Powershell DSC 5.0-parameters, certificate encryption account, and installation order

Source: Internet
Author: User
Tags powershell dsc

This section is about simply over 3 basic functions of DSC, how to parameterize a profile, encrypt an account, and how to set up the order of installation for multiple services.


The configuration file is essentially a function, the function can call another function, you can parameterize many values for reuse, and the configuration file is the same.


The configuration file itself has 3 parameters by default:


OutputPath, the output path of the MOF file

Configurationdata, this is the parameter configuration file, the structure is a hash table

InstanceName, instance name, general default


We can also define by Param keywords, such as

[Dsclocalconfigurationmanager ()] configuration lcm_httppull {    param          (            [parameter (Mandatory= $true)]             [string[]] $ComputerName,             [parameter (mandatory= $true)]             [string] $guid          )       Node  $ComputerName {settings{allowmoduleoverwrite = $ true            configurationmode =  ' Applyandautocorrect ' refreshmode =  ' pull ' configurationid =  $guid              }        configurationrepositoryweb pullserver {             Name =  ' Pullserver '              serverurl =  ' Http://dc.company.pri:8080/PSDSCPullServer.svc '              AllowUnsecureConnection =  $true          }}}# Computer list  $ComputerName = ' s1 ',  ' s2 ' # create guid  For the computers$guid=[guid]::newguid () # create the computer.meta.mof in  folderlcm_httppull -computername  $ComputerName  -Guid  $guid  -outputpath c:\dsc\ http# explorer c:\dsc\http# send to computers  lcmset-dsclocalconfigurationmanager -computername  $computername  -path c:\dsc\http – Verbose



In the previous section, the bean creates a new user, configures a password for the user, because the certificate is not used, and it is not safe to force permission to send in plaintext.


For example unsafe practices:

configuration dirtest {    param  (         [parameter (mandatory= $true)]             [string[] "$ComputerName,         [pscredential] $credential      )     Node  $computerName  {         File DirTest1 {             destinationpath =  ' C:\DirTest '              Type =  ' Directory '              ensure =  ' Present '             credential  =  $Credential         }    }}dirtest  -computername sydittest -Credential  (get-credential)  -CONFIGURATIONDATA C:\SCRIPTS\DSC1\MOD6\2A.CONFIG_DATA.PSD1  -outputpath c:\dscsecure# send to computers lcmstart-dscconfiguration - Computername sydittest -path c:\dscsecure –verbose
@{allnodes = @ (@{nodename= ' sydittest ' psdscallowplaintextpassword= $True})}


You can see it's clear, it's not safe.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/73/EA/wKiom1YKDoWSQX1fAAHH0krViR0965.jpg "style=" float: none; "title=" 1.PNG "alt=" Wkiom1ykdowsqx1faahh0krvir0965.jpg "/>



Here's the safe way

First generate a certificate, beans have been installed PKI, so open from the MMC is easy to create a new client certificate, and then exported to


650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/73/EA/wKiom1YKDoexO8qFAAEiw8GAiOQ932.jpg "style=" float: none; "title=" 3.PNG "alt=" Wkiom1ykdoexo8qfaaeiw8gaioq932.jpg "/>

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/73/E7/wKioL1YKDpHRpNcLAAEbAv0RJT4908.jpg "style=" float: none; "title=" 4.PNG "alt=" Wkiol1ykdphrpnclaaebav0rjt4908.jpg "/>


Configuration file, note that this hash table is different from the front.

configuration dirtest {    param  (         [parameter (mandatory= $true)]             [string[] "$ComputerName,         [pscredential] $credential      )     Node  $computername  {         File DirTest1 {             destinationpath =  ' C:\DirTest '              Type =  ' Directory '              ensure =  ' Present '             credential  =  $Credential         }    }}dirtest  -computername sydittest -Credential  (get-credential)  -CONFIGURATIONDATA C:\SCRIPTS\DSC1\MOD6\2B.CONFIG_DATA.PSD1  -outputpath c:\dscsecure# send to computers lcmstart-dscconfiguration - Computername sydittest -path c:\dscsecure –verbose
@{allnodes = @ (@{nodename= ' sydittest ' certificatefile = ' c:\temp\sydittest.cer ' }    )}

You can see that the password is encrypted.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/73/E7/wKioL1YKDpDBIxp-AAF9QvfEMKU458.jpg "title=" 2.PNG " Style= "Float:none;" alt= "wkiol1ykdpdbixp-aaf9qvfemku458.jpg"/>



Finally, simply look at the Dependon keyword. When we install multiple services, there are sometimes dependencies. For example, I want to install a cluster, but before I install it, I want to make sure that the domain service is installed. This dependency can be defined by Dependon. Note that the default rule for DSC is to install randomly because he does not want to have excessive dependencies so that once the environment changes, the entire configuration may fail.


For example, I need to install IIS and then install the IIS Admin interface and configure a folder

configuration installiis {        node sydittest { windowsfeature iis {ensure =  ' Present ' name   =  ' web-server '}         WindowsFeature IISMgmt {Ensure =  ' Present ' Name    =  ' Web-mgmt-service '              DependsOn =  "[Windowsfeature]iis"}         windowsfeature iisconsole {ensure =  ' Present ' name   =  ' Web-mgmt-console '}                 File DefaultWebSite {             ensure =  "Present"              type  =  "Directory"  # default is  "File"             force = $ true            recurse =  $True              SourcePath =  "C:\sites\inetpub\ Wwwroot\ "            DestinationPath = " C:\inetpub\wwwroot\ "             dependson  =  "[Windowsfeature]iis"           }}}installiis  -outputpath c:\dsc\mod6start-dscconfiguration -computername sydittest -path c:\ Dsc\mod6 -wait -verbose -force

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/73/E7/wKioL1YKELGxhwt1AAZ2FxdnV1E544.jpg "title=" 5.PNG " alt= "Wkiol1ykelgxhwt1aaz2fxdnv1e544.jpg"/>

This article is from the "Mapo Tofu" blog, please be sure to keep this source http://beanxyz.blog.51cto.com/5570417/1699083

Powershell DSC 5.0-parameters, certificate encryption account, and installation order

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.