Open mhendric opened 5 years ago
Adding a key piece of information that I forgot.
Here's the directory where this file should be on the problem server (Win 2012 R2 / PS 4).
PS C:\> dir 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer' -Recurse
Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s 1/28/2019 1:39 PM en
d---s 1/28/2019 1:39 PM en-US
-a--- 1/28/2019 1:39 PM 303104 Devices.mdb
-a--- 7/1/2013 9:49 AM 141 Global.asax
-a--- 1/28/2019 1:39 PM 57856 Microsoft.Powershell.DesiredStateConfiguration.Service.dll
-a--- 7/1/2013 9:49 AM 2389 PSDSCComplianceServer.config
-a--- 6/21/2013 12:50 AM 268 PSDSCComplianceServer.mof
-a--- 6/18/2013 5:25 AM 335 PSDSCComplianceServer.svc
-a--- 6/18/2013 5:25 AM 390 PSDSCComplianceServer.xml
-a--- 11/21/2014 12:07 AM 3343 PSDSCPullServer.config
-a--- 6/21/2013 12:50 AM 525 PSDSCPullServer.mof
-a--- 6/18/2013 5:25 AM 335 PSDSCPullServer.svc
-a--- 6/18/2013 5:25 AM 502 PSDSCPullServer.xml
-a--- 1/28/2019 1:39 PM 8704 PSDSCServerEvents.dll
Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer\en
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 1/28/2019 1:39 PM 6144 Microsoft.Powershell.DesiredStateConfiguration.Service.resources.dll
Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer\en-US
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 11/20/2014 10:54 PM 2 PSDSCComplianceServer.mfl
-a--- 11/20/2014 10:54 PM 2 PSDSCPullServer.mfl
-a--- 1/28/2019 1:39 PM 6656 PSDSCServerEvents.dll.mui
Here's the same directory on the server that works (Win 2016 / PS 5.1):
PS C:\> dir 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer' -Recurse
Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 1/29/2019 4:34 PM en
d---s- 1/29/2019 4:34 PM en-US
-a---- 1/29/2019 4:34 PM 1310720 Devices.mdb
-a---- 7/16/2016 6:19 AM 141 Global.asax
-a---- 1/29/2019 4:34 PM 11264 IISSelfSignedCertModule.dll
-a---- 1/29/2019 4:34 PM 133632 Microsoft.Powershell.DesiredStateConfiguration.Service.dll
-a---- 7/16/2016 6:19 AM 2389 PSDSCComplianceServer.config
-a---- 7/16/2016 6:19 AM 268 PSDSCComplianceServer.mof
-a---- 7/16/2016 6:19 AM 335 PSDSCComplianceServer.svc
-a---- 7/16/2016 6:19 AM 390 PSDSCComplianceServer.xml
-a---- 7/16/2016 6:19 AM 3170 PSDSCPullServer.config
-a---- 1/29/2019 4:34 PM 4760 PSDSCPullServer.mof
-a---- 7/16/2016 6:19 AM 335 PSDSCPullServer.svc
-a---- 7/16/2016 6:19 AM 1194 PSDSCPullServer.xml
-a---- 1/29/2019 4:34 PM 14336 PSDSCServerEvents.dll
Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer\en
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/29/2019 4:34 PM 9216 Microsoft.Powershell.DesiredStateConfiguration.Service.resources.dll
Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer\en-US
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/3/2018 2:29 PM 2 PSDSCComplianceServer.mfl
-a---- 2/3/2018 2:29 PM 2 PSDSCPullServer.mfl
-a---- 1/29/2019 4:34 PM 13824 PSDSCServerEvents.dll.mui
@tmeckel , you're currently working some IISSelfSignedCertModule related Issues. Do you know anything about where this DLL comes from, and if we should expect it on a machine with only PS4?
@mhendric I can only say that you have to install the Windows feature DSC-Service, which you obviously did in your DSC Configuration, so it should definitely be present on the computer.
Aside this, I discovered some deficiencies with that IIS module, while I was working on PR #507 and how it's provided (Windows Feature) and how it's activated in IIS using MSFT_xDSCWebService. I'll describe my findings when I'm done with refactoring the code and the Unit Tests for MSFT_xDSCWebService in PR #507
Okay I made a quick check on a VM. Seems to me we do have an issue here because the DLL is not installed by the DSC-Service feature. I would propose we remove the code here in the xPSDesiredStateConfiguration, because it seems to me that the code has been erroneously copied over from PSDscResources. I've to admit that I didn't check the Git Log though :-D Oh and removing the code would make my PR 507 obsolete LOL
Thanks @tmeckel . Good to know I'm not crazy (or at least not the owner of bad virtual machines). Sounds like this is a bug to me then. I guess we just need to figure out what to do about it. Do we update the module to not check for IISSelfSignedCertModule.dll, and if so, what are the implications of that (there had to have been a good reason that the check was added in the first place)?
And this definitely makes me wonder what else is broken in this module for PowerShell 4...
@mhendric As I already said, while I was working on this module here I discovered not only issues with how this particular DLL is handled, but I also commented on #468 that I discovered some bugs in how the X.509 certificate for the pull/compliance service is handled. To me this module seems to have multiple issues that have to be sorted.
