PowerShell Desired State Configuration (DSC) Journey – Day 16

When I started this original project my intention was to work through all of the individual DSC Resources one at a time, hoping that I could get through them all before they released some more.  Well, that didn’t happen.  On Friday the PowerShell Team released DSC Resource Kit Wave #3, which is freaking awesome.  So, instead of working through the rest on my list, I am just going to start working on a project I probably should have been working on anyways.  I want to build a Configuration to replace using Virtual Machine Manager Templates, with the goal being to be able to deploy multiple, identically configured servers at one time.  I want to do this for a demo I am going to be doing (hopefully before I leave for the PowerShell Summit).

The information on the Hyper-V module can be found here, and I will also be referencing this post on building Composite DSC Resources.  After a lot of time spent looking at the documentation, I am just going to follow along with the example on the TechNet page in creating the various parameters and pieces of the Hyper-V portion of my Configuration.

First, let’s start with the xVMSwitch Resource.

Here is what I started off my Configuration with.

ProTip:  Don’t import the Module before declaring your parameters like I did above.  It will fail miserably.  I should also mention that all of these examples will be done on my PC using Hyper-V Manager because I don’t have access to a functional lab that will allow me to do what I want to do here.  I Invoke the Configuration and get a .MOF file for my PC.

I then push out that Configuration file to my PC using this command.

Here is the Verbose output and a screenshot showing the completed switch.  It amazes me how fast this completed.  If I create a new VMSwitch through the GUI and select the “Use Guest OS” option my computer literally locks up for 5 minutes.


Tomorrow I will work on creating the .VHDX file(s) that are required.

PowerShell Desired State Configuration (DSC) Journey – Day 15

Yesterday I explored the Archive Resource.  Today I am going to look at the Role Resource.  When you look at Get-DSCResource it isn’t called Role.  It’s called WindowsFeature.  Make complete sense right?  Here are the expanded properties.

Alright.  Let’s do this.  You can find plenty of examples where people have installed one or two features using DSC.  Am I going to do that?  Absolutely not.  Let’s put this thing to the test.  To get a list of all the Windows Features available to install run this command.

Alright.  Let’s try to break some stuff.  Here is all the code that I added to my ServerConfig Configuration.  I immediately want to see if I can include multiple names in one Resource block.  I am also trying to break the LogPath Property.  It says to specify a path to a log file, so I am including a log file name in here so we will see what happens with that.

The Consistency scheduled task on DSCTest didn’t run nearly long enough for this to have worked.  Let’s go to the log and see what I broke.

And.  This is taking a long time to return anything.  That’s usually a sign that DSC itself is doing something.  Nope.  It came back right as I finished typing that.  Of course :).

Alright, it clearly didn’t like my Feature Names.  Let’s change the formatting a bit and try again.

It likes that even less (which completely makes sense, but I had to check!).  Here is the error.

Alright, let’s try this instead.

PowerShell ISE right away gives the second Name definition a squiggly which if you mouse over it plainly tells you that “Duplicate property resource definitions are not allowed in an instance definition”.  Well that certainly solves that.  Here is my new Configuration.

And the scheduled task is running.  While it is doing that, I am going to work on something else.  I imagine that’s going to take a while.

Checking back, I don’t see any of my Roles installed, but when I open the Add Roles and Features wizard it plainly tells me that the server has a pending restart.  Good sign!  I also check the C:\Scripts folder and see all of my specified text files in there, and it does look like everything ran.  Exciting stuff.

dsc26Time to reboot the server!  After the reboot, looking at the LocalConfigurationManager on DSCTest, it is set to reboot if needed, I wonder why it didn’t do that.  Or if I just didn’t wait long enough for it to reboot?  Either way, all the things got installed.

Now let’s install some IIS Management Tools and see if DSC will remove them.

I double check using Get-WindowsFeature and it is installed.  So let’s run our scheduled task and see if it gets removed.



If you are curious here is what my log file looks like when the IIS Management Tools were removed.

I am off tomorrow but I will pick back up next week.  I think it’s time for some more Custom Resources.  Hyper-V Anyone?

Orchestrator Runbook Fails – Failed to get members of collection. The SMS Provider reported an error

The TechNet Forum thread is here if you are interested, but I wanted to write a quick blog for my reference in the future.

