Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Azure automation account DSC for On-Premise Virtual Machine on boarding

In my earlier series on on-prem Powershell DSC server I shown how to configure DSC (Desired State configuration) server and its client on windows & linux. Enabling WinRm is one of the main prerequisite for all DSC operations. If I see DSC's future, Microsoft is more and more focusing on Azure DSC (desired state configuration), Azure adds cloud-based management layer to DSC, you can use it as DevOps tool to continuous delivery platform in your environment, Its good tool for avoiding configuration drifts when configuring and managing servers cloud and on-prem servers. One of the reason you might not be using on-prem Powershell DSC pull server, because it doesn't scale very well and doesn't have good reporting features. Azure DSC solve these and other problems, it can scale to hundreds or thousands of nodes, Azure DSC has very nice intuitive UI for managing nodes, configuration and reports. Its very easy with Azure portal. Below are the components of Azure DSC pull server, you can refer it as I go step by step within this blog.

DSC resource: These are the DSC module used to configure Server features and roles (IIS server, third party applications), files and folders etc.
DSC configuration: This contains a configuration, basically it is a script (Kind of function) which has declarative syntax to configure a server.
Azure DSC node: Server (computer) that is registered and configuration managed by Azure DSC, Below given server types are supported by

  • Azure virtual machines
  • Physical/virtual Windows machines on-premises, or in a cloud other than Azure/AWS
  • Physical/virtual Linux machines on-premises, in Azure, or in a cloud other than Azure
  • Azure virtual machines (classic)
  • Amazon Web Services (AWS) EC2 instances

Node configuration: It is a MOF file generated using DSC resource and configuration. Managed Object Format (MOF) is the language used to describe Common Information Model (CIM) classes.
Compilation job: It is a process of converting DSC configuration into Mof document

Powershell azure dsc desired state configuration diagram, compilation jobs, dsc nodes, dsc compiled configuration automation account dsc script, dsc resource.png

Create an Automation Account

An Automation Account is a container for your Azure Automation resources. It provides a way to separate your environments or further organize your Automation workflows and resources.

Process automation that simplifies cloud management

Azure Automation allows you to automate the creation, deployment, monitoring, and maintenance of resources in your Azure environment and across external systems. Azure uses a highly scalable and reliable workflow execution engine to simplify cloud management. Orchestrate time-consuming and frequently repeated tasks across Azure and third-party systems.

Integrate into the systems you depend on

With Automation, you can connect into any system that exposes an API over typical Internet protocols. Azure Automation includes integration into many Azure services, including:

  • Web Sites (management)
  • Cloud Services (management)
  • Virtual Machines (management and WinRM support)
  • Storage (management)
  • SQL Server (management and SQL support)

Need your workflows to integrate into another service? Extend Azure Automation to third-party solutions simply by importing an existing PowerShell module or writing your own in C# or Windows PowerShell.

Lest start with Azure Automation DSC which is is part of Azure automation account service. To deploy it go to All Services, search Automation Account. 

Microsoft Azure Automation Account All Services Azure dsc Desired state configuration DSC configuration node compiled automation account free setup onboard aws or on prem computer.png

I don't have any automation accounts added yet, Create a new one by clicking Add, Provide below information (which are self explanatory).

Name, Subscription, Resource Group, Location 

One of the item create Azure Run As accounts to keep yes for now, when you create a Run As account, it creates a new service principal user in Azure Active Directory and assigns the Contributor role to this user at the subscription level. If you don't want to use Run As account, instead you can use managed identities for Azure resources to authenticate to your Azure services.

Microsoft Azure Add automation Account All services Resource group free subscription sponsership Azure create automation account Run as Account powershell desired state configuration azure DSC as a code.png

Once creation of resource complete, press Refresh on automation account to make it new resource visible on azure portal and double click it. From configuration management, select State Configuration (DSC) and choose Configurations, there will be no data in it, click Add button to select DSC script configuration file.

Microsoft Windows Azure Automation Account Desired State Configuration (DSC) Compose configurations Configuration management devops azure powershell script ps1.png

Here I have written my DSC configuration ps1 file and it is a small template example, contents are as below, This is just defining a state and declarative, which will create a text file on c drive with some content.

Configuration Filedemo
{

    Node 'localhost'
    {
        File CreateFile 
        {
            Ensure = 'Present'
            DestinationPath = 'C:\Test.txt'
            Contents = 'Hello World!'
        }
    }
}

Upload PS1 to a configuration file, it must be smaller than 1 MB to import. You can also update a existing configuration script by importing file with same name. Give it some good description. (Name field is taken from script, it is a configuration name)

Microsoft Azure Windows Create new Automation Accounts Import configuration file powershell azure dsc desired state configuration DSC resource ensure present file dsc module state configuration (DSC).png

Refresh the configurations, there will be a new DSC configuration listed. Click on it twice, which opens option to compile it.

