PowerShell Desired State Configuration

Instead of speaking about PowerShell 5.0, which Microsoft has offered us for two days now, I’ll talk today about Desired State Configuration (DSC), the killer feature of PowerShell 4.0. I won’t talk about the rhythm of the PowerShell releases 😀

What’s DSC?

Do you know Puppet? I’m not talking about one of the scariest Stephen King books, Chucky, but about the automation tool used to deliver and configure IT infrastructure. Desired State Configuration is the Microsoft version of Puppet.

Why should you use DSC?

A system administrator’s daily worry is ensuring that Windows servers are always up to date, always secured, and that nothing goes wrong because of a botched delivery or installation of Windows.

This involves many actions and many processes; some of them can be automated, some cannot. Fortunately, since the arrival of PowerShell most of them can be automated, but building a script to handle the configuration and provisioning of a server is tedious, and every little change in the delivery costs long hours of scripting work.

Checking this configuration is also important, to be sure that users have not installed crappy tools and that your IIS farm is not corrupted.

More specifically, delivering cloud infrastructure is, in my opinion, where DSC brings the most improvement. It will cost fewer hours/days/months of scripting to ensure a proper system configuration, with DSC resources reusable for all customers. Just take a Windows VHD/VMDK, and with DSC you’ll have a proper configuration.

How does DSC work?

Here we go! Let’s talk about PowerShell 🙂

First, let’s look at the cmdlets for DSC.

We have functions and cmdlets available. To start a DSC configuration, we first need to build a MOF file which will contain the DSC configuration. For this task, we use the Configuration function. DSC uses Managed Object Format files, a standard created by the DMTF (Distributed Management Task Force) – if you read this blog often, you have already heard of it – in order to standardize automation for ALL platforms. This means that in the future you’ll be able to handle non-Windows deployments; well, maybe not in the next few weeks 😉

If you launch the following one-liner, you’ll see that MOF files are closely connected to CIM


By the way, why are MOF and CIM related? The reason is explained on the DMTF site:

The Common Information Model (CIM) is described in the DMTF’s Managed Object Format (MOF), a language based on IDL (the Object Management Group’s Interface Definition Language). The MOF syntax is a way to describe object-oriented class and instance definitions in textual form, with the goals of human readability and parsing by a compiler. The main components of a MOF specification are textual descriptions of element qualifiers (meta-data about classes, properties, methods, etc.), comments and compiler directives, and the specific class and instance definitions that convey the semantics of the CIM Schema.

By default, the following resources are available in the Configuration function for creating a DSC MOF file:

Microsoft is releasing “waves” of additional resources for its server products; as of today, 3 kits are available:

  • Resource kit wave 1: http://blogs.msdn.com/b/powershell/archive/2013/12/26/holiday-gift-desired-state-configuration-dsc-resource-kit-wave-1.aspx
  • Resource kit wave 2: http://blogs.msdn.com/b/powershell/archive/2014/02/07/need-more-dsc-resources-announcing-dsc-resource-kit-wave-2.aspx
  • Resource kit wave 3: http://blogs.msdn.com/b/powershell/archive/2014/03/28/dsc-resource-kit-wave-3.aspx

/!\ Resources have to be installed on every server/computer you want to configure!

The PowerShell team specifies that the best practice is to copy DSC modules into “C:\Program Files\WindowsPowerShell\Modules\PSDesiredStateConfiguration”. Once they are copied, Get-DscResource returns a richer result!

I won’t explain each resource; they are explained on the PowerShell Team blog 😉

How to create a configuration script?

As we said earlier in this post, the goal is to “execute” a MOF file on a computer/server. To create this MOF file, we have to write a configuration script.

Basically, a configuration script is just a function. Parameters are possible, modules can be loaded, etc…

Each resource block can have properties, and listing them all is nothing complicated. As a bonus, Microsoft gives us, for each resource, the syntax to use and work with!

OK, now that I know the syntax for a File block, let’s script a configuration to check the presence of a specific file.

Note that I declare the parameter $Server as a string array, so we can produce MOF files for multiple servers with one command. Pretty cool, isn’t it?

To generate the MOF files for each server, just execute the ps1 file containing this script.

Both MOF files are created, one for each node.

In addition, you can create dependencies between blocks in your configuration script with the DependsOn property!
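A configuration script of the kind described in this section, as an added example that is not the code from the original post. The configuration name, node names, paths and file contents are hypothetical.

```powershell
# Added example: FileCheck, SRV01/SRV02 and all paths are hypothetical names.

# Show the properties and syntax of the File resource before using it.
Get-DscResource -Name File -Syntax

Configuration FileCheck {
    param (
        # String array: one MOF file is compiled per server name.
        [Parameter(Mandatory = $true)]
        [string[]]$Server
    )

    Node $Server {
        # The directory must exist before the file can be placed in it.
        File ToolsDirectory {
            Ensure          = 'Present'
            Type            = 'Directory'
            DestinationPath = 'C:\Tools'
        }

        # DependsOn uses the form [ResourceType]BlockName.
        File BaselineFile {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = 'C:\Tools\baseline.txt'
            Contents        = 'managed by DSC'
            DependsOn       = '[File]ToolsDirectory'
        }
    }
}

# Compile: writes SRV01.mof and SRV02.mof into the output folder.
FileCheck -Server 'SRV01', 'SRV02' -OutputPath 'C:\DSC\FileCheck'
Get-ChildItem -Path 'C:\DSC\FileCheck' -Filter '*.mof'
```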


How to execute a configuration?

Nothing complicated here.

  1. Be sure that PowerShell remoting is enabled on the target(s)
  2. Ensure that the execution policy is set correctly
  3. Execute the following DSC configuration command

As you can see, it creates a job and executes it, so throughout the configuration you can control the flow of the job and monitor it.
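The three steps above, as an added example that is not the command from the original post. The target name and the MOF folder are assumptions.

```powershell
# Added example: SRV01 and C:\DSC\FileCheck are hypothetical.
$target  = 'SRV01'
$mofPath = 'C:\DSC\FileCheck'    # folder that contains SRV01.mof

# 1. WinRM / PowerShell remoting must answer on the target.
Test-WSMan -ComputerName $target -ErrorAction Stop | Out-Null

# 2. Review the execution policy in every scope before running scripts.
Get-ExecutionPolicy -List

# 3. Push the configuration. Without -Wait the cmdlet returns a job at once.
$job = Start-DscConfiguration -Path $mofPath -ComputerName $target -Verbose

# Monitor the job while the target applies the MOF.
while ($job.State -eq 'Running') {
    Write-Host "Job $($job.Id) is still running..."
    Start-Sleep -Seconds 2
}

# One child job per node: state, error count and verbose line count.
$job.ChildJobs | ForEach-Object {
    [pscustomobject]@{
        Node         = $_.Location
        State        = $_.State
        Errors       = $_.Error.Count
        VerboseLines = $_.Verbose.Count
    }
}

# Full output of the run; -Keep leaves it available for later inspection.
Receive-Job -Job $job -Keep
```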

Another option exists: the DSC Pull Server. The Pull Server is the central place from which deployed servers get their configuration, which is then executed locally.

To do this, we’ll use DSC to configure the Pull Server.

The MOF files will have a checksum, which the client uses to ensure the validity of the file; also, the MOF file has to be named with a GUID.

First generate the MOF file on the remote server.

After that, rename it with a GUID name.

Now copy it to the “configuration” directory of the pull server; it’s then time to regenerate a checksum on the pull server.

Next, execute the configuration file to tell the node to get its configuration from the pull server.

Here we go: every 15 minutes, the node will get its configuration updated according to the GUID given to the MOF file.
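The publishing steps above, as an added example that is not the code from the original post. It assumes it is run on the pull server; the node name, the paths, the pull server URL and the configuration name PullClient are all assumptions.

```powershell
# Added example: every name, path and URL below is an assumption.
$node      = 'SRV01'
$mofSource = "C:\DSC\FileCheck\$node.mof"    # MOF compiled earlier for this node
$pullStore = 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
$pullUrl   = 'https://pull01.example.test:8080/PSDSCPullServer.svc'

# Give the node a GUID and publish its MOF under that name.
$guid   = [guid]::NewGuid().Guid
$target = Join-Path -Path $pullStore -ChildPath "$guid.mof"
Copy-Item -Path $mofSource -Destination $target

# Writes <guid>.mof.checksum next to the MOF. The checksum lets the client
# detect a corrupted or changed file; it is a hash, not a signature.
New-DscCheckSum $target -Force

# Meta-configuration: switch the node's Local Configuration Manager to pull mode.
Configuration PullClient {
    param (
        [string]$NodeName,
        [string]$ConfigurationId,
        [string]$ServerUrl
    )

    Node $NodeName {
        LocalConfigurationManager {
            ConfigurationID           = $ConfigurationId
            RefreshMode               = 'Pull'
            DownloadManagerName       = 'WebDownloadManager'
            DownloadManagerCustomData = @{ ServerUrl = $ServerUrl }
            # The refresh interval is left at the LCM default.
        }
    }
}

# Compile <node>.meta.mof and apply it to the node.
PullClient -NodeName $node -ConfigurationId $guid -ServerUrl $pullUrl -OutputPath 'C:\DSC\PullClient'
Set-DscLocalConfigurationManager -Path 'C:\DSC\PullClient' -ComputerName $node -Verbose
```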

It’s also possible to use HTTPS or even an SMB share for a pull server. You can find great resources about them on the internet, or check the links at the end of the post 🙂

How to test a configuration?

OK, we have seen how to push a configuration to a server, but how do we test whether our server matches our configuration? And how do we re-push this config if needed?

It’s very easy to use…

The cmdlet returns True or False depending on the success 😉

If you want to test a remote server, you’ll have to declare a CIM Session and use it.

As you have seen, this is an easy way to ensure stability across your whole datacenter: you just have to schedule a Test task with remoting 🙂

That’s all for DSC for today. I hope you’ll find time to test it: you’ll love it for sure right after 😀 DSC is a KILLER feature, and this is just the start. In my opinion, every Microsoft product will have its resources, and you can be sure that the time you spend on deployments will drop drastically!
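A scheduled check of the kind described above, as an added example that is not the code from the original post: it tests each server through a CIM session and re-pushes the MOF when the server has drifted. Server names and the MOF folder are assumptions.

```powershell
# Added example: server names and the MOF folder are hypothetical.
$servers = 'SRV01', 'SRV02'
$mofPath = 'C:\DSC\FileCheck'    # folder with one <server>.mof per node

$report = foreach ($name in $servers) {
    $session = $null
    try {
        # A remote test needs a CIM session to the target.
        $session = New-CimSession -ComputerName $name -ErrorAction Stop

        # Normalise the cmdlet's True/False output to a Boolean.
        $inState = "$(Test-DscConfiguration -CimSession $session -ErrorAction Stop)" -eq 'True'
        $action  = 'none'

        if (-not $inState) {
            # Drift detected: re-push the configuration and test again.
            Start-DscConfiguration -Path $mofPath -ComputerName $name -Wait -Force -ErrorAction Stop
            $inState = "$(Test-DscConfiguration -CimSession $session -ErrorAction Stop)" -eq 'True'
            $action  = 're-pushed'
        }

        [pscustomobject]@{ Server = $name; InDesiredState = $inState; Action = $action }
    }
    catch {
        # An unreachable or failing node is reported, not silently skipped.
        [pscustomobject]@{ Server = $name; InDesiredState = $null; Action = "error: $($_.Exception.Message)" }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

$report | Format-Table -AutoSize
```

A server that is still not in the desired state after the re-push shows `InDesiredState = False` with `Action = re-pushed`, which is the row to investigate.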


Resources that helped me with this post:

  • http://powershell.org/wp/2013/10/02/building-a-desired-state-configuration-infrastructure/
  • https://github.com/PowerShellOrg/ebooks/tree/master/DSC