get to know dsc

Get to Know DSCA PowerShell.org TechSession

RememberFind the latest TechSessions at

http://powershell.org/wp/techsession-webinars/.

Advanced registration is required to attend the live events, where you can participate in Q&A

Recordings posted to YouTube, usually in 48 hours.

TodayWe’ll introduce the DSC technology, explain what

it is (and isn’t), and provide some guidance for using it.

We’ll also look at where it currently falls short, and try to predict where it’ll go next.

This will be about 50/50 lecture and demo……and you’re encouraged to ask questions as we

go, using the Q&A panel in GoToWebinar.

Basic InformationLevel: 100-200

Technology introduction and feature overviewPlanning and architecture

Pre-requisites:Solid experience with Windows PowerShell and Windows administration

What is DSC?A means of declaratively specifying the

configuration a computer should adopt.Mainly focused on servers at this time.Rather than writing a script that checks the config

and then corrects it, you simply specify the config. Microsoft (and others) provide the code that does the checking and fixing.

ApplicabilityPart of WMF 4 and laterWin2008R2, Win7, and laterIncluded in Win2012R2 and Win8.1Note that because Win8.1 was a free update, WMF

4 does not technically apply to Win8; the expectation is that you’ll upgrade to 8.1.

Much more limited resource availability on Win2008R2 and Win7, meaning DSC is there, but it can do less.

Architecture

“Target Node”Because not every node is a computer these daysAlthough presently, an LCM exists only for

Windows and Linux

*LCM=Local Configuration Manager, the client-side bit of DSC that does all the dirty work

Configuration ScriptsThese can contain zero logic, to incredibly complex

logic.They run once on your authoring computer, and

produce a static MOF.

The MOF is what you deploy. Keep in mind that the MOF is static – it doesn’t contain code or logic.

A configuration can be written to target one computer, or contain logic that allows it to produce MOFs for multiple computers.

Let’s take a look…

ResourcesA Configuration Script (and thus, the MOF it produces)

references one or more Resources.

Resources are what actually check the config, and when necessary fix it.

Non-core resources must be explicitly imported.Use Get-DscResource to discover installed resources.A Config can reference any resource that will be available on

the target node (e.g., you can code a Config for Linux on Windows)

Resources should be available on the authoring system (for IntelliSense and whatnot)

One Machine, One MOFYou can only deploy a single MOF to a given

computer.To “modularize,” you can…

Add logic to a monolithic configuration script so that it produces “customized” MOFs per computer

Save a configuration as a resource, and then “include” it in another, top-level composite configuration

Composite Configurations

Composite Configuration

for Domain Controllers

Composite Configuration

for aux. DNS servers

Configuration forAD DS

Configuration forDNS servers

Configuration forall company

servers

DSC ResourcesSeveral come bundled with WMF 4MANY MANY MORE are in the DSC Resource Kit (at

Wave 4 as of June 2014)Resource Kit also includes Diagnostics and Resource

Designer modulesA Resource is a special PowerShell script module, and

multiple Resources can be bundled into a single Resource Module. The RM is what gets distributed; the R is what gets referenced in a configuration script

Let’s see one…

Deploying ResourcesContaining module should go in \Program Files\

WindowsPowerShell\ModulesThis is in PSModulePath as of WMF4.Simple file copy is sufficient…

However, resources usually have their own dependencies, usually other PowerShell modules.

Deploying MOFsPUSH Mode

Uses WinRM to deploy the MOF and kick off the Local Configuration Manager (LCM)

You must deploy all Resource Modules referenced in the MOF

PULL ModeConfigure machines’ LCM to grab their config from a

central Web or file serverThey can also grab needed Resource Modules from the

pull serverAvailable on 2008R2+ (harder to install on older OS)

“Compliance” ServerAdditional optional feature of a Web-based pull

serverGives machines a place to check back in with their

current state of conformityThis is only a status code, not a detailed

“difference” report.By default, stored in a Win Internal DB; can be

pointed to SQL Server.

“Diffs”LCMs can be configured to Apply (e.g., look at the

config) and Monitor (report back)…

…and Apply and AutoCorrect (e.g., look at the config and do something about it)

DSC is designed to ensure there are no differences; while the technology does support the concept of “report back and tell me what’s non-conforming” there are presently no tools which do so.

Mental SwitchWe’re used to asking “what changed?” for

troubleshooting.With DSC, if you’re doing it right, the answer is

always nothing. Which is why it doesn’t natively report back with a difference. There is no difference.

You can extract this information from diagnostic logs, but difference reporting isn’t the main goal of the technology.

What’s MissingFull resource coverage (improving almost

monthly)Tooling (aside from ISE, there basically is nothing)Documentation (“The DSC Book” is about the best

starting point; see also articles on PowerShellMagazine.com and the PowerShell team blog; it’s all a bit scattered at present).

What DSC Isn’tA catchall replacement for everythingE.g., you’d use DSC to configure WSUS, not to

deploy updates

Sketchy AreasSoftware installation is a little primitive – the

current Package resource is a bit finickyBroad availability of OneGet (WMF 5) will probably

help move this further toward the goal

SecurityThe LCM runs as SYSTEM, so it has almost no

authority off-computerAnything you need to do non-local (e.g., retrieve a

package from a file server) will need to be given a credential

You can specify, in a config, the thumbprint of a certificate (which you must pre-deploy to nodes) that can be used to decrypt credentials in the config

HTTPS!Pull Servers should be set up using SSL – this is

what they want by defaultWithout SSL, you get NO AUTHENTICATION OF THE

PULL SERVER IDENTITY THIS IS A MASSIVE SECURITY FAIL AND YOU WILL PROBABLY GO TO HELL AND YOU’VE GOT NOBODY TO BLAME BUT YOURSELF PLEASE DON’T USE A NON-HTTPS PULL SERVER THANK YOU VERY MUCH.

This Isn’t GPO (Yet)There is no connection to Active Directory.Targeting is basically manual, or whatever logic

you build.There’s no apply-time dynamic targeting or

filtering (MOFs are static).You get only one MOF per computer (which

complicates authoring, but massively simplifies everything else).

Let’s Take Some QuestionsI know you’ve got ‘em… ask away.

Follow-Up ResourcesThe DSC Book (soon to be retitled The Free DSC

Book) at PowerShell.org (on the “Resources” menu)

The DSC Hub at PowerShell.org (including our GitHub repo)

Watch for a DSC Microsoft Virtual Academy from Don Jones and Jeffrey Snover in 2014Q4

DSC Q&A Forum at PowerShell.org

Thank You!Find the latest TechSessions at

http://powershell.org/wp/techsession-webinars/.

Advanced registration is required to attend the live events, where you can participate in Q&A

Recordings posted to YouTube, usually in 48 hours.Ask follow-up questions in the Forums on

PowerShell.org.