Share this:

Before the PowerShell summit I had no idea of the existence of DSC. We had a hackathon evening where we got to work in groups creating (or rather make an attempt) a DSC Resource. I’ll admit I started out, but being in the room with Lee Homes, Don Jones and Richard Siddaway, who really wants to code then eh? It was awesome being able to interact with these guys!

Back at office I started gathering all information possible about DSC. The DSC Book @PowerShell.Org is a great place to start! If you’re anything like me, you’ll start wondering what makes DSC tick? How does it work under the hood? That’s where “Windows PowerShell Desired State Configuration Revealed” by Ravikanth Chaganti helps.

Ok I’ll go out on a limb here and make an assumption that you already know the basics so as not to bore you. 🙂 If you’re looking for a primer, have a look at Andrew Barnes (aka Scriptimus Prime) Desired State Configuration blog series. Great stuff!!!

Ok so the DSC Resource I’ve created is designed for creating an ADGroup. As luck would have it there’s already a xADUser DSC Resource, I’ve based cADGroup on the logic I found there, hey why reinvent the wheel? 😉

I like how the PowerShell team used a function ValidateProperties with an apply switch.
With -apply the configuration will be set, without only tested.

My first attempt was without using the DSCResourceDesigner. I knew the basics and started from there and I looked a lot into how things were done in xADUser. Turns out it’s not that difficult to apply

Import-Module xDSCResourceDesigner

#Define DSC parameters
$ResourceName = 'PSHOrg_cActiveDirectory'
$FriendlyName = 'cADGroup'
$DomainName = New-xDscResourceProperty -Name DomainName -Type String -Attribute Required
$GroupName = New-xDscResourceProperty -Name GroupName -Type String -Attribute Key
$GroupCategory = New-xDscResourceProperty -Name GroupCategory -Type String -Attribute Required
$GroupScope = New-xDscResourceProperty -Name GroupScope -Type String -Attribute Required
$ADSPath = New-xDscResourceProperty -Name ADSPath -Type String -Attribute Required
$DomainAdministratorCredential = New-xDscResourceProperty -Name DomainAdminCredential -Type PSCredential -Attribute Required
$Ensure = New-xDscResourceProperty -Name Ensure -Type String -Attribute Write -ValidateSet 'Present', 'Absent'

# Create the DSC resource
New-xDscResource `
   -Name 'PSHOrg_cADGroup' `
   -Property $DomainName,$GroupName,$GroupCategory,$GroupScope,$ADSPath,$DomainAdministratorCredential,$Ensure `
   -Path "C:\Program Files\WindowsPowerShell\Modules\$ResourceName" `
   -ClassVersion 1.0 `
   -FriendlyName $FriendlyName `
   -Force

So the DSCResource designer takes care of all the defaults. Things like creating the DSCResources folder, the default module and mof file. Definitely worth looking into if you want to get things right the first time!

Yeah I know, lesson learned.

Ok a quick recap:

• Get-TargetResource returns a hash table
• Test-TargetResource returns a boolean value
• Set-TargetResource, that’s where the magic happens! 🙂

Ok so what do we need to know to create a ADGroup using DSC? Staying close to xADUser I’ll use *-ADGroup cmdlets.

These are the parameters required:

• DomainName
• GroupName
• GroupScope
• ADSPath
• DomainCredentials

Loving the DSCResourceDesigner!

Now to update the module

function Get-TargetResource {
	[CmdletBinding()]
	[OutputType([System.Collections.Hashtable])]
	param
	(
		[parameter(Mandatory = $true)]
		[System.String]
		$DomainName,

		[parameter(Mandatory = $true)]
		[System.String]
		$GroupName,

		[parameter(Mandatory = $true)]
		[System.String]
		$GroupCategory,

		[parameter(Mandatory = $true)]
		[System.String]
		$GroupScope,

		[parameter(Mandatory = $true)]
		[System.String]
		$ADSPath,

		[parameter(Mandatory = $true)]
		[System.Management.Automation.PSCredential]
		$DomainAdminCredential
	)
    try {
        Write-Verbose -Message "Checking if the group $GroupName in domain $DomainName is present ..."
        $group = Get-ADGroup -Identity $GroupName -Credential $DomainAdminCredential
        Write-Verbose -Message "Group $GroupName in domain $DomainName is present."
        $Ensure = 'Present'
    }
    #Group not found
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Verbose -Message "Group $GroupName account in domain $DomainName is NOT present"
        $Ensure = 'Absent'
    }
    catch {
        Write-Error -Message "Unhandled exception looking up $GroupName account in domain $DomainName."
        throw $_
    }

    $returnValue = @{
        DomainName = $DomainName
        GroupName = $GroupName
        GroupCategory = $GroupCategory
        GroupScope =  $GroupScope
        ADSPath = $ADSPath
        Ensure = $Ensure
    }
    $returnValue
}

function Set-TargetResource {
	[CmdletBinding()]
	param
	(
		[parameter(Mandatory = $true)]
		[System.String]
		$DomainName,

		[parameter(Mandatory = $true)]
		[System.String]
		$GroupName,

		[parameter(Mandatory = $true)]
		[System.String]
		$GroupCategory,

		[parameter(Mandatory = $true)]
		[System.String]
		$GroupScope,

		[parameter(Mandatory = $true)]
		[System.String]
		$ADSPath,

		[parameter(Mandatory = $true)]
		[System.Management.Automation.PSCredential]
		$DomainAdminCredential,

		[ValidateSet('Present','Absent')]
		[System.String]
		$Ensure
	)

    try {
        ValidateProperties @PSBoundParameters -Apply
    }
    catch {
        Write-Error -Message "Error setting ADGroup $GroupName in domain $DomainName. $_"
        throw $_
    }

}

function Test-TargetResource
{
	[CmdletBinding()]
	[OutputType([System.Boolean])]
	param
	(
		[parameter(Mandatory = $true)]
		[System.String]
		$DomainName,

		[parameter(Mandatory = $true)]
		[System.String]
		$GroupName,

		[parameter(Mandatory = $true)]
		[System.String]
		$GroupCategory,

		[parameter(Mandatory = $true)]
		[System.String]
		$GroupScope,

		[parameter(Mandatory = $true)]
		[System.String]
		$ADSPath,

		[parameter(Mandatory = $true)]
		[System.Management.Automation.PSCredential]
		$DomainAdminCredential,

		[ValidateSet('Present','Absent')]
		[System.String]
		$Ensure
	)

    try {
        $parameters = $PSBoundParameters.Remove('Debug');
        ValidateProperties @PSBoundParameters
    }
    catch {
        Write-Error -Message "Error testing AD User $UserName in domain $DomainName. $_"
        throw $_
    }
}

function ValidateProperties {
    param (
        [Parameter(Mandatory)]
        [string]$DomainName,

        [Parameter(Mandatory)]
        [string]$GroupName,

        [Parameter(Mandatory)]
        [string]$GroupCategory,

        [Parameter(Mandatory)]
        [string]$GroupScope,

        [Parameter(Mandatory)]
        [string]$ADSPath,

        [Parameter(Mandatory)]
        [PSCredential]$DomainAdminCredential,

        [ValidateSet('Present','Absent')]
        [string]$Ensure,          

        [Switch]$Apply
    )

    # Check if group exists
    try {
        Write-Verbose -Message "Checking if the group $GroupName in domain $DomainName is present ..."
        $group = Get-ADGroup -Identity $GroupName -Credential $DomainAdminCredential

        if ($group) {
            Write-Verbose -Message "Group $GroupName in domain $DomainName is present."
            if( $Apply ) {
                if ($Ensure -ne 'Present'){
                    Remove-ADGroup -Identity $GroupName -Credential $DomainAdminCredential -Confirm:$false
                    Write-Verbose -Message "Group $GroupName account in domain $DomainName has been deleted"
                }
            }
            Else{
                return ($Ensure -eq 'Present')
            }
        }
    }
    #Group not found
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Verbose -Message "Group $GroupName account in domain $DomainName is NOT present"
        if($Apply) {
            if( $Ensure -ne 'Absent' ) {
                $params = @{
                    Name = $GroupName
                    SamAccountName = $GroupName
                    GroupCategory = $GroupCategory
                    GroupScope = $GroupScope
                    Path = $ADSPath
                    Credential = $DomainAdminCredential
                }
                New-ADGRoup @params
                Write-Verbose -Message "Group $GroupName account in domain $DomainName has been created"
            }
        }
        else {
            return ( $Ensure -eq 'Absent' )
        }
    }
}

Export-ModuleMember -Function *-TargetResource

At the heart of it is the ValidateProperties function. Did I mention that I like the way the PowerShell team solved this? 🙂 The logic is as follows:

See if the group exists. If apply switch has been provided and Ensure is ‘Absent’ then remove the group, else return (Ensure -eq Present). If the group doesn’t exist (using catch ADIdentityNotFoundException) see if apply switch has been provided. if Ensure isn’t equal to Absent create the group, else return (Ensure -eq Absent)

I’ll admit, I had to revise it quite a few times. The Test-TargetResource is the trickiest part in my opinion.

Here’s the code code create the mof files, Ofcourse this works in my environment:

$ConfigData = @{
    AllNodes = @(
        @{
            NodeName                    = '*'
            PSDscAllowPlainTextPassword = $True
        }
        @{
            NodeName     = 'dc-dsc-01'
        }
    )
}
configuration CreateDomainGroup{
  param(
    [string[]]$ComputerName,
    [string]$UserDomain,
    [pscredential]$Credential
  )

  Import-DscResource -ModuleName 'PSHORG_cActiveDirectory'

  node $ComputerName{

    cADGroup ComputerAdminGroup {
        Ensure = 'Present'
        GroupName = "DEL-$ComputerName-ADM"
        GroupScope = 'Global'
        GroupCategory = 'Security'
        ADSPath = 'OU=Delegation,OU=Resources,DC=pshirwin,DC=local'
        DomainName = $UserDomain
        DomainAdminCredential = $Credential
    }
  }
}

$Cred = Get-Credential

CreateDomainGroup -Credential $Cred -ConfigurationData $ConfigData -OutputPath "$pwd\modules\CreateDomainGroup" -ComputerName 'DC-DSC-01' -UserDomain $env:USERDOMAIN
Start-DscConfiguration -Path .\modules\CreateDomainGroup -Wait -Verbose -ComputerName DC-DSC-01 -Force

I know PSDSCAllowPlainTextPasswords are not done! Baby steps… 🙂

Now for something different
So that was my first attempt at creating a DSC Resource. I was quite proud of myself! But then I started thinking (Oh boy here we go…) Deleting and Creating Security Groups means that even though the object looks the same, the SID (Security Identifier) will be different. If for some reason after an extended period of time the group has been deleted (using a script or adac or dsa, take your pick) It will be recreated, only it will have a different SID.  Any resource that’s using that group (Think NTFS security rights) will have a rogue ACE entry. So in this case, configuring the LocalConfigurationManager to ‘ApplyOnly’ might be a wise choice. And as I’m writing this…  if you want more in-depth knowledge have a look at Ravikanth Chaganti book!

Infrastructure, make way for DSC

The future versions of DSC will be based on DSC Classes, that’s how quick DSC is evolving. DSC Classes does require WMF 5.0 at the moment. if you’re interested in PowerShell & Classes have a look at Doug Finke’s blog on the subject And if you really wanna get started with DSC Classes, Ben Gelens has just the thing for you, a DSC Class template!!! Gotta love the PowerShell community!!!

This just in: Microsoft Publishes DSC Resource Kit in GitHub.

I guess GitHub will be where we can get hands on DSC Resources in the future!

DSC is rapidly taking over the Infrastructure scene, so hop on while you still can! The best way to learn about DSC is by using it! I know this doesn’t cover all the ins and outs, but I hope it has conviced you that you should be looking into DSC…

Ttyl,

Urv

You down with DSC? Yeah you know me!!!

‘Sup, PSHomies? Oh it’s not a thing yet but it will be… 😉

Back on the DSC wagon. My takeaway from the 2014 European PowerShell Summit was that DSC is where it’s at! Then at TechEd 2014@Barcelona, I saw Mark Russinovich openly embrace Docker, I knew something was up.

Yesterday (08-04-2015) Jeffrey Snover announced the nano server!!! What??? You’re not excited??? Here’s why you should be.

Here’s an excerpt from the announcement:

All management is performed remotely via WMI and PowerShell. We are also adding Windows Server Roles and Features using Features on Demand and DISM. We are improving remote manageability via PowerShell with Desired State Configuration as well as remote file transfer, remote script authoring and remote debugging. We are working on a set of new Web-based management tools to replace local inbox management tools.

You had me at PowerShell… As for DSC, well that’s just gravy! When Jeffrey Snover tells you to invest in something, don’t second guess, just do it!!!

So that’s why we needed to get on the DSC bandwagon! If you’re a Infrastructure guy, you can’t afford not to invest time and effort in learning PowerShell & DSC!

Here’s the official announcement: Microsoft Announces Nano Server for Modern Apps and Cloud

Need a jumpstart learning DSC? Hop on over to MVA: Getting Started with PowerShell Desired State Configuration (DSC) and learn from the mastermind himself!!!

There’s no shortage of DSC Resources. Have a look at the latest wave: DSC wave 10. When I first got introduced to DSC, wave 7 was just out. That’s how fast DSC is evolving…

It’s a new era for IT…

Ttyl,

Urv

SMA & DSC a winning team!

SMA (Service Management Automation) & DSC (Desired State Configuration) are part of Microsoft’s arsenal for deploying and configuring Microsoft Cloud Infrastructure.

Both are based on PowerShell so that’s a great thing. I have a general idea what DSC is all about (thanks to the PowerShell Summit). I wasn’t familiar with SMA (then again I do know something about Orchestrator, I’ll explain later) until TechEd 2014 @Barcelona. I like where SMA is heading. Both are exciting and new. But when, and more importantly, where do you use them?

So when do you use SMA and when do you use DSC?
Good question. The way the PowerShell team explained it is this: “Everything that needs to be configured inside a VM think DSC. When scripting at a VM think SMA”

DSC
DSC deals with configurations declaratively. Traditional scripts are imperative by design. Think SQL syntax and you get an idea what declarative is. DSC’s strength is preventing configuration drift. Seriously, The DSC Book does a way better job at explaining DSC.

While I understand what the benefits are of DSC, creating and maintaining a DSC Resource is quite the challenge! And at the speed Microsoft is bringing DSC Resources to the masses, the Wave is starting to feel more like a Tsunami…

The latest wave, has a 53% increase! I’ll say that again, 53%… I’ve been chipping away diligently at DSC and I’ve been working on a DSC Resource for ADGroup. It took some time, because I wanted to understand what DSC is up to under the hood. I worked through the DSC Resource book and lots of blogs. The book “Windows PowerShell Desired State Configuration Revealed” also helped a great deal. The best way to learn DSC is by doing. But be prepared for the challenges ahead… I’ll be sure to blog about my adventures creating my very first DSC Resource.

Seeing the speed the Waves are coming you might ask yourself, is it worth creating your own DSC Resource? Learning how and when to use DSC is challenging enough already! The transition to DSC isn’t going to be overnight, but at the same time you can’t really afford not to look into it. So yes, by all means look into it. Don’t be too overwhelmed by the amount of DSC Resources available. My first time opening a DSC Resource module that wasn’t my forte, I kinda felt like a deer caught in the headlights. Sure with a little (ok, a lot 😉 ) effort I could figure out what’s going on. But creating , even using this DSC Resource? Yeah… Imma gonna pass…

Look into DSC Resources within your chosen technology. Having PowerShell skills won’t make you an expert in all of the DSC Resources available, you still need a basic understanding of what that specific DSC Resource will resolve.

SMA
SMA is the runner-up for Orchestrator (formerly known as Opalis). I recently did a project that relied heavily on Orchestrator for workflow automation and I remembered thinking “why aren’t we using PowerShell workflow?” Well with SMA we most certainly are! SMA’s automation engine is based on PowerShell workflows. Nice! In hindsight, SMA would have been a better fit for the project I did, seeing that the project members had PowerShell skill and no Orchestrator skills. For those that are worried that their Runbooks will be obsolete soon, don’t worry, that isn’t going to happen any time soon. Microsoft’s advice is “if you’re new to Automation and thinking about using Orchestrator and you have PowerShell skills, start with SMA. If you’re heavily invested in Orchestrator we got you covered, keep on using it. In time, there will be conversion tools…”

The challenge with SMA isn’t PowerShell per se, but the process that needs to be automated. There is no right or wrong way, just prefered way. The process has to be reproducible, ideally without human intervention. A sure way to stagnate your automation endeavor, is to try automate while reinventing or at times, inventing the process as you go along. If your process sucks, automation won’t change that, it’ll still suck, only faster. I haven’t looked into SMA yet, but I’ve heard great things from a colleague of mine who has.

Well that’s it for now. Is there an order to start learning SMA or DSC? I haven’t looked into SMA yet. DSC is readily available. Try using the Built In DSC Resources. Download the latest DSC Resource Wave. Open the DSC Resource modules that fall within your chosen technology. Get ready to be awed by the scripting talent of the PowerShell team! Oh and… don’t forget to have fun along the way… 🙂

Ain’t PowerShell grand! 🙂

Ttyl,

Urv

DSC vs GPO, can they play nicely together?

