Day 8: Using Active Directory to Target Endpoints in PowerShell DSC

Welcome to Day 8 of the “100 Days of DevOps with Powershell”! For background on our goals in this series, see Announcing the “100 Days of DevOps with Powershell” Series here at SCC.

Up to this point, my primary experience with PowerShell Desired State Configuration (DSC) has been in push mode. We typically use DSC to quickly push new configurations, install utilities and even configure Microsoft System Center 2012 in our lab and training environments.

As discussed by Pete and many others, DSC can also be set up in “pull mode”, whereby each client endpoint's Local Configuration Manager pulls its configuration over either SMB or HTTP/HTTPS.

To get started, I followed Pete Zerger’s Day 1: Intro to PowerShell DSC and Configuring Your First Pull Server post to prepare my environment to show how we can use an organizational unit in Active Directory to pull a list of servers to configure in pull mode for DSC.

To quickly recap, I downloaded the xPSDesiredConfiguration module from the Microsoft TechNet gallery and unzipped the files to the %ProgramFiles%\WindowsPowerShell\modules folder.

Next, I ran the following script from Pete’s Day 1 post…

I am creating a DSC pull server on a domain controller DC01, something you should only do in the lab.

Next we need to identify the organizational unit with the list of endpoints we want to configure. Since I build most of my labs using PowerShell Deployment Toolkit, this OU should look familiar to others who also use PDT. The location we will use is OU=Servers,OU=HQ,DC=contoso,DC=com. We will create a function that pulls all systems, including their ObjectGUID, into a hash table for all our scripting operations. By using a hash table, we do not have to worry about maintaining CSV files as you see in other examples. We will also be pulling each system's ObjectGUID directly from AD, so we do not have to create a new configuration GUID that has to be tracked; we are using one that is already assigned to the system, neat!

The GetComputers function queries the Servers OU, then pulls each system's name and ObjectGUID into the hash table $ConfigData. We will use this hash table later and pass it as a parameter to our DSC scripts.

Once we have a hash table of all computer systems and their object GUIDs, we can create our DSC configuration we want to enforce on these endpoints.

AllNodes is a special keyword when building DSC configuration scripts. Notice that we defined the AllNodes key in our hash table: when we pass the hash table to a DSC script using the -ConfigurationData parameter, all of its values are available to us without using parameters! Node $AllNodes.NodeGUID will create a configuration MOF file for each system pulled back by our GetComputers function. Since we have to specify a GUID to correctly target the Local Configuration Manager of each endpoint, we will use the NodeGUID, which is the ObjectGUID from AD, instead of the node's name.

Next, we need to build the configuration MOF files and create checksums so that each Local Configuration Manager will know when a configuration changes. Once the checksums have been created, we will copy all the files to the DSC pull server's Configuration directory so that they can be served out to the endpoints. Notice that we are passing the hash table of system values we created with the GetComputers function to our TestConfig configuration using the -ConfigurationData parameter. Hash tables, whether dynamically created or created by hand, are an excellent way to maintain different configurations, such as having separate hash tables for Dev, Test and Production environments.

The last step is to configure the Local Configuration Manager of each endpoint so that they will start pulling their configurations from the DSC pull server.
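The steps above, up to publishing the MOF files, as an added example rather than the script from the original post: `ConvertTo-DscConfigData` is a hypothetical stand-in for the post's GetComputers function, the two computer objects are constructed samples in place of a live `Get-ADComputer` query, and the `File` resource and pull-server path are assumptions. It does not configure the Local Configuration Manager on the endpoints.

```powershell
# Hypothetical helper (not the post's GetComputers): computer objects -> DSC ConfigurationData
function ConvertTo-DscConfigData {
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$Computer)
    begin   { $nodes = @(); $seen = @{} }
    process {
        foreach ($c in $Computer) {
            # The GUID becomes the MOF file name, so reject anything malformed or empty.
            $guid = [guid]::Empty
            if (-not [guid]::TryParse([string]$c.ObjectGUID, [ref]$guid) -or $guid -eq [guid]::Empty) {
                Write-Warning "Skipping $($c.Name): no usable ObjectGUID"
                continue
            }
            # DSC requires NodeName to be unique within AllNodes.
            if ($seen.ContainsKey($c.Name)) { continue }
            $seen[$c.Name] = $true
            $nodes += @{ NodeName = $c.Name; NodeGUID = $guid.ToString() }
        }
    }
    end { @{ AllNodes = $nodes } }
}

# Constructed sample input standing in for:
#   Get-ADComputer -SearchBase 'OU=Servers,OU=HQ,DC=contoso,DC=com' -Filter *
$sample = @(
    [pscustomobject]@{ Name = 'SRV01'; ObjectGUID = [guid]'0f8fad5b-d9cb-469f-a165-70867728950e' }
    [pscustomobject]@{ Name = 'SRV02'; ObjectGUID = [guid]'7c9e6679-7425-40de-944b-e07fc1f90ae7' }
)
$ConfigData = $sample | ConvertTo-DscConfigData

Configuration TestConfig {
    # One MOF per GUID, so each file is named <ObjectGUID>.mof
    Node $AllNodes.NodeGUID {
        File ExampleDir {            # placeholder resource, not the post's settings
            DestinationPath = 'C:\Example'
            Type            = 'Directory'
            Ensure          = 'Present'
        }
    }
}

$out = Join-Path $env:TEMP 'TestConfig'
TestConfig -ConfigurationData $ConfigData -OutputPath $out | Out-Null
New-DscChecksum -ConfigurationPath $out -OutPath $out -Force   # writes <GUID>.mof.checksum

# Assumed default pull-server store; adjust to your pull server's configuration path.
$store = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
if (Test-Path $store) { Copy-Item "$out\*" $store -Force }
```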

You can download the completed script from my Github repository HERE.


Previous Installments

To see the previous installments in this series, visit “100 Days of DevOps with PowerShell”.
