .cer file from an internal UNC path and installing it by script as part of the registration process is a possibility.
    That's a good video Flynn, thanks for sharing.

    #37252
    Justin King
    Participant

    "Reasonably securely" is going to be different from client to client. The key takeaway here is that if the clients wish to share the MOF, they need to share the certificate's private key so they can decrypt the credentials. As such, there are a couple of things you have to keep in mind:

    1. How secure is the UNC path on which you are storing the certificate? Remember this houses the private key, so if it's compromised they can see everything being pulled on _any_ box. A lot of potential passwords are being held by this key.
    2. How long is the certificate valid for, and what is your update process? Certs expire, so you either have to increase the validity date or devise a reliable update strategy, as every server in your environment could potentially "expire" at the same time.
    3. How do you make the public key available to those compiling MOF files? Or do you _not_ do this and automate that? Other side of the tooling question, but it needs to be asked due to the risk of this key getting out.
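
    A check that answers Justin's second point for a fleet of pull clients, as an added example (not code from the thread). For each node it reads the LCM's CertificateID, looks that thumbprint up in the node's LocalMachine\My store, and reports whether the private key is present and how long the certificate has left; it then confirms all nodes that share a MOF actually share one CertificateID. Assumed: WinRM/CIM access to the nodes; the node names are illustrative.

```powershell
# Added example: audit the shared decryption certificate across pull clients.
function Get-DscCertificateStatus
{
    param (
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$WarnDays = 60                      # flag certificates expiring within this window
    )

    foreach ($node in $ComputerName)
    {
        $lcm  = Get-DscLocalConfigurationManager -CimSession $node
        $cert = $null
        if ($lcm.CertificateID)
        {
            # Look the LCM's thumbprint up in the node's own machine store.
            $cert = Invoke-Command -ComputerName $node -ArgumentList $lcm.CertificateID -ScriptBlock {
                param ($Thumbprint)
                Get-ChildItem -Path Cert:\LocalMachine\My |
                    Where-Object { $_.Thumbprint -eq $Thumbprint } |
                    Select-Object -Property Thumbprint, NotAfter, HasPrivateKey -First 1
            }
        }

        $daysLeft = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }

        $warning = ''
        if (-not $cert)                     { $warning = 'certificate missing' }
        elseif (-not $cert.HasPrivateKey)   { $warning = 'no private key: node cannot decrypt the MOF' }
        elseif ($daysLeft -lt $WarnDays)    { $warning = "expires in $daysLeft days" }

        [pscustomobject]@{
            Node            = $node
            ConfigurationID = $lcm.ConfigurationID
            CertificateID   = $lcm.CertificateID
            Installed       = [bool]$cert
            HasPrivateKey   = if ($cert) { $cert.HasPrivateKey } else { $false }
            DaysLeft        = $daysLeft
            Warning         = $warning
        }
    }
}

$report = Get-DscCertificateStatus -ComputerName 'lab-dsc-02', 'lab-dsc-03'   # hypothetical nodes
$report | Format-Table -AutoSize

# Nodes sharing a MOF must share one decryption certificate: more than one distinct
# CertificateID (or an empty one) means at least one node cannot read the credentials.
$distinct = @($report.CertificateID | Sort-Object -Unique)
if ($distinct.Count -ne 1 -or [string]::IsNullOrEmpty($distinct[0]))
{
    Write-Warning "Expected one shared CertificateID, found: $($distinct -join ', ')"
}
```

    Run this on a schedule well inside the WarnDays window; because every node carries the same certificate, the report going red on one node is the early warning that the whole fleet will stop decrypting its MOF on the same day.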
