New DSC Pull Server on 2016

Welcome Forums DSC (Desired State Configuration) New DSC Pull Server on 2016

This topic contains 7 replies, has 3 voices, and was last updated by

 
Keymaster
3 months, 3 weeks ago.

  • Author
    Posts
  • #104794

    Participant
    Points: 0
    Rank: Member

    So I have this new Pull Server, and mind you this is my first foray into DSC, and i got it setup with a SSL cert and all that jazz and was able to confirm it's at least providing the proper response when I perform this:

    ([xml](Invoke-WebRequest "https://$($fqdn):8080/psdscpullserver.svc" | % Content)).service.workspace.collection.href
    

    I get the expected result of

    Configurations
    Modules
    Action
    Module
    StatusReport
    Node
    Reports
    Nodes

    So I'm thinking all is good, so I go to do my pull client registration and wham, I get this,

    he client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or
    WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
    

    Well, I'm using a secure config over IIS, so WinRM shouldn't be a factor. So my question is, what am I missing here? My configs are below, and I wish I knew where things where being logged so I would have something to look at, but even the IIS logs are pretty sparse.

    Pull Server Config

    
        param 
        (
            [string[]]$NodeName = 'localhost',
    
            [ValidateNotNullOrEmpty()]
            [string] $certificateThumbPrint,
    
            [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
            [ValidateNotNullOrEmpty()]
            [string] $RegistrationKey   # A guid that clients use to initiate conversation with pull server
        )
    
       Import-DSCResource -ModuleName xPSDesiredStateConfiguration
       Import-DSCResource -ModuleName PSDesiredStateConfiguration
       Import-DSCResource -ModuleName xWebAdministration
       Import-DSCResource -ModuleName xComputerManagement
       
        Node $NodeName
        {
             LocalConfigurationManager
             {
                ConfigurationMode    = "ApplyAndMonitor" #https://docs.microsoft.com/en-us/powershell/dsc/metaconfig
                RebootNodeIfNeeded   = $false
             }
    
             WindowsFeature IISMgmt
             {
                 Ensure     = "Present"
                 Name       = "Web-Mgmt-Console"
                 Source     = "c:\i386\sources\sxs"
             }
    
             WindowsFeature DSCServiceFeature
             {
                Ensure = "Present"
                Name   = "DSC-Service"
                Source = "c:\i386\sources\sxs"
             }
    
             WindowsFeature WinAuth 
             {
                Ensure = "Present"
                Name   = "web-Windows-Auth"
                Source = "c:\i386\sources\sxs"
             }
    
             WindowsFeature NETHTTPActivation
             { 
                Ensure = "Present"
                Name   = "NET-HTTP-Activation"
                Source = "c:\i386\sources\sxs"
             }
    
            WindowsFeature ISE
            {
             Ensure = "Absent"
             Name   = "PowerShell-ISE"
             Source = "c:\i386\sources\sxs"
            }
             
            xDscWebService PSDSCPullServer
            {
                Ensure                        = "Present"
                EndpointName                  = "PSDSCPullServer"
                Port                          = 8080
                PhysicalPath                  = "$env:SystemDrive\inetpub\PSDSCPullServer"
                CertificateThumbPrint         = $certificateThumbPrint
                ModulePath                    = "$env:ProgramFiles\WindowsPowerShell\DscService\Modules"
                ConfigurationPath             = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
                State                         = "Started"
                DependsOn                     = @("[WindowsFeature]DSCServiceFeature",
                                                 "[WindowsFeature]WinAuth",
                                                 "[WindowsFeature]NETHTTPActivation")
                AcceptSelfSignedCertificates  = $false
                Enable32BitAppOnWin64         = $false
                UseSecurityBestPractices      = $false
            }
    
            File RegistrationKeyFile
            {
                Ensure          = 'Present'
                Type            = 'File'
                DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
                Contents        = $RegistrationKey
            }
    
            #Stop the default WebSite
            xWebSite StopDefaultSite
            {
               Ensure       = "Present"
               Name         = "Default Web Site"
               State        = "Stopped"
               PhysicalPath = "$env:SystemDrive\inetpub\wwwroot"
               DependsOn    = "[WindowsFeature]DSCServiceFeature"
            }
        }
    }
    

    Client Registration

    [DSCLocalConfigurationManager()]
    configuration PullClientRegistration
    {
       param
       (
          [ValidateNotNullOrEmpty()]
          [string]$NodeName,
    
