Agenda

Quick recap of Desired State Configuration (DSC)

Practical DSC – On-Prem

Practical DSC - Azure

Reverse DSC

Desired State Configuration (DSC)

• Requires PowerShell 4 or greater (WMF);

• Responsible for bringing/keeping a machine in its Desired State;

• Available both On-Prem and in Azure Automation & IaaS;

Before we begin…

• Local Configuration Manager (LCM):

Engine responsible for ensuring the current machine is in its Desired State;

• DSC Module:

Represents a package responsible for configuring various aspects of a system. A module is normally associatedwith a software component (e.g. xEchange, xActiveDirectory, SharePointDSC, etc.);

• DSC Resource:

Responsible for configuring a specific aspect of a software. Each DSC Module is made of one or several resources(e.g. User, Mailbox, SPWebApplication, etc.);

DSC Modules and Resources

xActiveDirectory

• MSFT_xADGroup

• MSFT_xADUser

• […]

xSCOM

• MSFT_xSCOMManagementPack

• MSFT_xSCOMReportingServerSetup

• […]

SharePointDSC

• MSFT_SPWebApplication

• MSFT_SPSite

• MSFT_SPSearchServiceApplication

• [..]

xExchange

• MSFT_xExchMailboxDatabase

• MSFT_xExchEventLogLevel

• […]

DSC Configuration Script

• Where you define your Desired State.

• PS1 script defining a special « Configuration » keyword (behaves like a method);

• Upon calling the configuration, generates a .MOF file;

What Does it Look Like?

Start-DSCConfiguration

• PowerShell cmdlet that sends the .MOF info to the Local Configuration Manager;

• Tells the LCM to start bringing the current machine in its Desired State right now;

• Asynchronous by default, use –Wait to make synchronous call;

• Used for « Push » Refresh Mode;

Troubleshooting DSCApplications and Services Logs > Microsoft > Windows > Desired State Configuration > Operational

Secure Credentials

• By default securables are stored as plain text in the MOF file;

• Need to certificate to encrypt the content in MOF file;

• Specify the Certificate (.cer) and its Thumbprint in the configuration data;

Local Configuration Manager

• Responsible for:

• Determining refresh mode (push or pull);

• Determining pull frequency;

• Associating the nodes with the pull servers;

• Handle partial DSC;

Local Configuration Manager […]

• Keeps the MOF in memory as a DSCConfigurationDocument object;

• Get-DSCConfiguration returns the MOF currently in memory;

• Remove-DSCConfigurationDocument –Stage Current removes the current MOF from memory;

LCM Refresh Modes

• Disabled:

• No DSC configuration specified;

• Push:

• Configurations were started by the Start-DSCConfiguration cmdlet;

• Configurations are applied immediately to the node;

• Default value;

• Pull:

• Regurarly ping a central server (a.k.a. Pull Server) to check

compliance with specified Desired State;

LCM Refresh Frequency

• Only applicable to Pull Server mode;

• Specify, in minutes, intervals for pinging the Pull Server;

• Default is 30 minutes;

• Valid range is between 30 and 44640 minutes (31 days);

LCM Configuration Modes

• ApplyOnly:

• Once the configuration is applied, LCM doesn’t do anything else unlessa new Configuration is received;

• ApplyAndMonitor:

• Apply the configuration, checks on a regular basis if the configuration drifted from Desired State and log discrepencies (Default);

• ApplyAndAutoCorrect:

• Apply the configuration, checks on a regular basis for

compliance, log discrepencies and automatically bring the

machine back in to its Desired State.

LCM Configuration Frequency

• Time interval, in minutes, where the LCM checks the current state to see if it steered away from Desired State;

• Default is 15 minutes;

• Valid range is between 15 and 44640 minutes (31 days).

Partial DSC• New in WMF 5.0;

• Allows for the Desired State to be fragmented into several configurations;

• Enables better control over Governance of each partial DSC;

• Ex:

• Team A controls IIS, Team B controls SQL Server;

• Team A is responsible for deploying VM and OS, Team B is responsible for the Application layer;

• LCM is responsible for putting the fragments back together on the machines.

Mixed Refresh Mode• There are really only two Refresh Modes:

• Push

• Pull

• In partial DSC, each fragment can be associated with whatever RefreshMode;

• For a single server, you can have some DSC fragments using Push whileothers use Pull;

• Can be pulled from multiple Pull Servers.

Azure Automation DSC (AADSC)• Need to create an Azure Automation Account;

• Allows us to publish DSC configuration scripts in the cloud;

• DSC Configuration Scripts are compiled and checked for validity;

• Acts just like an On-Premises Pull server would;

• DSC Script can be assigned to VM by creating a custom extension;

AADSC Assets• Types of Assets:

• Schedules

• Modules

• Certificates

• Connections

• Variables

• Credentials

A SharePoint DSC Module• Open Source at:

• http://github.com/PowerShell/SharePointDSC

• Was the first DSC Resource to lose its ‘x’;

• Current version is 1.4.0.0.

• Currently looking at options to convert existing AutoSPInstaller scripts intoDSC Configuration script;

A Look Inside• SPWebApplication

• SPSite

• SPWeb

• SPManagedAccount

• SPFeature

• …

Anatomy of a DSC Resource

• Set-TargetResource -> Here is how I want you to configure me!

• Get-TargetResource -> How am I currently configured?

• Test-TargetResource -> Am I in my Desired State?

LCM

Desired State Info

Get-TargetResource

Test-TargetResource

Current State Info

Is Current = Desired

Yes

Set-TargetResourceNo

So…

• Get-TargetResource is included in every resource…

• Get-TargetResource returns me the current state of any given server for a resource…

• Using PowerShell we can dynamically call into all Get-TargetResourcemethods inside a Module…

Introducing a new concept

Reverse DSC!https://github.com/PowerShell/SharePointDsc/pull/396/files

The “Ahhhh” moment

• I can get an exact picture of how my existing environment is configured!

• I can export the result of calling all Get-TargetResource as a DSC script!

• I can use that script to create an exact replica of an existing environment or on-board an existing environment onto DSC!

• …I can even take an on-premises environment…..take that Reverse DSC and…. push a replica in Azure!

Imagine the possibilities

• Analyze best practices

• Quickly replicate on-prem to Azure;

• Compare configuration drifts between 2 environments;

• Replicate a client’s environment for troubleshooting;

• Enroll existing environment onto DSC for Monitoring and compliance;

• DEV/TEST

• DEVOps

• ….