When I create Desired State Configuration (DSC) configurations, SharePointDsc is usually just one of the DSC modules I use in my configuration. Several other modules are very useful when deploying or managing SharePoint environments.
| Resource | Description |
| --- | --- |
| ActiveDirectoryDsc | Resources to manage Active Directory components. For example, used to create service accounts or a SharePoint administrators domain group. |
| CertificateDsc | Resources to manage certificates. For example, used to import SSL certificates into the local certificate store. |
| ComputerManagementDsc | Resources to manage various Windows components. For example, used to manage Scheduled Tasks or trigger reboots. |
| OfficeOnlineServerDsc | Resources to install and manage Office Online Server (OOS). Office Online Server is often used alongside SharePoint. Using this module you can install and configure OOS in an automated way. |
| SChannelDsc | Resources to manage Secure Channel components. For example, used to configure allowed cipher suites or protocols, such as disabling SSLv3 and TLS v1.0/v1.1. |
| SQLServerDsc | Resources to install and manage SQL Server. SQL Server is required to run SharePoint, but SharePoint requires certain settings, such as the MaxDOP setting and the database compatibility level. Using this module, you can configure SQL Server in an optimal way for SharePoint. |
| WorkflowManagerDsc | Resources to install and configure Workflow Manager. When using SharePoint 2013 workflows, you need Workflow Manager to be deployed onto your SharePoint servers. This module is able to deploy Workflow Manager in an automated way. |
| xCredSSP | Resources to manage CredSSP authentication settings. For example, used to enable CredSSP, which is required to use SharePointDsc when using PowerShell v4.0 or with specific SharePointDsc resources. |
| xWebAdministration | Resources to manage Internet Information Server (IIS) components. For example, used to disable the default web site/application pools or configure logging settings. |
The configuration below is an example that uses all of the above resources to configure a server with everything except SharePoint. You can use it as a starting point for your own configuration.
Configuration DeploySharePoint
{
# All secrets enter the configuration as PSCredential objects.
# NOTE(review): credentials used in a DSC configuration end up in the compiled MOF;
# compile with ConfigurationData that names a node certificate so they are encrypted,
# instead of allowing plain-text passwords.
param
(
    # Used as PsDscRunAsCredential by most resources below, and as the Password
    # of the sp_farm AD user.
    [Parameter(Mandatory = $true)]
    [ValidateNotNullorEmpty()]
    [PSCredential]
    $InstallAccount,

    # Used by WorkflowManagerFarm (run-as account, certificate generation key
    # and PsDscRunAsCredential).
    [Parameter(Mandatory = $true)]
    [ValidateNotNullorEmpty()]
    [PSCredential]
    $WMRunAsCredential,

    # Passed as Credential to the PfxImport resources that import the SSL certificate.
    [Parameter(Mandatory = $true)]
    [ValidateNotNullorEmpty()]
    [PSCredential]
    $CertificatePassword
)

# DSC modules whose resources are used in the node blocks below.
# SharePointDsc is imported, but this sample only references it through DependsOn.
Import-DscResource -ModuleName ActiveDirectoryDsc
Import-DscResource -ModuleName CertificateDsc
Import-DscResource -ModuleName ComputerManagementDsc
Import-DscResource -ModuleName OfficeOnlineServerDsc
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName SChannelDsc
Import-DscResource -ModuleName SharePointDsc
Import-DscResource -ModuleName SQLServerDsc
Import-DscResource -ModuleName xWebAdministration
Import-DscResource -ModuleName xCredSSP
Import-DscResource -ModuleName WorkflowManagerDsc
node SP01
{
# Configure CredSSP settings using xCredSSP: enable the server role and the client role.
# NOTE(review): CredSSP passes the caller's credentials on to the remote end, so keep
# DelegateComputers restricted to explicitly named hosts (as done here) and avoid
# wildcard entries.
xCredSSP 'Server'
{
    Ensure = 'Present'
    Role   = 'Server'
}

xCredSSP 'Client'
{
    Ensure            = 'Present'
    Role              = 'Client'
    DelegateComputers = @('SP01', 'SP01.domain.com')
}
# Configure service account and admin group using ActiveDirectoryDsc
ADUser 'SP_Farm'
{
    Ensure               = 'Present'
    DomainName           = 'DOMAIN'
    UserName             = 'sp_farm'
    UserPrincipalName    = 'sp_farm@domain.com'
    DisplayName          = 'SharePoint Farm Service Account'
    Description          = 'SharePoint Farm Service Account'
    Path                 = 'OU=Service Accounts,OU=SharePoint,DC=domain,DC=com'
    # NOTE(review): the password for sp_farm is taken from $InstallAccount, the same
    # credential the resource runs under, so the farm service account and the install
    # account share one secret. Prefer a dedicated credential for the farm account.
    Password             = $InstallAccount
    PsDscRunAsCredential = $InstallAccount
}

# NOTE(review): unlike ADUser above, this resource sets no run-as credential and no
# Path; confirm the default execution context may create groups in the domain.
ADGroup 'ExampleGroup'
{
    Ensure      = 'Present'
    GroupName   = 'SPAdmins'
    GroupScope  = 'Global'
    Category    = 'Security'
    Description = 'SharePoint Administrators'
}
# Import SSL certificate using CertificateDsc.
# '<thumbprint>' is a placeholder: replace it with the thumbprint of the certificate
# inside the PFX. The PFX holds the private key, so restrict access to C:\Cert.
PfxImport 'ImportSSLCertificate'
{
    Path       = 'C:\Cert\sslcert.pfx'
    Thumbprint = '<thumbprint>'
    Location   = 'LocalMachine'
    Store      = 'My'
    Credential = $CertificatePassword
}
# Configure Secure Channel settings using SChannelDsc.
# SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are disabled; only TLS 1.2 is enabled.
# IncludeClientSide = $true is set on every entry, so the same state is requested
# for the client side of the protocol as well.
Protocol 'DisableSSLv2'
{
    Protocol          = 'SSL 2.0'
    State             = 'Disabled'
    IncludeClientSide = $true
}

Protocol 'DisableSSLv3'
{
    Protocol          = 'SSL 3.0'
    State             = 'Disabled'
    IncludeClientSide = $true
}

Protocol 'DisableTLSv1'
{
    Protocol          = 'TLS 1.0'
    State             = 'Disabled'
    IncludeClientSide = $true
}

Protocol 'DisableTLSv11'
{
    Protocol          = 'TLS 1.1'
    State             = 'Disabled'
    IncludeClientSide = $true
}

Protocol 'EnableTLSv12'
{
    Protocol          = 'TLS 1.2'
    State             = 'Enabled'
    IncludeClientSide = $true
}

# Machine-wide SChannel settings: TLS 1.2 state enabled, FIPS algorithm policy off.
SChannelSettings 'ConfigureSChannel'
{
    IsSingleInstance          = 'Yes'
    TLS12State                = 'Enabled'
    EnableFIPSAlgorithmPolicy = $false
}
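# Set the cipher suite order using SChannelDsc.
# The published list contained every suite twice, with a missing comma that fused two
# names into a single string and one name split across a line break. Each suite is
# listed exactly once here, in the original order, one per line.
# NOTE(review): the list still carries legacy suites (3DES, CBC with SHA-1, static-RSA
# key exchange, DHE_DSS, PSK). Trim it to the ECDHE/DHE GCM suites once client and
# SQL Server compatibility has been confirmed.
CipherSuites ConfigureCipherSuites
{
    IsSingleInstance  = 'Yes'
    Ensure            = 'Present'
    CipherSuitesOrder = @(
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
        'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
        'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
        'TLS_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA256',
        'TLS_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA',
        'TLS_RSA_WITH_AES_128_CBC_SHA',
        'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
        'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
        'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
        'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
        'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
        'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
        'TLS_PSK_WITH_AES_256_GCM_SHA384',
        'TLS_PSK_WITH_AES_128_GCM_SHA256',
        'TLS_PSK_WITH_AES_256_CBC_SHA384',
        'TLS_PSK_WITH_AES_128_CBC_SHA256'
    )
}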
# Configure SSL on IIS website using xWebAdministration.
# Binds the Central Administration site to HTTPS on port 443 with the certificate
# identified by '<thumbprint>' (placeholder) from the 'My' store.
xWebsite 'Website'
{
    Name            = 'SharePoint Central Administration v4'
    ApplicationPool = 'SharePoint Central Administration v4'
    BindingInfo     = @(
        MSFT_xWebBindingInformation
        {
            Protocol              = 'HTTPS'
            Port                  = '443'
            IPAddress             = '*'
            Hostname              = 'centraladmin.domain.com'
            CertificateThumbprint = '<thumbprint>'
            CertificateStoreName  = 'My'
        }
    )
}
# Configure SQL to grant SPAdmins AD group access to databases using SQLServerDsc.
# NOTE(review): db_owner on SharePoint_Config and SharePoint_AdminContent is granted
# to the whole DOMAIN\SPAdmins group, although the role resource titles mention the
# install account. Confirm that group-wide db_owner is intended and keep group
# membership tightly controlled.
SqlServerLogin 'AddSPAdminsGroupLoginToInstance_Infra'
{
    Ensure               = 'Present'
    ServerName           = 'SQL01'
    InstanceName         = 'MSSQLSERVER'
    Name                 = 'DOMAIN\SPAdmins'
    LoginType            = 'WindowsGroup'
    PsDscRunAsCredential = $InstallAccount
}

# SharePoint_Config: map the group login to a database user, then add it to db_owner.
SqlDatabaseUser 'Config_AddSPAdminGroup'
{
    ServerName           = 'SQL01'
    InstanceName         = 'MSSQLSERVER'
    DatabaseName         = 'SharePoint_Config'
    Name                 = 'DOMAIN\SPAdmins'
    UserType             = 'Login'
    LoginName            = 'DOMAIN\SPAdmins'
    PsDscRunAsCredential = $InstallAccount
}

SqlDatabaseRole 'Config_ConfigureInstallAccountDBOwner'
{
    Ensure               = 'Present'
    ServerName           = 'SQL01'
    InstanceName         = 'MSSQLSERVER'
    Database             = 'SharePoint_Config'
    Name                 = 'db_owner'
    MembersToInclude     = 'DOMAIN\SPAdmins'
    PsDscRunAsCredential = $InstallAccount
}

# SharePoint_AdminContent: same user mapping and db_owner membership.
SqlDatabaseUser 'AdminContent_AddSPAdminGroup'
{
    ServerName           = 'SQL01'
    InstanceName         = 'MSSQLSERVER'
    DatabaseName         = 'SharePoint_AdminContent'
    Name                 = 'DOMAIN\SPAdmins'
    UserType             = 'Login'
    LoginName            = 'DOMAIN\SPAdmins'
    PsDscRunAsCredential = $InstallAccount
}

SqlDatabaseRole 'AdminContent_ConfigureInstallAccountDBOwner'
{
    Ensure               = 'Present'
    ServerName           = 'SQL01'
    InstanceName         = 'MSSQLSERVER'
    Database             = 'SharePoint_AdminContent'
    Name                 = 'db_owner'
    MembersToInclude     = 'DOMAIN\SPAdmins'
    PsDscRunAsCredential = $InstallAccount
}
# Install and configure Workflow Manager using WorkflowManagerDsc.
# The installer is driven from a local WebPI command line and product feed.
WorkflowManagerInstall 'WFInstall'
{
    Ensure               = 'Present'
    WebPIPath            = 'C:\Install\Workflow\bin\WebpiCmd.exe'
    XMLFeedPath          = 'C:\Install\Workflow\feeds\latest\webproductlist.xml'
    ComponentsToInstall  = 'All'
    PsDscRunAsCredential = $InstallAccount
}

# NOTE(review): CertAutoGenerationKey and RunAsAccount are both fed from
# $WMRunAsCredential, so the certificate generation key is presumably the same secret
# as the service account password. Consider passing a separate credential for the key.
WorkflowManagerFarm 'WFFarmConfig'
{
    Ensure                       = 'Present'
    DatabaseServer               = 'SQL01'
    CertAutoGenerationKey        = $WMRunAsCredential
    RunAsAccount                 = $WMRunAsCredential
    ServiceBusFarmDB             = 'SB_Management'
    ServiceBusGatewayDB          = 'SB_Gateway'
    ServiceBusMessageContainerDB = 'SB_MessageContainer'
    WorkflowManagerFarmDB        = 'WF_Management'
    WorkflowManagerInstanceDB    = 'WF_Instance'
    WorkflowManagerResourceDB    = 'WF_Resource'
    EnableFirewallRules          = $true
    PsDscRunAsCredential         = $WMRunAsCredential
}
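# Configure database compatibility level for WM databases using SQLServerDsc (minimal v13.4)
# The six Service Bus / Workflow Manager databases all get the same settings, so they
# are generated in a loop. Resource titles stay as before: the database name with the
# underscore removed, e.g. 'DatabaseCompatLevel_SBManagement'.
$wmDatabases = @(
    'SB_Management',
    'SB_Gateway',
    'SB_MessageContainer',
    'WF_Management',
    'WF_Instance',
    'WF_Resource'
)

foreach ($wmDatabase in $wmDatabases)
{
    SqlDatabase "DatabaseCompatLevel_$($wmDatabase -replace '_', '')"
    {
        Ensure               = 'Present'
        ServerName           = 'SQL01'
        # The first entry previously used $instanceInfra, which is never defined in
        # this configuration; every database uses the default instance.
        InstanceName         = 'MSSQLSERVER'
        Name                 = $wmDatabase
        CompatibilityLevel   = 'Version120'
        PsDscRunAsCredential = $InstallAccount
        # Run only after the farm resource, which is configured with these database
        # names, so this resource does not pre-create them with Ensure = 'Present'.
        DependsOn            = '[WorkflowManagerFarm]WFFarmConfig'
    }
}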
# Disable the Workflow Manager CEIP uploader scheduled task using ComputerManagementDsc
ScheduledTask 'DisableWFSchedTask'
{
    TaskPath             = '\Microsoft\Windows\PowerShell\ScheduledJobs'
    TaskName             = 'Workflow Manager 1.0 CEIP Uploader Task'
    Enable               = $false
    PsDscRunAsCredential = $InstallAccount
}
# Configure IIS using xWebAdministration: stop the default application pools and the
# default web site, then configure logging.
# NOTE(review): every resource here depends on '[SPInstallPrereqs]Install_SP_Prereqs',
# which this sample does not define (it covers everything except SharePoint). Add that
# SharePointDsc resource to this node, or adjust DependsOn, before compiling.
xWebAppPool 'DisableDotNet2Pool'
{
    Name      = '.NET v2.0'
    State     = 'Stopped'
    DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs'
}

xWebAppPool 'DisableDotNet2ClassicPool'
{
    Name      = '.NET v2.0 Classic'
    State     = 'Stopped'
    DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs'
}

xWebAppPool 'DisableDotNet45Pool'
{
    Name      = '.NET v4.5'
    State     = 'Stopped'
    DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs'
}

xWebAppPool 'DisableDotNet45ClassicPool'
{
    Name      = '.NET v4.5 Classic'
    State     = 'Stopped'
    DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs'
}

xWebAppPool 'DisableClassicDotNetPool'
{
    Name      = 'Classic .NET AppPool'
    State     = 'Stopped'
    DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs'
}

xWebAppPool 'DisableDefaultAppPool'
{
    Name      = 'DefaultAppPool'
    State     = 'Stopped'
    DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs'
}

xWebSite 'DisableDefaultWebSite'
{
    Name      = 'Default Web Site'
    State     = 'Stopped'
    DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs'
}

# W3C logs on the D: drive, rolled over daily on local time. The selected fields
# include client IP, user name, user agent and referer, which are useful when
# investigating requests after the fact.
xIisLogging 'ConfigureIISLogging'
{
    LogPath              = 'D:\Logs\IIS'
    LogFormat            = 'W3C'
    LogPeriod            = 'Daily'
    LoglocalTimeRollover = $true
    Logflags             = @(
        'Date', 'Time', 'ServerIP', 'Method', 'UriStem', 'UriQuery', 'ServerPort',
        'UserName', 'ClientIP', 'UserAgent', 'Referer', 'HttpStatus', 'HttpSubStatus',
        'Win32Status', 'TimeTaken'
    )
}
}
node 'OOS1'
{
# Import SSL certificate using CertificateDsc.
# '<thumbprint>' is a placeholder: replace it with the thumbprint of the certificate
# inside the PFX. The PFX holds the private key, so restrict access to C:\Cert.
PfxImport 'ImportSSLCertificate'
{
    Path       = 'C:\Cert\sslcert.pfx'
    Thumbprint = '<thumbprint>'
    Location   = 'LocalMachine'
    Store      = 'My'
    Credential = $CertificatePassword
}
# These features are required for OOS on Windows Server 2016
$requiredFeatures = @(
    # IIS and management tools
    'Web-Server', 'Web-Mgmt-Tools', 'Web-Mgmt-Console', 'Web-WebServer',
    'Web-Common-Http', 'Web-Default-Doc', 'Web-Static-Content',
    'Web-Performance', 'Web-Stat-Compression', 'Web-Dyn-Compression',
    'Web-Security', 'Web-Filtering', 'Web-Windows-Auth',
    'Web-App-Dev', 'Web-Net-Ext45', 'Web-Asp-Net45',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Includes',
    # .NET Framework
    'NET-Framework-Features', 'NET-Framework-45-Features',
    'NET-Framework-Core', 'NET-Framework-45-Core',
    'NET-HTTP-Activation', 'NET-Non-HTTP-Activ', 'NET-WCF-HTTP-Activation45',
    # Other
    'Windows-Identity-Foundation', 'Server-Media-Foundation'
)

# One WindowsFeature resource per entry, titled 'WindowsFeature_<feature name>'.
foreach ($feature in $requiredFeatures)
{
    WindowsFeature "WindowsFeature_$feature"
    {
        Ensure = 'Present'
        Name   = $feature
    }
}

# DependsOn-style references ('[WindowsFeature]WindowsFeature_<name>') to every
# feature resource generated above.
$prereqDependencies = $RequiredFeatures | ForEach-Object -Process {
    "[WindowsFeature]WindowsFeature_$_"
}
# Install Office Online Server prerequisites using PSDesiredStateConfiguration.
# NOTE(review): the installers are executed from C:\Install\Prereqs without any
# integrity check. The Package resource accepts FileHash/HashAlgorithm and
# SignerSubject/SignerThumbprint; consider pinning one of them per installer.
Package 'Install_VC2013ReDistx64'
{
    Ensure               = 'Present'
    Name                 = 'Microsoft Visual C++ 2013 Redistributable (x64)'
    ProductId            = '042d26ef-3dbe-4c25-95d3-4c1b11b235a7'
    Path                 = 'C:\Install\Prereqs\vcredist_x64.exe'
    Arguments            = '/quiet /norestart'
    PsDscRunAsCredential = $InstallAccount
}

Package 'Install_VC2017ReDistx64'
{
    Ensure               = 'Present'
    Name                 = 'Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.24.28127'
    ProductId            = '282975d8-55fe-4991-bbbb-06a72581ce58'
    Path                 = 'C:\Install\Prereqs\vc_redist.x64.exe'
    Arguments            = '/quiet /norestart'
    PsDscRunAsCredential = $InstallAccount
}

Package 'Install_MicrosoftIdentityExtensions'
{
    Ensure               = 'Present'
    Name                 = 'Microsoft Identity Extensions'
    ProductId            = 'f99f24bf-0b90-463e-9658-3fd2efc3c992'
    Path                 = 'C:\Install\Prereqs\MicrosoftIdentityExtensions-64.msi'
    Arguments            = '/quiet'
    PsDscRunAsCredential = $InstallAccount
}
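# Install and configure OOS using OfficeOnlineServerDsc.
# The steps are chained with DependsOn so they run in order: Windows features and
# prerequisite packages, then the binaries, the language pack, the update and finally
# the farm. $prereqDependencies (built earlier in this node from $requiredFeatures)
# was previously computed but never used.
OfficeOnlineServerInstall 'Install_OOS_Binaries'
{
    Ensure               = 'Present'
    Path                 = 'C:\Install\OOS\setup.exe'
    PsDscRunAsCredential = $InstallAccount
    DependsOn            = $prereqDependencies + @(
        '[Package]Install_VC2013ReDistx64',
        '[Package]Install_VC2017ReDistx64',
        '[Package]Install_MicrosoftIdentityExtensions'
    )
}

OfficeOnlineServerInstallLanguagePack 'Install_OOS_NL_LanguagePack'
{
    Ensure               = 'Present'
    BinaryDir            = 'C:\Install\OOS\LanguagePackNL'
    Language             = 'nl-nl'
    PsDscRunAsCredential = $InstallAccount
    DependsOn            = '[OfficeOnlineServerInstall]Install_OOS_Binaries'
}

OfficeOnlineServerProductUpdate 'Update_OOS_Installation'
{
    Ensure               = 'Present'
    SetupFile            = 'C:\Install\OOS\CU\oos_cu.exe'
    Servers              = 'OOS1'
    PsDscRunAsCredential = $InstallAccount
    DependsOn            = '[OfficeOnlineServerInstallLanguagePack]Install_OOS_NL_LanguagePack'
}

# The farm is published over HTTPS with the certificate named 'SSLCertificate', so it
# also waits for the PfxImport resource of this node.
OfficeOnlineServerFarm 'Create_OOS_Farm'
{
    InternalURL          = 'https://oos.domain.com'
    CertificateName      = 'SSLCertificate'
    EditingEnabled       = $true
    AllowCEIP            = $false
    LogLocation          = 'D:\Logs\OOS'
    LogRetentionInDays   = 30
    CacheLocation        = 'C:\OOS\Cache'
    CacheSizeInGB        = 1
    PsDscRunAsCredential = $InstallAccount
    DependsOn            = @(
        '[OfficeOnlineServerProductUpdate]Update_OOS_Installation',
        '[PfxImport]ImportSSLCertificate'
    )
}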
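# Configure IIS using xWebAdministration: stop the default application pools and the
# default web site, then configure logging.
# These resources previously depended on '[SPInstallPrereqs]Install_SP_Prereqs', a
# SharePoint resource that is not defined on this Office Online Server node. On OOS1,
# IIS comes from the WindowsFeature resources, so they depend on $prereqDependencies
# (built earlier in this node from $requiredFeatures) instead.
xWebAppPool 'DisableDotNet2Pool'
{
    Name      = '.NET v2.0'
    State     = 'Stopped'
    DependsOn = $prereqDependencies
}

xWebAppPool 'DisableDotNet2ClassicPool'
{
    Name      = '.NET v2.0 Classic'
    State     = 'Stopped'
    DependsOn = $prereqDependencies
}

xWebAppPool 'DisableDotNet45Pool'
{
    Name      = '.NET v4.5'
    State     = 'Stopped'
    DependsOn = $prereqDependencies
}

xWebAppPool 'DisableDotNet45ClassicPool'
{
    Name      = '.NET v4.5 Classic'
    State     = 'Stopped'
    DependsOn = $prereqDependencies
}

xWebAppPool 'DisableClassicDotNetPool'
{
    Name      = 'Classic .NET AppPool'
    State     = 'Stopped'
    DependsOn = $prereqDependencies
}

xWebAppPool 'DisableDefaultAppPool'
{
    Name      = 'DefaultAppPool'
    State     = 'Stopped'
    DependsOn = $prereqDependencies
}

xWebSite 'DisableDefaultWebSite'
{
    Name      = 'Default Web Site'
    State     = 'Stopped'
    DependsOn = $prereqDependencies
}

# W3C logs on the D: drive, rolled over daily on local time. The selected fields
# include client IP, user name, user agent and referer, which are useful when
# investigating requests after the fact.
xIisLogging 'ConfigureIISLogging'
{
    LogPath              = 'D:\Logs\IIS'
    LogFormat            = 'W3C'
    LogPeriod            = 'Daily'
    LoglocalTimeRollover = $true
    Logflags             = @(
        'Date', 'Time', 'ServerIP', 'Method', 'UriStem', 'UriQuery', 'ServerPort',
        'UserName', 'ClientIP', 'UserAgent', 'Referer', 'HttpStatus', 'HttpSubStatus',
        'Win32Status', 'TimeTaken'
    )
    DependsOn            = $prereqDependencies
}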
}
}