Project 9: Desired State Configuration (DSC) for a Web Server

Build a DSC configuration that ensures IIS and a website are installed and stay in the desired state.

Quick Reference

Attribute	Value
Difficulty	Expert (Level 5)
Time Estimate	2-3 weeks
Main Programming Language	Windows PowerShell 5.1
Alternative Programming Languages	None practical for DSC
Coolness Level	Level 4: Enterprise-grade configuration as code
Business Potential	Level 4: Infrastructure automation
Prerequisites	PowerShell scripting, IIS basics, idempotency mindset
Key Topics	DSC fundamentals, LCM, convergence, configuration data

1. Learning Objectives

By completing this project, you will:

Write a DSC configuration and compile it to MOF.
Apply configurations using the Local Configuration Manager (LCM).
Understand convergence and configuration drift.
Separate configuration data for different environments.
Validate DSC runs with deterministic outputs.

2. All Theory Needed (Per-Concept Breakdown)

2.1 DSC Fundamentals: Configurations, Resources, and MOF

Fundamentals

DSC (Desired State Configuration) is PowerShell’s declarative configuration system. You describe the desired state of a system using a Configuration block and DSC resources (e.g., WindowsFeature, File). When you compile a configuration, PowerShell generates a MOF file that the Local Configuration Manager (LCM) applies. DSC ensures a machine converges to the desired state and can detect drift.

Deep Dive into the Concept

A DSC configuration is a specialized PowerShell function. Inside it, you declare resources with desired properties. For example, WindowsFeature IIS declares that the IIS role should be present. When the configuration is compiled, PowerShell produces a Managed Object Format (MOF) file for each node. This MOF file is the declarative representation of your desired state and is the input consumed by the LCM.

Resources are the building blocks. Each resource implements Get, Test, and Set methods. Test checks whether the system is already in the desired state, and Set performs changes if not. This is what makes DSC idempotent: resources only make changes when necessary. You can use built-in resources or install community resources (e.g., xWebAdministration or WebAdministrationDsc). The choice of resources affects compatibility and features.

The MOF file is not just a serialization; it is the contract between your configuration and the LCM. It specifies the resource instances and their desired properties. You can inspect MOF files to debug configuration issues, but you typically treat them as generated artifacts. Your source of truth is the configuration script.

DSC is declarative, which means you describe what you want, not how to achieve it. This is different from a provisioning script like Project 6. The LCM handles the sequencing and state evaluation. This is powerful but also requires a shift in mindset: you must express state in terms of resources and their properties rather than imperative steps.

Finally, understand the scope of DSC. It is Windows-centric in this project, though PowerShell 7 has emerging cross-platform DSC tools. In enterprise environments, DSC is often used with pull servers or automation systems. For this project, a push configuration is sufficient but you should be aware of the broader ecosystem.

How this Fits on Projects

This project builds directly on the idempotency and provisioning concepts of Project 6 but shifts to a declarative model.

Definitions & Key Terms

DSC -> Desired State Configuration.
Configuration -> PowerShell block that declares desired state.
Resource -> Component that implements Get/Test/Set.
MOF -> Generated file representing desired state.
LCM -> Local Configuration Manager that applies MOF.

Mental Model Diagram (ASCII)

Configuration Script -> Compile -> MOF -> LCM -> System State

How It Works (Step-by-Step)

Write a Configuration block.
Compile configuration to MOF.
LCM reads MOF and evaluates resources.
Resources apply changes if needed.
LCM reports convergence status.

Minimal Concrete Example

Configuration WebServer {
  Node 'localhost' {
    WindowsFeature IIS { Name='Web-Server'; Ensure='Present' }
  }
}
WebServer

Common Misconceptions

“DSC runs once.” -> It can continuously enforce state.
“MOF is the source of truth.” -> The configuration script is.
“DSC is just scripting.” -> It is declarative state enforcement.

Check-Your-Understanding Questions

What is the role of a DSC resource?
Why is DSC idempotent?
What does the LCM do?

Check-Your-Understanding Answers

It defines how to test and set a specific part of system state.
Resources check current state before making changes.
It applies MOF files and enforces configuration.

Real-World Applications

Server baseline enforcement.
Compliance configuration in regulated environments.

Where You’ll Apply It

In this project: see Section 3.2 Functional Requirements and Section 5.10 Implementation Phases.
Also used in: Project 6: IIS Website Provisioner.

References

Microsoft Learn: DSC Overview
Microsoft Learn: Configuration keyword

Key Insights

DSC is the shift from “run this script” to “keep this state.”

Summary

DSC uses declarative configurations and resources to keep systems in a desired state.

Homework/Exercises to Practice the Concept

Create a configuration that ensures a directory exists.
Compile the configuration and inspect the MOF.
Apply the configuration to localhost.

Solutions to the Homework/Exercises

Use File resource with Ensure='Present'.
Open the .mof file in the output directory.
Start-DscConfiguration -Wait -Verbose.

2.2 Local Configuration Manager (LCM) and Convergence

Fundamentals

The LCM is the engine that applies DSC configurations. It reads MOF files, runs resource Test methods, and applies Set when needed. Convergence is the process of bringing a system into the desired state. Understanding LCM modes (push vs pull) and its reporting behavior is critical for reliable configuration management.

Deep Dive into the Concept

LCM is a built-in service on Windows systems that orchestrates DSC. It has its own configuration, called the LCM configuration (meta-configuration). This determines how often it checks for drift, whether it automatically applies changes, and where it gets configurations from. In push mode, you explicitly run Start-DscConfiguration to apply a configuration. In pull mode, the LCM periodically downloads configurations from a pull server. For this project, push mode is simpler and enough to demonstrate core concepts.

Convergence is the key property: DSC does not just run once; it evaluates and re-applies as needed. When the LCM runs, it calls Test on each resource. If Test returns false, it calls Set to bring the state into compliance. This is why DSC is reliable for long-term compliance. If someone manually changes a setting (configuration drift), DSC can detect and correct it.

LCM also produces status information. You can query it using Get-DscConfigurationStatus to see whether a run succeeded and what changes were made. For troubleshooting, verbose output is invaluable, as it shows each resource start and end. Your project should include a deterministic “golden run” that shows the expected verbose output so learners can compare their results.

The LCM can run in different modes: ApplyOnly (one-time), ApplyAndMonitor (detect drift), and ApplyAndAutoCorrect (auto-fix drift). Choosing the correct mode depends on your environment. For a learning project, ApplyAndMonitor is a safe default: it doesn’t automatically fix drift but reports it.

Finally, keep in mind that LCM runs under the system account, so resource operations have high privileges. This is powerful but risky. Always test configurations in a lab or VM before applying to production.

How this Fits on Projects

Understanding the LCM is essential for running and verifying the DSC configuration in this project. It also reinforces idempotency concepts from Project 6.

Definitions & Key Terms

LCM -> Local Configuration Manager.
Push mode -> Apply configuration by running a command.
Pull mode -> LCM pulls configuration from server.
Convergence -> System reaches desired state.
Configuration drift -> State deviates from desired.

Mental Model Diagram (ASCII)

MOF -> LCM -> Test -> Set -> Converged
           |      |
           |      +-- Changes if drift
           +-- Status report

How It Works (Step-by-Step)

Configure LCM mode.
Apply MOF with Start-DscConfiguration.
LCM tests each resource.
LCM applies changes when needed.
Status is recorded and retrievable.

Minimal Concrete Example

Start-DscConfiguration -Path .\WebServer -Wait -Verbose
Get-DscConfigurationStatus

Common Misconceptions

“DSC changes everything every run.” -> It changes only when drift is detected.
“LCM is optional.” -> It is required to apply configurations.
“Pull mode is required.” -> Push mode is fine for labs.

Check-Your-Understanding Questions

What is configuration drift?
How do you see if a DSC run succeeded?
What does ApplyAndAutoCorrect do?

Check-Your-Understanding Answers

When the system no longer matches the desired state.
Get-DscConfigurationStatus.
It automatically fixes drift on schedule.

Real-World Applications

Compliance enforcement for servers.
Baseline configuration in enterprise environments.

Where You’ll Apply It

In this project: see Section 3.7 Real World Outcome and Section 6.2 Critical Test Cases.
Also used in: Project 6: IIS Website Provisioner.

References

Microsoft Learn: LCM settings

Key Insights

LCM is the enforcement engine; your configuration is only as good as the LCM settings.

Summary

Understand LCM modes and convergence to predict DSC behavior and validate outcomes.

Homework/Exercises to Practice the Concept

Set LCM to ApplyAndMonitor and observe status.
Make a manual change and see DSC report drift.
Switch to ApplyAndAutoCorrect and verify auto-repair.

Solutions to the Homework/Exercises

Use a LocalConfigurationManager block.
Edit a file resource manually and run Get-DscConfigurationStatus.
Reapply LCM meta-config and wait for consistency check.

2.3 Configuration Data and Environment Separation

Fundamentals

DSC supports configuration data, which allows you to separate environment-specific values (like node names and paths) from the configuration logic. This makes configurations reusable across dev, staging, and production. You pass configuration data as a hashtable or .psd1 file when compiling the configuration.

Deep Dive into the Concept

Configuration data is one of DSC’s strongest features. It allows you to write a generic configuration that is applied to different nodes with different parameters. The data structure typically contains an AllNodes array, where each node entry includes properties like NodeName, Role, SitePath, or Port. The configuration script references these values with $Node.<Property>.

This separation supports environment-specific customization without changing the configuration code. For example, dev might use C:\Sites\DevSite and port 8080, while prod uses D:\Sites\ProdSite and port 80. With configuration data, you can compile two different MOF files from the same configuration script. This is a core DevOps practice: code remains stable while data changes per environment.

Configuration data also improves security. You can avoid hard-coding secrets or sensitive values in your configuration script. Instead, you can reference encrypted credentials or pull them from a secure vault. While this project does not require full credential encryption, you should understand that DSC supports PSDscAllowPlainTextPassword and certificate-based encryption for credentials.

Another advantage is testing. You can create a “test node” configuration data file that points to local paths and a small dataset. This enables deterministic, safe test runs. It also makes documentation clearer because you can show a sample data file that readers can use directly.

Finally, configuration data encourages modular thinking. A configuration script should be general and reusable, and all variability should live in data. This is a pattern you will use in larger infrastructure automation projects.

How this Fits on Projects

This project uses configuration data to define site paths and bindings. The same pattern applies to module configuration in Project 5 and to UI defaults in Project 10.

Definitions & Key Terms

Configuration data -> External data that drives DSC compilation.
AllNodes -> Array of node definitions.
NodeName -> Target node identifier.
PSDscAllowPlainTextPassword -> Flag for credential handling.
Environment separation -> Different configs for dev/test/prod.

Mental Model Diagram (ASCII)

Config Script + Config Data -> Compile -> MOF (per node)

How It Works (Step-by-Step)

Create a configuration data file (.psd1).
Define AllNodes entries with properties.
Reference $Node properties in configuration.
Compile configuration with -ConfigurationData.
Apply MOF to target nodes.

Minimal Concrete Example

$ConfigData = @{ AllNodes = @(@{ NodeName='localhost'; SitePath='C:\Sites\Demo' }) }
WebServer -ConfigurationData $ConfigData

Common Misconceptions

“Configuration data is optional.” -> It is essential for reuse.
“You must hard-code node names.” -> Use AllNodes.
“Secrets must be plain text.” -> DSC supports encryption.

Check-Your-Understanding Questions

What is AllNodes used for?
Why separate configuration data from code?
How do you pass configuration data to a configuration?

Check-Your-Understanding Answers

It defines per-node settings for DSC.
To reuse code across environments and avoid hard-coding.
Use -ConfigurationData when compiling.

Real-World Applications

Multi-environment server configurations.
Standardized infra with environment-specific details.

Where You’ll Apply It

In this project: see Section 3.2 Functional Requirements and Section 5.10 Implementation Phases.
Also used in: Project 5: Custom PowerShell Module.

References

Microsoft Learn: ConfigurationData in DSC

Key Insights

Configuration data is how you scale DSC from one machine to many environments.

Summary

Use configuration data to keep your DSC scripts reusable and environment-agnostic.

Homework/Exercises to Practice the Concept

Create a configuration data file with two nodes.
Compile two MOFs from one configuration.
Add a custom property like SitePort and use it.

Solutions to the Homework/Exercises

Define @{ AllNodes=@(@{NodeName='localhost'},@{NodeName='srv1'}) }.
Compile with the same config script, different data.
Reference $Node.SitePort in the configuration.

3. Project Specification

3.1 What You Will Build

A DSC configuration named WebServer.ps1 that:

Ensures IIS is installed.
Ensures a site folder and default file exist.
Ensures an IIS site is configured.
Uses configuration data for paths and ports.

3.2 Functional Requirements

Configuration: Configuration WebServer with Node block.
Resources: WindowsFeature for IIS, File for site content, and IIS site resource.
Compilation: outputs MOF files to an output folder.
Apply: uses Start-DscConfiguration -Wait -Verbose.
Exit codes: 0 success, 2 failed convergence, 3 invalid input.

3.3 Non-Functional Requirements

Reliability: configuration is idempotent.
Usability: verbose output explains each resource step.
Maintainability: configuration data separates environment values.

3.4 Example Usage / Output

PS> .\WebServer.ps1
PS> Start-DscConfiguration -Path .\WebServer -Wait -Verbose

3.5 Data Formats / Schemas / Protocols

Configuration data example:

@{
  AllNodes = @(
    @{ NodeName='localhost'; SitePath='C:\Sites\Demo'; SiteName='DemoSite'; SitePort=8080 }
  )
}

3.6 Edge Cases

Missing resource module -> fail with clear error.
Configuration drift -> report and re-apply based on LCM mode.
Incorrect path permissions -> file resource fails.

3.7 Real World Outcome

3.7.1 How to Run (Copy/Paste)

powershell .\WebServer.ps1
powershell -Command "Start-DscConfiguration -Path .\WebServer -Wait -Verbose"

3.7.2 Golden Path Demo (Deterministic)

Use a fixed configuration data file and a fresh VM snapshot.

3.7.3 CLI Terminal Transcript (Success)

$ powershell -Command "Start-DscConfiguration -Path .\WebServer -Wait -Verbose"
VERBOSE: [localhost]: LCM:  [ Start  Resource ]  [WindowsFeature]IIS
VERBOSE: [localhost]: LCM:  [ End    Resource ]  [WindowsFeature]IIS
VERBOSE: [localhost]: LCM:  [ Start  Resource ]  [File]WebRoot
VERBOSE: [localhost]: LCM:  [ End    Resource ]  [File]WebRoot
ExitCode: 0

3.7.4 CLI Terminal Transcript (Failure)

$ powershell -Command "Start-DscConfiguration -Path .\WebServer -Wait -Verbose"
ERROR: Resource 'xWebsite' not found
ExitCode: 2

4. Solution Architecture

4.1 High-Level Design

[Config Script] + [Config Data] -> Compile -> MOF -> LCM -> Desired State

4.2 Key Components

4.3 Data Structures (No Full Code)

Configuration WebServer {
  Node $AllNodes.NodeName {
    WindowsFeature IIS { Name='Web-Server'; Ensure='Present' }
  }
}

4.4 Algorithm Overview

Key Algorithm: DSC Convergence

Compile configuration with data.
LCM tests resource state.
LCM applies changes if drift detected.
Status reported.

Complexity Analysis

Time: O(r) resources.
Space: O(r) MOF size.

5. Implementation Guide

5.1 Development Environment Setup

# Ensure DSC resources are available
Get-DscResource

5.2 Project Structure

project-root/
+-- WebServer.ps1
+-- WebServerConfigData.psd1
+-- WebServer/

5.3 The Core Question You’re Answering

“How do I declare and enforce system configuration rather than scripting it?”

5.4 Concepts You Must Understand First

DSC configurations and resources.
LCM behavior and convergence.
Configuration data separation.

5.5 Questions to Guide Your Design

Which resources represent your desired state?
How will you separate dev vs prod settings?
Which LCM mode is appropriate?

5.6 Thinking Exercise

Write a configuration that ensures a file exists with specific content.

5.7 The Interview Questions They’ll Ask

What is configuration drift?
What does the LCM do?
How does DSC differ from a script?

5.8 Hints in Layers

Hint 1: Start with WindowsFeature only. Hint 2: Add a File resource for site content. Hint 3: Add a site resource for IIS site configuration.

