Using other DSC modules with SharePointDsc

This post has been republished via RSS; it originally appeared at: SharePointDsc articles.

When I create Desired State Configuration configurations, SharePointDsc is usually just one of the DSC modules I use in my configuration. There are several other modules that are very useful when deploying or managing SharePoint environments.

| Resource | Description |
| --- | --- |
| ActiveDirectoryDsc | Resources to manage Active Directory components. Used, for example, to create service accounts or a SharePoint administrators domain group. |
| CertificateDsc | Resources to manage certificates. Used, for example, to import SSL certificates into the local certificate store. |
| ComputerManagementDsc | Resources to manage various Windows components. Used, for example, to manage Scheduled Tasks or trigger reboots. |
| OfficeOnlineServerDsc | Resources to install and manage Office Online Server. Office Online Server is often used alongside SharePoint. Using this module, you can install and configure OOS in an automated way. |
| SChannelDsc | Resources to manage Secure Channel components. Used, for example, to configure allowed cipher suites or protocols, such as disabling SSLv3 and TLS v1.0/v1.1. |
| SQLServerDsc | Resources to install and manage SQL Server. SQL Server is required to run SharePoint, but it needs certain settings, such as the MaxDOP setting and the database compatibility level. Using this module, you can configure SQL Server in an optimal way for SharePoint. |
| WorkflowManagerDsc | Resources to install and configure Workflow Manager. When using SharePoint 2013 workflows, you need Workflow Manager to be deployed onto your SharePoint servers. This module can deploy Workflow Manager in an automated way. |
| xCredSSP | Resources to manage CredSSP authentication settings. Used, for example, to enable CredSSP, which is required to use SharePointDsc when using PowerShell v4.0 or with specific SharePointDsc resources. |
| xWebAdministration | Resources to manage Internet Information Server (IIS) components. Used, for example, to disable the default web site/application pools or configure logging settings. |

The configuration below is an example that uses all of the above resources to configure a server with everything except SharePoint. You can use this as a starting point for your own configuration.

```powershell
Configuration DeploySharePoint
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential]
        $InstallAccount,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential]
        $WMRunAsCredential,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential]
        $CertificatePassword
    )

    Import-DscResource -ModuleName ActiveDirectoryDsc
    Import-DscResource -ModuleName CertificateDsc
    Import-DscResource -ModuleName ComputerManagementDsc
    Import-DscResource -ModuleName OfficeOnlineServerDsc
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName SChannelDsc
    Import-DscResource -ModuleName SharePointDsc
    Import-DscResource -ModuleName SQLServerDsc
    Import-DscResource -ModuleName xWebAdministration
    Import-DscResource -ModuleName xCredSSP
    Import-DscResource -ModuleName WorkflowManagerDsc

    node 'SP01'
    {
        # Configure CredSSP settings using xCredSSP
        xCredSSP 'Server'
        {
            Ensure = 'Present'
            Role   = 'Server'
        }

        xCredSSP 'Client'
        {
            Ensure            = 'Present'
            Role              = 'Client'
            DelegateComputers = @("SP01","SP01.domain.com")
        }

        # Configure service account and admin group using ActiveDirectoryDsc
        ADUser 'SP_Farm'
        {
            DomainName           = 'DOMAIN'
            UserName             = 'sp_farm'
            UserPrincipalName    = 'sp_farm@domain.com'
            Password             = $InstallAccount
            DisplayName          = 'SharePoint Farm Service Account'
            Description          = 'SharePoint Farm Service Account'
            Path                 = 'OU=Service Accounts,OU=SharePoint,DC=domain,DC=com'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        ADGroup 'ExampleGroup'
        {
            GroupName   = 'SPAdmins'
            GroupScope  = 'Global'
            Category    = 'Security'
            Description = 'SharePoint Administrators'
            Ensure      = 'Present'
        }

        # Import SSL certificate using CertificateDsc
        PfxImport 'ImportSSLCertificate'
        {
            Thumbprint = '<thumbprint>'
            Path       = 'C:\Cert\sslcert.pfx'
            Location   = 'LocalMachine'
            Store      = 'My'
            Credential = $CertificatePassword
        }

        # Configure Secure Channel settings using SChannelDsc
        Protocol 'DisableSSLv2'
        {
            Protocol          = "SSL 2.0"
            IncludeClientSide = $true
            State             = "Disabled"
        }

        Protocol 'DisableSSLv3'
        {
            Protocol          = "SSL 3.0"
            IncludeClientSide = $true
            State             = "Disabled"
        }

        Protocol 'DisableTLSv1'
        {
            Protocol          = "TLS 1.0"
            IncludeClientSide = $true
            State             = "Disabled"
        }

        Protocol 'DisableTLSv11'
        {
            Protocol          = "TLS 1.1"
            IncludeClientSide = $true
            State             = "Disabled"
        }

        Protocol 'EnableTLSv12'
        {
            Protocol          = "TLS 1.2"
            IncludeClientSide = $true
            State             = "Enabled"
        }

        SChannelSettings 'ConfigureSChannel'
        {
            IsSingleInstance          = 'Yes'
            TLS12State                = 'Enabled'
            EnableFIPSAlgorithmPolicy = $false
        }

        CipherSuites 'ConfigureCipherSuites'
        {
            IsSingleInstance  = 'Yes'
            CipherSuitesOrder = @(
                'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
                'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
                'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
                'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
                'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
                'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
                'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
                'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
                'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
                'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
                'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
                'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
                'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
                'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
                'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
                'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
                'TLS_RSA_WITH_AES_256_GCM_SHA384',
                'TLS_RSA_WITH_AES_128_GCM_SHA256',
                'TLS_RSA_WITH_AES_256_CBC_SHA256',
                'TLS_RSA_WITH_AES_128_CBC_SHA256',
                'TLS_RSA_WITH_AES_256_CBC_SHA',
                'TLS_RSA_WITH_AES_128_CBC_SHA',
                'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
                'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
                'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
                'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
                'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
                'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
                'TLS_PSK_WITH_AES_256_GCM_SHA384',
                'TLS_PSK_WITH_AES_128_GCM_SHA256',
                'TLS_PSK_WITH_AES_256_CBC_SHA384',
                'TLS_PSK_WITH_AES_128_CBC_SHA256'
            )
            Ensure            = "Present"
        }

        # Configure SSL on IIS website using xWebAdministration
        xWebsite "Website"
        {
            Name            = 'SharePoint Central Administration v4'
            ApplicationPool = 'SharePoint Central Administration v4'
            BindingInfo     = @(
                MSFT_xWebBindingInformation
                {
                    Protocol              = 'HTTPS'
                    Port                  = '443'
                    CertificateThumbprint = '<thumbprint>'
                    CertificateStoreName  = 'My'
                    IPAddress             = '*'
                    Hostname              = 'centraladmin.domain.com'
                }
            )
        }

        # Configure SQL to grant SPAdmins AD group access to databases using SQLServerDsc
        SqlServerLogin 'AddSPAdminsGroupLoginToInstance_Infra'
        {
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'DOMAIN\SPAdmins'
            LoginType            = 'WindowsGroup'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabaseUser 'Config_AddSPAdminGroup'
        {
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            DatabaseName         = 'SharePoint_Config'
            Name                 = 'DOMAIN\SPAdmins'
            UserType             = 'Login'
            LoginName            = 'DOMAIN\SPAdmins'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabaseRole 'Config_ConfigureInstallAccountDBOwner'
        {
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Database             = 'SharePoint_Config'
            Name                 = 'db_owner'
            MembersToInclude     = 'DOMAIN\SPAdmins'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabaseUser 'AdminContent_AddSPAdminGroup'
        {
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            DatabaseName         = 'SharePoint_AdminContent'
            Name                 = 'DOMAIN\SPAdmins'
            UserType             = 'Login'
            LoginName            = 'DOMAIN\SPAdmins'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabaseRole 'AdminContent_ConfigureInstallAccountDBOwner'
        {
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Database             = 'SharePoint_AdminContent'
            Name                 = 'db_owner'
            MembersToInclude     = 'DOMAIN\SPAdmins'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        # Install and configure Workflow Manager using WorkflowManagerDsc
        WorkflowManagerInstall 'WFInstall'
        {
            Ensure               = "Present"
            WebPIPath            = 'C:\Install\Workflow\bin\WebpiCmd.exe'
            XMLFeedPath          = 'C:\Install\Workflow\feeds\latest\webproductlist.xml'
            ComponentsToInstall  = "All"
            PsDscRunAsCredential = $InstallAccount
        }

        WorkflowManagerFarm 'WFFarmConfig'
        {
            Ensure                       = "Present"
            DatabaseServer               = 'SQL01'
            CertAutoGenerationKey        = $WMRunAsCredential
            RunAsAccount                 = $WMRunAsCredential
            ServiceBusFarmDB             = "SB_Management"
            ServiceBusGatewayDB          = "SB_Gateway"
            ServiceBusMessageContainerDB = "SB_MessageContainer"
            WorkflowManagerFarmDB        = "WF_Management"
            WorkflowManagerInstanceDB    = "WF_Instance"
            WorkflowManagerResourceDB    = "WF_Resource"
            EnableFirewallRules          = $true
            PsDscRunAsCredential         = $WMRunAsCredential
        }

        # Configure database compatibility level for WM databases using SQLServerDsc (minimum v13.4)
        SqlDatabase 'DatabaseCompatLevel_SBManagement'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'SB_Management'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabase 'DatabaseCompatLevel_SBGateway'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'SB_Gateway'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabase 'DatabaseCompatLevel_SBMessageContainer'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'SB_MessageContainer'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabase 'DatabaseCompatLevel_WFManagement'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'WF_Management'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabase 'DatabaseCompatLevel_WFInstance'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'WF_Instance'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabase 'DatabaseCompatLevel_WFResource'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'WF_Resource'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        # Disable Scheduled Task using ComputerManagementDsc
        ScheduledTask 'DisableWFSchedTask'
        {
            TaskName             = 'Workflow Manager 1.0 CEIP Uploader Task'
            TaskPath             = '\Microsoft\Windows\PowerShell\ScheduledJobs'
            Enable               = $false
            PsDscRunAsCredential = $InstallAccount
        }

        # Configure IIS using xWebAdministration
        # DependsOn refers to the SPInstallPrereqs resource 'Install_SP_Prereqs' of the
        # SharePoint part of your configuration, which is not included in this example.
        # That resource has to exist on this node before the configuration will compile.
        xWebAppPool 'DisableDotNet2Pool'         { Name = '.NET v2.0';            State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebAppPool 'DisableDotNet2ClassicPool'  { Name = '.NET v2.0 Classic';    State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebAppPool 'DisableDotNet45Pool'        { Name = '.NET v4.5';            State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebAppPool 'DisableDotNet45ClassicPool' { Name = '.NET v4.5 Classic';    State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebAppPool 'DisableClassicDotNetPool'   { Name = 'Classic .NET AppPool'; State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebAppPool 'DisableDefaultAppPool'      { Name = 'DefaultAppPool';       State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebSite    'DisableDefaultWebSite'      { Name = 'Default Web Site';     State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }

        xIisLogging 'ConfigureIISLogging'
        {
            LogPath              = 'D:\Logs\IIS'
            Logflags             = @('Date','Time','ServerIP','Method','UriStem','UriQuery','ServerPort','UserName','ClientIP','UserAgent','Referer','HttpStatus','HttpSubStatus','Win32Status','TimeTaken')
            LoglocalTimeRollover = $true
            LogPeriod            = 'Daily'
            LogFormat            = 'W3C'
        }
    }

    node 'OOS1'
    {
        # Import SSL certificate using CertificateDsc
        PfxImport 'ImportSSLCertificate'
        {
            Thumbprint = '<thumbprint>'
            Path       = 'C:\Cert\sslcert.pfx'
            Location   = 'LocalMachine'
            Store      = 'My'
            Credential = $CertificatePassword
        }

        # These features are required for OOS on Windows Server 2016
        $requiredFeatures = @(
            'Web-Server',
            'Web-Mgmt-Tools',
            'Web-Mgmt-Console',
            'Web-WebServer',
            'Web-Common-Http',
            'Web-Default-Doc',
            'Web-Static-Content',
            'Web-Performance',
            'Web-Stat-Compression',
            'Web-Dyn-Compression',
            'Web-Security',
            'Web-Filtering',
            'Web-Windows-Auth',
            'Web-App-Dev',
            'Web-Net-Ext45',
            'Web-Asp-Net45',
            'Web-ISAPI-Ext',
            'Web-ISAPI-Filter',
            'Web-Includes',
            'NET-Framework-Features',
            'NET-Framework-45-Features',
            'NET-Framework-Core',
            'NET-Framework-45-Core',
            'NET-HTTP-Activation',
            'NET-Non-HTTP-Activ',
            'NET-WCF-HTTP-Activation45',
            'Windows-Identity-Foundation',
            'Server-Media-Foundation'
        )

        foreach ($feature in $requiredFeatures)
        {
            WindowsFeature "WindowsFeature_$feature"
            {
                Name   = $feature
                Ensure = 'Present'
            }
        }

        # Resource references for all features above (not used further in this example)
        $prereqDependencies = $requiredFeatures | ForEach-Object -Process {
            return "[WindowsFeature]WindowsFeature_$_"
        }

        # Install Office Online Server prerequisites using PSDesiredStateConfiguration
        Package 'Install_VC2013ReDistx64'
        {
            Name                 = 'Microsoft Visual C++ 2013 Redistributable (x64)'
            Path                 = 'C:\Install\Prereqs\vcredist_x64.exe'
            Arguments            = '/quiet /norestart'
            ProductId            = '042d26ef-3dbe-4c25-95d3-4c1b11b235a7'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        Package 'Install_VC2017ReDistx64'
        {
            Name                 = 'Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.24.28127'
            Path                 = 'C:\Install\Prereqs\vc_redist.x64.exe'
            Arguments            = '/quiet /norestart'
            ProductId            = '282975d8-55fe-4991-bbbb-06a72581ce58'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        Package 'Install_MicrosoftIdentityExtensions'
        {
            Name                 = 'Microsoft Identity Extensions'
            Path                 = 'C:\Install\Prereqs\MicrosoftIdentityExtensions-64.msi'
            Arguments            = '/quiet'
            ProductId            = 'f99f24bf-0b90-463e-9658-3fd2efc3c992'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        # Install and configure OOS using OfficeOnlineServerDsc
        OfficeOnlineServerInstall 'Install_OOS_Binaries'
        {
            Path                 = 'C:\Install\OOS\setup.exe'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        OfficeOnlineServerInstallLanguagePack 'Install_OOS_NL_LanguagePack'
        {
            Ensure               = 'Present'
            BinaryDir            = 'C:\Install\OOS\LanguagePackNL'
            Language             = 'nl-nl'
            PsDscRunAsCredential = $InstallAccount
        }

        OfficeOnlineServerProductUpdate 'Update_OOS_Installation'
        {
            Ensure               = 'Present'
            SetupFile            = 'C:\Install\OOS\CU\oos_cu.exe'
            Servers              = "OOS1"
            PsDscRunAsCredential = $InstallAccount
        }

        OfficeOnlineServerFarm 'Create_OOS_Farm'
        {
            InternalURL          = 'https://oos.domain.com'
            EditingEnabled       = $true
            CertificateName      = 'SSLCertificate'
            AllowCEIP            = $false
            LogLocation          = 'D:\Logs\OOS'
            LogRetentionInDays   = 30
            CacheLocation        = 'C:\OOS\Cache'
            CacheSizeInGB        = 1
            PsDscRunAsCredential = $InstallAccount
        }

        # Configure IIS using xWebAdministration
        # On this node IIS is installed by the Web-Server feature above, so the IIS
        # resources depend on that feature instead of on the SharePoint prerequisites.
        xWebAppPool 'DisableDotNet2Pool'         { Name = '.NET v2.0';            State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebAppPool 'DisableDotNet2ClassicPool'  { Name = '.NET v2.0 Classic';    State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebAppPool 'DisableDotNet45Pool'        { Name = '.NET v4.5';            State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebAppPool 'DisableDotNet45ClassicPool' { Name = '.NET v4.5 Classic';    State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebAppPool 'DisableClassicDotNetPool'   { Name = 'Classic .NET AppPool'; State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebAppPool 'DisableDefaultAppPool'      { Name = 'DefaultAppPool';       State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebSite    'DisableDefaultWebSite'      { Name = 'Default Web Site';     State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }

        xIisLogging 'ConfigureIISLogging'
        {
            LogPath              = 'D:\Logs\IIS'
            Logflags             = @('Date','Time','ServerIP','Method','UriStem','UriQuery','ServerPort','UserName','ClientIP','UserAgent','Referer','HttpStatus','HttpSubStatus','Win32Status','TimeTaken')
            LoglocalTimeRollover = $true
            LogPeriod            = 'Daily'
            LogFormat            = 'W3C'
        }
    }
}
```
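
The configuration above takes three PSCredential parameters, and DSC will not compile PSCredential properties into a MOF file unless it can encrypt them or plaintext storage is explicitly allowed. The following is an added example, not part of the original post, of compiling DeploySharePoint with the credentials encrypted per node; the certificate file paths, the output folder, the LcmCredentialEncryption name and the thumbprint placeholders are assumptions.

```powershell
# Added example, not from the original post. File paths, the output folder and
# the thumbprint placeholders are assumptions; replace them with your own values.

# Public key (.cer) of each node's document-encryption certificate. DSC uses it
# at compile time to encrypt every PSCredential written to that node's MOF file.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'SP01'
            CertificateFile = 'C:\Dsc\PublicKeys\SP01.cer'
            Thumbprint      = '<thumbprint of SP01 DSC certificate>'
        },
        @{
            NodeName        = 'OOS1'
            CertificateFile = 'C:\Dsc\PublicKeys\OOS1.cer'
            Thumbprint      = '<thumbprint of OOS1 DSC certificate>'
        }
    )
}

# Meta-configuration: tells the LCM on each node which certificate (private key
# in the local machine store) decrypts the credentials.
[DSCLocalConfigurationManager()]
Configuration LcmCredentialEncryption
{
    node $AllNodes.NodeName
    {
        Settings
        {
            CertificateID = $Node.Thumbprint
        }
    }
}

$installAccount = Get-Credential -Message 'Install account'
$wmRunAs        = Get-Credential -Message 'Workflow Manager RunAs account'
$certPassword   = Get-Credential -Message 'PFX password' -UserName 'pfx'

LcmCredentialEncryption -ConfigurationData $configData -OutputPath 'C:\Dsc\Mof'
DeploySharePoint -ConfigurationData $configData -OutputPath 'C:\Dsc\Mof' `
    -InstallAccount $installAccount -WMRunAsCredential $wmRunAs `
    -CertificatePassword $certPassword

# Check before distributing the MOFs: no file may contain a cleartext password.
$secrets = $installAccount, $wmRunAs, $certPassword |
    ForEach-Object { $_.GetNetworkCredential().Password }
$leaks = Select-String -Path 'C:\Dsc\Mof\*.mof' -Pattern $secrets -SimpleMatch
if ($leaks) { throw "Cleartext credential found in: $($leaks.Path -join ', ')" }
```

Apply the generated meta-MOF files with Set-DscLocalConfigurationManager before pushing the configuration, so that each node's LCM knows which certificate to decrypt with.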

 