          [ValidateNotNullOrEmpty()]
          [string]$RegistrationKey,
    
          [ValidateNotNullOrEmpty()]
          [string]$PullServer
       )
       Node $NodeName
       {     
          
          Settings
          {
             RefreshMode                      = 'Pull'
             RebootNodeIfNeeded               = $false
             ConfigurationMode                = "ApplyAndMonitor"
             ConfigurationModeFrequencyMins   = 15
          }
    
          ConfigurationRepositoryWeb $PullServer
          {
             ServerURL                  = "https://$($PullServer):8080/PSDSCPullServer.svc"
             RegistrationKey            = $RegistrationKey
             ConfigurationNames         = @('ClientConfig')
             AllowUnsecureConnection    = $false
             #ConfigurationNames = @($Target)
          }
    
          ReportServerWeb $PullServer
          {
             ServerURL       = "https://$($PullServer):8080/PSDSCPullServer.svc"
             RegistrationKey = $RegistrationKey
          }
       }
    }
    

    Test ClientConfig

    configuration ClientConfig
    {
        Import-DscResource -ModuleName PSDesiredStateConfiguration
        
        Node localhost
        {
          WindowsFeature ISE
          {
             Ensure = "Absent"
             Name   = "PowerShell-ISE"
             Source = "c:\i386\sources\sxs"
            }
            
           Service EPOPS
           {
              Name          = "End Point Operations Management Agent"
              StartupType   = "Automatic"
              State         = "Running"
           }
        }
    }
    
  • #104837
    Syl

    Participant
    Points: 6
    Rank: Member

    WinRM is required by DSC(cmdlet like Start-DSCConfiguration uses it)

    Here is an article on running DSC with WinRM disabled, but it looks more trouble then it's worth.

    Using DSC with the WinRM service disabled

  • #104848

    Participant
    Points: 0
    Rank: Member

    I thought the point of the DSC Pull server using HTTPS was so one didn't have to have WinRM configured everywhere?

  • #104852

    Keymaster
    Points: 1,638
    Helping HandTeam Member
    Rank: Community Hero

    Nnnnooo... DSC wants to use WinRM regardless of whether you use HTTP or HTTPS. It's not using WinRM to talk to the pull server; that indeed happens over HTTP(S). It wants to use it to talk to itself locally, because DSC operates out of the CIM repository, and CIM uses WinRM. This isn't PowerShell Remoting (e.g., MS-PSRP protocol); it's CIM. So you don't have to Enable-PSRemoting, but you do need CIM to be usable.

  • #104966

    Participant
    Points: 0
    Rank: Member

    That actually makes a lot of sense explained that way, I just wish the docs would say that and clearly state it as a pre-req for DSC.
    Now to try and figure out how to fully use the Pull Server config, not as straight forward as I was hoping to do something as simple as remove PowerShell ISE and ensure a service is running on a Pull Client. Start small and go bigger LOL.

  • #104971

    Keymaster
    Points: 1,638
    Helping HandTeam Member
    Rank: Community Hero

    You may want to pick up "The DSC Book" from Leanpub. I spent a lot of time writing this all down 🙂 in it.

    Pull Client isn't a service; the LCM runs as a scheduled task and is trigged via the CIM repository. ISE has nothing to do with it.

  • #104990

    Participant
    Points: 0
    Rank: Member

    Oh ISE was just an example of how DSC can manage a server without having to touch each and every server, and ISE is one of those things that's not good to have on a server generally and not impactful to add and remove at will.
    As far as the book, yeah, $60 is a bit steep for something that should be straight forward and simple. I mean I manage a global Windows and VMware infrastructure and do C#, PowerShell, and Perl programming to provide automation, DSC should be dirt simple one would think in comparison.
    Nevertheless I will take a look at it, maybe a business expense...

  • #104993

    Keymaster
    Points: 1,638
    Helping HandTeam Member
    Rank: Community Hero

    It's actually a fairly complex technology with a lot of subtle nuances and some serious need for smart design. I think VMware is pretty complex, too; I remember spending a good bit more than $60 to learn it back in the day [grin].

    And you certainly _can_ learn DSC from the docs. I did. It just takes a lot of work, and a lot of experimentation.

The topic ‘New DSC Pull Server on 2016’ is closed to new replies.