Configuring Virtual Machines Using Desired State Configuration - Part 2 - Local Configuration Manager

In the previous post of the series (available here) we went through an introduction of Powershell DSC and how it can help with configuring virtual machines. This post is going to be about the Local Configuration Manager, also known as LCM, the engine that is the heart of DSC.

When a configuration file is pushed to a node, the LCM is the component that is responsible for performing all the operations in order to bring the system to the desired state. Apart from that, LCM can also monitor the system for configuration drift and take actions in order to remedy it.

LCM works with files in the C:\Windows\System32\Configuration directory and there are three of them in particular that you should be aware of:

Current.mof. This is the file that contains the current configuration.

Previous.mof. This file contains the previous configuration that was applied to the system. Usefull for reverting to a previous state.

The following screenshot shows the above files:

Pending.mof. When a configuration is in progress and has not yet been fully applied, it is saved with this name, as shown below:

There are times that LCM may face issues when trying to apply a configuration, like for example when getting a file from a file server that is not accessible. If you try to apply a different configuration you most probably get a message similar to the below:

The way to get around it is to remove the pending configuration file and then give the configuration another try.

To configure the LCM we need to apply a special kind of DSC configuration to the node:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
[DSCLocalConfigurationManager()]
configuration LCMConfig
{
    Node localhost
    {
        Settings
        {
            RefreshMode = 'Push'
            ConfigurationMode = 'ApplyAndMonitor'
            RebootNodeIfNeeded = $true
            RefreshFrequencyMins = 30
            ConfigurationModeFrequencyMins = 15
        }
    }
}

The attribute at line 1 is a special attribute that is used in order to mark this configuration as LCM related.

Out of the many properties that LCM configurations contain, I've picked five of them that I believe are the most important:

RefreshMode: The way that a configuration is assigned to a node. There are three options regarding the refresh mode:

  • Push: The configuration is pushed to the node using the Start-DscConfiguration cmdlet.
  • Pull: The node pulls configurations from a DSC pull service.
  • Disabled: LCM does not process any configuration. 
The push mode is mainly used for testing configurations and managing a small number of nodes. In larger environments that require nodes to pickup their configuration without any interaction a DSC Pull service is used to provide the configurations to the nodes. We'll deploy a pull service later on, in a following article.

ConfigurationMode: There are three configuration modes available:

  • ApplyOnly: LCM applies the configuration and does nothing else.
  • ApplyAndMonitor: LCM applies the configuration and when configuration drift is detected it reports it.
  • ApplyAndAutoCorrect: LCM applies the configuration and when configuration drift is detected it re-applies the configuration. 

RebootNodeIfNeeded: Control whether LCM will reboot the node if requested by a resource.

RefreshFrequencyMins: The interval at which LCM checks for new configurations published on the DSC pull service - only applies when the LCM refresh mode is set to pull. 

ConfigurationModeFrequencyMins: The interval between two configuration checks - ignored if configuration mode is set to "ApplyOnly".

To apply the LCM configuration you have to load and compile it as any other configuration file but in order to apply it you have to use the Set-DscLocalConfigurationManager cmdlet like below:

The Get-DscLocalConfigurationManager cmdlet displays the configuration of LCM:


Applying the LCM configuration updates the MetaConfig.mof and MetaConfig.backup.mof files that contain the LCM configuration and work in a way similar to the plain MOF files previously described.

To reset the LCM configuration, we just have to push a new configuration with the default values usully something like:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
[DSCLocalConfigurationManager()]
configuration LCMClear
{
    Node localhost
    {
        Settings
        {
            RefreshMode = 'Push'
            ConfigurationMode = 'ApplyOnly'
            RebootNodeIfNeeded = $false
            RefreshFrequencyMins = 30
            ConfigurationModeFrequencyMins = 15
        }
    }
}

Keep in mind that there are some differences when using Powershell versions older that version 5. One of the changes regarding LCM is that instead of "Settings" we have "LocalConfigurationManager".

More information on the properties of LCM is available in Microsoft Docs.

LCM writes log entries to the Applications and Services Logs\Microsoft\Windows\Desired State Configuration\Operational log that can be really helpfull when troubleshooting.

The next post will be about configurations, their building blocks and statements. The configurations used in this article are available in my Github repository here.

Related Articles
    Part 1 - Intruduction
    Part 2 - Local Configuration Manager
    Part 3 - Authoring Configurations
    Part 4 - Applying Configurations
    Part 5 - Creating a Pull Service
    Part 6 - Azure Automation

Popular posts from this blog

Domain Controller Machine Password Reset

Image
On my lab environment, I've configured two Active Directory sites since most enterprises have offices in more that one places. My lab however is not running 24/7 and the domain controllers in the second site are rarely turned on in order to save resources. This leads to issues with the Active Directory replication such as the "The target principal name is incorrect" error when I execute:  repadmin /syncall /AdeP. To remedy the issue, we have to reset the machine password of the domain controller that has been offline. First off, we are going to stop and disable the Kerberos Key Distribution Center (kdc) service on the problematic domain controller, in our case DC4. There may be some tickets in the cache so we should also clear them using klist purge Now it's time to change the machine password of the domain controller using the command netdom resetpwd /s:dc3 /ud:lab\administrator /pd:* Replace the "lab\administrator" with an account on your...
Keep reading

Managing Active Directory User Certificates using PowerShell

I first came across user certificates when I was working with email certificates a few years ago and I have to admit that I had trouble updating the certificates on the objects! Most organizations have a Microsoft Active Directory Certification Authority that issues the certificates used internally. When a certificate is issued to a user, the Microsoft Certificate Service saves the public key in Active Directory. The userCertificate attribute is a multi-valued attribute that contains the DER-encoded X509v3 certificates issued to the user. Although we rarely need to pay attention to this attribute, there are cases where we have to update it. To make things easier, I've written PowerShell functions to Get, Remove, Import and Export the certificates on that field. To get the list of certificates for an object, use the Get-ActiveDirectoryObjectCertificate function: PS C:\> Get-ActiveDirectoryObjectCertificate -UserPrincipalName cpolydorou@lab.local DistinguishedName  ...
Keep reading

Configuring a Certificate on Exchange Receive Connector

Today's article is about configuring Exchange receive connectors with specific certificates. Out of the box, Exchange uses self signed certificates to provide TLS secured mail flow. This will definitely be an issue if you expose the SMTP protocol to client computers since they won't trust the certificate. In this article we are going to configure a certificate that was issued by a third part authority to the Client Frontend receive connector. We'll start with getting the thumbprint of the certificate using the Get-ExchangeCertificate cmdlet: [PS] C:\> Get-ExchangeCertificate Thumbprint                               Subject ----------                               ------- 241B864DC82C664FECBA18B8D54987AAFB65B4C2 CN=*.lab.com, ... D4D210886B34E690191A1F008C78FDD0E7325DD4 CN=Exchange2013A 960171662EB26116...
Keep reading