Benutzer:MovGP0/Powershell/DSC/SMB Pull Server


SMB Pull Server

  • Resources that need to be configured
    • Service
    • xSMBShare
    • cADUser
  • no need for an HTTP server
Drawbacks
  • Firewall
  • No Compliance server
  • No SSL encryption
  • ACL planning; pull server runs in LocalSystem context
  • may require updates

Server Setup

  • Windows Server 2012 R2+
  • create SMB share and configure ACL
  • add DSC-Service Windows Feature
  • Set-ExecutionPolicy to at least RemoteSigned

Deployment of required Resources

  • Place the modules in a directory listed in $env:PSModulePath
    i.e. $env:ProgramFiles\WindowsPowerShell\Modules
  • Module must be zipped
    • Format is ModuleName_SemanticVersion.zip
    • Do not place it in $PSHome\Modules
    • .NET may have issues with creating .zip files (use a 3rd-party library)
  • Calculate checksum of the .zip file using New-DSCCheckSum
  • Copy zipped resources and checksums to shared folder

Deployment of Configurations

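# LCM meta-configuration for the pull client "Server01".
# ConfigurationMode "ApplyAndAutoCorrect" re-applies the configuration whenever
# drift is detected. The original value "ApplyAutoCorrect" is not one of the
# accepted modes (ApplyOnly / ApplyAndMonitor / ApplyAndAutoCorrect) and is
# rejected when the meta-configuration is processed.
# $guid is read from the calling scope and must match the GUID the .mof on the
# share is named after (see the deployment notes above).
Configuration MyConfiguration {
    Node "Server01" {
        LocalConfigurationManager {
            ConfigurationMode = "ApplyAndAutoCorrect"
            ConfigurationID = $guid
            RefreshMode = "Pull"
            RefreshFrequencyMins = 30
            # DscFileDownloadManager pulls from an SMB share. There is no TLS on
            # this path, so the share ACL is the only access control (see the
            # "Drawbacks" list above).
            DownloadManagerName = "DscFileDownloadManager"
            DownloadManagerCustomData = @{
                SourcePath = "\\FileServer02\DscConfigurations"
            }
        }
    }
}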
  • Create the .mof files and rename each one to the ConfigurationID GUID of the target server's LCM
    • server01.mof → ed00a7f0-6177-4c70-82b7-f1ede8aa6ab8.mof
  • Calculate checksum of the .mof files using New-DSCCheckSum
  • Copy renamed .mof files and checksums to share
    • the client only pulls when the checksum has changed
  • Reconfigure client LCMs as needed
  • Wait for the refresh interval or force the client to pull

Configure LCM on Client

  • RefreshMode = "PULL"
  • Configure whether modules may be overwritten (AllowModuleOverwrite)
  • Set ConfigurationID (GUID)
  • Configure DownloadManager
  • Configure RefreshFrequency
  • Define Credentials
    • especially with SMB file shares
# LCM settings for the pull client "Server01": pull from the SMB share every
# 30 minutes, report drift without correcting it (ApplyAndMonitor), and let
# modules from the share replace the locally installed ones.
# $guid is taken from the calling scope and must match the name of the .mof
# published on the share.
Configuration MyConfiguration {
    Node "Server01" {
        LocalConfigurationManager {
            RefreshMode               = "Pull";
            RefreshFrequencyMins      = 30;
            ConfigurationID           = $guid;
            ConfigurationMode         = "ApplyAndMonitor";
            AllowModuleOverwrite      = $true;
            DownloadManagerName       = "DscFileDownloadManager";
            DownloadManagerCustomData = @{
                SourcePath = "\\FileServer02\DscConfigurations";
            };
        }
    }
}

Force Client to Pull

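# Trigger an immediate consistency check on the pull client "Server01" by
# calling PerformRequiredConfigurationChecks on its LCM via CIM.
# Fixes versus the original:
#  - $args is an automatic variable in PowerShell (the unbound-argument array);
#    assigning to it shadows that, so a distinct name is used here.
#  - The hashtable holds Invoke-CimMethod's own parameters (ComputerName,
#    Namespace, ClassName, MethodName, Arguments), so it must be splatted.
#    Passing it with -Arguments would hand those names to the CIM method
#    instead of to the cmdlet.
# Flags is forwarded unchanged to the CIM method as a uint32.
$cimParams = @{
    ComputerName = "Server01"
    Namespace    = "root/Microsoft/Windows/DesiredStateConfiguration"
    ClassName    = "MSFT_DSCLocalConfigurationManager"
    MethodName   = "PerformRequiredConfigurationChecks"
    Arguments    = @{
        Flags = [uint32] 1
    }
}

Invoke-CimMethod @cimParams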

Setup SMB Share


Imperatively

# Create the DSC configuration directory on the remote host, publish it as the
# SMB share "DSCConfig", verify the share and enable the DSC-Service feature.
$computer = "chi-fp03"

# The directory is created on the remote machine; mkdir wraps
# New-Item -ItemType Directory.
Invoke-Command -ComputerName $computer -ScriptBlock { mkdir C:\DSCConfigurations }

# NOTE(review): ReadAccess = "Everyone" lets any account that can reach the
# share read every .mof and resource .zip on it. The pulling LCM runs as
# LocalSystem (see the notes above), so a group limited to the pull clients'
# machine accounts is worth considering when planning the ACL.
$shareParams = @{
    Name       = "DSCConfig"
    Path       = "C:\DSCConfigurations"
    CimSession = $computer
    FullAccess = "lan\Domain Admins"
    ReadAccess = "Everyone"
}
New-SmbShare @shareParams

# Show the resulting share, then add the DSC service feature on the same host.
Get-SmbShare -Name DSCConfig -CimSession $computer
Add-WindowsFeature -Name DSC-Service -ComputerName $computer -Verbose

Declaratively

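# Compiles the configuration for an SMB pull server: ensures the share
# directory exists (populated from $node.SourcePath), publishes it as an SMB
# share with the given access lists, installs DSC-Service and pins the node's
# LCM certificate (the thumbprint used to encrypt credentials in the .mof).
# Parameters:
#   Credential - account used by the File resource to read $node.SourcePath.
#                The Credential() attribute turns a user-name string into a
#                prompt for a PSCredential.
# Requires the cFileShare resource module on the target and ConfigurationData
# whose AllNodes entries provide NodeName, Path, SourcePath, ShareName,
# ChangeAccess, FullAccess, ReadAccess and Thumbprint.
# Fixes versus the original: 'param {' is not valid syntax ('param (' is), and
# the Node block closed right after the File resource, leaving the share,
# feature and LCM resources outside any node.
Configuration SetupSMBPull {
    param (
        [System.Management.Automation.Credential()]$Credential
    )

    Import-DscResource -ModuleName cFileShare

    Node $AllNodes.NodeName {
        # Local folder that backs the share; its content is copied from the
        # resource-zip location using $Credential.
        File DSCFolder {
            DestinationPath = $node.Path;
            Ensure = 'Present';
            Credential = $Credential;
            SourcePath = $node.SourcePath;
            Recurse = $true;
            Force = $true;
            Type = 'Directory'
        }

        cCreateFileShare $node.Sharename {
            Path = $node.Path;
            ShareName = $node.shareName;
            DependsOn = '[File]DSCFolder';
            Ensure = 'Present';
        }

        # Share ACL: pull clients only need read access to the .mof/.zip files.
        cSetSharePermission $node.Sharename {
            ShareName = $node.ShareName;
            ChangeAccessUsers = @($node.ChangeAccess);
            DependsOn = "[cCreateFileShare]$($node.Sharename)";
            Ensure = 'Present';
            FullAccessUsers = @($node.FullAccess);
            ReadAccessUsers = @($node.ReadAccess);
        }

        WindowsFeature DSCService {
            Name = 'DSC-Service';
            Ensure = 'Present';
        }

        # Meta-configuration: the node's machine certificate thumbprint.
        LocalConfigurationManager {
            CertificateID = $node.Thumbprint;
        }
    }
}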
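# Compile and apply SetupSMBPull for Server01, then verify the share.
# $computer names the node being configured and must match NodeName below;
# the original never assigned it in this section.
. .\Export-MachineCert.ps1
$computer = "Server01"

# Export the target's machine certificate; its thumbprint becomes the LCM
# CertificateID and the public certificate encrypts credentials in the
# compiled .mof.
$cert = Export-MachineCert -Computername $computer -Path C:\Certs

$ConfigData = @{
    # AllNodes must be an array of per-node hashtables; a bare hashtable is
    # rejected by the ConfigurationData validation. Path was also unquoted in
    # the original, which is a syntax error inside a hashtable literal.
    AllNodes = @(
        @{
            NodeName        = $computer;
            CertificateFile = $cert.path;
            Thumbprint      = $cert.thumbprint;
            Path            = 'C:\dscconfiguration';
            ShareName       = 'DSCConfig';
            SourcePath      = '\\server03\DscResourceZip';
            ChangeAccess    = 'lan\Administrator';
            ReadAccess      = "Everyone";
            FullAccess      = 'lan\Domain Admins';
        }
    )
}

# One output folder for compilation, LCM meta-configuration and push; the
# original compiled into NewPullSMB but applied from PullSMB.
$outputPath = 'C:\DSC\NewPullSMB'
$paramHash = @{
    Credential        = "lan\myuser";   # Credential() attribute prompts for the password
    ConfigurationData = $ConfigData;
    OutputPath        = $outputPath;
    Verbose           = $true;
}

SetupSMBPull @paramHash

# Make the cFileShare resource module available on the remote host.
# NOTE(review): the module is copied to server03's Modules folder while the
# node being configured is Server01 — confirm which host needs the module.
$path = 'C:\Program Files\WindowsPowerShell\Modules\cFileShare'
$destination = '\\server03\c$\Program Files\WindowsPowerShell\Modules'
Copy-Item -Path $path -Destination $destination -Container -Force -Recurse -PassThru

# Apply the LCM meta-configuration first, then push the configuration.
# -Wait blocks until the push finishes so the checks below see the result.
Set-DscLocalConfigurationManager -Path $outputPath -Verbose
Start-DscConfiguration -ComputerName $computer -Path $outputPath -Wait -Verbose

# Verify the share and its access list (the original had ':Name', a typo for
# '-Name').
Get-SmbShare -CimSession $computer
Get-SmbShareAccess -Name dscconfig -CimSession $computer | Format-List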

Copy zipped custom resources


Hint: Use Install-Package to install DSC resources from the PowerShell Gallery.

# Zip every DSC resource module installed under Program Files, place the
# archive on the pull share as <Name>_<Version>.zip and write its checksum
# next to it. New-ZipArchive is a helper defined elsewhere, not a built-in.
# $computer (the pull server) is expected from an earlier step.
$moduleRoot = "^c:\\Program Files\\WindowsPowerShell\\Modules"

Get-DscResource |
    Where-Object { $_.Path -match $moduleRoot } |
    Select-Object -ExpandProperty Module -Unique |
    ForEach-Object {
        $archiveName = "{0}_{1}.zip" -f $_.Name, $_.Version
        $archivePath = Join-Path -Path "\\$computer\DSCConfig" -ChildPath $archiveName
        New-ZipArchive -Path $_.ModuleBase -OutputPath $archivePath -Passthru
        # presumably gives the share a moment to expose the new file — the
        # original gives no reason for the pause
        Start-Sleep -Seconds 1

        if (-not (Test-Path $archivePath)) {
            Write-Warning "Failed to find $archivePath"
            return
        }

        try {
            New-DscChecksum -ConfigurationPath $archivePath -ErrorAction Stop
        }
        catch {
            Write-Warning "Failed to create checksum for $archivePath"
        }
    }

Create and copy configurations

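# Example node configuration compiled for the pull model: sets the time zone,
# a work folder, DNS servers and a local group, and writes the LCM
# meta-configuration pointing at the SMB share \\Server01\DSCConfig.
# Parameters:
#   guid       - ConfigurationID; the .mof on the share must be named <guid>.mof
#   Credential - account for the Group resource. Defaults to an empty
#                credential; the original default was cut off mid-expression
#                ("[System.Management.]"), which does not parse. With a
#                CertificateFile/Thumbprint in the configuration data the
#                compiled .mof carries the credential encrypted.
# Fixes versus the original: the Node block closed after xTimeZone, leaving the
# remaining resources outside any node, and the broken Credential default.
Configuration Demo {
    param(
        [string]$guid,
        [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty
    )

    Import-DscResource -ModuleName 'xNetworking','xTimeZone'

    Node $AllNodes.NodeName {
        xTimeZone Eastern {
            TimeZone = "Eastern Standard Time"
        }

        File Work {
            DestinationPath = 'C:\MyWork';
            Ensure = "Present";
            Force = $true;
            Type = 'Directory'
        }

        xDnsServerAddress Google {
            Address = '8.8.8.8','4.4.4.4','8.8.4.4';
            InterfaceAlias = 'Ethernet 2';
            AddressFamily = 'IPv4';
        }

        Group Demo {
            GroupName = 'Demo';
            Description = 'My Demo Group';
            Ensure = 'Present';
            Credential = $Credential;
            MembersToInclude = 'lan\myuser'
        }

        # Pull-mode LCM settings for this node; CertificateID pins the machine
        # certificate used to decrypt credentials in the .mof.
        LocalConfigurationManager {
            AllowModuleOverwrite = $true;
            ConfigurationID = $guid;
            ConfigurationMode = 'ApplyAndMonitor';
            RefreshMode = 'Pull';
            DownloadManagerName = 'DscFileDownloadManager';
            DownloadManagerCustomData = @{
                SourcePath = '\\Server01\DSCConfig';
            };
            CertificateID = $node.Thumbprint;
        }
    }
}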
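# Compile the Demo configuration for Server01.
# The machine certificate is exported first so the thumbprint and file path
# come from the result (as in the SetupSMBPull section) instead of the "..."
# placeholder the original left in the configuration data.
$cert = Export-MachineCert -Computername "Server01" -Path 'C:\Certs'
# Fresh ConfigurationID; the .mof published on the share must be named after it.
$guid = [guid]::NewGuid().guid

$ConfigData = @{
    # AllNodes must be an array of per-node hashtables, not a bare hashtable.
    AllNodes = @(
        @{
            NodeName        = "Server01";
            CertificateFile = $cert.path;
            Thumbprint      = $cert.thumbprint;
        }
    )
}

$paramHash = @{
    guid              = $guid;
    Credential        = 'lan\Administrator';
    OutputPath        = 'c:\DSC\DemoPull';
    ConfigurationData = $ConfigData;
    Verbose           = $true
}

# The configuration defined above is named Demo; the original called
# "DemoPull", which is not defined anywhere on this page.
Demo @paramHash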

Configure LCM

# Show the current LCM settings of Server01, then apply the meta.mof that was
# compiled into C:\DSC\DemoPull.
$target = "Server01"
Get-DscLocalConfigurationManager -CimSession $target
Set-DscLocalConfigurationManager -ComputerName $target -Path 'C:\DSC\DemoPull'

Copy the GUID-named MOF to the pull server

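# Publish the compiled Demo .mof on the pull share under the node's
# ConfigurationID GUID and generate its checksum.
# Fixes versus the original: -CildPath/-ChildPath, $scr/$src, $des/$dst, and
# the source folder, which is the OutputPath used when compiling
# (C:\DSC\DemoPull, not C:\DSC\PullDemo).
# $computer (pull server) and $guid come from the earlier steps.
$src = 'C:\DSC\DemoPull\server01.mof'
$dst = Join-Path -Path "\\$computer\DscConfig" -ChildPath "$guid.mof"

Copy-Item -Path $src -Destination $dst -PassThru
# Clients only pull when the checksum changes, so it has to be regenerated
# after every copy.
New-DscChecksum -ConfigurationPath $dst

Get-ChildItem -Path "\\$computer\DSCConfig" | Group-Object -Property Extension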

Force the configuration pull

# Force an immediate pull on Server01 with the Invoke-Pull helper script, then
# read back and test the applied configuration.
. .\Invoke-Pull.ps1
$target = 'Server01'
Invoke-Pull -Computername $target -Verbose
Get-DscConfiguration -CimSession $target -Verbose
Test-DscConfiguration -CimSession $target -Verbose