
Deploying a Desired State Configuration Web Host Using DSC

In a previous post related to deploying a web pull DSC host (“Deploying a Desired State Configuration Web Host Using PowerShell”), I presented a script which would put all the components into place in a manual fashion to get a new DSC pull server online and working. However, this script approach, while useful in illustrating the components required to get the service functional, does not play into the whole concept of configuration using desired state services. In this post, we will try again, but this time we will leverage some new modules that Microsoft’s DSC team has created for us (more accurately referred to as providers) to actually commission a DSC pull server using DSC.

To get started, we will need to download the latest version of the package from the Microsoft TechNet Gallery to our designated server, and as with all Internet downloads, unblock the file and extract its content.

Desired State Configuration: Install the Module (Provider)

Our first task will be to place the module in the correct location on our server. Launch your PowerShell console, and navigate to the folder you just extracted. For example: Downloads\xPSDesiredStateConfiguration_1.0

cd $env:UserProfile\Downloads\xPSDesiredStateConfiguration_1.0
copy .\xPSDesiredStateConfiguration_1.0 $env:ProgramFiles\WindowsPowerShell\Modules -Recurse -Force

With our new module (provider) now located in its new home, we can proceed to establish our new service.


Create a Configuration for our DSC Pull Server

In the following snippet, we define a DSC Configuration which is to be applied to the current server (localhost), to configure both our DSC Pull Server and a DSC Compliance Server, referencing the new module we just published and its xPSDesiredStateConfiguration resource provider.

Configuration Assert_DSCWebService
{
  param (
    [ValidateNotNullOrEmpty()]
    [String] $certificateThumbprint
  )

  Import-DSCResource -ModuleName xPSDesiredStateConfiguration

  Node localhost
  {
    WindowsFeature DSCServiceFeature
    {
      Ensure = "Present"
      Name   = "DSC-Service"
    }

    xDSCWebService PSDSCPullServer
    {
      Ensure                  = "Present"
      EndPointName            = "PSDSCPullServer"
      CertificateThumbprint   = $certificateThumbprint
      PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
      ConfigurationPath       = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
      ModulePath              = "$env:ProgramFiles\WindowsPowerShell\DscService\Modules"
      Port                    = 80
      IsComplianceServer      = $false
      State                   = "Started"
      DependsOn               = "[WindowsFeature]DSCServiceFeature"
    }

    xDSCWebService PSDSCComplianceServer
    {
      Ensure                  = "Present"
      EndPointName            = "PSDSCComplianceServer"
      CertificateThumbprint   = "AllowUnencryptedTraffic"
      PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
      Port                    = 81
      IsComplianceServer      = $true
      State                   = "Started"
      DependsOn               = "[WindowsFeature]DSCServiceFeature"
    }
  }
}

In the previous post, I chose not to use SSL to secure the connection to the DSC pull server. That is an option I would never consider in a production deployment, but for the simplicity of demonstration we can leave out the extra steps. Similarly, in this example I will also use a non-SSL-protected site; however, you can easily change this for production.

The following command will execute the DSC configuration we just defined to produce a MOF file that will be used to apply the configuration. Our DSC configuration, named Assert_DSCWebService, is invoked just like any PowerShell function, with the defined parameters supplied (in this example, to define a non-SSL configuration).

Assert_DSCWebService -certificateThumbprint "AllowUnencryptedTraffic" -OutputPath .

If you choose to use SSL, you simply need to have the certificate already in the computer store of your server and pass its thumbprint to the command, which will then validate that you have provided a valid match before completing its work.

Assert_DSCWebService -certificateThumbprint "123213123123123123123" -OutputPath .
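
The certificate lookup described above can be scripted so that an expired, key-less or wrong-purpose certificate is rejected before the MOF is compiled. This is an added example, not code from the original post; the function name, the `pull.example.test` host name and the 30-day validity margin are assumptions.

```powershell
# Added example (not from the original post): choose and vet the TLS
# certificate for the pull server before compiling the MOF.
function Get-PullServerCertificateThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $DnsName,  # FQDN the nodes will connect to
        [int] $MinDaysValid = 30                            # assumed renewal safety margin
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: TLS Server Authentication
    $now = Get-Date

    $usable = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $reasons = @()
        if (-not $cert.HasPrivateKey)                       { $reasons += 'no private key' }
        if ($cert.NotBefore -gt $now)                       { $reasons += 'not yet valid' }
        if ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) { $reasons += 'expires too soon' }
        # Strict on purpose: a certificate with no EKU extension is also rejected.
        if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) {
            $reasons += 'no Server Authentication EKU'
        }
        # Exact match only; wildcard names are not expanded here.
        if ($cert.DnsNameList.Unicode -notcontains $DnsName) { $reasons += 'name mismatch' }
        # Chain validation with the default policy.
        if (-not $cert.Verify())                            { $reasons += 'chain not trusted' }

        if ($reasons.Count -eq 0) { $cert }
        else { Write-Verbose ("Skipping {0}: {1}" -f $cert.Thumbprint, ($reasons -join ', ')) }
    }

    if (-not $usable) {
        throw "No certificate in Cert:\LocalMachine\My is usable for '$DnsName'."
    }
    # Prefer the certificate that stays valid longest.
    ($usable | Sort-Object -Property NotAfter -Descending | Select-Object -First 1).Thumbprint
}

# Usage (pull.example.test is a placeholder host name):
# $thumbprint = Get-PullServerCertificateThumbprint -DnsName 'pull.example.test' -Verbose
# Assert_DSCWebService -certificateThumbprint $thumbprint -OutputPath .
```

The configuration as written still binds the pull endpoint to port 80 and hard-codes "AllowUnencryptedTraffic" on the compliance endpoint, so both need changing as well before passing a thumbprint gives you an HTTPS-only deployment.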


Apply the Configuration

All that remains now is for us to apply our new DSC configuration to the local server. We will use the Start-DSCConfiguration command, instruct it to provide verbose feedback, and wait for the job to complete, so that we can monitor what is actually happening.

Start-DSCConfiguration -Path .\Assert_DSCWebService -Wait -Verbose -Force


Once complete, we can check that the web services are online and working using our web browser. Assuming no issues were encountered, we should once again be online, but this time using DSC itself to provision the service!