@mhendric I just discovered that this module is only relevant for the compliance server: https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/01383b317abae8de69a1c093ddb51b2a064f8296/DSCResources/MSFT_xDSCWebService/MSFT_xDSCWebService.psm1#L754. Interestingly enough, look at this comment multiple lines above it: https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/01383b317abae8de69a1c093ddb51b2a064f8296/DSCResources/MSFT_xDSCWebService/MSFT_xDSCWebService.psm1#L689. And on top of that, you'll find no sign of the compliance server feature in Set-TargetResource https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/01383b317abae8de69a1c093ddb51b2a064f8296/DSCResources/MSFT_xDSCWebService/MSFT_xDSCWebService.psm1#L175 or Get-TargetResource https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/01383b317abae8de69a1c093ddb51b2a064f8296/DSCResources/MSFT_xDSCWebService/MSFT_xDSCWebService.psm1#L23
So TBH I don't really know in what condition this module really is!
Oh and in contrast to my statement in https://github.com/PowerShell/xPSDesiredStateConfiguration/issues/511#issuecomment-459969107 that MSFT_xDSCWebService.psm1 has been "erroneously" copied over from PSDscResources, I discovered that xPSDesiredStateConfiguration is the only DSC Resource which contains support for setting up a local pull server. This implies that xPSDesiredStateConfiguration wasn't only created for PowerShell 4 support. Quite confusing situation here with these two DSC Resources.
@tmeckel , thanks for all the research on this! This definitely is a confusing situation. I think this one probably needs to be discussed during the next community call, especially as it relates to #522. @PlagueHO , I think you have a list of items to discuss in the next call. Can you track this one?
@mhendric how do we proceed here? From my point of view we can't leave the code as is because this would create errors on Windows 2012 servers as you already noticed. On the other hand, how likely is it that people deploy a Pull Server on such an old infrastructure? But this is the same discussion we already had about supporting PowerShell 4.
Hey @tmeckel . So... I'm still wondering why this module was made to be a requirement at some point. At one point in the xPSDesiredStateConfiguration lifetime, it was definitely possible to deploy a pull server on Windows 2012 R2 and PS4, which implies IISSelfSignedCertModule wasn't always a requirement. Maybe we can find which PR introduced this and then look at the comments. Perhaps it isn't really necessary for PS4 after all. Or maybe the Compliance server (you referenced above) doesn't support PS4. Also, if we can find the last build that this worked on PS4 in, we could potentially just add a version check for PS4 when this code is invoked, and say that this code is no longer supported on PS4, use ### build instead.
At least according to this article, DSC Pull Server is only supported on PS5 or higher (although there's a reference in the same article to WMF4 databases, so I don't know how true this really is). But if the PowerShell team doesn't support the Pull Server on PS4 any more, I'm not sure why we should continue supporting it in this module.
Adding @mgreenegit in case he knows some history on this.
@mhendric the situation around the Pull Server is unsatisfying in many ways. First we have this issue here where we don't know what's supported on what platform and why code has been introduced. Secondly the PowerShell team decided to stop adding new features to the local Pull Server implementation in favor of Azure Automation DSC. The decision perfectly fits into the strategy of Microsoft and is thus understandable because you've to decide what things to follow with limited resources. Or you look at Microsoft's strategy to compel people to move on-premises resources to Azure when you analyze the pricing model behind Azure Automation DSC, where you can add on-premises servers but you've to pay at least $5 monthly for every server, where in contrast Azure VMs are at no charge.
My personal biggest issue around this decision is that the PowerShell team (or whoever wrote that section in the documentation) refers to two opensource projects on Github, as a replacement for an on premises installation, which are actually dead:
That leads me to the more or less sarcastic question: why should we put much effort in this DSC Resource anymore? Okay just kidding. But nevertheless we should keep in mind that when we work on xDSCWebService the technology is in fact deprecated or to say it more clearly: dead.
Interesting observations @tmeckel . I don't think this technology is dead, but it definitely appears to be deprecated. That's stated in the very first paragraph of the document we linked. Which does beg the question, how much effort do we want to spend on something Microsoft plans to cut support for? Perhaps this is another community call discussion. Tagging @PlagueHO and @johlju for thoughts in the meantime.
I do still see value for many of the other resources in this module, especially since this module can accept breaking changes and PSDSCResources can't. But I'm willing to have a hard conversation around the module as a whole.
@mhendric you misunderstood in some way. When I said we must outweigh the efforts we put "... in this DSC Resource ..." I only meant xDSCWebService, not the complete DSC module. The DSC module as a whole will and definitely can provide much help for people using DSC! To make it clear: I doubt we should put much effort in the Pull Server thing here in the long run because Microsoft abandoned supporting on-premises installation in favor of Azure Automation DSC.
Hey @tmeckel , no problem. A related comment on this is that we should probably test if xDSCWebService works on Windows Server 2019. If it does, then DSC Pull Server is probably not going away anytime soon. We should probably also start testing the Module as a whole on 2019 to see what works and what doesn't.
I'm working on #506, and trying to do some manual integration testing by setting up a DSC pull server. My configuration script works just fine on my Windows 2016 / PS 5.1 server, but fails with the below error on my Windows 2012 R2 / PS 4 server. I cannot find IISSelfSignedCertModule.dll anywhere on the machine. Can someone tell me where this comes from and how I can install it?
Error: Cannot find path 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer\IISSelfSignedCertModule.dll' because it does not exist.
OS: Windows 2012 R2 (6.3 Build 9600)
$psversiontable
Name Value
PSVersion 4.0
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
CLRVersion 4.0.30319.42000
BuildVersion 6.3.9600.19170
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion 2.2
IIS Features:
Script
Output: