In my earlier series on on-prem Powershell DSC server I shown how to configure DSC (Desired State configuration) server and its client on windows & linux. Enabling WinRm is one of the main prerequisite for all DSC operations. If I see DSC's future, Microsoft is more and more focusing on Azure DSC (desired state configuration), Azure adds cloud-based management layer to DSC, you can use it as DevOps tool to continuous delivery platform in your environment, Its good tool for avoiding configuration drifts when configuring and managing servers cloud and on-prem servers. One of the reason you might not be using on-prem Powershell DSC pull server, because it doesn't scale very well and doesn't have good reporting features. Azure DSC solve these and other problems, it can scale to hundreds or thousands of nodes, Azure DSC has very nice intuitive UI for managing nodes, configuration and reports. Its very easy with Azure portal. Below are the components of Azure DSC pull server, you can refer it as I go step by step within this blog.
DSC resource: These are the DSC module used to configure Server features and roles (IIS server, third party applications), files and folders etc.
DSC configuration: This contains a configuration, basically it is a script (Kind of function) which has declarative syntax to configure a server.
Azure DSC node: Server (computer) that is registered and configuration managed by Azure DSC, Below given server types are supported by
- Azure virtual machines
- Physical/virtual Windows machines on-premises, or in a cloud other than Azure/AWS
- Physical/virtual Linux machines on-premises, in Azure, or in a cloud other than Azure
- Azure virtual machines (classic)
- Amazon Web Services (AWS) EC2 instances
Node configuration: It is a MOF file generated using DSC resource and configuration. Managed Object Format (MOF) is the language used to describe Common Information Model (CIM) classes.
Compilation job: It is a process of converting DSC configuration into Mof document
Create an Automation Account
An Automation Account is a container for your Azure Automation resources. It provides a way to separate your environments or further organize your Automation workflows and resources.
Process automation that simplifies cloud management
Azure Automation allows you to automate the creation, deployment, monitoring, and maintenance of resources in your Azure environment and across external systems. Azure uses a highly scalable and reliable workflow execution engine to simplify cloud management. Orchestrate time-consuming and frequently repeated tasks across Azure and third-party systems.
Integrate into the systems you depend on
With Automation, you can connect into any system that exposes an API over typical Internet protocols. Azure Automation includes integration into many Azure services, including:
- Web Sites (management)
- Cloud Services (management)
- Virtual Machines (management and WinRM support)
- Storage (management)
- SQL Server (management and SQL support)
Need your workflows to integrate into another service? Extend Azure Automation to third-party solutions simply by importing an existing PowerShell module or writing your own in C# or Windows PowerShell.
Lest start with Azure Automation DSC which is is part of Azure automation account service. To deploy it go to All Services, search Automation Account.
I don't have any automation accounts added yet, Create a new one by clicking Add, Provide below information (which are self explanatory).
Name, Subscription, Resource Group, Location
One of the item create Azure Run As accounts to keep yes for now, when you create a Run As account, it creates a new service principal user in Azure Active Directory and assigns the Contributor role to this user at the subscription level. If you don't want to use Run As account, instead you can use managed identities for Azure resources to authenticate to your Azure services.
Once creation of resource complete, press Refresh on automation account to make it new resource visible on azure portal and double click it. From configuration management, select State Configuration (DSC) and choose Configurations, there will be no data in it, click Add button to select DSC script configuration file.
Here I have written my DSC configuration ps1 file and it is a small template example, contents are as below, This is just defining a state and declarative, which will create a text file on c drive with some content.
Configuration Filedemo
{
Node 'localhost'
{
File CreateFile
{
Ensure = 'Present'
DestinationPath = 'C:\Test.txt'
Contents = 'Hello World!'
}
}
}
Upload PS1 to a configuration file, it must be smaller than 1 MB to import. You can also update a existing configuration script by importing file with same name. Give it some good description. (Name field is taken from script, it is a configuration name)
Refresh the configurations, there will be a new DSC configuration listed. Click on it twice, which opens option to compile it.
Click compile the uploaded dsc code configuration (It generates MOF file in the background), Any node configurations generated will automatically placed on the Azure Automation DSC pull server, if node configurations with the same name exist on the pull server, they will be overwritten. Press yes. Job is put into queue and will take few seconds to complete compilation job. On the compiled configurations refresh, note down the configuration name, It will be required in next steps.
Other series
Part 1: Build your first Microsoft PowerShell DSC pull server
Part 2: Generate target server node config for PowerShell DSC pull server
Part 3: Configure PowerShell DSC Local configuration manager LCM in pull mode and update configuration
How to force a PowerShell DSC client to refresh configuration from pull server
I will require keys (Azure DSC URL and Access key) to connect Azure dsc pull server from on prem server, Note down them as well.
Configuration on Azure DSC is completed, next step is configuring LCM (Local configuration manager) of On-Premise VM. Make sure you are running PowerShell version 5.x and above on the server. Below is the break down of code. There is in detailed document provided by microsoft on https://docs.microsoft.com/en-us/powershell/dsc/managing-nodes/metaconfig.
Line 1: This is small but helpful, All my metadata need to be generated under a folder where you are right now, I am changing directory to c:\temp, all the meta mof will be created under same folder
Line 3 to 43: This is a DSC configuration (function), I have taken most of the properties value as defaults, you can refer to below chart to make changes.
Line 45 to 52: Here are the information I highlighted in light yellow will required to be connected. (All the information is already collected from keys and compiled configuration name). I am invoking LCM DSC configuration script on line 52 and generating meta MOF file.
Line 56: Using MOF and (pushing) configuring VM's Local Configuration Manager (LCM)
Below are the resources settings I am using on DSC LCM script.
- ConfigurationRepositoryWeb: specifies an HTTP pull service for configurations.
- ResourceRepositoryWeb: specifies an HTTP pull service for modules.
- ReportServerWeb: specifies an HTTP pull service to which reports are sent.
Below are properties and there descriptions.
Property | Description |
RefreshFrequencyMins | The time interval, in minutes, at which the LCM checks a pull service to get updated configurations. This value is ignored if the LCM is not configured in pull mode. The default value is 30. |
ConfigurationModeFrequencyMins | How often, in minutes, the current configuration is checked and applied. This property is ignored if the ConfigurationMode property is set to ApplyOnly. The default value is 15. |
RefreshMode | Specifies how the LCM gets configurations. The possible values are "Disabled", "Push", and "Pull".
|
ConfigurationMode |
Specifies how the LCM actually applies the configuration to the target nodes. Possible values are "ApplyOnly","ApplyAndMonitor", and "ApplyAndAutoCorrect".
|
AllowModuleOverwrite | $TRUE if new configurations downloaded from the pull service are allowed to overwrite the old ones on the target node. Otherwise, $FALSE. |
RebootNodeIfNeeded | Set this to $true to allow resources to reboot the Node using the $global:DSCMachineStatus flag. Otherwise, you will have to manually reboot the node for any configuration that requires it. The default value is $false. To use this setting when a reboot condition is enacted by something other than DSC (such as Windows Installer), combine this setting with the xPendingReboot module. |
ActionAfterReboot | Specifies what happens after a reboot during the application of a configuration. The possible values are "ContinueConfiguration" and "StopConfiguration".
|
ServerURL | The URL of the configuration service. |
RegistrationKey | A GUID that identifies the node to the pull service. |
ConfigurationNames | An array of names of configurations to be pulled by the target node. These are used only if the node is registered with the pull service by using a RegistrationKey. |
This script is available on github and can also be downloaded here.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
cd c:\temp [DscLocalConfigurationManager()] #DscLocalConfigurationManager attribute. Configuration AzureDscLcmConfig #Configuraion DSC script Starts { param ( [Parameter(Mandatory=$True)][String[]]$ComputerName, [Parameter(Mandatory=$True)][String]$AzureDscServerUrl, [Parameter(Mandatory=$True)][String]$AzureDscRegistrationKey, [Parameter(Mandatory=$True)][String]$AzureDSCNodeConfigurationName ) Node $ComputerName { $ConfigurationNames = @($AzureDSCNodeConfigurationName) Settings { RefreshFrequencyMins = 30 ConfigurationModeFrequencyMins = 15 RefreshMode = 'Pull' ConfigurationMode = 'ApplyAndMonitor' AllowModuleOverwrite = $False RebootNodeIfNeeded = $False ActionAfterReboot = 'ContinueConfiguration' } ConfigurationRepositoryWeb AzureAutomationDSC { ServerUrl = $AzureDscServerUrl RegistrationKey = $AzureDscRegistrationKey ConfigurationNames = $ConfigurationNames } ResourceRepositoryWeb AzureAutomationDSC { ServerUrl = $AzureDscServerUrl RegistrationKey = $AzureDscRegistrationKey } ReportServerWeb AzureAutomationDSC { ServerUrl = $AzureDscServerUrl RegistrationKey = $AzureDscRegistrationKey } } } $Params = @{ ComputerName = @($env:COMPUTERNAME) AzureDscServerUrl = 'https://wus2-agentservice-prod-1.azure-automation.net/accounts/dd4d88ef-e37a-41b3-ba6d-fda11354b725' AzureDscRegistrationKey = 'zrnxVStK6tHDPB7Div3vtDDZ24Ow0oR3aeLU+LbbBqXt2+6KaCYt/cCciTjMz6j9yHhxjxyTSvcIUCDxfSJxew==' AzureDSCNodeConfigurationName = 'CreateFileDemo.localhost' } AzureDscLcmConfig @Params Set-DscLocalConfigurationManager -Path C:\temp\AzureDscLcmConfig -Verbose |
I have run complete script, below is the output from Line 45 to 54. <Computername>.Meta.Mof file is generated. By running Set-DscLocalConfigurationManager using mof file it can be seen in the verbose output that it is applying Azure DSC as a pull server and other modifying other configurations.
It takes around 15 to 30 min depending on the frequency time you set in the LCM, If I refresh the Nodes option of State configuration (DSC) on azure, On-premises VM shows up in the list and it is compliant (it will take some time).
Part 1: Configure PowerShell remoting between Windows and Linux
Part 2: Getting started with Powershell Desired State Configuration (DSC) on Linux
Once the server shows compliant on the Azure DSC, Check the C drive on VM, there must be test file created with defined text in the configuration.
If you want to to expedite the process of updating dsc configuration immediately, you can use below commands.
Update-DscConfiguration -Wait -Verbose
Get-DscConfigurationStatus
Useful articles
POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS
POWERSHELL DSC XACTIVEDIRECTORY ERROR - A NETBIOS DOMAIN NAME MUST BE SPECIFIED
DSC (DESIRED STATE CONFIGURATION) : DEPLOYING ACTIVE DIRECTORY
THE POWERSHELL XACTIVEDIRECTORY PROVIDER DOES NOT EXIST AT THE POWERSHELL MODULE PATH NOR IS IT REGISTERED AS A WMI PROVIDER