Coming Soon: GET-IT: Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET-IT: Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET
System Center

Deploying a Desired State Configuration Web Host Using DSC

In a previous post related to deploying a web pull DSC host (“Deploying a Desired State Configuration Web Host Using PowerShell“), I presented a script which would put all the components into place in a manual fashion to get a new DSC pull server online and working. However, this script approach – while useful in illustrating the components required to get the service functional – does not play into the whole concept of configuration using desired state services. In this post, we will try again, but we will leverage some new modules that Microsoft’s DSC team has created for us. More accurately referred to as providers to actually commission a DSC pull server, using DSC.

To get started, we will need to download the latest version of the package from the Microsoft TechNet Gallery to our designated server, and as with all Internet downloads, unblock the file and extract its content.

Desired State Configuration: Install the Module (Provider)

Our first task will be to place the module in the correct location on our server. Launch your PowerShell console, and navigate to the folder you just extracted. For example: Downloads\xPSDesiredStateConfiguration_1.0

​ cd $env:UserProfile\Downloads\xPSDesiredStateConfiguration_1.0
copy .\xPSDesiredStateConfiguration_1.0 $env:ProgramFiles\WindowsPowerShell\Modules –Recurse –Force

With our new module (provider) now located in its new home, we can proceed to establish our new service.

Sponsored Content

Say Goodbye to Traditional PC Lifecycle Management

Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

Desired State Configuration provider

Create a Configuration for our DSC Pull Server

In the the following snip-it, we define a DSC Configuration which is to be applied to the current server (localhost), to configure both our DSC Pull Server and a DSC Compliance Server, referencing the new module we just published and its xPSDesiredStateConfiguration resource provider.

​ Configuration Assert_DSCWebService
  param (
    [String] $certificateThumbprint

  Import-DSCResource -ModuleName xPSDesiredStateConfiguration

  Node localhost
    WindowsFeature DSCServiceFeature
      Ensure = "Present"
      Name   = "DSC-Service"

    xDSCWebService PSDSCPullServer
      Ensure                  = "Present"
      EndPointName            = "PSDSCPullServer"
      CertificateThumbprint   = $certificateThumbprint
      PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
      ConfigurationPath       = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
      ModulePath              = "$env:ProgramFiles\WindowsPowerShell\DscService\Modules"
      Port                    = 80
      IsComplianceServer      = $false
      State                   = "Started"
      DependsOn               = "[WindowsFeature]DSCServiceFeature"

    xDSCWebService PSDSCComplianceServer
      Ensure                  = "Present"
      EndPointName            = "PSDSCComplianceServer"
      CertificateThumbprint   = "AllowUnencryptedTraffic"
      PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
      Port                    = 81
      IsComplianceServer      = $true
      State                   = "Started"
      DependsOn               = "[WindowsFeature]DSCServiceFeature"

In the previous post, I chose not to use SSL to secure the connection to the DSC pull server – an option I would never consider in a production deployment, but for the simplicity of demonstration we can leave out the extra steps. Similarly in this example I will also choose to use a non-SSL protected site, however you can easily change this for production.

The following command will execute the DSC configuration we just defined to provide a MOF file that will be used to apply the configuration. Our DSC configuration, named Assert_DSCWebService, will be executed just like any PowerShell function and provide the defined parameters (in this example, to define a non-SSL configuration).

​ Assert_DSCService –certificateThumbPrint “AllowUnencryptedTraffic” –OutputPath .

If you choose to use SSL, you simply require to have the certificate already in the computer store of your server and pass its thumbprint to the command, which will then validate that you have provided a valid match before completing its work.

​ Assert_DSCService –certificateThumbPrint “123213123123123123123” –OutputPath .

Desired State Configuration DSC pull server

Apply the Configuration

All that remains now is for us to apply our new DSC configuration to the local server. We will use the Start-DSCConfiguration command, instruct it to provide verbose feedback, and wait for the job to complete, so that we can monitor what is actually happening.

​ Start-DSCConfiguration –Path .\Assert_DSCWebService –Wait –Verbose –Force

Desired State Configuration

Once complete, we can check that the web services are online and working using our web browser. Assuming no issues were encountered we should be once again online, but this time using DSC itself to provision the service!

Related Topics:

Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: