1
PowerShell Desired State Configuration
Keep your Service stable and stay on top of your config
2
Ingo Gegenwarth
IT Principal
MCM Exchange 2010
Office Server and Services MVP
Blog:
3
Objectives
- Provide a brief overview of Desired State Configuration (DSC)
- Show where DSC can help you with Exchange
4
Motivation for using DSC
- Project: Exchange 2016 upgrade
- Consolidate several scripts for different purposes
- Remove a few scheduled tasks
- Centralize management
- Avoid configuration drift
- Keep customization in place (CU upgrade)
5
What is Desired State Configuration?
- DSC is a management platform based on Windows PowerShell (v4 and later)
- Text-file-based configurations
- Built-in and many community resources (PowerShell Gallery)
6
Main components
Local Configuration Manager
- The engine running on a node, which reads the configuration (MOF) and tries to ensure the desired state it describes. Lives in the WmiPrvSE process.
Resources
- PowerShell modules that are able to handle the statements in a configuration. Besides the built-in resources, you can find many built by the community.
Configuration
- One or more statements describing how one or multiple resources should be configured.
7
Push- or Pull-Mode
Push-Mode:
- Can be any server
- You need to deploy any used resource which is not built-in
- No reporting capabilities
Pull-Mode:
- SMB or web based
- No need to deploy any used resource which is not built-in
- Certificate needed (best practice)
- Reporting capabilities
8
Securing MOFs
- For some configurations you need to provide credentials
- By default, plaintext passwords are not allowed (to allow them, PsDscAllowPlainTextPassword must be set to true)
- In order to encrypt the credential, the target nodes need to have a valid certificate
Process:
1. Export the public key of the node's certificate to the machine where you create the MOF files
2. In the configuration block, provide the path to the exported certificate and its thumbprint
3. Create the MOF file
4. Configure the target node's LCM with the correct thumbprint
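The four-step process above, written out as an added example (not code from the presentation or its scripts). The node name, file paths, the share and the rule used to pick a "valid" certificate (has a private key, not expired) are assumptions.

```powershell
# Added example. Node name, paths and the share are placeholders.
$nodeName = 'EXCH01'
$cerFile  = "C:\DSC\Certs\$nodeName.cer"

# Step 1: fetch the public part of the node's certificate over remote PowerShell.
# Assumption: "valid" means it has a private key on the node and is not expired.
$raw = Invoke-Command -ComputerName $nodeName -ScriptBlock {
    $c = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($c) { ,$c.RawData }
}
if (-not $raw) { throw "No usable certificate found on $nodeName" }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
[System.IO.File]::WriteAllBytes($cerFile, $cert.RawData)   # DER file, public key only

# Step 2: per-node data names the certificate used to encrypt credentials.
$configData = @{
    AllNodes = @(@{
        NodeName        = $nodeName
        CertificateFile = $cerFile
        Thumbprint      = $cert.Thumbprint
    })
}

Configuration SecureMofDemo {
    param([Parameter(Mandatory)][pscredential]$Credential)
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $AllNodes.NodeName {
        File CopyFromShare {                        # any resource that takes a credential
            SourcePath      = '\\fileserver\share\file.txt'   # placeholder
            DestinationPath = 'C:\Temp\file.txt'
            Credential      = $Credential
        }
        LocalConfigurationManager {                 # the LCM decrypts with this certificate
            CertificateID = $Node.Thumbprint
        }
    }
}

# Step 3: compile. The password in the MOF is encrypted with the node's public key.
SecureMofDemo -ConfigurationData $configData -Credential (Get-Credential) -OutputPath C:\DSC\Mof
# Step 4: apply the generated .meta.mof so the node's LCM knows the thumbprint.
Set-DscLocalConfigurationManager -Path C:\DSC\Mof -ComputerName $nodeName
```

If compilation fails with a plaintext-password error, the node's entry is missing CertificateFile; fix the node data instead of setting PsDscAllowPlainTextPassword.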
9
How can DSC help me with Exchange?
10
Example #1 Client-specific message size limits in Exchange
- 2 web.config files
- 5 values

Services / Configuration file / Keys and default values / Size

Client Access: %ExchangeInstallPath%\FrontEnd\HttpProxy\Sync\web.config
- maxAllowedContentLength = " " (Not present by default), bytes
- maxRequestLength = "35840", kilobytes

Backend: %ExchangeInstallPath%\ClientAccess\Sync\web.config
- maxAllowedContentLength = " " (Not present by default)
- maxRequestLength = "35840"
- <add key="MaxDocumentDataSize" value=" ">
11
Example #2 Modern Attachments behind a web proxy
12
Example #2 Modern attachments behind a web proxy
By default, Exchange doesn't support web proxies in this scenario. For each protocol in use, you need to edit the following properties in its web.config file:
- usesystemdefault
- Proxyaddress
- Address
13
Example #2 Modern attachments behind a web proxy
The following files need to be modified:
- %ExchangeInstallPath%\ClientAccess\Owa\web.config
- %ExchangeInstallPath%\ClientAccess\mapi\emsmdb\web.config
- %ExchangeInstallPath%\ClientAccess\exchweb\ews\web.config
14
Example #2 Modern Attachments behind a web proxy
15
Example #2 Modern Attachments behind a web proxy
16
Are there any limitations?
17
Limitations
- Exchange supports WMF5.1 only on Windows Server 2016 (installation of WMF from stand-alone downloads is NOT supported)
- The new WMF5.1 feature ConfigurationNames is currently not supported by the xExchange DSC module
- In a mixed environment (WMF5.1/WMF4), securing of MOF files is not supported across versions (known bug)
18
Is DSC easy to use out-of-the-box?
19
Challenges: ConfigurationID
How do you keep track of the GUIDs for all the nodes?
Solution: Use the ObjectGUID from the corresponding AD object
20
Challenges: CertificateID
How do you keep track of all the thumbprints when you cannot use the same one across all nodes?
Solution: Use remote PowerShell to gather the thumbprint of a valid certificate on the target node.
21
Challenges: Thumbprint/CertificateFile
As you need to configure the target node’s LCM, you also need to add the information to the configuration for each node.
22
Challenges: Thumbprint/CertificateFile
How do you keep track of and export all the certificates? You also need to edit the configuration script each time a node changes, which is error-prone.
Solution: Create those node-specific blocks dynamically
23
Challenges: Create different configurations
When you separate Configuration and Environment Data, you can import the Environment Data and inject individual settings for each node.
- AllNodes is an array of hashtables
- Each hashtable reflects an individual node
Procedure:
1. Create a CSV file which contains the desired properties
2. Import this CSV file and convert it to a hashtable
3. Append the hashtable to the AllNodes array
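The CSV-to-AllNodes procedure above as an added example (not taken from New-DSCConfigsFromFiles.ps1). The CSV columns, node names, placeholder thumbprints, the NonNodeData value and the output path are all constructed for illustration.

```powershell
# Added example. CSV content is constructed; use Import-Csv -Path <file> in real use.
$rows = @'
NodeName,Site,Role,Thumbprint,CertificateFile
EXCH01,SiteA,Mailbox,<THUMBPRINT-EXCH01>,C:\DSC\Certs\EXCH01.cer
EXCH02,SiteB,Mailbox,<THUMBPRINT-EXCH02>,C:\DSC\Certs\EXCH02.cer
EXCH03,SiteA,Edge,,
'@ | ConvertFrom-Csv

# Environment data holds values only; AllNodes starts empty and is filled from the CSV.
$envData = @{
    AllNodes    = @()
    NonNodeData = @{ MarkerPath = 'C:\DSC\site.txt' }   # hypothetical shared value
}

# A duplicated node would make compilation fail later; catch it here with a clear message.
$dupes = $rows | Group-Object NodeName | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "Duplicate NodeName in CSV: $($dupes.Name -join ', ')" }

foreach ($row in $rows) {
    $node = @{}
    foreach ($prop in $row.PSObject.Properties) {
        # Skip empty cells so a missing thumbprint is absent instead of an empty string.
        if (-not [string]::IsNullOrWhiteSpace($prop.Value)) { $node[$prop.Name] = $prop.Value }
    }
    if (-not $node.ContainsKey('NodeName')) { throw 'CSV row without NodeName' }
    $envData.AllNodes += $node        # one hashtable per node
}

Configuration PerNodeDemo {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    # Filter on a CSV property: only nodes with Role = Mailbox get this block.
    Node $AllNodes.Where({ $_.Role -eq 'Mailbox' }).NodeName {
        File SiteMarker {
            DestinationPath = $ConfigurationData.NonNodeData.MarkerPath
            Contents        = "Site: $($Node.Site)"
        }
    }
}

# Produces EXCH01.mof and EXCH02.mof; EXCH03 is filtered out by its Role.
PerNodeDemo -ConfigurationData $envData -OutputPath C:\DSC\Mof
```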
24
Challenges: Create different configurations
25
Tooling: New-DSCConfigsFromFiles.ps1
3 different files:
- Configuration (contains all statements, but no values)
- Environment Data (contains values for statements in configuration)
- CSV (contains values for individual node block)
26
New-DSCConfigsFromFiles.ps1
[Diagram: CSV, Configuration and Environment Data are fed into New-DSCConfigsFromFiles.ps1, which produces the MOF file]
27
Tooling: Different configs made easy
- Change properties in CSV file
- Filter on those properties in Configuration
- Re-run script
28
Tooling: Set-DSCLCMforPullServer.ps1
The script configures the LCM of a target node
- Reads a CSV file to get target nodes
- Retrieves GUID from AD object
- If needed, retrieves certificate thumbprint from target nodes
29
Tooling: Enforce-DSCConfiguration.ps1
- Triggers a consistency check on target nodes
- If necessary, kills the WmiPrvSE process
- If necessary, deletes the cache of the File resource
- Supports multi-threading
30
What does it look like in action?
31
Configure LCM with script
33
Create MOF files with script
35
Enforce configuration with script
37
Q&A
38
Appendix
- Windows PowerShell Desired State Configuration
- Separating Configuration Environment Data
- PowerShell Gallery Repository
- New-DSCConfigsFromFiles.ps1
- Set-DSCLCMforPullServer.ps1
- Enforce-DSCConfiguration.ps1