5.9 Books That Will Help

5.10 Implementation Phases

Phase 1: Basic IIS Feature (3-4 hours)

Ensure IIS role is installed. Checkpoint: IIS feature present.

Phase 2: Site Content (3-4 hours)

Ensure folder and index file exist. Checkpoint: file content matches desired state.

Phase 3: Site Configuration (3-4 hours)

Ensure IIS site with bindings. Checkpoint: site appears in IIS Manager.

5.11 Key Implementation Decisions

6. Testing Strategy

6.1 Test Categories

6.2 Critical Test Cases

Configuration compiles without errors.
LCM reports success after apply.
Drift is detected when file is edited.

6.3 Test Data

ConfigData: NodeName=localhost, SiteName=DemoSite, Port=8080

7. Common Pitfalls & Debugging

7.1 Frequent Mistakes

7.2 Debugging Strategies

Use -Verbose and inspect Get-DscConfigurationStatus.
Review MOF files for property mismatches.

7.3 Performance Traps

Applying DSC too frequently on large systems.

8. Extensions & Challenges

8.1 Beginner Extensions

Add a second file resource for a health page.
Add logging configuration.

8.2 Intermediate Extensions

Add HTTPS bindings with certificate resource.
Add multiple nodes in config data.

8.3 Advanced Extensions

Configure a pull server.
Integrate DSC with CI/CD pipelines.

9. Real-World Connections

9.1 Industry Applications

Baseline server hardening.
Compliance enforcement with auditing.

DSC Resources community modules.

9.3 Interview Relevance

Explain DSC, LCM, and idempotency concepts.

10. Resources

10.1 Essential Reading

Pro PowerShell Desired State Configuration – DSC fundamentals.
PowerShell in Action – configuration automation.

10.2 Video Resources

“Introduction to DSC” – Microsoft Learn.

10.3 Tools & Documentation

DSC resource documentation (Microsoft Learn).

11. Self-Assessment Checklist

11.1 Understanding

I can explain DSC resources and MOF files.
I can describe LCM modes.
I can separate config data from code.

11.2 Implementation

IIS is installed and configured via DSC.
Configuration converges without errors.
Drift detection works.

11.3 Growth

I can extend this to multiple nodes.
I can explain DSC in an interview.

12. Submission / Completion Criteria

Minimum Viable Completion

Configuration compiles and applies to localhost.
IIS feature and site file are enforced.

Full Completion

Config data supports environment separation.
LCM status shows convergence.

Excellence (Going Above & Beyond)

Pull server setup or CI integration.

13. Deep-Dive Addendum: DSC as Declarative Infrastructure

13.1 LCM Modes and Compliance Strategy

The Local Configuration Manager (LCM) can run in different modes: ApplyOnly, ApplyAndMonitor, or ApplyAndAutoCorrect. Choose the mode based on your environment. For a learning project, ApplyAndMonitor is a great way to see drift without automatically changing systems. In production, ApplyAndAutoCorrect can enforce compliance but must be used carefully. Document your choice and include it in your configuration so behavior is explicit.

13.2 Configuration Data and Environment Separation

Do not hardcode values directly into the configuration when you can use configuration data. Use a .psd1 data file to define environment-specific values like site paths, ports, or content. This allows the same configuration to be applied to dev, staging, and production with minimal changes. It also teaches you the right mental model: the configuration defines the desired state, while the data defines the environment.

13.3 Resource Ordering and Dependencies

DSC resources run in the order dictated by DependsOn. If you are creating a web file, you must ensure the IIS feature is installed first. Always define explicit dependencies so the configuration is deterministic. This avoids subtle failures that only occur on clean systems or first runs.

13.4 Drift Detection and Reporting

DSC is valuable because it detects drift. Use Test-DscConfiguration to validate compliance and log the results. Include a drift report in your tooling output so operators can see what would change. Drift reporting is the first step to configuration compliance audits.

13.5 Modern DSC and Future-Proofing

PowerShell DSC v2 and cross-platform DSC implementations are evolving. While this project uses classic Windows DSC, keep the concepts portable: declarative state, idempotent resources, and testable convergence. This mindset prepares you to use tools like Desired State Configuration v3 or other configuration management systems later.