I have no doubt in my mind that DSC is going to be a private/public cloud infrastructure designer’s best friend.

What makes DSC a necessity? Haven’t we been doing well so far? Steven Murawski does a far better job of explaining this (just gonna paraphrase here for a minute…)

“The reason DSC is important is because the more steps involving human interaction, allows for more potential failure points.”

So minimizing human interaction is essential to minimizing failure points. That’s always a good thing. The lesser the failure points the better the process. Makes sense.

Now Group Policy has been around for quite some time. When it comes to troubleshooting and editing, gpmc.msc is your go-to tool. With Group Policies its all about managing Domains. If you’re not part of a domain, well then you’re out of luck… that is until DSC.

Ok, I’m new to blogging game so I need to be careful posting information from other sources. The DSC Resource book at powershell.org explains the DSC vs GPO quite well. Have at it 🙂

My first thought on DSC in an environment using GPO’s is… Will they get in each others way? and if so who has the last say in the matter? Troubleshooting just got a whole lot complicated! All of a sudden, I’m starting to think about refresh intervals of both GPO & DSC and how or if I should think about manipulating them… What happens if my GPO settings resets my DSC settings? Or vice versa? This is madness!!! Ok Urv, take a deep breath… Whooozaaa…

I guess DSC isn’t going to replace GPO any time soon. I found a link from Darren Mar-Elia on the subject. He made some very valid points concerning the strength and weakness of both products. DSC is excellent as a configuration management platform for Windows Servers. DSC will also work for Workstation, but Servers are the obvious target here.

So let’s not abandon the old for the shiny just yet shall we? Remember “use the right tool for the right job”

I will say this in DSC’s defense, it got me thinking about the life cycle of resources. It’s one thing to have a resource in a desired state, disposing of them also needs to be handled properly.

I guess time will tell if DSC will be the ultimate configuration tool… Learning DSC will be a good investment, Microsoft is betting everything on it…

Ttyl,

Urv

DSC, the right tool for…

So I just got back from the very first European PowerShell Summit, Just one word to describe it… AWESOME!!!

We had a DSC (Desired State Configuration) hackathon Monday evening of the  Summit. It was just really cool interacting with Lee Holmes ,Steve Murawski, Don Jones & Richard Siddaway.

The main take away from the Summit is that DSC is going to change how we design, deploy and administer Infrastructures, in the cloud or private. DSC was THE recurring theme every day of the Summit.

Now as a PowerShell enthusiast you could easily get carried away with DSC. While I do understand and appreciate the added value DSC will give us, it’s not a wildcard for every problem/issue in your Infrastructure… Yet! :-).

“if all you have is a hammer, everything looks like a nail”

So I asked Richard Siddaway what his take on DSC is. Richard’s advice is simple: “Make sure you understand and use the right tool for the right job”. I couldn’t agree more!

DSC is the next step in the evolution of IT Administration. DSC is also going to thin out the IT admin crowd considerably. The “click generation” admins is coming to an end.

When you think DSC, think of Infrastructure components that need to stay the same indefinitely. Routers & Switches? Definitely!!! Web Server / Citrix / Hyper-V farms ? Oh yeah!!!
Now I’m all excited, what’s next (I got my hammer ready!!!)?

Basically anything you can or want to configure on a system/component/node, you can do so with DSC, but should you?

Let’s consider something as trivial as getting an IP address. With DSC you could deploy NIC configurations right? No more dynamic IP Addresses, it’s static all the way!!! Sure you could do that, but would you want to? Of course not. Having said that, DSC is really interesting when it comes to DHCP Server Options, Scopes & Reservations. How often do you redesign your network? Not very often I hope… Here’s where DSC will shine.

When it comes to configuring anything ask yourself: “will this state stay so indefinitely?” If the answer is yes then you should be thinking of DSC.

It’s good to embrace new technology as DSC, just don’t throw the old out yet. Every new version of PowerShell is an improvement on the former and one day it will be the only tool you’ll ever need. But until that time “Make sure use the right tool for the right job…”

HTH

Ttyl,

Urv

PS. Be sure to get a copy of the DSC Resource Book at powershell.org. It’ll give you a better understanding about DSC and how to get started… It’s something you need to learn!