I created an Orchestrator Runbook that would get all the devices in an SCCM collection, and then put them into Maintenance Mode in SCOM.  However, every time I ran the runbook and put in the collection name, it failed with this error:

Full Error is:  “Failed to get members of collection ‘{Collection Name from “Initialize Data”}’.”. The SMS Provider reported an error. Details: Generic failure

After my SCCM admin and I exhausted all the options we could think of, I went to the forums.  The answer turned out to be surprisingly simple.

I had just typed the text {Collection Name from “Initialize Data”}.  What I needed to do was in the Collection, Right Click, Subscribe, Published Data and select Collection Name.  Once I did that for the Get Collection Member and Start/Stop Maintenance Mode, it ran perfectly!

PowerShell Desired State Configuration (DSC) Journey – Day 14

On Monday I ran into some issues with the Environment Resource (I am not done with that either, I just need some time to setup my home lab).  Today I am going to mess around with the Archive Resource.  And in a weird, ongoing issue, the Consistency scheduled task is still running.  So let’s reboot the server like usual before we start.

Archive Resource information can be found here.  The Properties of the Resource are shown below.

I have a .zip file of PowerShell scripts that I want to unzip and ensure always exist in the C:\Scripts directory.  Here is the code that I added to my Configuration script.  I chose to include the Checksum Property because that pretty much ensures that I will break something.

And I was right!  Here is the relevant information in the Trace-cDSCOperation output.

Fair enough.  The TechNet article lists a Validate Property but it has no description, and their example doesn’t use it.  This should be fun.  If I type the word Validate in ISE, highlight it, and do Ctrl + Right Click + Start Intellisense it tells me that it is looking for a bool value.  New code is below.

Great Success!  Here is the contents of my Scripts folder.


My Checksum is based on the modifiedDate, so let’s modify the .Zip file by removing some scripts and see what happens.  I removed the first 5-7 scripts from the .Zip file and forced DSCTest to Pull it’s Configuration again.  There shouldn’t be any changes because the files that are currently in the .Zip file already exist.  And…..I was correct!  There were no changes to the contents of the C:\Scripts folder.

One last test before I head to a meeting.  Let’s set Ensure = “Absent” and let’s see what happens.  What should happen is that every script that currently resides in the .Zip file should be removed.  Boom!


Good day today!  Looking at the Built-In DSC Resource List, I think tomorrow I will explore the DSC Role Resource.


PowerShell Desired State Configuration (DSC) Journey – Day 13

When we left off last week I was messing around with the Log resource and found out some interesting things about the Package resource and non MSI application installation.

Today I am going to explore using the Archive and Environment resources.  I am getting a little adventurous here attempting to tackle two at a time but I feel like I am confident enough with the DSC Resources at this point that it shouldn’t be an issue.

First up is the Environment Resource.  The Environment Resource has the Properties Name, DependsOn, Ensure, Path, and Value.  Only Name is mandatory.  Which is interesting.  I don’t know why you would Name an Environmental Variable and then not set anything else for it.  Everything is pretty self explanatory except for the Path Property.  The TechNet article says this about the Property.  “Defines the environment variable that is being configured. Set this property to $true if the variable is the Path variable; otherwise, set it to $false. The default is $false. If the variable being configured is the Path variable, the value provided through the Value property will be appended to the existing value.”  So, let’s test this both ways, with the path variable both $true and $false.

Here is the code I have added to my ServerConfig Configuration.

So, if this does what I want it to, it should add C:\Scripts to the $path variable on DSCTest as well as add an environmental variable for C:\Scripts.  Here is what I have currently for my $env:Path variable.

I Invoke the Configuration and go to run the Scheduled Task to force a Pull and once again it’s running.  And has been since Friday night basically.  Awesome.  Is anyone else seeing this kind of behavior from the Scheduled Task?

Anyways, after the reboot the DSCRestartBootTask completed successfully.  However, the $env:path variable doesn’t have C:\Scripts listed.  However, this did happen.

Well, that’s not what was supposed to happen.  Seems pretty clear.  “Set this property to $true if the variable is the Path variable; otherwise, set it to $false. If the variable being configured is the Path variable, the value provided through the Value property will be appended to the existing value.”  Lies!  Let’s try using the Program Files directory and see if that works.  And yes, the C:\Scripts does exist, my Configuration script ensures that :).

No dice.  It did this instead, since I didn’t delete the Environmental Variables I created previously, which is good to know.


Alright, that didn’t work.  So.  Uh.  I guess let’s just try it without the Ensure value.  Which shouldn’t matter at all, but let’s try it anyways.  I change my code to this, and try it again.

And not surprisingly it just added it to the System Variables list.  I am going to try something really wacky before I head to Google to see what is out there about this.

Then, I have an idea.  An idea that makes me feel dumb, but I do it and share it with you anyways.

Nope, not even that did the trick.  I thought for sure that removing the $True from within double quotes would do the trick.  That maybe since DSC couldn’t recognize the bool value inside of quotes it was just defaulting to $False.  I add the Ensure = “Present” line to the code and try that.  Nope.  Still just adds a new environmental variable.

At this point I am completely out of ideas, and Google is no help on this issue at all.  I am probably doing something wrong but I have no idea what it is.  Any suggestions are more than welcome 🙂 .  Looks like the Archive resource is going to have to wait until tomorrow.

PowerShell Desired State Configuration (DSC) Journey – Day 12

Today I am going to do some work with the Log Resource.  The TechNet Article for Resource is pretty straightforward.  I have been thinking about how I would use this for a day now, and I really haven’t come up with anything useful because as I covered here the DSC Diagnostics Module provides some really good logging.  I feel like this is a Resource that was built for the future (and maybe it works better for Custom Resources??) than for using the out of box ones.  Nevertheless, let’s do some logging!

First thing to note is that the Log Message will appear in the Microsoft-Windows-Desired State Configuration/Analytic Event Log.  There are only 2 Properties, Message and Depends on.  Pretty straightforward.  Let’s add a couple of Logs to the Configuration I have been using and see what happens.  Here are the lines that I added.

I intentionally used Parameter names in the Message blocks to see if it actually uses them.  It looks like it should work in the ISE Editor, so lets find out.  I Invoke the Configuration, send it to the Pull Server, and force DSCTest to pull its Configuration.

While doing this, I noticed that for the second day in a row the Consistency scheduled task on DSCTest had been running non stop since 2:38AM this morning.  Yesterday I rebooted the server and it fixed the problem.  Today I ended the task and set it to kill itself if it ran for more than an hour.  It was set to 3 days by default, which I don’t agree with at all.  I start the scheduled task again and it just runs and never does anything.  Typically it runs for about 15 seconds and then it’s done.  It’s scheduled to run on it’s own in 3 minutes so I will just wait for that and see what happens.  It started, but then it doesn’t stop.  It had been running for a good 5 minutes now before I end it.

I also tried doing it the way Don Jones suggested in the comments to this post.

And I just got this error message for my trouble.

Which doesn’t make any sense because I am using PowerShell as a Domain Admin and I have rights to do everything else I have ever needed to do.  Time for the magical reboot server trick!

After the reboot the DSCRestartBootTask ran successfully and I was able to get this information.

Which is interesting.  So then let’s do this.  I have shortened the output to show the interesting parts.

It appears to be failing because of this.

I never checked back yesterday after BGInfo got installed but it clearly doesn’t like the fact that it can’t verify the ProductID.  So, let’s try something here.  Also I should note at this point that none of my messages got logged because the Configuration failed.

I set the BGInfoInstall Package Resources to Absent and try again. No dice.  Same errors.  Well.  Crap.  Clearly I will need to do some playing around with this.  For the sake of testing the Log Resource I remove those entries from my Configuration and try it again.  And it works.  Let’s check out the log file.

There are a lot of entries like the one below, but none with my actual message.  So let me try changing one to not include a parameter name.

The Trace of the DSCOperation has entries like this, but again, none with my message in them.

I changed my Log Success to this, and then Invoked the Configuration again.

In doing this, I must have been blind previously because it did log what I had in there.  Here are some examples of what it looks like.

That’s all I have time for today , but I am seeing a lot of inconsistencies in the logging.  I ran the exact Configuration again, and the only thing it logged was the Log ScriptFolder Resource, there were no entries for Log Success or Log DNSServerAddress.


PowerShell Desired State Configuration (DSC) Journey – Day 11

Yesterday I worked with the File Resource to ensure that the path C:\Scripts existed and that my BGInfo files were inside of it.  Today I am going to attempt to use the Package resource to run the BGInfo Files.

First thing I need to do is find out what the settings for the Package Resource are.

There are 3 mandatory settings, Name, Path, and ProductID.  I did some digging around for information on what the ProductID requires in a situation like this, and didn’t find much.  So I am just going to make one up and see what happens.

Here is the code I added to my Configuration script.

I have the server Pull this configuration and it fails.  I am not going to show the entire thing here, but this is the relevant part.

So like I suspected it clearly does not enjoy my ProductID, but doesn’t tell me how long it needs to be or what the format should be (although I strongly suspect I know what they should be).

The example on the TechNet page for this resource as ACDDCDAF-80C6-41E6-A1B9-8ABD8A05027E so I will just use that format but modify it in the Configuration to see if that works.

I am going to try this for the ProductID and see how it works.  NFM12345-1234-NFMN-1234-OMA123NE1234 and NFM12345-1234-NFMN-1234-OMA123NE5678.

Nope, no dice.  Same error.  This leads me down a Google rabbit hole involving MSIEXEC and ProductID searches.  Then it dawns on me that there truly is no ProductID, so what if I just use “” for the Product ID?

Boom!  Both files work and BGInfo is installed.  The proper directory in Program Files is created, the proper file is moved into the Startup folder and the BGInfo is showing on the desktop.

Here is the final version of the code.

Looking at the list of built-in DSC Resources I haven’t touched yet, I think I am going to go with learning the Log Resource tomorrow.

PowerShell Desired State Configuration (DSC) Journey – Day 10

Yesterday I talked about troubleshooting what was wrong with DSCTest server being unable to pull the module file from the Pull Server.  After a couple of breaks and some reading I figured it out (the answer is at the end of the article), and everything is working great.

Today, I am going to back to the File resource that I started with originally.  As part of our server builds we put BGInfo on all the servers, and we have a .bat file that runs that configures the way we want it.  So I am going to add to my Server Config Configuration (with an eye towards using this is as a composite resource not too far down the line) to copy these files, and then use the Package resource to install it.  Hopefully.  One other thing that I should mention is that I went ahead and downloaded all of the community DSC resources from here and going forward will be using them instead of the Microsoft provided ones.

First, I need to do two things. I want to ensure that the C:\Scripts folder always exists.  Once I know that exists, I want to copy the BGInfo folder and files into that location.  Here is the code that I added into my Configuration to do this.

Nothing fancy there.  Now to test this, I need to make sure I use the same GUID that I used before when I told DSCTest which configuration to look to pull from the Pull Server.  To get this I just browse to \\PullServer\C$\Program Files\WindowsPowerShell\DSCService\Configuration, get the GUID and set $guid = GUID in PowerShell.  I Invoke the Configuration to generate the .MOF file.  I then push that .MOF file out to the PullServer.  Since it has the same GUID as before, and DSCTest knows to look for that GUID, it should automatically pick it up.  I verified it’s the right GUID by entering into a PSSession on DSCTest and running Get-DSCLocalConfigurationManager.  The ConfigurationID should match the GUID, and mine does.

And this doesn’t work.  It pulls the Configuration fine, but it says that DSCTest is in compliance and everything is fine.  I went through a lot of troubleshooting steps, double and triple checking things before I figured out what the problem was.  It’s wonderful and all that you keep the GUID the same, but if you don’t generate a new checksum it won’t matter.  Lesson learned.  Once I did that it created the file.

Now that I have ensured my Scripts folder will be present, I need to copy my BGInfo folder and files into it.  To do that I have the code below.

I Invoke the Configuration, Copy the file to the PullServer, GENERATE A NEW CHECKSUM(!!!) and run the scheduled task on DSCTest.  BAM!



Lesson(s) Learned:  Even if the GUI is the same, if you update the Configuration and generate a new .MOF you need to generate a new Checksum. This can be done by using the command New-DSCChecksum -Force -Destination $dest.

Tomorrow:  I try to use the Package resource to install BGInfo.

If you are curious here is the full log of the implementation of the Configuration.  Warning.  This is long.




PowerShell Desired State Configuration (DSC) Journey – Day 9

First, some DSC related links from the weekend.  I got caught up on these today, and like usual learned quite a bit from the articles.

From The Scripting Guys:

Use Configuration File to Apply PowerShell DSC to Multiple Servers

PowerShell, Network Adapters and Domain Name System

Troubleshoot with PowerShell DSC Diagnostics Module

That last link is particularly timely, because I am still struggling with being able to Pull a Configuration from my Pull Server.  I am hoping I can use the DSC Diagnostics Module to determine what is going on.  I will say this, if I copy the xNetworking Module from my Pull Server to my DSCTest Server, the Configuration is applied within minutes.  For some reason the DSCTest server doesn’t think it can find the xNetworking Module on the Pull Server.

And here are the results.  The relevant stuff is at the bottom, I am including all of it for the sake of context.

