Advanced DSC Pull Server Configuration Script
# This is an advanced Configuration example for Pull Server production deployments on Windows Server 2012 R2.
# Many of the features demonstrated are optional and are included to show how to adapt the Configuration to multiple scenarios.
# Select the needed resources based on the requirements of each environment.
# Optional scenarios include:
# * Reduce footprint to Server Core
# * Rename server and join domain
# * Switch from SSL to TLS for HTTPS
# * Automatically load certificate from Certificate Authority
# * Locate Modules and Configuration data on remote SMB share
# * Manage state of default websites in IIS
# Script parameters. ServerName and Credential are required; the remaining parameters feed the
# optional scenarios (domain join, CA enrollment, SMB-hosted modules) and are passed through to
# the localhost node's configuration data unchanged.
param (
    # Name the server will be given by the xComputer resource (required).
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string] $ServerName,

    # Domain to join; see the DomainJoin note in the configuration if the server is not joining a domain.
    [string] $DomainName,

    # Enterprise CA identity used by xCertReq to request the HTTPS certificate.
    [string] $CARootName,
    [string] $CAServerFQDN,

    # Subject of the certificate to request and to bind the pull server endpoint to.
    [string] $CertSubject,

    # UNC root under which DscService\Modules and DscService\Configuration are located.
    [string] $SMBShare,

    # Account used for the domain join and the certificate request (required).
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [PSCredential] $Credential
)
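Configuration PullServer {
    # Resource modules used below: xDSCWebService (xPSDesiredStateConfiguration),
    # xWebsite / xWebConfigKeyValue (xWebAdministration), xCertReq (xCertificate),
    # xComputer (xComputerManagement).
    Import-DscResource -ModuleName xPSDesiredStateConfiguration, xWebAdministration, xCertificate, xComputerManagement

    # Every $Node.<Key> value comes from the AllNodes entry passed in via -ConfigurationData.
    Node localhost
    {
        # Configure the LCM to automatically correct configuration drift, including reboots if needed.
        # CertificateId must be the thumbprint of the certificate whose public half is referenced as
        # CertificateFile in the configuration data; the LCM uses it to decrypt credentials in the MOF.
        LocalConfigurationManager
        {
            ConfigurationMode  = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded = $Node.RebootNodeIfNeeded
            CertificateId      = $Node.Thumbprint
        }

        # Remove all GUI interfaces so the server has a minimum running footprint.
        # Removing this feature typically requires a reboot, which RebootNodeIfNeeded permits.
        WindowsFeature ServerCore
        {
            Ensure = 'Absent'
            Name   = 'User-Interfaces-Infra'
        }

        # Set the server name and, if needed, join a domain.
        # If not joining a domain, remove the DomainName parameter.
        xComputer DomainJoin
        {
            Name       = $Node.ServerName
            DomainName = $Node.DomainName
            Credential = $Node.Credential
        }

        # The next series of settings disable SSL 2.0 / SSL 3.0 and enable TLS 1.2 for environments
        # where that is required by policy. These SCHANNEL keys apply to every TLS consumer on the
        # host (IIS, WinRM, ...), not only to the pull server endpoint.
        Registry TLS1_2ServerEnabled
        {
            Ensure    = 'Present'
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
            ValueName = 'Enabled'
            ValueData = 1
            ValueType = 'Dword'
        }
        Registry TLS1_2ServerDisabledByDefault
        {
            Ensure    = 'Present'
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
            ValueName = 'DisabledByDefault'
            ValueData = 0
            ValueType = 'Dword'
        }
        Registry TLS1_2ClientEnabled
        {
            Ensure    = 'Present'
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
            ValueName = 'Enabled'
            ValueData = 1
            ValueType = 'Dword'
        }
        Registry TLS1_2ClientDisabledByDefault
        {
            Ensure    = 'Present'
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
            ValueName = 'DisabledByDefault'
            ValueData = 0
            ValueType = 'Dword'
        }
        Registry SSL2ServerDisabled
        {
            Ensure    = 'Present'
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'
            ValueName = 'Enabled'
            ValueData = 0
            ValueType = 'Dword'
        }
        # Disabling only SSL 2.0 leaves SSL 3.0 negotiable; disable it as well so the
        # "switch from SSL to TLS" scenario actually rules out every SSL version.
        Registry SSL3ServerDisabled
        {
            Ensure    = 'Present'
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'
            ValueName = 'Enabled'
            ValueData = 0
            ValueType = 'Dword'
        }

        # Load the Windows Server DSC Service feature (this also brings in IIS).
        WindowsFeature DSCServiceFeature
        {
            Ensure = 'Present'
            Name   = 'DSC-Service'
        }

        # If using a certificate from a local Active Directory Enterprise Root Certificate Authority,
        # complete a request and install the certificate. Remove this resource (and the matching
        # DependsOn entry on PSDSCPullServer) when the certificate is provisioned some other way.
        xCertReq SSLCert
        {
            CARootName   = $Node.CARootName
            CAServerFQDN = $Node.CAServerFQDN
            Subject      = $Node.CertSubject
            AutoRenew    = $Node.AutoRenew
            Credential   = $Node.Credential
        }

        # Use the DSC Resource to simplify deployment of the web service. You might also consider
        # modifying the default port, possibly leveraging port 443 in environments where that is
        # enforced as a standard.
        # The literal 'CertificateSubject' in CertificateThumbPrint appears to tell xDSCWebService to
        # resolve the certificate by CertificateSubject rather than by a fixed thumbprint — confirm
        # against the installed xPSDesiredStateConfiguration version.
        # The endpoint is bound to the certificate by subject, so the certificate must already be in
        # the store: depend on SSLCert in addition to the DSC-Service feature.
        xDSCWebService PSDSCPullServer
        {
            Ensure                = 'Present'
            EndpointName          = 'PSDSCPullServer'
            Port                  = 8080
            PhysicalPath          = "$env:SYSTEMDRIVE\inetpub\wwwroot\PSDSCPullServer"
            CertificateThumbPrint = 'CertificateSubject'
            CertificateSubject    = $Node.CertSubject
            ModulePath            = "$($Node.SMBShare)\DscService\Modules"
            ConfigurationPath     = "$($Node.SMBShare)\DscService\Configuration"
            State                 = 'Started'
            DependsOn             = '[WindowsFeature]DSCServiceFeature', '[xCertReq]SSLCert'
        }

        # Validate the web.config file contains the current database settings
        # (Jet / OLE DB device database on Windows Server 2012 R2).
        xWebConfigKeyValue CorrectDBProvider
        {
            ConfigSection = 'AppSettings'
            Key           = 'dbprovider'
            Value         = 'System.Data.OleDb'
            WebsitePath   = 'IIS:\sites\PSDSCPullServer'
            DependsOn     = '[xDSCWebService]PSDSCPullServer'
        }
        xWebConfigKeyValue CorrectDBConnectionStr
        {
            ConfigSection = 'AppSettings'
            Key           = 'dbconnectionstr'
            Value         = 'Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Program Files\WindowsPowerShell\DscService\Devices.mdb;'
            WebsitePath   = 'IIS:\sites\PSDSCPullServer'
            DependsOn     = '[xDSCWebService]PSDSCPullServer'
        }

        # Stop the default website so nothing other than the pull server endpoint is served.
        xWebsite StopDefaultSite
        {
            Ensure       = 'Present'
            Name         = 'Default Web Site'
            State        = 'Stopped'
            PhysicalPath = 'C:\inetpub\wwwroot'
            DependsOn    = '[WindowsFeature]DSCServiceFeature'
        }
    }
}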
# Configuration data for the single localhost node. Every key read as $Node.<Key> inside the
# PullServer configuration must be defined here.
$localhostNode = @{
    NodeName           = 'localhost'

    # Values supplied by the script parameters.
    ServerName         = $ServerName
    DomainName         = $DomainName
    CARootName         = $CARootName
    CAServerFQDN       = $CAServerFQDN
    CertSubject        = $CertSubject
    SMBShare           = $SMBShare
    Credential         = $Credential

    # Behaviour switches consumed by xCertReq and the LCM settings.
    AutoRenew          = $true
    RebootNodeifNeeded = $true

    # CertificateFile is the public certificate DSC uses to encrypt $Credential in the generated
    # MOF; Thumbprint is handed to the LCM as CertificateId so it can decrypt it, and must be the
    # thumbprint of that same certificate (private key installed on this node).
    # Both are deployment-specific sample values — replace them for each environment.
    CertificateFile    = 'c:\PullServerConfig\Cert.cer'
    Thumbprint         = '3F04281D1083CD21572A9F7036749DA567C8D9E5'
}

$configData = @{
    AllNodes = @($localhostNode)
}
# Compile the configuration to MOF files, apply the LCM meta-configuration, then push the
# configuration to the local node and wait for it to complete.
$outputPath = 'C:\PullServerConfig\'
PullServer -ConfigurationData $configData -OutputPath $outputPath
Set-DscLocalConfigurationManager -ComputerName localhost -Path $outputPath
Start-DscConfiguration -Wait -Force -Verbose -Path $outputPath

# Example invocation:
# .\Script.ps1 -ServerName web1 -domainname 'test.pha' -carootname 'test-dc01-ca' -caserverfqdn 'dc01.test.pha' -certsubject 'CN=service.test.pha' -smbshare '\\sofs1.test.pha\share'