Using other DSC modules with SharePointDsc
Published Apr 07 2020 02:20 AM
Microsoft

When I create Desired State Configuration configurations, SharePointDsc usually is just one of the DSC modules I am using in my configuration. There are several other modules that are very useful when deploying or managing SharePoint environments.

 

| Resource | Description |
| --- | --- |
| ActiveDirectoryDsc | Resources to manage Active Directory components. For example, used to create service accounts or a SharePoint administrators domain group. |
| CertificateDsc | Resources to manage certificates. For example, used to import SSL certificates into the local certificate store. |
| ComputerManagementDsc | Resources to manage various Windows components. For example, used to manage Scheduled Tasks or trigger reboots. |
| OfficeOnlineServerDsc | Resources to install and manage Office Online Server. Office Online Server is often used alongside SharePoint. Using this module, you can install and configure OOS in an automated way. |
| SChannelDsc | Resources to manage Secure Channel components. For example, used to configure allowed cipher suites or protocols, like disabling SSLv3 and TLS v1.0/v1.1. |
| SQLServerDsc | Resources to install and manage SQL Server. SQL Server is required to run SharePoint, but does require certain settings, like the MaxDOP setting and the database compatibility level. Using this module, you can configure SQL Server in an optimal way for SharePoint. |
| WorkflowManagerDsc | Resources to install and configure Workflow Manager. When using SharePoint 2013 workflows, you need Workflow Manager to be deployed onto your SharePoint servers. This module is able to deploy Workflow Manager in an automated way. |
| xCredSSP | Resources to manage CredSSP authentication settings. For example, used to enable CredSSP, which is required to use SharePointDsc when using PowerShell v4.0 or with specific SharePointDsc resources. |
| xWebAdministration | Resources to manage Internet Information Server (IIS) components. For example, used to disable the default web site/application pools or configure logging settings. |

 

The configuration below is an example that uses all of the above resources to configure a server with everything except SharePoint. You can use it as a starting point for your own configuration.

 

Configuration DeploySharePoint
{  
    param
    (
        [Parameter(Mandatory = $true)] [ValidateNotNullorEmpty()] [PSCredential] $InstallAccount,
        [Parameter(Mandatory = $true)] [ValidateNotNullorEmpty()] [PSCredential] $WMRunAsCredential,
        [Parameter(Mandatory = $true)] [ValidateNotNullorEmpty()] [PSCredential] $CertificatePassword
    )
    
    Import-DscResource -ModuleName ActiveDirectoryDsc
    Import-DscResource -ModuleName CertificateDsc
    Import-DscResource -ModuleName ComputerManagementDsc
    Import-DscResource -ModuleName OfficeOnlineServerDsc
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName SChannelDsc
    Import-DscResource -ModuleName SharePointDsc
    Import-DscResource -ModuleName SQLServerDsc
    Import-DscResource -ModuleName xWebAdministration
    Import-DscResource -ModuleName xCredSSP
    Import-DscResource -ModuleName WorkflowManagerDsc

    node SP01
    {
        # Configure CredSSP settings using xCredSSP
        xCredSSP 'Server'
        {
            Ensure = 'Present'
            Role   = 'Server'
        }
        
        xCredSSP 'Client'
        {
            Ensure = 'Present'
            Role   = 'Client'
            DelegateComputers = @("SP01","SP01.domain.com")
        }

        # Configure service account and admin group using ActiveDirectoryDsc
        ADUser 'SP_Farm'
        {
            DomainName           = 'DOMAIN'
            UserName             = 'sp_farm'
            UserPrincipalName    = 'sp_farm@domain.com'
            Password             = $InstallAccount
            DisplayName          = 'SharePoint Farm Service Account'
            Description          = 'SharePoint Farm Service Account'
            Path                 = 'OU=Service Accounts,OU=SharePoint,DC=domain,DC=com'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        ADGroup 'ExampleGroup'
        {
            GroupName   = 'SPAdmins'
            GroupScope  = 'Global'
            Category    = 'Security'
            Description = 'SharePoint Administrators'
            Ensure      = 'Present'
        }

        # Import SSL certificate using CertificateDsc
        PfxImport 'ImportSSLCertificate'
        {
            Thumbprint = '<thumbprint>'
            Path       = 'C:\Cert\sslcert.pfx'
            Location   = 'LocalMachine'
            Store      = 'My'
            Credential = $CertificatePassword
        }

        # Configure Secure Channel settings using SChannelDsc
        Protocol 'DisableSSLv2'
        {
            Protocol          = "SSL 2.0"
            IncludeClientSide = $true
            State             = "Disabled"
        }

        Protocol 'DisableSSLv3'
        {
            Protocol          = "SSL 3.0"
            IncludeClientSide = $true
            State             = "Disabled"
        }
            
        Protocol 'DisableTLSv1'
        {
            Protocol          = "TLS 1.0"
            IncludeClientSide = $true
            State             = "Disabled"
        }

        Protocol 'DisableTLSv11'
        {
            Protocol          = "TLS 1.1"
            IncludeClientSide = $true
            State             = "Disabled"
        }

        Protocol 'EnableTLSv12'
        {
            Protocol          = "TLS 1.2"
            IncludeClientSide = $true
            State             = "Enabled"
        }

        SChannelSettings 'ConfigureSChannel'
        {
            IsSingleInstance              = 'Yes'
            TLS12State                    = 'Enabled'
            EnableFIPSAlgorithmPolicy     = $false
        }

        CipherSuites ConfigureCipherSuites
        {
            IsSingleInstance  = 'Yes'
            # Preferred cipher suite order. The list still contains legacy CBC and 3DES suites;
            # trim it to what your clients actually require.
            CipherSuitesOrder = @(
                'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
                'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
                'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
                'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
                'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
                'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
                'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
                'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
                'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
                'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
                'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
                'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
                'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
                'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
                'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
                'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
                'TLS_RSA_WITH_AES_256_GCM_SHA384',
                'TLS_RSA_WITH_AES_128_GCM_SHA256',
                'TLS_RSA_WITH_AES_256_CBC_SHA256',
                'TLS_RSA_WITH_AES_128_CBC_SHA256',
                'TLS_RSA_WITH_AES_256_CBC_SHA',
                'TLS_RSA_WITH_AES_128_CBC_SHA',
                'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
                'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
                'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
                'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
                'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
                'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
                'TLS_PSK_WITH_AES_256_GCM_SHA384',
                'TLS_PSK_WITH_AES_128_GCM_SHA256',
                'TLS_PSK_WITH_AES_256_CBC_SHA384',
                'TLS_PSK_WITH_AES_128_CBC_SHA256'
            )
            Ensure            = "Present"
        }

        # Configure SSL on IIS website using xWebAdministration
        xWebsite "Website"
        {
            Name            = 'SharePoint Central Administration v4'
            ApplicationPool = 'SharePoint Central Administration v4'
            BindingInfo     = @(
                MSFT_xWebBindingInformation 
                {
                    Protocol              = 'HTTPS' 
                    Port                  = '443' 
                    CertificateThumbprint = '<thumbprint>'
                    CertificateStoreName  = 'My'
                    IPAddress             = '*'
                    Hostname              = 'centraladmin.domain.com'
                }
            )
        }

        # Configure SQL to grant SPAdmins AD group access to databases using SQLServerDsc
        SqlServerLogin 'AddSPAdminsGroupLoginToInstance_Infra'
        {
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'DOMAIN\SPAdmins'
            LoginType            = 'WindowsGroup'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabaseUser 'Config_AddSPAdminGroup'
        {
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            DatabaseName         = 'SharePoint_Config'
            Name                 = 'DOMAIN\SPAdmins'
            UserType             = 'Login'
            LoginName            = 'DOMAIN\SPAdmins'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabaseRole 'Config_ConfigureInstallAccountDBOwner'
        {
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Database             = 'SharePoint_Config'
            Name                 = 'db_owner'
            MembersToInclude     = 'DOMAIN\SPAdmins'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabaseUser 'AdminContent_AddSPAdminGroup'
        {
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            DatabaseName         = 'SharePoint_AdminContent'
            Name                 = 'DOMAIN\SPAdmins'
            UserType             = 'Login'
            LoginName            = 'DOMAIN\SPAdmins'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabaseRole 'AdminContent_ConfigureInstallAccountDBOwner'
        {
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Database             = 'SharePoint_AdminContent'
            Name                 = 'db_owner'
            MembersToInclude     = 'DOMAIN\SPAdmins'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        # Install and configure Workflow Manager using WorkflowManagerDsc
        WorkflowManagerInstall 'WFInstall'
        {  
            Ensure               = "Present"
            WebPIPath            = 'C:\Install\Workflow\bin\WebpiCmd.exe'
            XMLFeedPath          = 'C:\Install\Workflow\feeds\latest\webproductlist.xml'
            ComponentsToInstall  = "All"
            PsDscRunAsCredential = $InstallAccount
        }

        WorkflowManagerFarm 'WFFarmConfig'
        {
            Ensure                       = "Present"
            DatabaseServer               = 'SQL01'
            CertAutoGenerationKey        = $WMRunAsCredential
            RunAsAccount                 = $WMRunAsCredential
            ServiceBusFarmDB             = "SB_Management"
            ServiceBusGatewayDB          = "SB_Gateway"
            ServiceBusMessageContainerDB = "SB_MessageContainer"
            WorkflowManagerFarmDB        = "WF_Management"
            WorkflowManagerInstanceDB    = "WF_Instance"
            WorkflowManagerResourceDB    = "WF_Resource"
            EnableFirewallRules          = $true
            PsDscRunAsCredential         = $WMRunAsCredential
        }

        # Configure database compatibility level for WM databases using SQLServerDsc (minimal v13.4)
        SqlDatabase 'DatabaseCompatLevel_SBManagement'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'SB_Management'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabase 'DatabaseCompatLevel_SBGateway'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'SB_Gateway'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabase 'DatabaseCompatLevel_SBMessageContainer'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'SB_MessageContainer'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabase 'DatabaseCompatLevel_WFManagement'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'WF_Management'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabase 'DatabaseCompatLevel_WFInstance'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'WF_Instance'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        SqlDatabase 'DatabaseCompatLevel_WFResource'
        {
            Ensure               = 'Present'
            ServerName           = 'SQL01'
            InstanceName         = 'MSSQLSERVER'
            Name                 = 'WF_Resource'
            CompatibilityLevel   = 'Version120'
            PsDscRunAsCredential = $InstallAccount
        }

        # Disable Scheduled Task using ComputerManagementDsc
        ScheduledTask 'DisableWFSchedTask'
        {
            TaskName             = 'Workflow Manager 1.0 CEIP Uploader Task'
            TaskPath             = '\Microsoft\Windows\PowerShell\ScheduledJobs'
            Enable               = $false
            PsDscRunAsCredential = $InstallAccount
        }

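        # Configure IIS using xWebAdministration
        # DependsOn refers to an SPInstallPrereqs resource named 'Install_SP_Prereqs', which is not
        # part of this sample; add that SharePointDsc resource to this node or adjust the dependency.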
        xWebAppPool 'DisableDotNet2Pool'         { Name = '.NET v2.0';            State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebAppPool 'DisableDotNet2ClassicPool'  { Name = '.NET v2.0 Classic';    State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebAppPool 'DisableDotNet45Pool'        { Name = '.NET v4.5';            State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebAppPool 'DisableDotNet45ClassicPool' { Name = '.NET v4.5 Classic';    State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebAppPool 'DisableClassicDotNetPool'   { Name = 'Classic .NET AppPool'; State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebAppPool 'DisableDefaultAppPool'      { Name = 'DefaultAppPool';       State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }
        xWebSite    'DisableDefaultWebSite'      { Name = 'Default Web Site';     State = 'Stopped'; DependsOn = '[SPInstallPrereqs]Install_SP_Prereqs' }

        xIisLogging 'ConfigureIISLogging'
        {
            LogPath = 'D:\Logs\IIS'
            Logflags = @('Date','Time','ServerIP','Method','UriStem','UriQuery','ServerPort','UserName','ClientIP','UserAgent','Referer','HttpStatus','HttpSubStatus','Win32Status','TimeTaken')
            LoglocalTimeRollover = $true
            LogPeriod = 'Daily'
            LogFormat = 'W3C'
        }
    }

    node 'OOS1'
    {
        # Import SSL certificate using CertificateDsc
        PfxImport 'ImportSSLCertificate'
        {
            Thumbprint = '<thumbprint>'
            Path       = 'C:\Cert\sslcert.pfx'
            Location   = 'LocalMachine'
            Store      = 'My'
            Credential = $CertificatePassword
        }

        # These features are required for OOS on Windows Server 2016
        $requiredFeatures = @(
            'Web-Server',
            'Web-Mgmt-Tools',
            'Web-Mgmt-Console',
            'Web-WebServer',
            'Web-Common-Http',
            'Web-Default-Doc',
            'Web-Static-Content',
            'Web-Performance',
            'Web-Stat-Compression',
            'Web-Dyn-Compression',
            'Web-Security',
            'Web-Filtering',
            'Web-Windows-Auth',
            'Web-App-Dev',
            'Web-Net-Ext45',
            'Web-Asp-Net45',
            'Web-ISAPI-Ext',
            'Web-ISAPI-Filter',
            'Web-Includes',
            'NET-Framework-Features',
            'NET-Framework-45-Features',
            'NET-Framework-Core',
            'NET-Framework-45-Core',
            'NET-HTTP-Activation',
            'NET-Non-HTTP-Activ',
            'NET-WCF-HTTP-Activation45',
            'Windows-Identity-Foundation',
            'Server-Media-Foundation'
        )

        foreach ($feature in $requiredFeatures)
        {
            WindowsFeature "WindowsFeature_$feature"
            {
                Name      = $feature
                Ensure    = 'Present'
            }
        }

        $prereqDependencies = $RequiredFeatures | ForEach-Object -Process {
            return "[WindowsFeature]WindowsFeature_$_"
        }
    
        # Install Office Online Server prerequisites using PSDesiredStateConfiguration
        Package 'Install_VC2013ReDistx64'
        {
            Name                 = 'Microsoft Visual C++ 2013 Redistributable (x64)'
            Path                 = 'C:\Install\Prereqs\vcredist_x64.exe'
            Arguments            = '/quiet /norestart'
            ProductId            = '042d26ef-3dbe-4c25-95d3-4c1b11b235a7'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        Package 'Install_VC2017ReDistx64'
        {
            Name                 = 'Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.24.28127'
            Path                 = 'C:\Install\Prereqs\vc_redist.x64.exe'
            Arguments            = '/quiet /norestart'
            ProductId            = '282975d8-55fe-4991-bbbb-06a72581ce58'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        Package 'Install_MicrosoftIdentityExtensions'
        {
            Name                 = 'Microsoft Identity Extensions'
            Path                 = 'C:\Install\Prereqs\MicrosoftIdentityExtensions-64.msi'
            Arguments            = '/quiet'
            ProductId            = 'f99f24bf-0b90-463e-9658-3fd2efc3c992'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        # Install and configure OOS using OfficeOnlineServerDsc
        OfficeOnlineServerInstall 'Install_OOS_Binaries'
        {
            Path                 = 'C:\Install\OOS\setup.exe'
            Ensure               = 'Present'
            PsDscRunAsCredential = $InstallAccount
        }

        OfficeOnlineServerInstallLanguagePack 'Install_OOS_NL_LanguagePack'
        {
            Ensure               = 'Present'
            BinaryDir            = 'C:\Install\OOS\LanguagePackNL'
            Language             = 'nl-nl'
            PsDscRunAsCredential = $InstallAccount
        }

        OfficeOnlineServerProductUpdate 'Update_OOS_Installation'
        {
            Ensure               = 'Present'
            SetupFile            = 'C:\Install\OOS\CU\oos_cu.exe'
            Servers              = "OOS1"
            PsDscRunAsCredential = $InstallAccount
        }

        OfficeOnlineServerFarm 'Create_OOS_Farm'
        {
            InternalURL          = 'https://oos.domain.com'
            EditingEnabled       = $true
            CertificateName      = 'SSLCertificate'
            AllowCEIP            = $false
            LogLocation          = 'D:\Logs\OOS'
            LogRetentionInDays   = 30
            CacheLocation        = 'C:\OOS\Cache'
            CacheSizeInGB        = 1
            PsDscRunAsCredential = $InstallAccount
        }

        # Configure IIS using xWebAdministration
        # SPInstallPrereqs does not exist on this node, so depend on the IIS feature declared above
        xWebAppPool 'DisableDotNet2Pool'         { Name = '.NET v2.0';            State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebAppPool 'DisableDotNet2ClassicPool'  { Name = '.NET v2.0 Classic';    State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebAppPool 'DisableDotNet45Pool'        { Name = '.NET v4.5';            State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebAppPool 'DisableDotNet45ClassicPool' { Name = '.NET v4.5 Classic';    State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebAppPool 'DisableClassicDotNetPool'   { Name = 'Classic .NET AppPool'; State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebAppPool 'DisableDefaultAppPool'      { Name = 'DefaultAppPool';       State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }
        xWebSite    'DisableDefaultWebSite'      { Name = 'Default Web Site';     State = 'Stopped'; DependsOn = '[WindowsFeature]WindowsFeature_Web-Server' }

        xIisLogging 'ConfigureIISLogging'
        {
            LogPath = 'D:\Logs\IIS'
            Logflags = @('Date','Time','ServerIP','Method','UriStem','UriQuery','ServerPort','UserName','ClientIP','UserAgent','Referer','HttpStatus','HttpSubStatus','Win32Status','TimeTaken')
            LoglocalTimeRollover = $true
            LogPeriod = 'Daily'
            LogFormat = 'W3C'
        }
    }
}
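
The configuration above takes three PSCredential parameters, and their passwords end up in the compiled MOF files for SP01 and OOS1. The following is an added example (not part of the original post) of compiling it so those credentials are encrypted with a per-node certificate; the certificate file paths, thumbprint placeholders and output folder are assumptions.

```powershell
# Added example: compile DeploySharePoint with certificate-encrypted credentials.
# Assumed (hypothetical) values: the C:\DscCerts\*.cer public keys, the thumbprint
# placeholders and the C:\Dsc\DeploySharePoint output folder.
$outputPath = 'C:\Dsc\DeploySharePoint'

$configData = @{
    AllNodes = @(
        @{
            NodeName             = 'SP01'
            CertificateFile      = 'C:\DscCerts\SP01.cer'   # public key used to encrypt
            Thumbprint           = '<SP01 DSC certificate thumbprint>'
            PSDscAllowDomainUser = $true                    # the accounts are domain accounts
        },
        @{
            NodeName             = 'OOS1'
            CertificateFile      = 'C:\DscCerts\OOS1.cer'
            Thumbprint           = '<OOS1 DSC certificate thumbprint>'
            PSDscAllowDomainUser = $true
        }
    )
}

# Stop before compiling if a public key file is missing.
foreach ($node in $configData.AllNodes)
{
    if (-not (Test-Path -Path $node.CertificateFile -PathType Leaf))
    {
        throw "Certificate file for $($node.NodeName) not found: $($node.CertificateFile)"
    }
}

# Meta-configuration: tells each node's LCM which certificate decrypts the MOF.
[DSCLocalConfigurationManager()]
Configuration LcmCertificate
{
    Node $AllNodes.NodeName
    {
        Settings
        {
            CertificateID = $Node.Thumbprint
        }
    }
}

$params = @{
    ConfigurationData   = $configData
    OutputPath          = $outputPath
    InstallAccount      = Get-Credential -Message 'Install account'
    WMRunAsCredential   = Get-Credential -Message 'Workflow Manager RunAs account'
    CertificatePassword = Get-Credential -Message 'PFX password (any user name)'
}
DeploySharePoint @params | Out-Null
LcmCertificate -ConfigurationData $configData -OutputPath $outputPath | Out-Null

# Refuse to push a MOF that does not declare encrypted credentials.
foreach ($node in $configData.AllNodes)
{
    $mof = Join-Path -Path $outputPath -ChildPath "$($node.NodeName).mof"
    if (-not (Select-String -Path $mof -Pattern 'ContentType\s*=\s*"PasswordEncrypted"' -Quiet))
    {
        throw "$mof is not marked PasswordEncrypted; do not distribute it."
    }
}

Set-DscLocalConfigurationManager -Path $outputPath -Verbose
Start-DscConfiguration -Path $outputPath -Wait -Verbose
```

The matching private key must exist only in each target node's LocalMachine certificate store; the authoring machine needs just the exported public keys.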

 