I then run the following command to get more detail about Sequence ID 1.

And here is the full Message I got from the trace. The really relevant stuff is at the bottom.

Now, for whatever reason it doesn’t think it can find the xNetworking module to download it.  I first want to double check my Pull Server Configuration.

The ModulePath is set above.  I am certain I copied all the Module files into that directory, but I will double check.  Nope, I am not crazy.


And just to check I open up the xNetworking.psd1 file and the very first line states that

# Version number of this module.
ModuleVersion = ‘2.0’

So that looks fine as well.  At this point I am kind of stumped.  I am not sure what the problem is.  All the modules also exist in the C:\Program Files\WindowsPowerShell\Modules directory.  While doing some playing around and looking at the Configurations for my Pull Server and DSCTest I am wondering where the name of the Download Manager comes in.  I just used the Configuration in Don Jones DSC-Ebook, and it seems to have worked fine for him.  But I am wondering if it needs to be something besides WebDownloadManager.  The TechNet Article for Local Configuration Manager states that DownloadManagerName “Indicates the name of the Configuration and module download manager.”  Well.  That doesn’t really help me.  I do some Google searching and see that same name, WebDownloadManager used a bunch, so it must the Default and be OK to use.

I did a bunch more searching and came across this article that talks about configuring Pull mode over SMB.  In the update at the end it talks about how he needed to set folder permissions to access his share, so I think maybe that the can be the problem.  I share out the C:\Program Files\WindowsPowerShell\DSCService\Modules folder to Everyone, giving them Full Control, and wait and see what happens.

If it checks in to Pull before I leave again today, I will update this post, otherwise I will continue tomorrow.

Update 4:24 PM.  Still failing.  Looking like I may have to try the DSCFileDownloadManager configuration tomorrow and see if I have any more luck.

Update 6:14 PM  I figured out what was wrong.  Reading further in the DSC E-Book, it talks about deploying custom resources.  Apparently even the Microsoft released Resources, such as xNetworking, which do not come with the default DSC Configuration need their own checksum file.  I created a .zip file named xNetworking_2.0.zip in the C:\Program Files\WindowsPowerShell\DSCService\Modules directory (from the extracted xNetworking folder in my modules directory).  I then ran the New-DSCChecksum command against that file to create the checksum file.  I then manually run the scheduled task on the DSCTTest server, and boom, configured!

PowerShell Desired State Configuration (DSC) Journey – Day 8

When we left off yesterday I was stuck getting my DSC Pull Server working properly.  The fix turned out to be easy.  Don’t configure a server to be a DSC Pull Server unless it’s Server 2012 R2.  Server 2012 doesn’t have the feature to make it work properly.  Once I upgraded my server to 2012 R2 and ran through the steps again everything worked great.

Now that my DSC Pull Server is working, can I pull an actual configuration from it?  I have a brand new Server 2012 R2 Server Core VM that isn’t configured for anything right now.  Here is the Configuration I would like to push to it.

I skipped a bunch of testing this on my part, but don’t set an IP address without first setting the DNS Address.  It doesn’t work out very well.  I Invoke the Configuration by running a command like this (all these values are made up)

The network adapter on the VM is currently configured for DHCP.  Let’s get this Configuration sent to the Pull Server and have my Server Core VM pull it.  Again, we are following the steps in the DSC E-Book.

I run Get-DSCLocalConfiguration manager on my Server Core VM and can see that the RefreshMode is set to Push:

First step.  Create a new GUID.

Second step.  Copy the file.

Third step.  Create a new CheckSum.

Fourth step.  Tell a computer to Pull a Configuration.

We run that script and magic happens (after about 10 minutes).  The server is configured with the static IP, Gateway, SubnetMask and DNS Server Addresses that I specified.  We can also see now that the server is Configured for Pull mode.


Now, something I discovered while writing this article.  I tested this before I wrote this.  I set my VM back to using DHCP and then watched as the VM was checking in, but not doing anything.  While waiting to see if anything was happening, I got around to reading this article by Steven Murawski.  And wouldn’t you know it.  I needed to change a setting on the Local DSC Configuration Server on my Server Core VM.  The updated TechNet documentation can be found here.

Here is my updated SetPullModeConfiguration.

And the output from DSC:

And the screenshot for more proof:


The FrequencyMins don’t match what I set, I am guessing there are limits to how low those can go.  Once I did that it pulled the correct Configuration down and applied it, returning the Server Core VM to the correct IP settings.