There is no question that PowerShell is an excellent tool for modern DevOps operations and configuration management. PowerShell Desired State Configuration (DSC) provides a declarative model for configuration management: engineers describe how they want infrastructure to “look” and then let PowerShell perform that configuration.
What is PowerShell Desired State Configuration (DSC)?
Desired State Configuration (DSC) allows you to configure Windows and applications using a configuration file and PowerShell DSC resource configuration. As in other configuration management systems (Puppet or Ansible), when using DSC configurations, the administrator can describe the required configuration (target state) in the configuration file and then use PowerShell to apply it to one or several computers/servers. With PowerShell Desired State Configuration, you can greatly simplify the deployment and configuration of servers and workstations by configuring your OSs as code.
DSC first appeared in PowerShell 4.0 (a version of the Windows Management Framework introduced in Windows Server 2012 R2).
Beyond the Basics: Enhancing Efficiency with Built-in DSC Resources
DSC’s power is amplified by its wide array of built-in resources. These DSC resources facilitate numerous configuration tasks, from file and service management to controlling registry settings. By leveraging these resources, administrators can precisely control system configurations and boost operational efficiency.
Advanced DSC Configuration
To further illustrate the power of PowerShell DSC, let’s examine how to utilize advanced features such as the Local Configuration Manager (LCM). The LCM is the engine of DSC: it runs on every target node and manages the application of DSC configurations. By interacting with DSC resources, it ensures that the system is in its desired state and maintains that state.
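The LCM is itself configured through a meta-configuration. The following is an added example, not code from the original article: it assumes PowerShell 5.0 or later, an elevated session on the target node, and a hypothetical configuration name (LcmAutoCorrect). It switches the LCM from only monitoring to re-applying the configuration whenever drift is found.

```powershell
# Added example: LCM meta-configuration (PowerShell 5.0+ syntax).
# "LcmAutoCorrect" is a hypothetical name chosen for this illustration.
[DSCLocalConfigurationManager()]
Configuration LcmAutoCorrect {
    Node localhost {
        Settings {
            # Configurations are pushed with Start-DscConfiguration
            RefreshMode                    = 'Push'
            # ApplyOnly | ApplyAndMonitor (default) | ApplyAndAutoCorrect
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            # How often the LCM re-checks the node; 15 minutes is the minimum
            ConfigurationModeFrequencyMins = 15
            # Do not let the LCM reboot the node on its own
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile to .\LcmAutoCorrect\localhost.meta.mof
LcmAutoCorrect -OutputPath .\LcmAutoCorrect | Out-Null

# Apply the meta-configuration to the local LCM
Set-DscLocalConfigurationManager -Path .\LcmAutoCorrect -Verbose

# Confirm the settings the LCM is now running with
Get-DscLocalConfigurationManager |
    Select-Object RefreshMode, ConfigurationMode, ConfigurationModeFrequencyMins
```

With ApplyAndAutoCorrect, a manual change to a managed setting is reverted at the next consistency check, so intended changes must go through the configuration file.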
Exploring Third-Party DSC Resources
Beyond the built-in resources, PowerShell DSC supports third-party DSC resources, further broadening the range of configuration management possibilities. These external resources, found on the PowerShell Gallery, allow for seamless integration of DSC with various tools and technologies, thus promoting a holistic approach to configuration management.
Staying in the Loop: DSC Event Tracking
One critical aspect of DSC is keeping track of configuration changes and activities. This can be achieved via DSC events, which offer a comprehensive overview of DSC operations. DSC events are key to understanding the changes applied to your system and are crucial for troubleshooting configuration issues.
DSC Resource configuration
As mentioned above, the administrator must create a configuration file describing the Windows state. You can use the built-in resources (file, environment, registry, script, service, user) or third-party DSC resources. Windows 10 (Windows Server 2016) has 23 types of built-in DSC resources. You can display them using the Get-DSCResource command:
- File
- SignatureValidation
- Archive
- Environment
- Group
- GroupSet
- Log
- Package
- ProcessSet
- Registry
- Script
- Service
- ServiceSet
- User
- WaitForAll
- WaitForAny
- WaitForSome
- WindowsFeature
- WindowsFeatureSet
- WindowsOptionalFeature
- WindowsOptionalFeatureSet
- WindowsPackageCab
- WindowsProcess
To demonstrate how DSC works, we will create a simple configuration file. Suppose our task is to configure the server as follows: disable the BranchCache service, start the notepad.exe process, allow RDP access in the registry (the parameter fDenyTSConnections is set to 0), and create the C:\PS directory on the local drive.
The Configuration keyword is used to create the DSC configuration file. Create the dsc_test.ps1 file with the following code:
```powershell
Configuration TestConfiguration {
    # Import the built-in resources explicitly (avoids a compile-time warning)
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node dc01 {
        # Disable BranchCache Service
        Service PeerDistSvc {
            Name        = "PeerDistSvc"
            StartupType = "Disabled"
            State       = "Stopped"
        }

        # Enable RDP
        Registry fDenyTSConnections {
            Ensure    = "Present"
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
            ValueName = "fDenyTSConnections"
            ValueData = "0"
            ValueType = "Dword"
        }

        # Create C:\PS folder
        File InstallDir {
            Ensure          = "Present"
            Type            = "Directory"
            DestinationPath = "C:\PS"
        }

        # Run Notepad.exe
        WindowsProcess Notepad {
            Ensure    = "Present"
            Path      = "C:\WINDOWS\system32\notepad.exe"
            Arguments = ""
        }
    }
}

# Compile the configuration into a MOF file
TestConfiguration
```
Hint. In one configuration file, you can describe the state of one or more hosts.
Run this PS1 script file. As a result, the dc01.mof file will appear in the TestConfiguration subdirectory of the current directory.
For each node in the configuration file, a separate file is generated in MOF (Management Object Format). You can manually view the contents of the MOF file:
The settings from the DSC configuration file are applied to the server from the generated MOF file.
There are two ways to apply MOF files.
- Push — configuration files are transferred from the administrator’s workstation to remote computers via WinRM (Windows Remote Management). To do this, use the Start-DscConfiguration cmdlet;
- Pull — managed computers connect to a file server (configuration file repository), download and apply settings on their own. Pull DSC configuration is based on a special IIS-based AppPool.
Consider applying the DSC configuration via push mode.
Tip. Before using the Push method, you need to configure the execution policy “Set-ExecutionPolicy RemoteSigned” and enable remote PowerShell using the “Enable-PSRemoting” command.
To do this, use the Start-DscConfiguration command with the -Path argument, which specifies the path to the MOF files’ directory. Apply the previously created configuration file to the current computer:
Start-DscConfiguration -Path C:\Users\Administrator\TestConfiguration
Hint. Use the -Wait and -Verbose parameters for more detailed information on applying the configuration.
After executing this command, if the computer configuration already meets the requirements, nothing will change; if not, the settings will be changed. Settings are applied on the computer by the Local Configuration Manager service. In our example, the directory C:\PS was created on the disk, the BranchCache service was stopped, and the notepad.exe process was started on behalf of NT AUTHORITY\SYSTEM.
Settings made using DSC may change over time. You can check for discrepancies between the current settings and the configuration file using the Test-DscConfiguration command. For example, we killed the notepad.exe processes and deleted the C:\PS directory. Run the command:
Test-DscConfiguration
The cmdlet returned False, which means the server state does not match the configuration.
Using the Get-DscConfiguration command, you can get the value of the current DSC configuration settings.
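A bare False does not say which resource drifted or why. The following added example (not from the original article) combines the drift check above with the DSC event tracking described earlier; it assumes PowerShell 5.0 or later and an elevated session on the configured node, and the function name Get-DscDriftReport and its 24-hour default are hypothetical.

```powershell
# Added example: report drifted resources plus recent DSC errors/warnings.
function Get-DscDriftReport {
    [CmdletBinding()]
    param(
        # How far back to search the DSC event log (assumed default)
        [int]$Hours = 24
    )

    # -Detailed returns an object instead of a bare True/False
    $result = Test-DscConfiguration -Detailed

    # One row per resource that no longer matches the applied configuration
    $drift = foreach ($r in $result.ResourcesNotInDesiredState) {
        [pscustomobject]@{
            Resource   = $r.ResourceId    # e.g. [File]InstallDir
            SourceInfo = $r.SourceInfo    # script file and line that declared it
        }
    }

    # Level 2 = Error, 3 = Warning in the DSC operational channel
    $filter = @{
        LogName   = 'Microsoft-Windows-Dsc/Operational'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        InDesiredState = $result.InDesiredState
        Drifted        = @($drift)
        RecentEvents   = @($events)
    }
}

$report = Get-DscDriftReport
$report.Drifted      | Format-Table -AutoSize
$report.RecentEvents | Format-List
```

For the scenario above, the Drifted list would name the File and WindowsProcess resources, because the directory was deleted and notepad.exe was killed.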
To remove the current DSC configuration from the computer, run the command:
Remove-DscConfigurationDocument -Stage Current -Verbose
Frequently Asked Questions about PowerShell Desired State Configuration
What is the Role of a MOF File in Desired State Configuration?
The Management Object Format (MOF) file is essential to the DSC process. Generated from a DSC configuration file, each MOF document describes the desired state of a target node. Once created, MOF files are either pushed to the node or pulled by the node, depending on whether you’re using push or pull mode.
Can I Use PowerShell DSC on Non-Windows Platforms?
Yes, with the advent of PowerShell Core (a cross-platform version of PowerShell), you can also use DSC on Linux and macOS systems. The DSC configurations work the same way, using the platform’s native resources instead of Windows-specific ones.
What is the Difference Between Push and Pull Methods in DSC?
The push method involves manually applying the configuration from the MOF file to the target nodes from an administrator’s workstation, typically using the Start-DscConfiguration cmdlet. On the other hand, the pull method involves setting up a pull server (a central repository) from which the managed nodes fetch and apply the configurations on their own.
How Do I Monitor Changes to a DSC Configuration?
You can monitor changes to DSC configurations using the Test-DscConfiguration command, which checks if the current configuration of a system matches the desired state defined in the DSC configuration file. You can also use the Get-DscConfiguration command to fetch the current DSC configuration settings.
What are DSC Resources and Where Can I Find Them?
DSC resources are PowerShell modules used to describe the state of a specific aspect of a system, such as a file or a Windows feature. They are key components in defining the configuration in a DSC script. You can find built-in DSC resources in the Windows operating system or download additional resources from the PowerShell Gallery.
How does the Local Configuration Manager (LCM) fit into DSC?
The Local Configuration Manager (LCM) is essentially the engine of DSC. Installed on all target nodes, the LCM is responsible for managing the application of DSC configurations and ensuring the system is in its desired state.
Is it Possible to Remove a DSC Configuration from a Node?
Yes, you can remove a current DSC configuration from a node by using the Remove-DscConfigurationDocument cmdlet, followed by the -Stage Current argument.
How Can I Ensure the Same Configuration Across Multiple Nodes?
DSC allows you to define a “node block” within your configuration file where you list all the nodes that need to have the same configuration. Once you apply the configuration, each listed node will receive the same settings, thus ensuring uniformity across multiple systems.
Wrapping It Up: PowerShell DSC as Your Go-to Configuration Management Tool
Mastering PowerShell DSC lets you describe what you want your environment to look like while DSC handles the rest. It automates the configuration of your systems, reduces the possibility of errors, and saves significant time. Whether you’re deploying configurations to a single node or a large cluster of servers, DSC offers a highly effective, flexible, and scalable solution. Knowing how DSC works can be a major asset in maintaining an efficient and stable production environment. As we step further into a world where “infrastructure as code” is the norm, the importance of tools like PowerShell DSC only continues to grow.