Windows PowerShell Desired State Configuration
1. Configuration Instance Document: The Windows PowerShell script that generates the definition of the desired state.
2. MOF file: The Managed Object Format (MOF) file that contains the compiled definition of the desired state.
3. Local Configuration Manager: The DSC engine on the client system that executes against the MOF to retrieve the current configuration, compare the current configuration to the MOF, and/or apply the settings defined in the MOF.
4. Desired State Configuration Pull Server (optional): The repository for the definition of the desired state. If clients are configured to execute a PULL instead of receiving a PUSH, the DSC Pull Server hosts the configuration and client data required to remediate.
To begin, you need to ensure Windows PowerShell Remoting is enabled on all involved systems (Enable-PSRemoting). I highly recommend leveraging group policy to put this in place. Group policy has been helping IT professionals enforce policy for more than a decade. It is a perfect complement to your DSC implementation.
NOTE In addition to requiring PSRemoting, DSC applies only to x64 systems with Windows PowerShell 4.0.
Next, generate the Configuration Instance Document. This Windows PowerShell script contains the definition and execution order of what should exist on the target machine. In this example, your front-end web server requires IIS installed, a set of files (content), an application installed (setup file such as an MSI) as well as specific registry keys. The Configuration Instance Document is a script that contains a configuration block of code. That configuration block contains:
■ Node(s): A specific target system; defined as “localhost”; or any targeted node system (defined in a hash table).
■ Resource(s): The actual configuration items that you are looking for as well as their dependencies. For example, the application that must be present has a prerequisite of IIS. Two resources would be specified: a resource name that contains Web-Server and the resource name that contains the application MSI. The application resource would have a dependency set for the resource that defines Web-Server (see http://technet.microsoft.com/en-us/library/dn249921.aspx).
DSC is extremely extensible and modular. Your script can be very simple or be scaled out. In Windows PowerShell, you create functions and modules for tasks that you call frequently or leverage from multiple scripts. In DSC you can separate configuration data and your logic as well to make it more modular.
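The separation of configuration data from logic described above, as an added example that is not part of the original text: the node list lives in a hash table, and the MSI and registry resources the front-end web server needs are chained to IIS. It uses the DependsOn property name from the released Windows PowerShell 4.0; the MSI path, product name, ProductId GUID, registry key and value are placeholders assumed for illustration.

```powershell
# Configuration data: which nodes to target and their per-node values.
# Every value here is a constructed placeholder.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName    = "FE-WEB-01"
            SourceShare = "\\2012R2PREVIEW\CommerceSiteSource"
        }
    )
}

Configuration CommerceApp
{
    # $AllNodes is populated from -ConfigurationData when the configuration is compiled
    Node $AllNodes.NodeName
    {
        WindowsFeature IIS
        {
            Ensure = "Present"
            Name   = "Web-Server"
        }

        # Package installs the MSI, but only after IIS is in place
        Package CommerceMsi
        {
            Ensure    = "Present"
            Name      = "Commerce App"                             # placeholder: must match the MSI product name
            Path      = "$($Node.SourceShare)\Setup\Commerce.msi"  # placeholder path under the share
            ProductId = "00000000-0000-0000-0000-000000000000"     # placeholder product code
            DependsOn = "[WindowsFeature]IIS"
        }

        # Registry value is written only once the application is installed
        Registry CommerceSetting
        {
            Ensure    = "Present"
            Key       = "HKEY_LOCAL_MACHINE\SOFTWARE\Commerce"     # placeholder key
            ValueName = "Environment"
            ValueData = "Production"
            DependsOn = "[Package]CommerceMsi"
        }
    }
}

# Compile the logic against the data; writes .\CommerceApp\FE-WEB-01.mof
CommerceApp -ConfigurationData $ConfigData -OutputPath .\CommerceApp
```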
You can control the actions of the Local Configuration Manager. Windows PowerShell DSC cmdlets Get-DscLocalConfigurationManager and Set-DscLocalConfigurationManager are used to call the Local Configuration Manager engine. Using the Windows PowerShell DesiredStateConfigurationSettings keyword in a script, you can generate a separate MOF file that contains an instruction set for the Local Configuration Manager engine. The MOF-generating script can change the functionality of the engine from receiving configuration information via a PUSH to executing a PULL from a DSC server. You can change frequency so that it refreshes its configuration data:
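A meta-configuration of the kind described above, as an added example that is not part of the original text: it switches the engine on FE-WEB-01 to PULL mode over HTTPS and sets the refresh frequency. It is written with the LocalConfigurationManager block name used by the released Windows PowerShell 4.0, where this page names the DesiredStateConfigurationSettings keyword; the ConfigurationID GUID and the pull server URL are placeholders.

```powershell
Configuration PullClientSettings
{
    Node "FE-WEB-01"
    {
        LocalConfigurationManager
        {
            # Identifies which MOF on the pull server belongs to this node (placeholder GUID)
            ConfigurationID           = "00000000-0000-0000-0000-000000000000"
            RefreshMode               = "Pull"
            DownloadManagerName       = "WebDownloadManager"
            DownloadManagerCustomData = @{
                # Placeholder URL; keep the pull endpoint on HTTPS
                ServerUrl               = "https://dsc-pull.example.com:8080/PSDSCPullServer.svc"
                AllowUnsecureConnection = "False"
            }
            # Re-apply the MOF automatically when the node drifts
            ConfigurationMode              = "ApplyAndAutoCorrect"
            # How often the node asks the pull server for a newer configuration
            RefreshFrequencyMins           = 30
            # How often the engine checks the node against the current MOF
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile the engine settings into .\PullClientSettings\FE-WEB-01.meta.mof
PullClientSettings -OutputPath .\PullClientSettings

# Hand the settings to the engine on the node, then read them back to confirm
Set-DscLocalConfigurationManager -Path .\PullClientSettings -ComputerName "FE-WEB-01" -Verbose
$session = New-CimSession -ComputerName "FE-WEB-01"
Get-DscLocalConfigurationManager -CimSession $session
Remove-CimSession $session
```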
Once the script is built, review it to ensure you have the external dependencies set up:
Configuration CommerceConfig
{
    # A Configuration block can have zero or more Node blocks
    Node "FE-WEB-01"
    {
        # Next, specify one or more resource blocks
        # WindowsFeature is one of the built-in resources you can use in a Node block
        # This example ensures the Web Server (IIS) role is installed
        WindowsFeature CommerceSite
        {
            Ensure = "Present" # To uninstall the role, set Ensure to "Absent"
            Name = "Web-Server"
        }
        # File is a built-in resource you can use to manage files and directories
        # This example ensures files from the source directory are present in the destination directory
        File CommerceSite
        {
            Ensure = "Present" # You can also set Ensure to "Absent"
            Type = "Directory" # Default is "File"
            Recurse = $true
            SourcePath = $WebsiteFilePath # This is a path that has web files
            DestinationPath = "C:\inetpub\wwwroot" # The path where we want to ensure the web files are present
            # This ensures that the WindowsFeature block above completes successfully before this block runs
            # (the property is DependsOn in released Windows PowerShell 4.0; preview builds named it Requires)
            DependsOn = "[WindowsFeature]CommerceSite"
        }
    }
}
# Set before the configuration is invoked; the File resource reads it when the MOF is compiled
$WebsiteFilePath = "\\2012R2PREVIEW\CommerceSiteSource\SiteData"
CommerceConfig
Does your web server require file content? If so, did you set up a share for that content to be pulled from? Your DSC Pull Server might make a good repository for these items. In the example above, the share is \\2012R2PREVIEW\CommerceSiteSource; however, the data is located in \SiteData. The path specified for files cannot be the root of a share, but must be a folder underneath that share.
Execute the Configuration Instance Document (your Windows PowerShell script) to generate the MOF file containing the configuration instructions:
Now comes the really cool part—deploying the DSC job to the client system. The -Path switch points to the directory where the MOF file exists (on the system where the script is being executed from):
If you include the -Wait and -Verbose switches, you can see the progress of the job (and any errors if they occur):
Check the Operational and Debug event logs for DSC. You can find these logs in Event Viewer under Applications And Services Logs | Microsoft | Windows | Desired State Configuration or Applications And Services Logs | Microsoft | Windows | DSC.
You can then test the applied configuration. The test compares the desired state configuration to the target system and returns a “True” or “False” result:
As a verification test, delete a few files from the web server content directory C:\inetpub\wwwroot and perform the test. Note that the returned result is “False.”
Execute the same DscConfiguration job run previously. Complete the test and now you can see the returned result is again “True” because the issues were remediated:
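The compile, push, test and remediate sequence described above, gathered into one script as an added example that is not part of the original text. It assumes the CommerceConfig configuration shown earlier is loaded in the session and that FE-WEB-01 accepts remoting; the output directory name and the event count are arbitrary choices.

```powershell
$node    = "FE-WEB-01"
$mofPath = ".\CommerceConfig"   # directory that will hold FE-WEB-01.mof

# 1. Compile the Configuration Instance Document into a MOF file
CommerceConfig -OutputPath $mofPath | Out-Null

# 2. Push the MOF and watch the Local Configuration Manager apply it
Start-DscConfiguration -Path $mofPath -ComputerName $node -Wait -Verbose

# 3. Compare the node against the desired state (returns True or False)
$session = New-CimSession -ComputerName $node
$inState = Test-DscConfiguration -CimSession $session

# 4. If the node has drifted (for example, files deleted from
#    C:\inetpub\wwwroot), run the same job again and re-test
if (-not $inState) {
    Write-Warning "$node has drifted from the desired state; re-applying."
    Start-DscConfiguration -Path $mofPath -ComputerName $node -Wait -Verbose
    $inState = Test-DscConfiguration -CimSession $session
}
"{0} in desired state: {1}" -f $node, $inState

# 5. Review what the engine recorded on the node
Invoke-Command -ComputerName $node -ScriptBlock {
    Get-WinEvent -LogName "Microsoft-Windows-Dsc/Operational" -MaxEvents 20 |
        Select-Object TimeCreated, LevelDisplayName, Message
}

Remove-CimSession $session
```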
Your environment and requirements define how far you extend DSC. For example, if you have Microsoft System Center Orchestrator or an existing automation tool within your environment, you may choose to leverage that to manage checking state and performing remediation if necessary.
If that is not an available option, you may choose to switch the client from receiving a PUSH to now autoremediating via a PULL to extract its MOF file from a Desired State Configuration Pull Server. This is a web service utilizing the ODATA IIS extension. The DSC Pull Server can be set up on Windows Server 2008 R2, 2012, or 2012 R2. For Windows Server 2008 R2 and 2012, you can install the role through a set of Windows PowerShell commands that essentially install all of the necessary components. In Windows Server 2012 R2, the DSC Pull Server is a feature:
Advancements in Windows PowerShell continue to transform the data center landscape. Features like DSC demonstrate how the push toward IaaS is not only achievable, but is here to stay.
Jeff Butte
Senior Consultant, US Public Sector