Automating the world one-liner at a time…
DSC is a PowerShell extension that is part of Windows Server 2012 R2 and Windows 8.1. DSC enables deploying and managing configuration data for software services and managing the environment in which these services run.
A DSC Pull Server is a web-based endpoint, with an OData interface. This server allows nodes to “Pull” Configuration such as providers on a periodic basis. This functionality is useful in environments where there are a large number of target nodes to configure, and where the target nodes need the right configuration as they come online, and to check periodically for configuration updates. The “Pull” mechanism is a highly scalable mechanism to deploy specific environments on machines.
This blog is about the process of setting up a Pull Server using a DSC configuration.
DSC Configuration and Resource:
The following configuration enables to setup a Pull/Compliance Server at a specified IIS endpoint (Port/Web-Site Name). There is capability to setup HTTP/HTTPS based endpoints.
MOF for the DSC Resource:
Module that implements the DSC *-TargetResource cmdlets:
Module for setting up a Management OData (PSWS) IIS Endpoint – Required for Pull Server:
Here is a walkthrough of setting up a Pull Server on a Windows Server machine.
1) Unzip DSCPullServerConfiguration.zip to $env:systemdrive
2) Deploy DSC Resources (module that implements DSC *-TargetResource cmdlets, MOF etc) to Program Files
3) Run the configuration to setup Pull and Compliance Server OData-IIS endpoints (Note: This sample generates a self-signed cert –using makecert.exe for the HTTPS endpoint)
4) Navigate to the Pull Server OData IIS endpoint
That’s it! Your Pull Server is ready for use.
Updated on 12/27/2013: Removing the older version of resource. For most recent version, go here
Thanks, Raghu Shantha [MSFT]
Very nice example of how to create a DSC Pull and Compliance server. I have a question about the compliance server. Via an OData request I wanted to create a new entry to test its functionality but I got a "method or operation not implemented". Does this mean that this functionality is not operational ?
HI Raghu. Thanks for this article! it s great! jut a quick question, please. Is it possible to run DSC Pull Server on Windows 2008 R2?
if you can install the WMF 4.0 stuff on 2008 R2 I think the answer is yes. I know when I trialed this out I used a windows 2012 vanilla server and an 8.1 client. I had to install the WMF 4.0 update on my server in order to get the new DSC stuffs.
I have posted a new guide on the Petri KB (Petri.co.il), Due to the changes published on the 27/12/2013 to update the steps which are no longer accurate
Import-DSCResource -ModuleName xPSDesiredStateConfiguration
Ensure = "Present"
Name = "DSC-Service"
Ensure = "Present"
EndPointName = "PSDSCPullServer"
CertificateThumbprint = $certificateThumbprint
PhysicalPath = "C:\inetpub\wwwroot\PSDSCPullServer"
ConfigurationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
ModulePath = "$env:ProgramFiles\WindowsPowerShell\DscService\Modules"
Port = 80
IsComplianceServer = $false
State = "Started"
DependsOn = "[WindowsFeature]DSCServiceFeature"
EndPointName = "PSDSCComplianceServer"
CertificateThumbprint = "AllowUnencryptedTraffic"
PhysicalPath = "C:\inetpub\wwwroot\PSDSCComplianceServer"
Port = 81
IsComplianceServer = $true
The example at gallery.technet.microsoft.com/xPSDesiredStateConfiguratio-417dc71d also has the new namings.
Is it possible to install the DSC pull server on a NLB set of servers?
Be sure to note the use of a self signed certificate and how that affects a remote client. Since that remote client won't be able to use HTTPS without a common root certificate authority.
This affects different scenarios differently - such as domain joined, vs. non domain joined vs. non-trusted domains as the big ones (the Pull Server and the clients).
Excellent I can now get a better understanding of DSC. Question currently im using v3 and i have WMF 4.0 installed. Can you tell me how i can use v4 cmdlets by default?
See this link if you run into the ESENT Interop error when browsing the service page: