Tip

Desired State Configuration helps admins avoid configuration drift

The new feature Desired State Configuration feature in Windows Server 2012 R2 gives admins yet another reason to learn PowerShell.

Desired State Configuration, a new feature in PowerShell 4.0 and Windows Server 2012 R2, extends PowerShell by making it more functional from a configuration perspective.

The idea behind Desired State Configuration (DSC) is to provide a method for maintaining consistent configuration sets across computers or devices through a set of PowerShell language extensions and providers. With DSC, you can define the exact configuration of your targets, enable continuous deployment and prevent the dreaded configuration drift.

Surely you've deployed multiple servers before, and you found they each have slightly different configurations after several months of operation -- in relation to their original setup and to each other.

Perhaps there was troubleshooting on one box and a colleague toggled a setting. Perhaps one machine was patched and another wasn't. Or maybe an application on one machine modified some default settings to make its configuration different from sister machines.

This is configuration drift, and no matter the reason, it sets you up for a headache and potential failure because your units changed. You no longer have a good known configuration, and you can no longer treat the entire class of machines as one machine for management purposes -- a critical point in public or private cloud scenarios. You need to avoid configuration drift.

Using scripts to battle configuration drift

Scripts are nothing new in systems management and are a solid way to prevent configuration drift. They generally achieve the same consistent result when run across multiple systems. Traditionally, script writers not using some type of platform systems management software, like System Center Configuration Manager, have been relegated to using imperative scripts. These include scripts that require the author to specify each action to perform, in addition to error handling, transaction logging and other details associated with scripting.

For example, a traditional management script would say to install a patch, set up a role, copy some files, run an executable, set the patch up to run as a system service and so forth. By specifying each action that has to happen, these scripts become difficult to improve and not terribly useful to reuse for other purposes, especially since actions on one machine probably wouldn't apply exactly to another machine.

DSC, however, is a declarative scripting technique. This means the system admin or script writer designs expressions about how a system should be configured, and the system figures out what it needs to do to get the configuration to that state.

While declarative scripting is not as powerful from a pure functionality perspective as imperative scripting, it works well for system-configuration scenarios. For example, if I wanted to deploy a farm of Web servers, I could write a DSC-based script that says:

  • I need seven virtual machines.
  • All of them should have IIS installed.
  • All of them should have the Remote Server Administration Tools package installed.
  • All of them should have these particular content files present.

DSC includes, among other components, a configuration agent that receives the script information and translates it into actions that bring the physical system state into alignment with the expressed configuration. This is the agent that makes everything function. If I say IIS should be installed, this agent will look at the current roles on the machine, see if IIS is available or installed and then make any necessary changes to bring that machine into compliance with the desired state.

But how does Desired State Configuration relate to other management technologies? For one, DSC is meant to address the cloud -- i.e., servers and devices that operate on standards, run all the time and tolerate faults. It isn't meant to address on-premises servers, so System Center is better for that. DSC can work in conjunction with System Center Virtual Machine Manager to both provision VMs and services and get them prepared properly. The main takeaway should be that DSC is meant for farms of machines doing related tasks, not individual computers doing many different things.

There will be much more written about DSC and PowerShell 4.0 as it comes in the Windows Server 2012 R2 release later this year. But for now, you have yet another reason to learn PowerShell.

About the author:
Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Microsoft Windows Small Business Server 2003 and Learning Windows Server 2003. Jonathan also speaks worldwide on topics ranging from networking and security to Windows administration. He is president of 82 Ventures LLC, based in North Carolina, and is currently an editor for Apress Media LLC, a publishing company that specializes in books for programmers and IT professionals. 

Dig Deeper on