Where did Compliance Server Go ?

This topic contains 30 replies, has 6 voices, and was last updated by Zuldan 8 months ago.

  • #36332
    Arie H
    Participant

    To a world of better compliance, probably 🙂

    Hi all,

    Based on questions in the forum and the lack of descriptive examples, I wrote down
    some example scripts to ease up the configuration and usage.

    Quick Background – To enable nodes to report status to a central location, v4 DSC
    had an option to create a compliance server via a resource inside
    xPSDesiredStateConfiguration with a matching IsComplianceServer toggle bit in the
    Pull Server creation script.

    In V5 there's no more ComplianceServer, though the Compliance server resource and
    toggle are still inside, most likely for backward compatibility.

    You will see a couple of examples for v5 DSC that still use the resource and the toggle,
    including, unfortunately again, Sample_xDscWebService.ps1 that comes with the latest
    version 3.7.0.0 of xPSDesiredStateConfiguration resource.

    Do note, from tests done by Justin King, if you want to use the new method of node
    registration via RegistrationKey, you really do NOT want to use IsComplianceServer=$True 🙂

    More Info:

    That said, the PowerShell documentation on Microsoft site, as it's being updated from the
    GitHub repo, does contain fixed examples if somewhat limited in explaining. It's being
    updated quite often and published to the public. Hop to the PowerShell DSC Docs GitHub link if you're into contributing.

    More Info:
    https://msdn.microsoft.com/en-us/powershell/dsc/pullserver
    https://github.com/PowerShell/PowerShell-Docs

    Scenario
    Srv1 was our Pull Server
    Srv3 is our Pull client getting resources from Srv1

    We don't want the reporting to be registered at SRV1, so we build a new Pull Server
    on Srv2 and update the LCM on Srv3 accordingly.

    Note that you can also separate the resource a.k.a. modules to be pulled from another
    server. Secondly, I'm not going into how to get a certificate or install it, as it's out of scope.

    CreatePullServer_SRV1.ps1

    
    # Configuration for creating a PullServer V2 (PS 5.0)
    Configuration CreatePullServer
    {
        param
        (
            [ValidateNotNullOrEmpty()][string] $ComputerName,
            [ValidateNotNullOrEmpty()][String] $CertificateThumbprint
        )

        Import-DSCResource -ModuleName xPSDesiredStateConfiguration -ModuleVersion 3.7.0.0

        Node $ComputerName
        {
            WindowsFeature DSCServiceFeature
            {
                Ensure = 'Present'
                Name   = 'DSC-Service'
            }

            xDscWebService PSDSCPullServer
            {
                Ensure                       = 'Present'
                EndpointName                 = 'PSDSCPullServer'
                Port                         = 8080
                PhysicalPath                 = 'D:\WebSites\PSDSCPullServer'
                CertificateThumbPrint        = $CertificateThumbprint
                State                        = 'Started'
                ModulePath                   = 'C:\Program Files\WindowsPowerShell\DscService\Modules'
                ConfigurationPath            = 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
                RegistrationKeyPath          = 'C:\Program Files\WindowsPowerShell\DscService'
                AcceptSelfSignedCertificates = $false
                IsComplianceServer           = $false
                DependsOn                    = '[File]RegistrationKeyFile'
            }

            File RegistrationKeyFile
            {
                Ensure          = 'Present'
                Type            = 'File'
                DestinationPath = 'C:\Program Files\WindowsPowerShell\DscService\RegistrationKeys.txt'
                Contents        = '5e2e5153-62b8-44a3-958e-198eafc7218a'
                DependsOn       = '[WindowsFeature]DSCServiceFeature'
            }
        }
    }

    # Certificate should also be installed at the target server beforehand
    $myCertPath = '.\DSCPullServer.pfx'
    $myCertThumbprint = (Get-PfxCertificate -FilePath $myCertPath).Thumbprint

    CreatePullServer -ComputerName SRV1 -CertificateThumbprint $myCertThumbprint -OutputPath '.\'

    Start-DscConfiguration -ComputerName SRV1 -Path '.\' -Force -Wait -Verbose
      
    

    I've bound the creation of the pull server to the creation of the RegistrationKeys.txt but you
    can obviously remove that.

    The code for SRV2, follows:

    Note I didn't change the RegistrationKey as it's not needed, but of course you can, as long
    as you remember to change it in the LCM script as well.

    And most importantly, we are NOT using IsComplianceServer at all. I used it in the script
    just to not have any doubts and not take it for granted that $false is the default value 🙂

    CreatePullServer_SRV2.ps1

    
    # Configuration for creating a PullServer for ReportServer V2 (PS 5.0)
    Configuration CreatePullServer
    {
        param
        (
            [ValidateNotNullOrEmpty()][string] $ComputerName,
            [ValidateNotNullOrEmpty()][String] $CertificateThumbprint
        )

        Import-DSCResource -ModuleName xPSDesiredStateConfiguration -ModuleVersion 3.7.0.0

        Node $ComputerName
        {
            WindowsFeature DSCServiceFeature
            {
                Ensure = 'Present'
                Name   = 'DSC-Service'
            }

            xDscWebService PSDSCPullServer
            {
                Ensure                       = 'Present'
                EndpointName                 = 'PSDSCReportServer'
                Port                         = 8080
                PhysicalPath                 = 'D:\WebSites\PSDSCReportServer'
                CertificateThumbPrint        = $CertificateThumbprint
                State                        = 'Started'
                ModulePath                   = 'C:\Program Files\WindowsPowerShell\DscService\Modules'
                ConfigurationPath            = 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
                RegistrationKeyPath          = 'C:\Program Files\WindowsPowerShell\DscService'
                AcceptSelfSignedCertificates = $false
                IsComplianceServer           = $false
                DependsOn                    = '[File]RegistrationKeyFile'
            }

            File RegistrationKeyFile
            {
                Ensure          = 'Present'
                Type            = 'File'
                DestinationPath = 'C:\Program Files\WindowsPowerShell\DscService\RegistrationKeys.txt'
                Contents        = '5e2e5153-62b8-44a3-958e-198eafc7218a'
                DependsOn       = '[WindowsFeature]DSCServiceFeature'
            }
        }
    }

    # Certificate should also be installed at the target server beforehand
    $myCertPath = '.\DSCPullServer.pfx'
    $myCertThumbprint = (Get-PfxCertificate -FilePath $myCertPath).Thumbprint

    CreatePullServer -ComputerName SRV2 -CertificateThumbprint $myCertThumbprint -OutputPath '.\'

    Start-DscConfiguration -ComputerName SRV2 -Path '.\' -Force -Wait -Verbose
    
    

    And last but not least SRV3 LCM script

    MetaConfig_SplitReport.ps1

    
    # Configuration for creating a LCM V2 (PS 5.0)
    [DSCLocalConfigurationManager()]
    Configuration LCMMetaConfig
    {
        param
        (
            [ValidateNotNullOrEmpty()][string] $ComputerName
        )

        node $ComputerName
        {
            Settings
            {
                RefreshMode                    = 'Pull'
                ConfigurationMode              = 'ApplyAndMonitor'
                ActionAfterReboot              = 'ContinueConfiguration'
                RebootNodeIfNeeded             = $false
                ConfigurationModeFrequencyMins = '15'
                RefreshFrequencyMins           = '30'
                AllowModuleOverwrite           = $true
            }

            ConfigurationRepositoryWeb PullServerConfig
            {
                ServerURL          = 'https://SRV1:8080/PSDSCPullServer.svc'
                RegistrationKey    = '5e2e5153-62b8-44a3-958e-198eafc7218a'
                ConfigurationNames = @("SRV_Base")
            }

            ReportServerWeb ReportServerConfig
            {
                ServerURL       = 'https://SRV2:8080/PSDSCReportServer.svc'
                RegistrationKey = '5e2e5153-62b8-44a3-958e-198eafc7218a'
            }
        }
    }

    LCMMetaConfig -ComputerName SRV3 -OutputPath '.\'

    Set-DscLocalConfigurationManager -ComputerName SRV3 -Path '.\' -Verbose
    
    
    

    Initially, you do not want to split the locations.

    Unless you manage 1000 servers, then you might say the traffic back and forth
    especially every 30 min (if that's the LCM settings you set) plus pulling the resources
    when there are changes, might be an excess on the network bandwidth.
    Even more if the server you installed the Pull Server on isn't a dedicated one and has
    more web sites.

    The main reason the separation was made is basically for Push mode, to allow those
    using that method to still get a central repository for node status.

    Remember that in LCM v5, you can now query two new parameters

    LCMState
    LCMStateDetail

    To get the current state information, but it's limited and obviously holds no history.

    More Info:
    https://msdn.microsoft.com/en-us/powershell/wmf/dsc_statestatus

    OK, Pull Server and Report Server sorted.
    What do I do with it exactly?

    Well the Report Server is an OData endpoint which exposes the information via REST
    API. This means you can use Invoke-WebRequest to get JSON back and then parse it.

    This is a bit out of scope for this time, but do follow the link and I'm sure
    you can find other links generally explaining what Invoke-WebRequest is and how to
    handle JSON objects.

    https://msdn.microsoft.com/en-us/powershell/dsc/reportserver

    Hope this clears some questions previously posted and maybe future ones.

    Changes will be done to this post to reflect changes in the future 🙂

    Have fun DSCing or maybe Complying ? 🙂

    Arie H.

  • #36619
    Don Jones
    Keymaster

    Thanks, Arie!

  • #36641
    Arie H
    Participant

    Pleasure.

    Do go over https://powershell.org/forums/topic/reportserver-or-complianceserver/

    If you haven't yet for Eric's post. Still hope he can re-confirm my question as it potentially changes my post and script.

  • #36786
    Zuldan
    Participant

    @Arie, going by your example above. If I wanted to setup a pull server and a reporting server on 1 server then all I need to do is just setup a Pull server, and then point nodes to the Pull server address and tell them to use that as a reporting server?

    So in your example, SRV1 and SRV2 are both pull servers and reporting servers, you're just telling the nodes to use SRV2 for reporting?

  • #36789
    Arie H
    Participant

    Yes exactly to the second question. Any creation of a Pull server creates a local database, for holding node information.

    That's why you need to register a node by RegistrationKeys. So yes, the lcm of the node will register to one server for configuration and will register to the other pull server for reporting, it will just not pull configurations from the second server.

    I doubt people will use this in a pull server method unless, as I pointed in my post, they have a lot of nodes to manage or are seeing heavy traffic to the IIS web server as it's not a dedicated pull server. The ability to point the LCM to a Reporting server was mainly done for Push mode.

    The only other usage in a Pull Server scenario is if they use PartialConfiguration, then potentially you can get one partial config from SRV1 and a second partial config from SRV2 while reporting to SRV2. I wonder if they thought about "partial reporting" when we use partial configs. Food for thought and tests I guess.

    As for your first question, my understanding and logic, as it's based on the online documentation, is that if you create a pull server it will act as all three components, config, resource, reporting by default, without you needing to set anything in the LCM apart from ConfigurationRepositoryWeb.

    However...if you follow the link in last post and read Eric's reply it kinda changes things which is why I asked for a reconfirmation. Judging by Nana's reply, and the latest online documentation, then my initial thought was right and you don't need to use any ReportServerWeb block in the LCM if you want that one pull server to be all the mini roles.

  • #36817
    Zuldan
    Participant

    Hi Arie, I had a go at this today. I could not get this new PS5 ReportServer working. As far as I can tell it doesn't seem to exist at all. I tried a WIDE range of configurations and multiple server deployments / snapshot reverting.

    I get this in event log "Http Client 4eaf16f4-5787-4918-a5bf-8eade295b015 failed for WebReportManager for configuration The attempt to send status report to the server https://labserver01.lab.local:8080/PSDSCPullServer.svc/Node(ConfigurationId='4eaf16f4-5787-4918-a5bf-8eade295b015')/SendStatusReport returned unexpected response code BadRequest."

    I can say that the "Compliance" system appears to work perfectly in PS5. See below...

    Pull Server Config

    WindowsFeature DSCServiceFeature
    {
        Ensure = 'Present'
        Name   = 'DSC-Service'
    }
    
    xDscWebService PSDSCPullServer
    {
        Ensure                  = 'Present'
        EndpointName            = 'PSDSCPullServer'
        Port                    = 8080
        PhysicalPath            = 'C:\inetpub\wwwroot\PSDSCPullServer'
        CertificateThumbPrint   = $Node.DSCHTTPSThumprint
        ModulePath              = 'C:\Program Files\WindowsPowerShell\DscService\Modules'
        ConfigurationPath       = 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
        State                   = 'Started'
        DependsOn               = '[WindowsFeature]DSCServiceFeature'
    }
    
    WindowsFeature WinAuth 
    { 
        Ensure = 'Present'
        Name   = 'Web-Windows-Auth'
    }
    
    xDscWebService PSDSCComplianceServer
    {
        Ensure                  = 'Present'
        EndpointName            = 'PSDSCComplianceServer'
        Port                    = 9080
        PhysicalPath            = 'C:\inetpub\wwwroot\PSDSCComplianceServer'
        CertificateThumbPrint   = $Node.DSCHTTPSThumprint
        State                   = 'Started'
        IsComplianceServer      = $True
        DependsOn               = '[WindowsFeature]DSCServiceFeature','[xDSCWebService]PSDSCPullServer','[WindowsFeature]WinAuth'
    }
    

    Node LCM Config

    Node $ServerName {
        Settings
        {
            AllowModuleOverwrite = $True
            ConfigurationMode = $ConfigurationMode
            RefreshMode = 'Pull'
            RefreshFrequencyMins = $RefreshFrequencyMins
            RebootNodeIfNeeded = $RebootIfNeeded
            ActionAfterReboot = 'ContinueConfiguration'
            ConfigurationModeFrequencyMins = $ConfigurationModeFrequencyMins
            ConfigurationID = $GUID
            CertificateID = $CertThumbprint
            DebugMode = $DebugMode
        }

        ConfigurationRepositoryWeb DSCHTTP
        {
            ServerURL = "https://labserver01.lab.local:8080/PSDSCPullServer.svc"
            AllowUnsecureConnection = -not($Secure)
        }
    }
    

    Test 1:

    Start-Process -FilePath iexplore.exe -ArgumentList 'https://labserver01.lab.local:9080/PSDSCComplianceServer.svc/$metadata'
    

    Test 2:

    (Invoke-RestMethod -Uri 'https://labserver01.lab.local:9080/PSDSCComplianceServer.svc/Status' -UseDefaultCredentials -Method Get -Headers @{Accept="application/json"}).Value
    

    TargetName : 192.168.32.24
    ConfigurationId : 9355df0b-2fcf-46f2-a3fb-8877940bc9a4
    ServerCheckSum : AF4135C145A1A373AA53C635E34C3087102BEBFBBFEAB32773154758B8C88C01
    TargetCheckSum : AF4135C145A1A373AA53C635E34C3087102BEBFBBFEAB32773154758B8C88C01
    NodeCompliant : True
    LastComplianceTime : 2016-03-22T05:51:45.1207538Z
    LastHeartbeatTime : 2016-03-22T05:51:45.1207538Z
    Dirty : True
    StatusCode : 0

  • #36825
    Arie H
    Participant

    The sample you used is a v4 and not a v5, so "I can say that the "Compliance" system appears to work perfectly in PS5." Needs to be changed to P4.

    I'll run the script again this week to follow the trail, based on the original reply by Eric and update.

  • #36827
    Zuldan
    Participant

    Hi Arie, now you are confusing me 😉 Maybe it's better to say....

    "The PS4 method of reporting works perfectly within PS5".

    So PS5 supports a "Reporting Server" (new method) and a "Compliance Server" (old method).

    The sample I gave was the PS4 reporting method within PS5.

  • #36834
    Arie H
    Participant

    Hehe true. That's because PS5 is backward compatible. But you're back to handling GUIDs which is meh 😉

  • #36835
    Zuldan
    Participant

    The Configuration ID method rocks if you're using your own custom built CMDB 😉 in our environment everything is 100% automated when deploying servers. I never have to look at GUIDs.

    Registration keys are nice for testing/lab environment (edit the registration key .txt file;-P) but if you have the backend workflow system setup, Configuration IDs are the way to go. Well that's my personal opinion anyway.

  • #36843
    Zuldan
    Participant

    Arie, they have removed IsComplianceServer in xPSDesiredStateConfiguration v3.8.0.0. Noooo! Now I have no way to get a server report from a pull server.

    See https://github.com/PowerShell/xPSDesiredStateConfiguration/pull/86/files

    Do you have a working example of using the new method (Report Server)? I can't find any articles or official DSC docs that show you how to setup the new reporting way (what the pull server config and node lcm look like etc). I'm guessing your sample has not been tested because you don't show any report queries. I tried your sample but without the registration keys and it doesn't work (as per my previous post). I really hope they haven't made registrations keys a requirement for the new reporting method. It's not documented anywhere.

  • #36845
    Arie H
    Participant

    .....and there goes the backward compatibility I was referring to.
    At least they removed the bug forcing us to use mdb as a data source which led to inability to install pull server on core without GUI...

    Use 3.7.0.0 or don't swap to wmf 5.0.
    I'll push my testing.

  • #36850
    Zuldan
    Participant

    I heavily use partial configurations so I'm stuck with PS5. I'll be forced to stay on 3.7.0.0 unless your test shows that this new mystical reporting system actually works 😉 Looking forward to your tests (hopefully with and without registration keys).

  • #36851
    Arie H
    Participant

    I left an issue on their github repo just to be sure.

  • #36853
    Zuldan
    Participant

    I just added my 2 cents to your github repo post. Hopefully someone can clear up the confusions.

    https://github.com/PowerShell/xPSDesiredStateConfiguration/issues/93

  • #36870
    Arie H
    Participant

    Are you sure you used my scripts ?
    Going over the error message you posted before your scripts is a bit mind boggling as you're getting an error about a ConfigurationID, which I don't use as it's a v4 method. If anything the error should have been mentioning the AgentID...

  • #36892
    Arie H
    Participant

    It seems the latest updates to the online doc and 3.8.0.0 do require you to add a ReportServerWeb block to the LCM in cases where the pull server is also your report server. Though there's some inconsistency in the samples so I opened a new issue and closed the first one.

  • #36893
    Zuldan
    Participant

    Hi Arie, I now have proof (at least I think so) that the new report server system in PS v5 does not work in a Configuration ID setup.

    I created Sample_RegistrationKeys.ps1 which sets up a DSC Pull Server, configures a node's LCM and then retrieves some report data.

    I then cloned Sample_RegistrationKeys.ps1 to Sample_ConfigurationIDs.ps1 and simply commented out the registration key related stuff and added a configuration ID.

    Sample_RegistrationKeys.ps1 (h-ttps://gist.github.com/Zuldan/c679bae20de0c2dcf1aa)
    Sample_ConfigurationIDs.ps1 (h-ttps://gist.github.com/Zuldan/c0fd292838b8d35c6383)

    (remove the '-' from https)

    Sample_RegistrationKeys.ps1 is able to retrieve report data
    Sample_ConfigurationIDs.ps1 cannot retrieve report data

    I think the clue may sit here https://msdn.microsoft.com/en-us/powershell/dsc/pullserver

    "The lack of the ConfigurationID property in the metaconfiguration file implicitly means that pull server is supporting the V2 version of the pull server protocol so an initial registration is required. Conversely, the presents of a ConfigurationID means that the V1 version of the pull server protocol is used and there is no registration processing."

    I'm taking that as when a ConfigurationID is used, the reporting mode is v1 and the new Report Server only works with reporting mode v2?

    This error appears in the DSC WinEvent log on the node when Sample_ConfigurationIDs.ps1 is used.

    Log Name: Microsoft-Windows-DSC/Operational
    Source: Microsoft-Windows-DSC
    Date: 3/23/2016 4:32:51 PM
    Event ID: 4260
    Task Category: None
    Level: Error
    Keywords:
    User: SYSTEM
    Computer: LABSERVER02
    Description:
    Job {AAFECED4-F0B8-11E5-80C7-005056B644A2} :
    Http Client 1d545e3b-60c3-47a0-bf65-5afc05182fd1 failed for WebReportManager for configuration The attempt to send status report to the server https://LABSERVER01:8080/PSDSCPullServer.svc/Node(ConfigurationId='1d545e3b-60c3-47a0-bf65-5afc05182fd1')/SendStatusReport returned unexpected response code BadRequest..

    If you could kindly have a peek at the samples when you get a chance to see if maybe I'm doing something wrong. If you can't see any issues then I'm going to raise it on UserVoice or Github and request the owners of the xPSDesiredStateConfiguration repo not to remove IsComplianceServer yet, because if they do, people who use ConfigurationID's will have no way to report if they want to use v3.8.0.0

  • #36896
    Arie H
    Participant

    The scripts seem ok, except the GetReport function at the end of the ConfigurationID sample needs to point to "$serviceURL/Nodes(ConfigurationID='$ConfigID')/Reports"

    And the GetReport function usage needs to change to get the ConfigurationID

  • #36897
    Zuldan
    Participant

    Perfect! thanks for the heads up. I'll make the adjustment and raise an issue on Github with the samples.

    Some other questions you may know the answer to...

    1. When retrieving report data for an agentid (registration key mode), how do you tell if the node is Compliant or not? There is a field that says "Success" but that could mean anything.

    2. How do you retrieve the status of all nodes in the report database? This was pretty easy to do with a compliance server.

  • #36899
    Arie H
    Participant

    Good question.

    I don't know yet the full structure to the JSON in StatusData, but from the code at the bottom part of the how to use the report server page

    https://msdn.microsoft.com/en-us/powershell/dsc/reportserver

    You'll see that resources that are in their desired state will be in $resources. Question is if there's a section called ResourcesNotInDesiredState or similar. It's one of my tests to initially cause the state to change and see what the log states.

    I do think, that if you want real time status, I'd actually query the LCM directly via

    https://msdn.microsoft.com/en-us/powershell/wmf/dsc_statestatus

    or use Test-DscConfiguration

    As for getting all the agent status, I don't think it will be hard to iterate through all the AgentIDs available. But that leads to a different question: how long does history stay in the db, and what happens to data of nodes that have been decommissioned?

  • #36918
    Matt Prahl
    Participant

    Thanks for all of this great information. Does anyone know a way that I can query the Report Server to find all the agent IDs that have reported their status?

  • #36920
    Zuldan
    Participant

    @Arie, I don't really need realtime stats, even 30 min off would be fine. The problem is the boss wants to see the status of all the servers on a single webpage and making a connection to 200+ servers to get LCM status is going to be really inefficient if all that data already sits at the report server, I mean that was what the report server was designed for. I already have a nice webpage for servers using the Compliance server. Surely the report server has a way to provide the status for all servers like the Compliance server can.

    @Matt once I've sorted out my ConfigurationID issue I'm going to go hunting for an OData explorer tool which will hopefully help me discover what data is available. I'll report back here with what I find.

    Edit: found one, haven't tried it yet. OData Powershell Explorer https://psodata.codeplex.com

    A good starting point is a list of what functions are available. You can see them here...
    https://pullserver:8080/PSDSCPullServer.svc/$metadata

  • #36922
    Zuldan
    Participant

    Raised an issue for the ConfigurationID issue and reporting.

    https://github.com/PowerShell/xPSDesiredStateConfiguration/issues/97

  • #36947
    Arie H
    Participant

    Don't forget Zuldan, that you can run PS scripts on the remote node so it's not going to take much time for all nodes to run it. All you have to worry about is gathering the returned data and displaying it nicely.

    If you want to run them on your PC instead, you can always use the Workflow commands to build your small execution engine.

  • #37205
    Arie H
    Participant

    I pitched in my pov on it Zuldan. I tried using several tools but can't find a decent model as they didn't implement any Get method to return info. The only way was using the URI method as in the documentation but that forces me to either run it from the node (so I get the local AgentID) or start managing them just for the sake of the reports, which is then a bit silly seeing we moved from being dependent on GUID management for pull servers to the RegistrationKeys method, but now depend on managing the AgentID GUID...

    Really hope they push in more info on this and implement a more richer report server

  • #37206
    Matt Prahl
    Participant

    @Arie H, I've had a similar result when querying the API. The only other thing I've gotten to work is the following:

    Invoke-RestMethod -Uri "https://dscpullserver.domain.local/PSDSCPullServer.svc/Nodes(AgentId= '9B616A2C-DB70-11F5-80C2-121DD8C7201D')" -ContentType "application/json;odata=minimalmetadata;streaming=true;charset=utf-8" -Headers @{Accept = "application/json";ProtocolVersion = "2.0"}
    
    Invoke-RestMethod -Uri "https://dscpullserver.domain.local/PSDSCPullServer.svc/Nodes(AgentId= '9B616A2C-DB70-11F5-80C2-121DD8C7201D')/Reports" -ContentType "application/json;odata=minimalmetadata;streaming=true;charset=utf-8" -Headers @{Accept = "application/json";ProtocolVersion = "2.0"}
    
  • #37329
    Andrew Palmer
    Participant

    @Zuldan

    Did you get any further with this? Like yourself I am after a status page to see if each node is in its desired state, much like what we get with the compliance server.

  • #37346
    Justin King
    Participant

    I've found the function works as expected, you simply HAVE to use a registration key in the reportingserver block, even if you plan to otherwise use the LCM in ConfigurationID mode.

    Basically the new reportingserver does NOT have any backwards compatibility, thus must rely on AgentID (and thus requires you to setup using registration key).

    Hope that helps.

    EDIT: for better clarity:

    [DSCLocalConfigurationManager()]
    configuration PullClientConfigID
    {
        Node localhost
        {
            Settings
            {
                RefreshMode = 'Pull'
                RefreshFrequencyMins = 30 
                RebootNodeIfNeeded = $true
                ConfigurationID = 'e151f804-9b5f-4dc9-9620-bd087ccfab4d'
            }
    
            ConfigurationRepositoryWeb CONTOSO-PullSrv
            {
                ServerURL = 'https://CONTOSO-PullSrv:8080/PSDSCPullServer.svc'
                # do not put a registration key in this block; it will conflict with the configurationID
            }
    
            ReportServerWeb CONTOSO-ReportSrv
            {
                ServerURL = 'https://CONTOSO-ReportSrv:8080/PSDSCPullServer.svc'
                RegistrationKey = '30ef9bd8-9acf-4e01-8374-4dc35710fc90'
                #DO put a registrationkey in this block
            }
        }
    }
    

    I should also state I've not tried it against the latest pull server (just found out they switched from a windb to ESEDB ... no idea if that shakes things up).

  • #37348
    Zuldan
    Participant

    @Andrew Palmer, Microsoft has confirmed that there is no way to retrieve all the nodes at once like we could with the Compliance Server. So you would need to keep a record of AgentID's or ConfigurationID's (depending what you use) and then query each node 1 by 1. Maybe PS5.1 will have this feature later this year? We can only hope. Actually we should probably start up a UserVoice for that.

    @Justin King, apparently using a Report Server with just ConfigurationID's is possible. I'm currently working with NarineM (MSFT) to get the exact code to make it work. See https://github.com/PowerShell/xPSDesiredStateConfiguration/issues/97

    NarineM (MSFT) – "If the node is setup to use ConfigurationID , ConfigurationID.mof has to present on the pull/reporting server (in the DSCService\Configuration folder). This ID is used by reporting server to authorize the client for send report operation. If a file with the name .mof does not present on the reporting server, the server would reject the client request to send a report.

    It is similar to registrationKey scenario where the node has to be setup with a registration key and that key is required to present on the reporting server (in DSCService\RegitrationKey.txt file) . This key is used by the reporting server to authorize the client for sending status report operations."
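
Querying each node one by one from a list of AgentIDs you keep yourself, as the post above describes, can be scripted as follows. This is an added example, not code from any poster or from the xPSDesiredStateConfiguration project; it reuses the `Nodes(AgentId= '...')/Reports` URI form from Matt Prahl's post. The function names are hypothetical, and the report fields Status, StartTime, StatusData and ResourcesNotInDesiredState are assumptions to verify against the server's `$metadata`.

```powershell
# Added example. Assumed report fields: Status, StartTime, StatusData (JSON text)
# and ResourcesNotInDesiredState inside StatusData. Function names are hypothetical.

function ConvertTo-DscNodeSummary {
    # Reduce all reports of one node to a one-line summary of the most recent report.
    param(
        [Parameter(Mandatory)][string] $AgentId,
        [object[]] $Report
    )

    $items = @($Report | Where-Object { $_ })
    if ($items.Count -eq 0) {
        return [pscustomobject]@{
            AgentId = $AgentId; Status = 'NoReports'; StartTime = $null; NotInDesiredStateCount = $null
        }
    }

    $latest = $items | Sort-Object { [datetime]$_.StartTime } | Select-Object -Last 1

    # StatusData arrives as JSON text; parse each element on its own and
    # collect the resources the node listed as drifted (none if the key is absent).
    $drift = @(
        $latest.StatusData |
            Where-Object { $_ } |
            ForEach-Object { ConvertFrom-Json -InputObject $_ } |
            ForEach-Object { $_.ResourcesNotInDesiredState } |
            Where-Object { $_ }
    )

    [pscustomobject]@{
        AgentId                = $AgentId
        Status                 = $latest.Status
        StartTime              = [datetime]$latest.StartTime
        NotInDesiredStateCount = $drift.Count
    }
}

function Get-DscNodeReportSummary {
    # One request per AgentId, because the report server has no "all nodes" query.
    param(
        [Parameter(Mandatory)][string]   $ServiceUrl,   # e.g. https://pullserver:8080/PSDSCPullServer.svc
        [Parameter(Mandatory)][string[]] $AgentId       # inventory maintained outside DSC
    )

    $headers     = @{ Accept = 'application/json'; ProtocolVersion = '2.0' }
    $contentType = 'application/json;odata=minimalmetadata;streaming=true;charset=utf-8'

    foreach ($id in $AgentId) {
        # Accept only the 8-4-4-4-12 GUID form, so nothing else can end up in the URI.
        $parsed = [guid]::Empty
        if (-not [guid]::TryParseExact($id, 'D', [ref]$parsed)) {
            Write-Warning "Skipping '$id': not a GUID"
            continue
        }

        $uri = "$ServiceUrl/Nodes(AgentId= '$id')/Reports"
        try {
            # Server certificate validation stays at its default (enabled).
            $reports = (Invoke-RestMethod -Uri $uri -ContentType $contentType `
                            -Headers $headers -ErrorAction Stop).value
            ConvertTo-DscNodeSummary -AgentId $id -Report $reports
        }
        catch {
            [pscustomobject]@{
                AgentId = $id; Status = "QueryFailed: $($_.Exception.Message)"
                StartTime = $null; NotInDesiredStateCount = $null
            }
        }
    }
}

# Constructed sample data for an offline run: two reports for one node,
# the newer one listing a resource that is not in its desired state.
$sampleReports = @(
    [pscustomobject]@{
        Status = 'Success'; StartTime = '2016-03-23T04:00:00Z'
        StatusData = @('{"ResourcesInDesiredState":[{"ResourceId":"[File]Demo"}]}')
    }
    [pscustomobject]@{
        Status = 'Success'; StartTime = '2016-03-23T04:30:00Z'
        StatusData = @('{"ResourcesNotInDesiredState":[{"ResourceId":"[File]Demo"}]}')
    }
)
ConvertTo-DscNodeSummary -AgentId '00000000-0000-0000-0000-000000000001' -Report $sampleReports
```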

  • #37453
    Zuldan
    Participant

    @Justin King, I'm really interested in your idea. Any chance you could show us code on what ConfigID + a Reg Key looks like (beginning to end + a report)? I didn't know you could configure a node to use a ConfigID and have it use a reg key.

    Here is a sample of how to create a full DSC setup which produces a report at the end using Reg keys
    https:// gist.github.com/Zuldan/c679bae20de0c2dcf1aa

    and here is one for ConfigID's https:// gist.github.com/Zuldan/c0fd292838b8d35c6383

    This is totally optional and I don't expect you do it all but if you could modify either sample so that they are using both a ConfigID and Reg key that would be awesome.