Microsoft Azure free subscription sponsership Create a automation account desired state configuration (DSC) Complied configurations import dsc script upload ps1 configuration diagnose solve problems IAM.png

Click compile the uploaded dsc code configuration (It generates MOF file in the background), Any node configurations generated will automatically placed on the Azure Automation DSC pull server, if node configurations with the same name exist on the pull server, they will be overwritten. Press yes. Job is put into queue and will take few seconds to complete compilation job. On the compiled configurations refresh, note down the configuration name, It will be required in next steps.

Azure automation DSC desire state configuration Account automation compile dsc, compiled configurations deployment to pull servers compilation jobs powershell declarative node configuration.png

Other series
Part 1: Build your first Microsoft PowerShell DSC pull server
Part 2: Generate target server node config for PowerShell DSC pull server
Part 3: Configure PowerShell DSC Local configuration manager LCM in pull mode and update configuration
How to force a PowerShell DSC client to refresh configuration from pull server

I will require keys (Azure DSC URL and Access key) to connect Azure dsc pull server from on prem server, Note down them as well.

Microsoft Azure automation account dsc desired state configuration agentservice-prod1.azure-automation.net Account settings Keys Primary secondary access key regenerate powershell dsc state configuration.png

Configuration on Azure DSC is completed, next step is configuring LCM (Local configuration manager) of On-Premise VM. Make sure you are running PowerShell version 5.x and above on the server. Below is the break down of code. There is in detailed document provided by microsoft on https://docs.microsoft.com/en-us/powershell/dsc/managing-nodes/metaconfig

Line 1: This is small but helpful, All my metadata need to be generated under a folder where you are right now, I am changing directory to c:\temp, all the meta mof will be created under same folder
Line 3 to 43: This is a DSC configuration (function), I have taken most of the properties value as defaults, you can refer to below chart to make changes.
Line 45 to 52:  Here are the information I highlighted in light yellow will required to be connected. (All the information is already collected from keys and compiled configuration name). I am invoking LCM DSC configuration script on line 52 and generating meta MOF file.
Line 56: Using MOF and (pushing) configuring VM's Local Configuration Manager (LCM)

Below are the resources settings I am using on DSC LCM script.

  • ConfigurationRepositoryWeb: specifies an HTTP pull service for configurations.
  • ResourceRepositoryWeb: specifies an HTTP pull service for modules.
  • ReportServerWeb: specifies an HTTP pull service to which reports are sent.

Below are properties and there descriptions.

PropertyDescription
RefreshFrequencyMinsThe time interval, in minutes, at which the LCM checks a pull service to get updated configurations. This value is ignored if the LCM is not configured in pull mode. The default value is 30.
ConfigurationModeFrequencyMinsHow often, in minutes, the current configuration is checked and applied. This property is ignored if the ConfigurationMode property is set to ApplyOnly. The default value is 15.
RefreshModeSpecifies how the LCM gets configurations. The possible values are "Disabled", "Push", and "Pull".
  • Disabled: DSC configurations are disabled for this node.
  • Push: Configurations are initiated by calling the Start-DscConfiguration cmdlet. The configuration is applied immediately to the node. This is the default value.
  • Pull: The node is configured to regularly check for configurations from a pull service or SMB path. If this property is set to Pull, you must specify an HTTP (service) or SMB (share) path in a ConfigurationRepositoryWeb or ConfigurationRepositoryShare block.
ConfigurationMode

Specifies how the LCM actually applies the configuration to the target nodes. Possible values are "ApplyOnly","ApplyAndMonitor", and "ApplyAndAutoCorrect".

  • ApplyOnly: DSC applies the configuration and does nothing further unless a new configuration is pushed to the target node or when a new configuration is pulled from a service. After initial application of a new configuration, DSC does not check for drift from a previously configured state. Note that DSC will attempt to apply the configuration until it is successful before ApplyOnly takes effect.
  • ApplyAndMonitor: This is the default value. The LCM applies any new configurations. After initial application of a new configuration, if the target node drifts from the desired state, DSC reports the discrepancy in logs. Note that DSC will attempt to apply the configuration until it is successful before ApplyAndMonitor takes effect.
  • ApplyAndAutoCorrect: DSC applies any new configurations. After initial application of a new configuration, if the target node drifts from the desired state, DSC reports the discrepancy in logs, and then re-applies the current configuration.
AllowModuleOverwrite$TRUE if new configurations downloaded from the pull service are allowed to overwrite the old ones on the target node. Otherwise, $FALSE.
RebootNodeIfNeededSet this to $true to allow resources to reboot the Node using the $global:DSCMachineStatus flag. Otherwise, you will have to manually reboot the node for any configuration that requires it. The default value is $false. To use this setting when a reboot condition is enacted by something other than DSC (such as Windows Installer), combine this setting with the xPendingReboot module.
ActionAfterRebootSpecifies what happens after a reboot during the application of a configuration. The possible values are "ContinueConfiguration" and "StopConfiguration".
  • ContinueConfiguration: Continue applying the current configuration after machine reboot. This is the default value
  • StopConfiguration: Stop the current configuration after machine reboot.
ServerURLThe URL of the configuration service.
RegistrationKeyA GUID that identifies the node to the pull service.
ConfigurationNamesAn array of names of configurations to be pulled by the target node. These are used only if the node is registered with the pull service by using a RegistrationKey.

This script is available on github and can also be downloaded here.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
cd c:\temp

[DscLocalConfigurationManager()] #DscLocalConfigurationManager attribute.
Configuration AzureDscLcmConfig #Configuraion DSC script Starts
{ 
    param 
    ( 
        [Parameter(Mandatory=$True)][String[]]$ComputerName,  
        [Parameter(Mandatory=$True)][String]$AzureDscServerUrl,
        [Parameter(Mandatory=$True)][String]$AzureDscRegistrationKey,
        [Parameter(Mandatory=$True)][String]$AzureDSCNodeConfigurationName
    )
    Node $ComputerName
    {
        $ConfigurationNames = @($AzureDSCNodeConfigurationName)
        Settings 
        { 
            RefreshFrequencyMins = 30
            ConfigurationModeFrequencyMins = 15
            RefreshMode = 'Pull'
            ConfigurationMode = 'ApplyAndMonitor' 
            AllowModuleOverwrite = $False
            RebootNodeIfNeeded = $False 
            ActionAfterReboot = 'ContinueConfiguration'            
        }
        ConfigurationRepositoryWeb AzureAutomationDSC 
        { 
            ServerUrl = $AzureDscServerUrl
            RegistrationKey = $AzureDscRegistrationKey
            ConfigurationNames = $ConfigurationNames
        }
        ResourceRepositoryWeb AzureAutomationDSC
        {
            ServerUrl = $AzureDscServerUrl
            RegistrationKey = $AzureDscRegistrationKey
        }
        ReportServerWeb AzureAutomationDSC 
        { 
            ServerUrl = $AzureDscServerUrl 
            RegistrationKey = $AzureDscRegistrationKey
        }
    } 
}

$Params = @{
    ComputerName = @($env:COMPUTERNAME)
    AzureDscServerUrl = 'https://wus2-agentservice-prod-1.azure-automation.net/accounts/dd4d88ef-e37a-41b3-ba6d-fda11354b725'
    AzureDscRegistrationKey = 'zrnxVStK6tHDPB7Div3vtDDZ24Ow0oR3aeLU+LbbBqXt2+6KaCYt/cCciTjMz6j9yHhxjxyTSvcIUCDxfSJxew=='
    AzureDSCNodeConfigurationName = 'CreateFileDemo.localhost'
}

AzureDscLcmConfig @Params

Set-DscLocalConfigurationManager -Path C:\temp\AzureDscLcmConfig -Verbose

I have run complete script, below is the output from Line 45 to 54. <Computername>.Meta.Mof file is generated. By running Set-DscLocalConfigurationManager using mof file it can be seen in the verbose output that it is applying Azure DSC as a pull server and other modifying other configurations.

Microsoft Azure Powershell DSC desired state configuration Azure DSC Server URL registration key set-dsclocalconfigurationManager verbose azure dsc node configuration name msft dscresource mof MSFT.png

It takes around 15 to 30 min depending on the frequency time you set in the LCM, If I refresh the Nodes option of State configuration (DSC) on azure, On-premises VM shows up in the list and it is compliant (it will take some time).

Microsoft Azure Desired state configuration dsc automation account Nodes Configuration status onboarding server compiled configuration powershell lcm local configuration manager metadata configuration.png

Part 1: Configure PowerShell remoting between Windows and Linux
Part 2: Getting started with Powershell Desired State Configuration (DSC) on Linux

Once the server shows compliant on the Azure DSC, Check the C drive on VM, there must be test file created with defined text in the configuration.

Powershell Azure file dsc resource demo, Azure automation account dsc desired state configuration powershell devops, get-dscresource properties powershell dsc azure dsc pull server.png

If you want to to expedite the process of updating dsc configuration immediately, you can use below commands.

Update-DscConfiguration -Wait -Verbose
Get-DscConfigurationStatus

microsoft azure dsc desired state configuration node configuration update-dscconfiguration wait verbose get-dscconfiguration invoke-VimMethod configure onboard onprem vms azure dsc.png

Useful articles
POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS  
POWERSHELL DSC XACTIVEDIRECTORY ERROR - A NETBIOS DOMAIN NAME MUST BE SPECIFIED 
DSC (DESIRED STATE CONFIGURATION) : DEPLOYING ACTIVE DIRECTORY 
THE POWERSHELL XACTIVEDIRECTORY PROVIDER DOES NOT EXIST AT THE POWERSHELL MODULE PATH NOR IS IT REGISTERED AS A WMI PROVIDER

Go Back

Comment

Blog Search

Page Views

12273709

Follow me on Blogarama