SNikalaichyk
commented
6 years ago Hi, I could not reproduce this error on my laptop running Windows 10 version 1709. Can you please provide more details?
Closed Jackbennett closed 6 years ago
SNikalaichyk
commented
6 years ago Hi, I could not reproduce this error on my laptop running Windows 10 version 1709. Can you please provide more details?
Jackbennett
commented
6 years ago Sure
The full error client error:
Update-DscConfiguration Computer -Wait -Verbose
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = PerformRequiredConfigurationChecks,'className' =
MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer AdminPC with user sid S-1-5-21-4022285462-1334532727-2475043168-12314.
VERBOSE: [Computer]: [] Executing Get-Action with configuration 's checksum returned result status: GetConfiguration.
VERBOSE: [Computer]: [] Checksum is different. LCM will execute GetConfiguration to pull configuration .
VERBOSE: [Computer]: [] Executing GetConfiguration failed. Configuration InstallOSquery is not pulled.
The PS module C:\Program Files\WindowsPowerShell\Modules\cNtfsAccessControl\1.3.1\DscResources\cNtfsPermissionsInheritance is either missing or its associated MOF
schema C:\Program Files\WindowsPowerShell\Modules\cNtfsAccessControl\1.3.1\DscResources\cNtfsPermissionsInheritance\cNtfsPermissionsInheritance.schema.mof is
missing or invalid.
+ CategoryInfo : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : InvalidModuleOrSchema
+ PSComputerName : Computer
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 1.5 secondsls \\server\modules
Directory: \\server\modules
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 31/01/2018 12:31 76576 cNtfsAccessControl_1.3.1.zip
-a---- 31/01/2018 12:31 64 cNtfsAccessControl_1.3.1.zip.checksumconfiguration CreatePullServer
{
param
(
[string[]]$ComputerName = 'localhost'
, # Installed certificate to use for HTTPS
[Parameter(Mandatory)]
[ValidateNotNullOrEmpty()]
[string]
$CertificateThumbPrint
, # GUID Used to authenticate the client node with the pull server
[Parameter(Mandatory)]
[ValidateNotNullOrEmpty()]
[string]
$RegistrationKey
)
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName xPSDesiredStateConfiguration
Node $ComputerName
{
WindowsFeature DSCServiceFeature
{
Ensure = "Present"
Name = "DSC-Service"
}
xDscWebService PSDSCPullServer
{
Ensure = "Present"
EndpointName = "PSDSCPullServer"
Port = 8080
PhysicalPath = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
CertificateThumbPrint = $CertificateThumbPrint
ModulePath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
ConfigurationPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
State = "Started"
DependsOn = "[WindowsFeature]DSCServiceFeature"
UseSecurityBestPractices = $true
}
File RegistrationKeyFile
{
Ensure = "Present"
Type = "File"
DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
Contents = $RegistrationKey
}
}
}
[DSCLocalConfigurationManager()]
Configuration LCM_Pull {
param
(
[string[]]$ComputerName = 'localhost'
)
Node $ComputerName {
Settings {
ConfigurationMode = 'ApplyAndAutoCorrect'
RefreshMode = 'Pull'
}
ResourceRepositoryWeb PullServerModules {
ServerURL = 'https://server:8080/PsDscPullserver.svc'
AllowUnsecureConnection = $false
RegistrationKey = 'a13aa872-fab1-423a-85b9-9481f959cb11'
}
ConfigurationRepositoryWeb PullServer {
ServerURL = 'https://server:8080/PsDscPullserver.svc'
AllowUnsecureConnection = $false
RegistrationKey = 'a13aa872-fab1-423a-85b9-9481f959cb11'
ConfigurationNames = @('InstallOSquery')
}
PartialConfiguration InstallOSquery{
description = "InstallOSquery"
ConfigurationSource = @("[ConfigurationRepositoryWeb]PullServer")
}
}
}But the client powershell dsc modules folder ends up with the folder target \\Computer\c$\Program Files\WindowsPowerShell\Modules\cNtfsAccessControl but it's empty. I checked the zip does indeed have files in it.
Any thoughts?
SNikalaichyk
commented
6 years ago Please try to delete the module and then reinstall it from the PS Gallery, then check if the machine can enact its configuration.
There also may be a problem with the ZIP archive containing the module. Try the following script to recreate it:
Get-InstalledModule -Name cNtfsAccessControl |
ForEach-Object -Begin {
Add-Type -AssemblyName System.IO.Compression.FileSystem
$TargetDirPath = 'C:\Temp\DscPullModules'
if (-not (Test-Path -Path $TargetDirPath -PathType Container))
{
New-Item -Path $TargetDirPath -ItemType Directory -Force -Verbose | Out-Null
}
} -Process {
Get-Module -Name $_.Name -ListAvailable |
ForEach-Object -Process {
$ModuleBase = $_.ModuleBase
$ZipFileName = '{0}_{1}.zip' -f $_.Name, $_.Version
$ZipFilePath = Join-Path -Path $TargetDirPath -ChildPath $ZipFileName
if (Test-Path -Path $ZipFilePath -PathType Leaf)
{
Remove-Item -Path $ZipFilePath -Force -Verbose
}
Write-Verbose -Message $ZipFilePath -Verbose
[System.IO.Compression.ZipFile]::CreateFromDirectory($ModuleBase, $ZipFilePath)
if (Test-Path -Path $ZipFilePath -PathType Leaf)
{
New-DscChecksum -Path $ZipFilePath -Force -Verbose
}
}
}[pullserver]: PS C:\Program Files\WindowsPowerShell\DscService\Modules> ls
Directory: C:\Program Files\WindowsPowerShell\DscService\Modules
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 01/02/2018 12:20 PM 25257 cNtfsAccessControl_1.3.1.zip
-a---- 01/02/2018 12:20 PM 64 cNtfsAccessControl_1.3.1.zip.checksumI have those files, inside that zip
Clients still error with The PS module C:\Program Files\WindowsPowerShell\Modules\cNtfsAccessControl\1.3.1\DscResources\cNtfsPermissionsInheritance is either missing or its associated MOF schema C:\Program Files\WindowsPowerShell\Modules\cNtfsAccessControl\1.3.1\DscResources\cNtfsPermissionsInheritance\cNtfsPermissionsInheritance.schema.mof is missing or invalid.
The module is an empty folder, \\client\c$\Program Files\WindowsPowerShell\Modules\cNtfsAccessControl
This is the first module i've tried to include in a resource, so it could still be my server. But I can't see the problem.
This works on my office PC where I've installed the module from the packagemanager. If I do that directly on other machines I get errors from it not being signed. I don't know if that's related.
jpogran
commented
6 years ago @SNikalaichyk I noticed in your example above and in your deployment script in appveyor, you use [System.IO.Compression.ZipFile classes. IIRC the .NET compression classes don't set the byte header that DSC expects in WMF v4. They fixed it in v5, but if your users are using v4 DSC Pull Servers they won't be able to read your zip files. I noticed you pull in https://github.com/PowerShell/DscResource.Tests, you'll see there in line https://github.com/PowerShell/DscResource.Tests/blob/dev/AppVeyor.psm1#L605-L606 they use Compress-Archive instead.
@Jackbennett are you using a v4 DSC Pull Server?
Jackbennett
commented
6 years ago The DSC configs are all made on w10 1709, the server config was targeted at a server 2016 install, that might be wmf5 not 5.1 as it's not a fresh image from MS. I'll have to check build numbers tomorrow.
For the server config I referenced this v5 guide but I didn't use the lab provided.
Jackbennett
commented
6 years ago It must be something I'm doing with this zip.
Compress-Archive 'C:\Program Files\WindowsPowerShell\Modules\xPSDesiredStateConfiguration\8.0.0.0\**' -DestinationPath .\xPSDesiredStateConfiguration_8.0.0.0.zip copied to the server makes an emptyxPSDesiredStateConfiguration folder on the client.
zip contents;
/
/DSCResources/
etc*edit: And I just made the above with 7zip and it still makes an empty client folder.
Compress-Archive 'C:\Program Files\WindowsPowerShell\Modules\xPSDesiredStateConfiguration\8.0.0.0\**' -DestinationPath .\xPSDesiredStateConfiguration_8.0.0.0.zip note the asterix. Makes files/foldes under xPSDesiredStateConfiguration\8.0.0.0\8.0.0.0\DSCResources... which of course powershell doesn't understand the path to load from the double version.
Module file xPSDesiredStateConfiguration did not contain a module with required version 8.0.0.0.
zip contents;
/
/8.0.0.0/
/8.0.0.0/DSCResources/
etcwat.
Jackbennett
commented
6 years ago I'd still love further help resolving this (I've pointed IRC to it) but it's clearly not an issue with cNTFSAccessControl so I'll close it for your project.
Jackbennett
commented
6 years ago I used xDscDiagnostics to find the log messages. DSC seems to check the module signatures between downloading the zip and placing the extracted files in the folder. I signed the files myself then found applocker blocking script execution even though my cert is a trusted publisher. Added my cert to applocker and it all seems ok now.
This may not be your module;
I've not gotten into writing DSC resources yet but does the something need updating to be used with windows 10 1709?
I've checked the client PC is downloading the module but it's making an empty folder on the client of the correct name in the correct place. I just checked that it's nothing to do with executionpolicy.