Configuring Azure VMs using Desired State Configuration

Lately I've been working on a project to automate the provisioning of virtual machines on Azure using Azure Resource Manager. The need to apply configuration on the OS level came up and the proffered way was Desired State Configuration. On this article, we are going to publish a configuration and configure a virtual machine to apply it.

First we are going to log in and select the subscription that we are going to use:

PS C:\>Login-AzureRmAccount

Account          : c******s.p******ou@*******
SubscriptionName : Pay-As-You-Go
SubscriptionId   : e******a-8**c-4**3-9**7-b**********9
TenantId         : 5******f-d**2-4**4-a**e-7**********7
Environment      : AzureCloud

PS C:\>Get-AzureRmSubscription |
           Out-GridView -PassThru -Title "Select the subscription to use" |
               Select-AzureRmSubscription

Name             : [c*****s.p******ou@*******, e*******a-8**c-4**3-9**7-b**********9]
Account          : c******s.p********u@********
SubscriptionName : Pay-As-You-Go
TenantId         : 5*******f-d***2-4**4-a**e-7*********7
Environment      : AzureCloud

PS C:\>

I'm very fond of resource groups so I'll create one to group the DSC resources:

PS C:\> New-AzureRmResourceGroup -Name "Blog-DSC" -Location WestEurope

ResourceGroupName : Blog-DSC
Location          : westeurope
ProvisioningState : Succeeded
Tags              :
ResourceId        : /subscriptions/********/resourceGroups/Blog-DSC

PS C:\>

We are going to need a storage account to host the configuration so let's create one:

PS C:\> New-AzureRmStorageAccount -ResourceGroupName "Blog-DSC" `
                                  -Name "blogdscstorage" `
                                  -Location WestEurope `
                                  -SkuName Standard_LRS `
                                  -Kind BlobStorage `
                                  -AccessTier Cool

ResourceGroupName  : Blog-DSC
StorageAccountName : blogdscstorage
Id                 : /subscriptions/********/..../storageAccounts/blogdscstorage
Location           : westeurope
Sku                : Microsoft.Azure.Management.Storage.Models.Sku
Kind               : BlobStorage
AccessTier         : Cool

PS C:\>

Perfect! Now let's create a DSC configuration file.

We are going to make this simple, the configuration will contain only one directive, to create the folder "C:\Temp".

Configuration TestConfig
{
    Node "localhost"
    {
        File TempDirectory
        {
            Ensure = "Present"
            Type = "Directory"
            DestinationPath =  "C:\Temp"
        }

        Log TempDirectoryLog
        {
            Message = "Finished running the file resource with ID TempDirectory"
            DependsOn = "[File]TempDirectory"
        }
    }
}

To publish the configuration, use the Publish-AzureRmVmDscConfiguration cmdlet:

PS C:\> Publish-AzureRmVMDscConfiguration -ConfigurationPath .\TestConfig.ps1 `
                                          -ResourceGroupName "Blog-DSC" `
                                          -StorageAccountName "blogdscstorage" `
                                          -Force
https://blogdscstorage.blob.core.windows.net/windows-powershell-dsc/TestConfig.ps1.zip

PS C:\>

If everything worked, you should have a container named "windows-powershell-dsc" that contains the archived configuration file as shown below:


Now that the configuration is published, you can update your virtual machines with the DSC extension and have them apply the configuration:

PS C:\> Set-AzureRmVMDscExtension -ResourceGroupName "Blog-DSC-VMs" `
                                  -VMName "DSC-Test-001" `
                                  -ArchiveBlobName "TestConfig.ps1.zip" `
                                  -ArchiveStorageAccountName "blogdscstorage" `
                                  -ArchiveResourceGroupName "Blog-DSC" `
                                  -ConfigurationName "TestConfig" `
                                  -AutoUpdate:$true `
                                  -Version 2.72

PS C:\>

The configuration should have been applied to the virtual machine:

C:\> Get-DscConfiguration

ConfigurationName : TestConfig
DependsOn         :
ResourceId        : [File]TempDirectory

ConfigurationName : TestConfig
DependsOn         : {[File]TempDirectory}
ResourceId        : [Log]TempDirectoryLog

C:\>

This is the simplest approach to follow when you want to apply a configuration to machines. On the next article, we'll see how we can take advantage of the Azure Automation DSC service to apply configurations using an Automation Account and report on the status of the machines.

Popular posts from this blog

Domain Controller Machine Password Reset

Image
On my lab environment, I've configured two Active Directory sites since most enterprises have offices in more that one places. My lab however is not running 24/7 and the domain controllers in the second site are rarely turned on in order to save resources. This leads to issues with the Active Directory replication such as the "The target principal name is incorrect" error when I execute:  repadmin /syncall /AdeP. To remedy the issue, we have to reset the machine password of the domain controller that has been offline. First off, we are going to stop and disable the Kerberos Key Distribution Center (kdc) service on the problematic domain controller, in our case DC4. There may be some tickets in the cache so we should also clear them using klist purge Now it's time to change the machine password of the domain controller using the command netdom resetpwd /s:dc3 /ud:lab\administrator /pd:* Replace the "lab\administrator" with an account on your...
Keep reading

Managing Active Directory User Certificates using PowerShell

I first came across user certificates when I was working with email certificates a few years ago and I have to admit that I had trouble updating the certificates on the objects! Most organizations have a Microsoft Active Directory Certification Authority that issues the certificates used internally. When a certificate is issued to a user, the Microsoft Certificate Service saves the public key in Active Directory. The userCertificate attribute is a multi-valued attribute that contains the DER-encoded X509v3 certificates issued to the user. Although we rarely need to pay attention to this attribute, there are cases where we have to update it. To make things easier, I've written PowerShell functions to Get, Remove, Import and Export the certificates on that field. To get the list of certificates for an object, use the Get-ActiveDirectoryObjectCertificate function: PS C:\> Get-ActiveDirectoryObjectCertificate -UserPrincipalName cpolydorou@lab.local DistinguishedName  ...
Keep reading

Configuring a Certificate on Exchange Receive Connector

Today's article is about configuring Exchange receive connectors with specific certificates. Out of the box, Exchange uses self signed certificates to provide TLS secured mail flow. This will definitely be an issue if you expose the SMTP protocol to client computers since they won't trust the certificate. In this article we are going to configure a certificate that was issued by a third part authority to the Client Frontend receive connector. We'll start with getting the thumbprint of the certificate using the Get-ExchangeCertificate cmdlet: [PS] C:\> Get-ExchangeCertificate Thumbprint                               Subject ----------                               ------- 241B864DC82C664FECBA18B8D54987AAFB65B4C2 CN=*.lab.com, ... D4D210886B34E690191A1F008C78FDD0E7325DD4 CN=Exchange2013A 960171662EB26116...
Keep reading