What LEGO has to do with PowerShell DSC Partial Configurations!

Do you like LEGO? do you like IT? Are you obsessive about automating stuff? This is a must read!

This post is part of a series, at the bottom you find links to the other parts. In this part we will take the next step into making your environment configurations even more manageable.

In previous post we created our active directory based upon a single DSC script. What if we want to do more configuration, like say “Allow only secure RDP connections”?
We can just add this little configuration piece to the script, and just push it again. but that’s wrong!

If you don’t have time to do it right, when will you have time to do it over?

Meet “Partial Configurations”. With this technique we can untangle the mess we have in our configuration scripts and make it more… manageable. We split up the scripts into manageable(reusable) chunks (kind of like blueprints of configurations). These chunk we can later ensemble in ways that fit our architecture.

Let use a “LEGO” metaphor to explain!

The “blueprint” chunks we create are the types of LEGO parts, we can have LEGO blocks with 1, 2, 4, 6, 8 knobs one them. We have flat pieces, normal pieces, maybe some rounded ones. You get the drift here.

Then we have a ensemble script, that’s like the manual you get with the LEGO, telling you which part goes where.

Put it into practice

Set up our building environment

In the next part we are going to use a new module called xRemoteDesktopAdmin, we first have to install this using the following command:

Install-Module xActiveDirectory
Install-Module xRemoteDesktopAdmin
The LEGO blueprints

Let’s create a blueprint: AssertDC (copied from previous post)

# A configuration to Create a new Domain Controller for a new forest
configuration AssertDC
    Import-DscResource –ModuleName 'PSDesiredStateConfiguration'
    Import-DscResource -ModuleName 'xActiveDirectory'
    Node $AllNodes.Where{$_.Role -eq "Primary DC"}.Nodename
        WindowsFeature ADDSInstall
            Ensure = "Present"
            Name = "AD-Domain-Services"
        WindowsFeature RSATTools
            DependsOn= '[WindowsFeature]ADDSInstall'
            Ensure = 'Present'
            Name = 'RSAT-AD-Tools'
            IncludeAllSubFeature = $true
        xADDomain FirstDS
            DomainName = $Node.DomainName
            DomainAdministratorCredential = $domainCred
            SafemodeAdministratorPassword = $safemodeAdministratorCred
            DependsOn = "[WindowsFeature]RSATTools"
        xWaitForADDomain DscForestWait
            DomainName = $Node.DomainName
            DomainUserCredential = $domainCred
            RetryCount = $Node.RetryCount
            RetryIntervalSec = $Node.RetryIntervalSec
            DependsOn = "[xADDomain]FirstDS"
        xADUser FirstUser
            DomainName = $Node.DomainName
            DomainAdministratorCredential = $domainCred
            UserName = $NewADUser
            Password = $NewADUserCred
            Ensure = "Present"
            DependsOn = "[xWaitForADDomain]DscForestWait"

Let’s create a blueprint: AllowSecureRDP

# A configuration to allow secure RDP connections
Configuration AllowSecureRDP
	Import-DscResource -ModuleName 'PSDesiredStateConfiguration','xRemoteDesktopAdmin'
	xRemoteDesktopAdmin TestRDP
		Ensure = 'Present'
		UserAuthentication = 'Secure'
The LEGO manual

Now let’s ensemble our environment with the blueprint we have created.

Configuration ConfigureTestMachine
	PartialConfiguration AssertDC
		Description = 'Create a Domain Controller'
		RefreshMode = 'Push'

	PartialConfiguration AllowSecureRDP
		Description = 'Enable secure RDP connections'
		RefreshMode = 'Push'
		DependsOn = '[PartialConfiguration]AssertDC'
Compile the stuff into MOF files

We now have created all the script parts we need, it time to compile it all into MOF files.

# Configuration Data for AD
$SafeModePW = 'S@fePassw0rd'
$NewADUser = 'Wouter'
$ConfigData = @{
    AllNodes = @(
            Nodename = "sp2013-dev"
            Role = "Primary DC"
            DomainName = "development.local"
            PSDscAllowPlainTextPassword = $true
            RetryCount = 20
            RetryIntervalSec = 30
# Compile the partial configuration "AssertDC"
AssertDC `
    -configurationData $ConfigData `
    -safemodeAdministratorCred (New-Object System.Management.Automation.PSCredential ('guest', (ConvertTo-SecureString $SafeModePW -AsPlainText -Force))) `
    -domainCred (New-Object System.Management.Automation.PSCredential ('Administrator', (ConvertTo-SecureString $SafeModePW -AsPlainText -Force))) `
    -NewADUserCred (New-Object System.Management.Automation.PSCredential ($NewADUser, (ConvertTo-SecureString $SafeModePW -AsPlainText -Force))) `
    -NewADUser $NewADUser `
    -outputpath c:\AssertDC

# Compile the partial configuration "AllowSecureRDP" 
AllowSecureRDP -outputpath c:\AllowSecureRDP

# Compile the "ensamble" configuration "ConfigureTestMachine " 
ConfigureTestMachine -outputpath c:\ConfigureTestMachine

For us to use these configuration scripts we first have to publish the partial configurations using the command “Publish-DscConfiguration” (read: LEGO Blueprints). Then we can push our ensemble script (read: LEGO manual) using the command Set-DscLocalConfigurationManager
This can be done by running the following commands:

Set-DscLocalConfigurationManager -Path c:\ConfigureTestMachine -Verbose
Publish-DscConfiguration -path c:\AssertDC -verbose
Publish-DscConfiguration -path c:\AllowSecureRDP -verbose
Start-DscConfiguration -UseExisting -Wait

This post is seperated into multiple parts:

  1. What is DSC?
  2. Setting up the environment for DSC
  3. Configure Active Directory with DSC
  4. What LEGO has to do with PowerShell DSC Partial Configurations! (this post)
  5. Configure IIS with DSC
  6. Install SQL with DSC
  7. Install SharePoint
  8. Configure SharePoint
External references

Validate PowerShell DSC Partial Configurations


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s