Testing configurations and other quirks...

This topic contains 16 replies, has 3 voices, and was last updated by Profile photo of Vifill Sigurdsson Vifill Sigurdsson 2 years, 8 months ago.

  • Author
    Posts
  • #16317
    Profile photo of Jim March
    Jim March
    Participant

    I'm writing some of my first DSC configurations, but I'm wondering what are the best ways to go about testing.

    In production, I plan to use a pull server. But for testing, I've been trying to use just 2 boxes. A target, and a box to push from.

    So for instance, I got ahead of myself and was putting what I thought to be some very basic configurations into a composite resource and trying to execute it against a remote machine. It was leveraging the cWebAdministration.

    I'm trying to think about how to word this without it sounding like I'm rambling, so I'll just bullet a few of the things I ran into.

    – Error: Some Module cannot be loaded because you opted not to run this software now.
    I was putting my modules in the \Program Files\WindowsPowershell\Modules directory. I found [url]http://www.ultimaforsan.com/logs/2014/2/7/powershell-dsc-quirks-part-3.html[/url] a suggestion to put my modules in the C:\Windows\System32\WindowsPowerShell\v1.0\Modules directory.

    That got me farther, but then I encountered a problem with the execution policy. Is everyone signing their scripts? Or using Unrestricted?

    Then I was having problems with it saying that cWebsite was not a valid command or or something like that. It was obviously not liking my composite resource.
    I played with moving the import-dscresource command from inside the composite module, to the configuration script, but never really got past that. (Anyone know where the import command should go?)

    I then just opted to try and just be as simple as possible and do everything in one configuration script.

    All I was trying to do was make sure "Default Web Site" was "Absent", and again I was just getting errors.
    I eventually tracked down that the WebAdministration module has a Mandatory Parameter of PhyscialPath in one of the helper functions. Even though it shouldn't be required to delete the default website.

    Well, anyways... That is already turned into rambling. [b]To the point...[/b]
    Testing these configuration has been a slow painful process, and I'm afraid that once I get something that I think is working and then try and migrate to using a pull server, things will behave differently.

    So is best to test the way I've been doing it? Or is it actually easier to just start with a pull server, and test that way by forcing a refresh?

    Can you still get the verbose output someway when testing in that method?

    Last question? Is anyone using the cAppPool resource from the repository? I can't get it to work at all. I'm getting an error stating that a Get-Targetresource can not be found...

  • #16322
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Yikes.

    [blockquote]- Error: Some Module cannot be loaded because you opted not to run this software now.
    I was putting my modules in the \Program Files\WindowsPowershell\Modules directory. I found http://www.ultimaforsan.com/logs/2014/2/7/powershell-dsc-quirks-part-3.html a suggestion to put my modules in the C:\Windows\System32\WindowsPowerShell\v1.0\Modules directory.[/blockquote]

    Program Files is correct. You need to get your content out of System32 – that's for Microsoft's stuff. If Program Files isn't working, troubleshoot that. Check the PSModulePath environment variable. Sticking stuff in System32 is ultimately going to create more grief than good. I wish people would NOT hand out "guidance" like that, and would instead bug the problem on Connect so that, if it is indeed a problem, it can be fixed properly. There's a reason you're asked not to put things in System32, and it's not just because Microsoft is territorial about a directory.

    That is, unfortunately, exactly the attitude that gave us so many problems moving applications from XP to Win7.

    [blockquote]That got me farther, but then I encountered a problem with the execution policy. Is everyone signing their scripts? Or using Unrestricted?[/blockquote]

    Well, those are hardly the only two options. Most people probably use RemoteSigned. I use Unrestricted, myself. But yeah, DSC resources are script modules, so you have to enable script execution for it to work. Keep in mind that DSC is really targeted toward servers now, and the default execution policy is RemoteSigned on Win2012R2, so on an uplevel OS you wouldn't have noticed this. Downlevel OS, yup, you gotta adjust the policy.

    [blockquote]All I was trying to do was make sure "Default Web Site" was "Absent", and again I was just getting errors.
    I eventually tracked down that the WebAdministration module has a Mandatory Parameter of PhyscialPath in one of the helper functions. Even though it shouldn't be required to delete the default website.[/blockquote]

    You know how your users call you and say they're "getting errors," and you get annoyed because without the actual error, you can't really help them? (grin). Same thing. But it's good that you tracked the item down; if you feel it's a bug, you should log it at Connect.Microsoft.com so the team can look at it and try to fix it.

    [blockquote]So is best to test the way I've been doing it? Or is it actually easier to just start with a pull server, and test that way by forcing a refresh?[/blockquote]

    Possibly. I always start as I mean to finish, which means if my intent is a pull server, I tend to start that way. But the delivery mechanism doesn't really affect how the MOF is applied.

    [blockquote]Can you still get the verbose output someway when testing in that method?[/blockquote]

    You'll want to look into the xDSCDiagnostics module.

    [blockquote]Last question?[/blockquote]

    Sure.

    [blockquote]Is anyone using the cAppPool resource from the repository? I can't get it to work at all. I'm getting an error stating that a Get-Targetresource can not be found…[/blockquote]

    Ping @stevenmurawski on Twitter. He probably uses it all the time – I think it's actually his code.

  • #16323
    Profile photo of Jim March
    Jim March
    Participant

    Don Jones wrote:Yikes.

    Program Files is correct. You need to get your content out of System32 – that's for Microsoft's stuff. If Program Files isn't working, troubleshoot that. Check the PSModulePath environment variable. Sticking stuff in System32 is ultimately going to create more grief than good. I wish people would NOT hand out "guidance" like that, and would instead bug the problem on Connect so that, if it is indeed a problem, it can be fixed properly. There's a reason you're asked not to put things in System32, and it's not just because Microsoft is territorial about a directory.

    That is, unfortunately, exactly the attitude that gave us so many problems moving applications from XP to Win7.

    Yeah, I agree with that... Just getting frustrated that even the most basic examples are not executing for me. This is on fresh installs of Windows 2012 R2.

    So I moved the module back to /Program Files/
    And I get this...

    PS C:\Users\a_jmarch> Start-DscConfiguration -Path .\MyWeb -wait -Verbose
    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' =
     MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer JMARCH02 with user sid S-1-5-21-3595392803-2728658066-1154433773-43208.
    VERBOSE: [JMARCH02]: LCM:  [ Start  Set      ]
    VERBOSE: [JMARCH02]: LCM:  [ End    Set      ]
    Importing module MSFT_xWebsite failed with error - File C:\Program 
    Files\WindowsPowerShell\Modules\xWebAdministration\DscResources\MSFT_xWebsite\MSFT_xWebsite.psm1 cannot be loaded because 
    you opted not to run this software now.
        + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : ImportModuleFailed
        + PSComputerName        : localhost
     
    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 0.295 seconds

    Any ideas?

    The module path is good...

    PS C:\Users\a_jmarch> $env:PSModulePath -split ";"
    C:\Users\a_jmarch\Documents\WindowsPowerShell\Modules
    C:\Program Files\WindowsPowerShell\Modules
    C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\

    And my composite resource that lives in Program Files executes fine, although at the moment it only calls the built in DSC resource WinodwsFeature.

  • #16324
    Profile photo of Jim March
    Jim March
    Participant

    Jeeeeez, I don't know what the hell is going on...

    On a wim, I tried this: Unblock-File "C:\Program Files\WindowsPowerShell\Modules\xWebAdministration\DscResources\MSFT_xWebsite\MSFT_xWebsite.psm1"

    But I was still getting the error... I had bookmarked a command that kills off the DSC WMI instance and re-ran my config. It executed farther, but then bombed on the xWebAppPool. I followed the same process to unblock, and kill wmi and the script executed.

    PS C:\Users\a_jmarch> Unblock-File "C:\Program Files\WindowsPowerShell\Modules\xWebAdministration\DscResources\MSFT_xWebsite\MSFT_xWebsite.psm1"
    
    PS C:\Users\a_jmarch> Start-DscConfiguration -Path .\MyWeb -wait -Verbose
    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' =
     MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer JMARCH02 with user sid S-1-5-21-3595392803-2728658066-1154433773-43208.
    VERBOSE: [JMARCH02]: LCM:  [ Start  Set      ]
    VERBOSE: [JMARCH02]: LCM:  [ End    Set      ]
    Importing module MSFT_xWebsite failed with error - File C:\Program 
    Files\WindowsPowerShell\Modules\xWebAdministration\DscResources\MSFT_xWebsite\MSFT_xWebsite.psm1 cannot be loaded because 
    you opted not to run this software now.
        + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : ImportModuleFailed
        + PSComputerName        : localhost
     
    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 0.145 seconds
    
    PS C:\Users\a_jmarch> gps wmi* | ?{ $_.Modules.ModuleName -like "*DSC*" } | Stop-Process -Confirm:$false -Force
    
    PS C:\Users\a_jmarch> Start-DscConfiguration -Path .\MyWeb -wait -Verbose
    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' =
     MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer JMARCH02 with user sid S-1-5-21-3595392803-2728658066-1154433773-43208.
    VERBOSE: [JMARCH02]: LCM:  [ Start  Set      ]
    VERBOSE: [JMARCH02]: LCM:  [ End    Set      ]
    Importing module MSFT_xWebAppPool failed with error - File C:\Program 
    Files\WindowsPowerShell\Modules\xWebAdministration\DscResources\MSFT_xWebAppPool\MSFT_xWebAppPool.psm1 cannot be loaded 
    because you opted not to run this software now.
        + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : ImportModuleFailed
        + PSComputerName        : localhost
     
    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 0.421 seconds

    How do I know if a file is blocked or not? Or what is causing it to be blocked...

  • #16325
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Problem is, I can't find anyone else running into that error. I'm still asking around.

  • #16326
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Just to make sure we're on the same page: The machine DOES have IIS installed, and DOES have PowerShell v4, and DOES have KB2883200, and DOES have the WebAdministration PowerShell module. What version of Windows?

  • #16327
    Profile photo of Don Jones
    Don Jones
    Keymaster

    (and, BTW, Unblock-File don't enter into it. I'd really like to troubleshoot this, but it's important to not just try random stuff, because then it's hard to figure out what the current state is... appreciate your patience; let me ask some folks on this)

  • #16329
    Profile photo of Jim March
    Jim March
    Participant

    I can definitely reproduce it. Happens with a fresh install. I have a gut feeling that it has something to do with the way I'm copying/extracting the module to the machine.

    I'm copying it over there from my local workstation which is in a different domain than our QA/Dev environment. I'm just wondering if the Creator/Owner being PROD\user and then being executed by DEV\User would cause an issue.

    Just to make sure we're on the same page: The machine DOES have IIS installed, and DOES have PowerShell v4, and DOES have KB2883200, and DOES have the WebAdministration PowerShell module. What version of Windows?

    Definitely. It's a 2012 R2 server with all the latest updates. I did try and install that KB previously, and it said it was already installed.

  • #16330
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Well, then let's chase that feeling. Can you delete the copy of the module that's on the server now, and re-extract it **on that machine** rather than copying it over from another? Or go and change the owner and permissions to a local account?

  • #16335
    Profile photo of Jim March
    Jim March
    Participant

    Same error...

    I tried to manually import the module, and I got the pop up saying that executing scripts from the internet is dangerous, blah blah... Use Unblock-File to execute.

    See attached screenshot....

    If I'm only one having this issue, it must be some setting we are pushing with a Group Policy or something... Or McAffee. I blame everything on them. 🙂

  • #16338
    Profile photo of Don Jones
    Don Jones
    Keymaster

    You can also set your execution policy to Bypass – that'll stop that prompt, and isn't any "less secure" than Unrestricted. As a note, only IE, Firefox, and Outlook apply that bit to the file header; if you download the file through some other means, it won't be an "Internet download" as far as Windows is concerned. So it's a pretty minimal "security feature" in the first place.

    And you might well be right. There absolutely could be something pushed down in a GPO, in SRP or AppLocker, stopping this. But I'm still interested in finding out where the error comes from, definitively. I've pinged a product team member to have a look when they get a sec. It'd be interesting to have you try this on a non-domain machine, then, to take GPO out of the picture. Or, as you say, McAffee could be triggering the same thing. Absolutely possible.

  • #16339
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Try setting to Bypass and doing this again. I'm starting to think this really might be policy-related – System32 has some immunities, which is why moving it there might be helping. I found https://github.com/MSOpenTech/inst4wa/issues/3, which was having the same problem in a non-DSC context, also related to WebAdministration. This doesn't rule out McAffee controlling the execution policy in some other fashion.

  • #16340
    Profile photo of Jim March
    Jim March
    Participant

    Setting the Execution Policy to Bypass did the trick....

    Is it possible that the flag is set on the files inside of the ZIP? I downloaded it from here: http://gallery.technet.microsoft.com/scriptcenter/xWebAdministration-Module-3c8bb6be

    And I'm pretty certain I got it via Chrome from my local box.

  • #16341
    Profile photo of Don Jones
    Don Jones
    Keymaster

    If the bit is flipped on a ZIP file, Windows will flip the bits on the contents when it extracts the files. OK – so this was definitely an execution policy thing. Good to know.

  • #18325
    Profile photo of Vifill Sigurdsson
    Vifill Sigurdsson
    Participant

    I have the same problem:

    Importing module MSFT_xWebAppPool failed with error – File C:\Program Files\WindowsPowerShell\Modules\dsc\reskit\xWebAdministration\DscResources\MSFT
    _xWebAppPool\MSFT_xWebAppPool.psm1 cannot be loaded because you opted not to run this software now.

    Other module work well. (xWebsite)
    and the execution-policy is Unrestricted.

  • #18326
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Bypass and Unrestricted aren't the same; you need to make sure that the file doesn't have the "downloaded from Internet" header bit flipped, if you haven't already run Unblock-File. But, try Bypass.

    Also, as a tip for using these forums, consider posting a fresh post rather than replying to something more than a week or so old. I just happened to catch this one, but older posts aren't monitored as closely.

  • #18338
    Profile photo of Vifill Sigurdsson
    Vifill Sigurdsson
    Participant

    Thanks. Unblock-file solved the problem.
    unblock-file "C:\Program Files\WindowsPowerShell\Modules\dsc\reskit\xWebAdministration\DscResources\MSFT_xWebAppPool\MSFT_xWebAppPool.psm1"

You must be logged in to reply to this topic.