Demo DSC – Part 1

This is the first in a series of posts outlining how I presented a demo of Desired State Configuration (DSC) for the organization I work for. This was never intended to demonstrate all the features and capabilities of DSC (there’s a lot!), but instead was done to show at a high level the kinds of things that are possible and to start a discussion about where it fits into our organization immediately and going forward.

My demo was done using 4 Server 2012 R2 Virtual Machines on a single VMware ESXi host. Because this environment was in a lab (with some unique networking challenges) and to make things easier for me during the demo, I just copied the set of files from a Windows 8.1 machine on the same network as the host onto each VM individually. I built and ran this demo using Wave 9 DSC Resources. I switched to Wave 10 halfway through and had a problem with the xComputerManagement Resource (in Wave 10 it doesn’t properly evaluate whether or not the Computer Names match), and switched back to Wave 9 after that to avoid any further problems. You will also notice in the script that I hardcoded credentials, which is definitely not the recommended way to do it in a production environment.

The first thing I wanted to do was to build a Domain Controller on a brand new domain, which would be the foundation for showcasing other features of DSC in the rest of the demo. My outline for this part of the demo looked like this:

  1. Show New Server Build
    1. Show how nothing is configured (name, domain, time zone, IEESC, IP address etc)
    2. Open ISE, Run BuildDC Script. Show computer rename and restart section.
    3. Will restart – Talk about what just happened.
  2. Continue Server Build Post Reboot
    1. Login after reboot, show post Reboot scheduled task kicking off
      1. Show IP address change
      2. Wait for restart again (Approx 3:15 total at this point)
    2. Login after restart with Domain credentials
      1. Show Firewall Status
      2. Event Log Configuration
      3. Time Zone Configuration
  3. Run entire Configuration again to show nothing happens.

Here is the BuildDC Configuration Script in its entirety. It’s also available on GitHub.

 

$ConfigData = @{
    AllNodes = @(
        @{NodeName = 'localhost';
          PSDSCAllowPlainTextPassword = $True
          }
    )
 
}
 
Configuration BuildDC{
 
    Param(
 
        [parameter(Mandatory=$True)]
        [ValidateNotNullorEmpty()]
        [string]$NodeName,
 
        [parameter(Mandatory=$True)]
        [ValidateNotNullorEmpty()]
        [string]$ComputerName,
 
        [parameter(Mandatory=$True)]
        [ValidateNotNullorEmpty()]
        [string]$Domain,
 
        [parameter(Mandatory=$True)]
        [ValidateNotNullorEmpty()]
        [string]$IP,
 
        [parameter(Mandatory=$True)]
        [ValidateNotNullorEmpty()]
        [string]$Gateway,
 
        [parameter(Mandatory=$True)]
        [ValidateNotNullorEmpty()]
        [string]$Subnet
 
        #[pscredential]$DomainAdminCred,
        #[pscredential]$SafeModeAdminCred
 
    )#Param
 
    #unsecure, not safe or recommended way to do this
    $Creds = ConvertTo-SecureString "Passw0rd!" -AsPlainText -Force
    $DomainAdminCred = New-Object System.Management.Automation.PSCredential ("Administrator", $Creds)
    $SafeModeAdminCred = New-Object System.Management.Automation.PSCredential ("Administrator", $Creds)
 
    Import-DscResource -ModuleName xActiveDirectory,xNetworking,xComputerManagement,xPendingReboot,xSystemSecurity,xRemoteDesktopAdmin,xTimeZone,xWinEventLog
 
    Node $NodeName{
 
        LocalConfigurationManager{
            RebootNodeifNeeded = $True
        }
 
        xComputer RenameDC{
           Name = $ComputerName
       }
 
        File Scripts{
            Ensure = "Present"
            Type = "Directory"
            DestinationPath = "C:\Scripts"
        }
 
        xIEESC SetAdminIEESC{
            UserRole = "Administrators"
            IsEnabled = $False           
        }
 
        xUAC UAC{
            # This setting disables UAC entirely on the node
            Setting = "NeverNotifyAndDisableAll"
        }
 
        xTimeZone ServerTime{
            TimeZone = "Central Standard Time"
 
        }
 
        xRemoteDesktopAdmin RemoteDesktopSettings
        {
           Ensure = 'Present'
           # 'Nonsecure' allows RDP connections without Network Level Authentication
           UserAuthentication = 'Nonsecure'
        }
 
        xIPAddress SiteDCIP{
            IPAddress = $IP
            DefaultGateway = $Gateway
            SubnetMask = $Subnet
            AddressFamily = "IPv4"
            InterfaceAlias = "Ethernet"
            DependsOn = "[File]Scripts"
        }
 
        WindowsFeature AD-Domain-Services {
            Ensure = "Present"
            Name   = "AD-Domain-Services"
            DependsOn = "[xIPAddress]SiteDCIP"
        }
        WindowsFeature RSAT-AD-AdminCenter {
            Ensure = "Present"
            Name   = "RSAT-AD-AdminCenter"
        }
        WindowsFeature RSAT-ADDS {
            Ensure = "Present"
            Name   = "RSAT-ADDS"
        }
        WindowsFeature RSAT-AD-PowerShell {
            Ensure = "Present"
            Name   = "RSAT-AD-PowerShell"
        }
        WindowsFeature RSAT-AD-Tools {
            Ensure = "Present"
            Name   = "RSAT-AD-Tools"
        }
        WindowsFeature RSAT-Role-Tools {
            Ensure = "Present"
            Name   = "RSAT-Role-Tools"
        }
        WindowsFeature Telnet-Client{
            Ensure = "Present"
            Name = "Telnet-Client"
        }
 
        Service ADDomainWebServices{
            State = "Running"
            StartupType = "Automatic"
            BuiltInAccount = "LocalSystem"
            Name = "ADWS"
        }
 
        xADDomain BuildSiteDC{
            DomainAdministratorCredential = $DomainAdminCred
            SafeModeAdministratorPassword = $SafeModeAdminCred
            DomainName = $Domain
            DependsOn = "[WindowsFeature]AD-Domain-Services","[Service]ADDomainWebServices"                     
        }
 
        xPendingReboot PostDomainDeploy{
            Name = "Test for reboot after building a domain"
        }
        
        xDNSServerAddress DCDNS{
            Address = $IP
            InterfaceAlias = "Ethernet"
            AddressFamily = "IPv4"
            DependsOn = "[xPendingReboot]PostDomainDeploy"
        }
        
        xWinEventLog DirectoryService{
            LogName = "Directory Service"
            DependsOn = "[xDNSServerAddress]DCDNS"
            LogMode = "Circular"
            MaximumSizeInBytes = 16MB
        }
        
 
    }#Node
 
 
}#Configuration
 
BuildDC -NodeName localhost -Domain YourDomain.com -IP $SomeIP -Gateway $SomeGateway -Subnet 24 -OutputPath C:\Scripts\BuildDC -ConfigurationData $ConfigData -ComputerName $YourComputerName
Set-DscLocalConfigurationManager -Path $YourPath
Get-DSCLocalConfigurationManager
Start-DscConfiguration -Wait -Force -Verbose -Path $YourPath
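
The script above compiles the password into the MOF in clear text because of PSDSCAllowPlainTextPassword. The following is an added example, not part of the original post or its GitHub repository, showing the same xADDomain resource (other resources trimmed) with credentials passed as parameters and encrypted in the MOF by a certificate. The configuration name BuildDCSecure, the certificate file path, and the thumbprint are placeholders assumed for illustration.

```powershell
# Added example: certificate-encrypted credentials instead of a hardcoded password.
# CertificateFile path and Thumbprint are placeholders; the matching private key
# must be in Cert:\LocalMachine\My on the node that applies the MOF.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            CertificateFile = 'C:\Scripts\DscPublicKey.cer'      # placeholder path
            Thumbprint      = '<CERT-THUMBPRINT-PLACEHOLDER>'    # placeholder value
            # PSDscAllowPlainTextPassword is intentionally absent
        }
    )
}

Configuration BuildDCSecure {
    Param(
        [Parameter(Mandatory=$True)][string]$Domain,
        [Parameter(Mandatory=$True)][pscredential]$DomainAdminCred,
        [Parameter(Mandatory=$True)][pscredential]$SafeModeAdminCred
    )
    Import-DscResource -ModuleName xActiveDirectory
    Node $AllNodes.NodeName {
        LocalConfigurationManager {
            RebootNodeIfNeeded = $True
            CertificateID      = $Node.Thumbprint   # LCM decrypts with this cert
        }
        WindowsFeature AD-Domain-Services {
            Ensure = 'Present'
            Name   = 'AD-Domain-Services'
        }
        xADDomain BuildSiteDC {
            DomainName                    = $Domain
            DomainAdministratorCredential = $DomainAdminCred
            SafeModeAdministratorPassword = $SafeModeAdminCred
            DependsOn                     = '[WindowsFeature]AD-Domain-Services'
        }
    }
}
# Prompt for the secrets at compile time so they never live in the script
$DomainAdmin = Get-Credential -UserName 'Administrator' -Message 'Domain admin'
$SafeMode    = Get-Credential -UserName 'Administrator' -Message 'DSRM password'
$OutPath     = 'C:\Scripts\BuildDCSecure'
BuildDCSecure -Domain 'YourDomain.com' -DomainAdminCred $DomainAdmin `
    -SafeModeAdminCred $SafeMode -ConfigurationData $ConfigData -OutputPath $OutPath
# Check: the compiled MOF must not contain the password in clear text
$plain = $DomainAdmin.GetNetworkCredential().Password
if (Select-String -Path "$OutPath\*.mof" -SimpleMatch $plain -Quiet) {
    throw 'Plaintext password found in MOF; encryption was not applied.'
}
```

Apply the result with Set-DscLocalConfigurationManager first, so the LCM knows which certificate to decrypt with, and then Start-DscConfiguration, in the same order as the original script.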
