DSC Configuration Sharing

This post was originally published on this site

The community around DSC Resources has been inspiring. The PowerShell Gallery now includes more than 2000 modules/scripts. 181 of those are modules focused on DSC, that collectively include 766 DSC Resources.

With this many building blocks available, it has become easier and faster to get a DSC project through the proof of concept phase to production-ready Windows Servers built using Configuration As Code.

When the author is new to DSC, their first configuration is a complex learning experience. The modules containing DSC Resources often have an /Examples folder with Configuration scripts showing how to use Resources, but they tend to be very specific and demonstrate only the functionality that the Resource was intended to solve. It can be hard to envision an end-to-end scenario-based Configuration. That typically comes later in the maturity model of learning DSC.

So how can we simplify and go faster? We’ve already seen that the community is very good at empowering people to be successful. Sharing examples helps people to look at existing work and identify patterns that can be repeated.

A community repo for DSC Configurations

Last week at the Automation Management Summit 2017, I previewed a new set of project repositories on GitHub. The goal of this work is to document a process for sharing end-to-end scenario-based Configurations.

Here is where to get started:

This project includes three individual repos:

  • DSC Configurations
    • DSC Configuration Template
    • DSC Configuration Tests

The goal of these is to provide guidance and tools to reduce the mean time to minimum viable product by iterating quickly. This was a key point of feedback at last year’s DSC Camp. The Template repo provides an example of how to lay out a Configuration project. The Tests repo provides an automated solution to validate a Configuration script using Azure Automation and Azure Virtual Machines.

You will find the documentation in the submodules is still light to non-existent. I will be contributing to these as much as possible. In the meantime, the community is welcome to submit Issues and PRs to get things moving along more quickly. See the DSC Contribution Guidelines for more information.

Process change in the publishing model

I’d like to finish by pointing out an important change in process. With the DSC Resource Kit, today we follow a model where modules are authored and then handed off to the PowerShell team to be hosted in a central repository, and then published to the PowerShell Gallery. We are finding that in this model, we can actually become the bottleneck to release because it can be impossible to match pace with the throughput of so many people doing great authoring work in the community.

So with that in mind, the process for Configuration sharing will be that the author should continue to host their code in a repo they own. Just like for Resources, they will continue to be the project maintainer. This is only a change to where the code is located on GitHub. Also just like Resources, the author can submit a request to the community for feedback and discuss their work in the monthly DSC Community Call. The end result of their work will still be to publish in the PowerShell Gallery. Additional details such as how to package Configurations and what tags to use will be documented in the DSCConfigurations project repo.

Thank you! I look forward to working together with everyone in the DSC community on DSC Configuration sharing.

Michael Greene

DSC Resource Kit Release April 2017

We just released the DSC Resource Kit!

This release includes updates to 5 DSC resource modules, including 3 new DSC resources. In these past 6 weeks, 57 pull requests have been merged and 46 issues have been closed, all thanks to our amazing community!

The modules updated in this release are:

  • PSDscResources
  • xCertificate
  • xDatabase
  • xPSDesiredStateConfiguration
  • xSQLServer

For a detailed list of the resource modules and fixes in this release, see the Included in this Release section below.

Our last community call for the DSC Resource Kit was last week on April 12. A recording of our updates as well as summarizing notes are available. Join us next time on May 24 to ask questions and give feedback about your experience with the DSC Resource Kit. Keep an eye on the community agenda for the link to the call.

We strongly encourage you to update to the newest version of all modules using the PowerShell Gallery, and don’t forget to give us your feedback in the comments below, on GitHub, or on Twitter (@PowerShell_Team)!

All resources with the ‘x’ prefix in their names are still experimental – this means that those resources are provided AS IS and are not supported through any Microsoft support program or service. If you find a problem with a resource, please file an issue on GitHub.

Included in this Release

You can see a detailed summary of all changes included in this release in the table below. For past release notes, go to the README.md or Changelog.md file on the GitHub repository page for a specific module (see the How to Find DSC Resource Modules on GitHub section below for details on finding the GitHub page for a specific module).

Module Name Version Release Notes
  • Archive:
    • Fixed a minor bug in the unit tests where sometimes the incorrect DateTime format was used.
  • Added MsiPackage
  • Fixed issue where xCertReq does not process requested certificate when credentials parameter set and PSDscRunAsCredential not passed. See issue
  • Moved internal functions to a common helper module
  • xMsiPackage:
    • Created high quality MSI package manager resource
  • xArchive:
    • Fixed a minor bug in the unit tests where sometimes the incorrect DateTime format was used.
  • xWindowsFeatureSet:
    • Had the wrong parameter name in one test case.
  • Examples
    • xSQLServerDatabaseRole
      • 1-AddDatabaseRole.ps1
      • 2-RemoveDatabaseRole.ps1
    • xSQLServerRole
      • 3-AddMembersToServerRole.ps1
      • 4-MembersToIncludeInServerRole.ps1
      • 5-MembersToExcludeInServerRole.ps1
    • xSQLServerSetup
      • 1-InstallDefaultInstanceSingleServer.ps1
      • 2-InstallNamedInstanceSingleServer.ps1
      • 3-InstallNamedInstanceSingleServerFromUncPathUsingSourceCredential.ps1
      • 4-InstallNamedInstanceInFailoverClusterFirstNode.ps1
      • 5-InstallNamedInstanceInFailoverClusterSecondNode.ps1
    • xSQLServerReplication
      • 1-ConfigureInstanceAsDistributor.ps1
      • 2-ConfigureInstanceAsPublisher.ps1
    • xSQLServerNetwork
      • 1-EnableTcpIpOnCustomStaticPort.ps1
    • xSQLServerAvailabilityGroupListener
      • 1-AddAvailabilityGroupListenerWithSameNameAsVCO.ps1
      • 2-AddAvailabilityGroupListenerWithDifferentNameAsVCO.ps1
      • 3-RemoveAvailabilityGroupListenerWithSameNameAsVCO.ps1
      • 4-RemoveAvailabilityGroupListenerWithDifferentNameAsVCO.ps1
      • 5-AddAvailabilityGroupListenerUsingDHCPWithDefaultServerSubnet.ps1
      • 6-AddAvailabilityGroupListenerUsingDHCPWithSpecificSubnet.ps1
    • xSQLServerEndpointPermission
      • 1-AddConnectPermission.ps1
      • 2-RemoveConnectPermission.ps1
      • 3-AddConnectPermissionToAlwaysOnPrimaryAndSecondaryReplicaEachWithDifferentSqlServiceAccounts.ps1
      • 4-RemoveConnectPermissionToAlwaysOnPrimaryAndSecondaryReplicaEachWithDifferentSqlServiceAccounts.ps1
    • xSQLServerPermission
      • 1-AddServerPermissionForLogin.ps1
      • 2-RemoveServerPermissionForLogin.ps1
    • xSQLServerEndpointState
      • 1-MakeSureEndpointIsStarted.ps1
      • 2-MakeSureEndpointIsStopped.ps1
    • xSQLServerConfiguration
      • 1-ConfigureTwoInstancesOnTheSameServerToEnableClr.ps1
      • 2-ConfigureInstanceToEnablePriorityBoost.ps1
    • xSQLServerEndpoint
      • 1-CreateEndpointWithDefaultValues.ps1
      • 2-CreateEndpointWithSpecificPortAndIPAddress.ps1
      • 3-RemoveEndpoint.ps1
  • Changes to xSQLServerDatabaseRole
    • Fixed code style, added updated parameter descriptions to schema.mof and README.md.
  • Changes to xSQLServer
    • Raised the CodeCov target to 70% which is the minimum and required target for HQRM resource.
  • Changes to xSQLServerRole
    • BREAKING CHANGE: The resource has been reworked in its entirety. Below is what has changed.
    • The mandatory parameters now also include ServerRoleName.
    • The ServerRole parameter was previously an array of server roles; this parameter is now renamed to ServerRoleName and can only be set to one server role.
      • ServerRoleName is no longer limited to built-in server roles. To add members to a built-in server role, set ServerRoleName to the name of the built-in server role.
      • The ServerRoleName will be created when Ensure is set to “Present” (if it does not already exist), or removed if Ensure is set to “Absent”.
    • Three new parameters are added: Members, MembersToInclude and MembersToExclude.
      • Members can be set to one or more logins, and those will replace all the memberships in the server role.
      • MembersToInclude and MembersToExclude can be set to one or more logins that will add or remove memberships, respectively, in the server role. MembersToInclude and MembersToExclude cannot be used at the same time as parameter Members. But both MembersToInclude and MembersToExclude can be used together at the same time.
  • Changes to xSQLServerSetup
    • Added a note to the README.md saying that it is not possible to add or remove features from a SQL Server failover cluster (issue 433).
    • Changed so that it reports false if the desired state is not correct (issue 432).
      • Added a test to make sure we always return false if a SQL Server failover cluster is missing features.
    • Helper function Connect-SQLAnalysis
      • Now has correct error handling, and throw does not use the unknown named parameter “-Message” (issue 436)
      • Added tests for Connect-SQLAnalysis
      • Changed to localized error messages.
      • Minor changes to error handling.
    • This adds better support for Addnode (issue 369).
    • Now it skips cluster validation for add node (issue 442).
    • Now it ignores parameters that are not allowed for action Addnode (issue 441).
    • Added support for vNext CTP 1.4 (issue 472).
  • Added new resource
    • xSQLServerAlwaysOnAvailabilityGroupReplica
  • Changes to xSQLServerDatabaseRecoveryModel
    • Fixed code style, removed SQLServerDatabaseRecoveryModel functions from xSQLServerHelper.
  • Changes to xSQLServerAlwaysOnAvailabilityGroup
    • Fixed the permissions check loop so that it exits the loop after the function determines the required permissions are in place.
  • Changes to xSQLServerAvailabilityGroupListener
    • Removed the dependency of SQLPS provider (issue 460).
    • Cleaned up code.
    • Added test for more coverage.
    • Fixed PSSA rule warnings (issue 255).
    • Parameter Ensure now defaults to “Present” (issue 450).
  • Changes to xSQLServerFirewall
    • Now it will correctly create rules when the resource is used for two or more instances on the same server (issue 461).
  • Changes to xSQLServerEndpointPermission
    • Added description to the README.md
    • Cleaned up code (issue 257 and issue 231)
    • Now the default value for Ensure is “Present”.
    • Removed dependency of SQLPS provider (issue 483).
    • Refactored tests so they use less code.
  • Changes to README.md
    • Adding deprecated tag to xSQLServerFailoverClusterSetup, xSQLAOGroupEnsure and xSQLAOGroupJoin in README.md so it is more clear that these resources have been replaced by xSQLServerSetup, xSQLServerAlwaysOnAvailabilityGroup and xSQLServerAlwaysOnAvailabilityGroupReplica respectively.
  • Changes to xSQLServerEndpoint
    • BREAKING CHANGE: Now SQLInstanceName is mandatory, and is a key, so SQLInstanceName no longer has a default value (issue 279).
    • BREAKING CHANGE: Parameter AuthorizedUser has been removed (issue 466, issue 275 and issue 80). Connect permissions can be set using the resource xSQLServerEndpointPermission.
    • Optional parameter IpAddress has been added. Default is to listen on any valid IP-address. (issue 232)
    • Parameter Port now has a default value of 5022.
    • Parameter Ensure now defaults to “Present”.
    • Resource now supports changing IP address and changing port.
    • Added unit tests (issue 289)
    • Added examples.
  • Changes to xSQLServerEndpointState
    • Cleaned up code, removed SupportsShouldProcess and fixed PSSA rules warnings (issue 258 and issue 230).
    • Now the default value for the parameter State is “Started”.
    • Updated README.md with a description for the resources and revised the parameter descriptions.
    • Removed dependency of SQLPS provider (issue 481).
    • The parameter NodeName is no longer mandatory and has now the default value of $env:COMPUTERNAME.
    • The parameter Name is now a key so it is now possible to change the state on more than one endpoint on the same instance. Note: The resource still only supports Database Mirror endpoints at this time.
  • Changes to xSQLServerHelper module
    • Removing helper function Get-SQLAlwaysOnEndpoint because there is no resource using it any longer.
    • BREAKING CHANGE: Changed helper function Import-SQLPSModule to support SqlServer module (issue 91). The SqlServer module is the preferred module so if it is found it will be used, and if not found an attempt will be done to load SQLPS module instead.
  • Changes to xSQLServerScript
    • Updated tests for this resource, because they failed when Import-SQLPSModule was updated.
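
The reworked xSQLServerRole parameters listed above, shown as an added example that is not part of the release notes or the module's own examples. The connection parameters SQLServer and SQLInstanceName, the host and instance names, the custom role name and the CONTOSO logins are assumptions constructed for illustration.

```powershell
Configuration ServerRoleMembership
{
    Import-DscResource -ModuleName xSQLServer

    Node 'localhost'
    {
        # Custom role with authoritative membership. Per the release notes the
        # role is created if it does not exist, and Members replaces all
        # existing memberships, so a login added out of band is removed the
        # next time the configuration is applied.
        xSQLServerRole Enforce_AuditReaders
        {
            Ensure          = 'Present'
            ServerRoleName  = 'AuditReaders'                      # constructed role name
            Members         = 'CONTOSO\SecOps', 'CONTOSO\IRTeam'  # constructed logins
            SQLServer       = 'SQL01'                             # assumed parameter, constructed host
            SQLInstanceName = 'MSSQLSERVER'                       # assumed parameter
        }

        # Built-in role adjusted incrementally. MembersToInclude and
        # MembersToExclude may be combined with each other but not with
        # Members; memberships not named here are left untouched, which avoids
        # accidentally stripping service accounts from sysadmin.
        xSQLServerRole Adjust_SysAdmin
        {
            Ensure           = 'Present'
            ServerRoleName   = 'sysadmin'
            MembersToInclude = 'CONTOSO\SqlAdmins'     # constructed login
            MembersToExclude = 'CONTOSO\Contractor01'  # constructed login
            SQLServer        = 'SQL01'
            SQLInstanceName  = 'MSSQLSERVER'
        }
    }
}

# No credential is passed, so the account the LCM runs as (SYSTEM by default)
# must be allowed to alter server roles on the instance.
ServerRoleMembership -OutputPath .\ServerRoleMembership
```

Members suits roles whose membership should be exactly what is in source control; the include/exclude pair suits built-in roles where other memberships are managed elsewhere.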

How to Find Released DSC Resource Modules

To see a list of all released DSC Resource Kit modules, go to the PowerShell Gallery and display all modules tagged as DSCResourceKit. You can also enter a module’s name in the search box in the upper right corner of the PowerShell Gallery to find a specific module.

Of course, you can also always use PowerShellGet (available in WMF 5.0) to find modules with DSC Resources:

# To list all modules that are part of the DSC Resource Kit
Find-Module -Tag DSCResourceKit
# To list all DSC resources from all sources
Find-DscResource

To find a specific module, go directly to its URL on the PowerShell Gallery:
http://www.powershellgallery.com/packages/< module name >
For example:

How to Install DSC Resource Modules From the PowerShell Gallery

We recommend that you use PowerShellGet to install DSC resource modules:

Install-Module -Name < module name >

For example:

Install-Module -Name xWebAdministration

To update all previously installed modules at once, open an elevated PowerShell prompt and use this command:


After installing modules, you can discover all DSC resources available to your local system with this command:


How to Find DSC Resource Modules on GitHub

All resource modules in the DSC Resource Kit are available open-source on GitHub.
You can see the most recent state of a resource module by visiting its GitHub page at:
https://github.com/PowerShell/< module name >
For example, for the xCertificate module, go to:

All DSC modules are also listed as submodules of the DscResources repository in the xDscResources folder.

How to Contribute

You are more than welcome to contribute to the development of the DSC Resource Kit! There are several different ways you can help. You can create new DSC resources or modules, add test automation, improve documentation, fix existing issues, or open new ones.
See our contributing guide for more info on how to become a DSC Resource Kit contributor.

If you would like to help, please take a look at the list of open issues for the DscResources repository.
You can also check issues for specific resource modules by going to:
https://github.com/PowerShell/< module name >/issues
For example:

Your help in developing the DSC Resource Kit is invaluable to us!

Questions, comments?

If you’re looking into using PowerShell DSC, have questions or issues with a current resource, or would like a new resource, let us know in the comments below, on Twitter (@PowerShell_Team), or by creating an issue on GitHub.

Katie Keim
Software Engineer
PowerShell Team
@katiedsc (Twitter)
@kwirkykat (GitHub)

Hypervisor Compatibility with OS Override HW compatibility with OS

Hi All,


We are in a situation where we need to run RHEL 6.5 on Intel E5-2640 v4 CPU (HP BL 460G9). The hypervisor will be ESXi 6.0. The version of RHEL is compatible with the hypervisor, however, RHEL 6.5 is not certified to be run on E5-2640 v4. (Minimum RHEL version required is 6.7).


My question is, if we run RHEL on top of a VM, is the compatibility between RHEL and ESXi enough or the particular RHEL version needs to be compatible with the actual HW itself?





Problem with Vcenter Server 5.5

Hi, I have some VMs hosted on shared ISCSI storage (not local datastore). I have configured both Management and ISCSI network on the same nic (vmnic0).

If I try to add a portgroup created on vmnic1 to the VM, the ESX host completely hangs and I have to reboot the host itself.



Is it like we should not have both Management and ISCSI network configured on the same NIC?





A Comparison of Shell and Scripting Language Security

PowerShell Security is a topic on everybody’s mind. Most of all – ours.

As PowerShell has become more popular with Administrators, it has also become more popular for unauthorized administrators – also known as “Attackers”. In any operating system or platform, the power and efficiency you provide to authorized administrators is also available to unauthorized administrators. For example, Unix, Linux, and Mac all have dozens of powerful built in compilers, scripting languages, and debuggers. It’s a power user’s dream, but also a liability.

The PowerShell team has recognized this double-edged sword since the introduction of PowerShell in 2006. In the last 10 years, we’ve invested greatly in both securing and hardening PowerShell. In PowerShell version 5, we really cranked up the dials on making PowerShell security transparent – the results of which we describe in our post, “PowerShell ♥ the Blue Team“.

As part of this effort, we’ve also done a deep comparative analysis on security between available shells and scripting languages. Where are we weak? What security features do other shells or scripting languages offer that PowerShell could perhaps learn from?

We broke this evaluation into seven major categories:

  • Event Logging – The engine logs audit events of important operational events.
  • Transcription – The engine logs application inputs and outputs.
  • Dynamic Evaluation Logging – The engine logs the content of all content evaluation, including those generated or composed at runtime.
  • Code Integrity Policies – The engine allows enforcement of code integrity / application whitelisting policies, including user-authored documents / scripts.
  • Antimalware Integration – The engine actively integrates with antimalware software to evaluate the safety of code generated at runtime.
  • Local Sandboxing – The engine allows sandboxing of behavior for local and interactive use.
  • Remote Sandboxing – The engine allows sandboxing of behavior when accessed remotely.

This is the result of our analysis. We would love any feedback you have – especially if you are aware of a feature or protection we missed. Misrepresenting any of this data does nobody any good.

Lee Holmes [MSFT]
Azure Management Security
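
A defender's check for how several of the categories above are configured for Windows PowerShell 5.x on a given machine, as an added example that is not part of the original post. The function name Get-PSLoggingPosture and the mapping of each category to a specific Group Policy value or engine setting are assumptions of this example.

```powershell
function Get-PSLoggingPosture
{
    [CmdletBinding()]
    param
    (
        # Machine-scope Group Policy root for Windows PowerShell.
        [string] $PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    )

    # Category (from the list above) -> policy subkey and DWORD value name.
    $checks = @(
        @{ Category = 'Event Logging';              Key = 'ModuleLogging';      Value = 'EnableModuleLogging' }
        @{ Category = 'Transcription';              Key = 'Transcription';      Value = 'EnableTranscripting' }
        @{ Category = 'Dynamic Evaluation Logging'; Key = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' }
    )

    foreach ($check in $checks)
    {
        $path    = Join-Path -Path $PolicyRoot -ChildPath $check.Key
        # A missing key or value means the policy is not configured.
        $setting = Get-ItemProperty -Path $path -Name $check.Value -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Category = $check.Category
            Setting  = $check.Value
            Enabled  = ($null -ne $setting -and $setting.($check.Value) -eq 1)
        }
    }

    # Code integrity: when an application whitelisting policy is enforced,
    # the session runs in ConstrainedLanguage rather than FullLanguage.
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{
        Category = 'Code Integrity Policies'
        Setting  = "LanguageMode=$mode"
        Enabled  = ($mode -eq 'ConstrainedLanguage')
    }
}

Get-PSLoggingPosture | Format-Table -AutoSize
```

A row with Enabled = False for script block logging or transcription means that activity in that category leaves no record on the host.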

Don’t Login on Untrusted Computers

A password is only as secure as the computer or network it is used on. As such, never log in to a sensitive account from a public computer, such as computers in a cyber cafe, hotel lobby or conference hall. Bad guys target public computers such as these and infect them on purpose. The moment you type your password on an infected computer, these cyber criminals can harvest your passwords. If you have no choice but to use a public computer, change your password at the next available opportunity you have access to a trusted computer.

ESX 6 The filesystem where disk disk.vmdk resides is full

A recently converted virtual machine from Redhat virtualization was moved to ESX 6 host.

The command to convert the RAW RHEV virtual machine was:

qemu-img convert rhevvmdisk -O vmdk disk-id0.vmdk


The same command was used for 8 other machines. The other 8 are just fine.


Then I just created a VM (they are all Windows 2008 R2 64-bit, 8GB RAM with thick disks) and attached the converted disk. The VM booted fine, I even had the chance to install the VM tools and booted about 10 times over a 24 hour period before the error appeared.

Someone recommended to run vmkfstools -i DiskImage.vmdk -d thin /MyServer/DiskImage.vmdk but since the machine booted just fine, I did not do it to this or any of the others.


The datastore is an NFS mount located on a Synology 416 (4x3TB SATA3 HDD, dual Gbit NIC in bond). This is just to run 8 simple VMs that generate very low network usage. Async is disabled on the NFS server.

VAAI primitives are loaded for the Synology units.


An error appeared that I have no clue how to troubleshoot, please see the attached image. I have also attached the corresponding VM vmware.log file.


Virtual Machine Message
The operation on the file "/vmfs/devices/deltadisks/19fd63f4-worryfree-disk0-s001.vmdk" failed (14(Bad address)). 
The file system where disk "/vmfs/devices/deltadisks/19fd63f4-WORRYFREE-disk0-s001.vmdk" resides is full. 
Select button.retry to attempt the operation again. Select button.abort to end the session.


The datastore in question has 5.12TB free so hard disk space is not a real issue here. And the other 8 VMs are humming just fine. Strange entries begin at around line 9725 in the vmware.log file

2017-04-05T16:59:35.843Z| vmx| I120: ide0:0: Command WRITE(10) took 1.234 seconds (ok)

2017-04-05T16:59:48.343Z| vmx| I120: ide0:0: Command WRITE(10) took 1.311 seconds (ok)

2017-04-05T17:00:42.091Z| vmx| I120: ide0:0: Command WRITE(10) took 1.108 seconds (ok)

2017-04-05T17:01:56.185Z| vmx| I120: DISKLIB-LIB   : numIOs = 1300000 numMergedIOs = 0 numSplitIOs = 0

2017-04-05T17:08:40.021Z| Worker#1| I120: FileIOErrno2Result: Unexpected errno=14, Bad address

2017-04-05T17:08:40.022Z| vmx| I120: VMXAIOMGR: Retry on write “/vmfs/devices/deltadisks/19fd63f4-WORRYFREE-disk0-s001.vmdk” : Bad address.

2017-04-05T17:08:40.022Z| vmx| I120: VMXAIOMGR: system : err=e0002 errCode=14 freeSpace=0

2017-04-05T17:08:40.022Z| vmx| I120: VMXAIOMGR: “/vmfs/devices/deltadisks/19fd63f4-WORRYFREE-disk0-s001.vmdk” : write s=7766048768 n=131072 ne=1, fai=0

2017-04-05T17:08:40.022Z| vmx| I120: VMXAIOMGR:             v[0]=6800202E000:131072

2017-04-05T17:08:40.022Z| Worker#0| I120: FileIOErrno2Result: Unexpected errno=14, Bad address

2017-04-05T17:08:40.022Z| vmx| I120: VMXAIOMGR: Retry on write “/vmfs/devices/deltadisks/19fd63f4-WORRYFREE-disk0-s001.vmdk” : Bad address.

2017-04-05T17:08:40.022Z| vmx| I120: VMXAIOMGR: system : err=e0002 errCode=14 freeSpace=0

2017-04-05T17:08:40.022Z| vmx| I120: VMXAIOMGR: “/vmfs/devices/deltadisks/19fd63f4-WORRYFREE-disk0-s001.vmdk” : write s=7766048768 n=131072 ne=1, fai=0

2017-04-05T17:08:40.022Z| vmx| I120: VMXAIOMGR:             v[0]=6800202E000:131072

2017-04-05T17:08:40.022Z| Worker#1| I120: FileIOErrno2Result: Unexpected errno=14, Bad address



Please advise on places to look for clues.