0

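Using the Azure Automation DSC pull service, I have a configuration that generates multiple Group resources to ensure that accounts are members of the IIS_IUSRS group (app pool identities). These Group resources are generated by looping, at compile time, over data supplied in $ConfigurationData. This is done per website. As an example: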

$Node.WebSites | foreach {
   $site = $_
   $appPoolId  = $site.AppPoolId
   Group appPoolIISUsers
   {
       GroupName = "IIS_IUSRS"
       Credential = $DomainCreds
       Ensure = "Present"
       MembersToInclude = $appPoolId
   }
}

When applied, the LCM and WMI services become unstable and produce multiple errors, specifically DSC engine error 28 and engine error 2147749939.

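I can apply the same technique and the configuration succeeds if it is applied locally with Start-DSCConfiguration in PUSH mode (as opposed to Pull). The only way I was able to get PULL to work with the Azure Automation DSC service was to collect all the required members into one list and use 1 Group resource: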

$iis_iusrs = ($appPoolIds | select -Unique)
Group "AppPoolIISUsers"
{
    GroupName = "IIS_IUSRS"
    Credential = $DomainCreds
    Ensure = "Present"
    MembersToInclude = $iis_iusrs
}

Is this a bug? The reporting in Azure DSC is also going crazy.

Any thoughts or help are greatly appreciated.

Update, November 21, 2016:

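Here is the configuration that I generated and applied locally without using unique groupname values. There is only 1 IIS_IUSRS group locally on the machine, and we don't want more than one. So here is the configuration that applied successfully when run locally (the real configuration pulls the creds from Azure Automation; they are just reused here for simplicity):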

$cd = @{
    AllNodes = @(
        @{
            NodeName = "*"
            PSDscAllowPlainTextPassword = $True
            PSDscAllowDomainUser = $True

        },
        @{ 
            NodeName="localhost"
            DC = (Get-Credential)
            AppPoolId = (Get-Credential)
            WebSites = @(
                @{
                    Name = "app1"
                    WebsiteName = "app1.contoso.lcl"
                    AppPoolName = "app1.contoso.lcl"
                    DestinationFolder = "D:\Content\app1"
                    IsSecure = $false
                    HostHeaderName = "app1.contoso.lcl"
                    AppPoolIdentity = "App1AppPoolId"
                },
                @{
                    Name = "app2"
                    WebsiteName = "app2.contoso.lcl"
                    AppPoolName = "app2.contoso.lcl"
                    DestinationFolder = "D:\Content\app2"
                    IsSecure = $false
                    HostHeaderName = "app2.contoso.lcl"
                    AppPoolIdentity = "App2AppPoolId"
                },
                @{
                    Name = "app3"
                    WebsiteName = "app3.contoso.lcl"
                    AppPoolName = "app3.contoso.lcl"
                    DestinationFolder = "D:\Content\app3"
                    IsSecure = $false
                    HostHeaderName = "app3.contoso.lcl"
                    AppPoolIdentity = "App3AppPoolId"
                }
            )
        }    
    )
}

Configuration LocalGroupTest
{
    Node $AllNodes.NodeName
    {
        $Node.WebSites | foreach {
            $currentSite = $_

            Group "AppPoolIISUsers_AppPool$($currentSite.Name)"
            {
                GroupName = "IIS_IUSRS"
                Credential = $Node.DC
                Ensure = "Present"
                MembersToInclude = @(($Node.AppPoolId).UserName)
            }
        }
    }
}

Localgrouptest -ConfigurationData $cd -Verbose

Start-DscConfiguration -Path .\localgrouptest -Verbose -Wait -Force

Here are the results from the DSC engine:

-a----       11/18/2016   6:26 PM           4496 localhost.mof                                                                                                                                                                       
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer WEB01 with user sid S-1-5-21-3606597670-2021226393-1313626409-500.
VERBOSE: [WEB01]: LCM:  [ Start  Set      ]
VERBOSE: [WEB01]: LCM:  [ Start  Resource ]  [[Group]AppPoolIISUsers_AppPoolapp1]
VERBOSE: [WEB01]: LCM:  [ Start  Test     ]  [[Group]AppPoolIISUsers_AppPoolapp1]
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] A group with the name IIS_IUSRS exists.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] Resolving contoso\rmdeployer in the contoso domain.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] At least one member rmdeployer of the provided MembersToInclude parameter does not have a match in the existing group IIS_IUSRS.
VERBOSE: [WEB01]: LCM:  [ End    Test     ]  [[Group]AppPoolIISUsers_AppPoolapp1]  in 8.1410 seconds.
VERBOSE: [WEB01]: LCM:  [ Start  Set      ]  [[Group]AppPoolIISUsers_AppPoolapp1]
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] Performing the operation "Set" on target "Group: IIS_IUSRS".
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] Resolving contoso\rmdeployer in the contoso domain.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] Group IIS_IUSRS properties updated successfully.
VERBOSE: [WEB01]: LCM:  [ End    Set      ]  [[Group]AppPoolIISUsers_AppPoolapp1]  in 5.9270 seconds.
VERBOSE: [WEB01]: LCM:  [ End    Resource ]  [[Group]AppPoolIISUsers_AppPoolapp1]
VERBOSE: [WEB01]: LCM:  [ Start  Resource ]  [[Group]AppPoolIISUsers_AppPoolapp2]
VERBOSE: [WEB01]: LCM:  [ Start  Test     ]  [[Group]AppPoolIISUsers_AppPoolapp2]
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp2] A group with the name IIS_IUSRS exists.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp2] Resolving CONTOSO in the rmdeployer domain.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp2] Resolving contoso\rmdeployer in the contoso domain.
VERBOSE: [WEB01]: LCM:  [ End    Test     ]  [[Group]AppPoolIISUsers_AppPoolapp2]  in 6.2480 seconds.
VERBOSE: [WEB01]: LCM:  [ Skip   Set      ]  [[Group]AppPoolIISUsers_AppPoolapp2]
VERBOSE: [WEB01]: LCM:  [ End    Resource ]  [[Group]AppPoolIISUsers_AppPoolapp2]
VERBOSE: [WEB01]: LCM:  [ Start  Resource ]  [[Group]AppPoolIISUsers_AppPoolapp3]
VERBOSE: [WEB01]: LCM:  [ Start  Test     ]  [[Group]AppPoolIISUsers_AppPoolapp3]
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp3] A group with the name IIS_IUSRS exists.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp3] Resolving CONTOSO in the rmdeployer domain.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp3] Resolving contoso\rmdeployer in the contoso domain.
VERBOSE: [WEB01]: LCM:  [ End    Test     ]  [[Group]AppPoolIISUsers_AppPoolapp3]  in 6.2440 seconds.
VERBOSE: [WEB01]: LCM:  [ Skip   Set      ]  [[Group]AppPoolIISUsers_AppPoolapp3]
VERBOSE: [WEB01]: LCM:  [ End    Resource ]  [[Group]AppPoolIISUsers_AppPoolapp3]
VERBOSE: [WEB01]: LCM:  [ End    Set      ]
VERBOSE: [WEB01]: LCM:  [ End    Set      ]    in  26.6100 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 26.923 seconds
4

1 Answer

0

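Regardless of Azure Automation DSC, this does not appear to be a valid DSC configuration. If you have more than one website object in $Node.WebSites, you will end up with multiple Group resources that have the same name and key (GroupName) but different values. That is not allowed in DSC.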

Run this:

$Node = @{
    WebSites = @(@{AppPoolId="somePoolID1"}, @{AppPoolId="somePoolID2"})
}

Configuration abc {
    $Node.WebSites | foreach {
       $site = $_
       $appPoolId  = $site.AppPoolId
       Group appPoolIISUsers
       {
           GroupName = "IIS_IUSRS"
           Credential = $DomainCreds
           Ensure = "Present"
           MembersToInclude = $appPoolId
       }
    }
}

abc

It produces these errors:

PsDesiredStateConfiguration\Group : A duplicate resource identifier '[Group]appPoolIISUsers' was found while processing the 
specification for node ''. Change the name of this resource so that it is unique within the node specification.
At line:9 char:8
+        Group appPoolIISUsers
+        ~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : DuplicateResourceIdInNodeStatement,PsDesiredStateConfiguration\Group

Test-ConflictingResources : A conflict was detected between resources '[Group]appPoolIISUsers (::9::8::Group)' and 
'[Group]appPoolIISUsers (::9::8::Group)' in node 'localhost'. Resources have identical key properties but there are differences 
in the following non-key properties: 'MembersToInclude'. Values 'somePoolID1' don't match values 'somePoolID2'. Please update 
these property values so that they are identical in both cases.
At line:246 char:9
+         Test-ConflictingResources $keywordName $canonicalizedValue $k ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], InvalidOperationException
    + FullyQualifiedErrorId : ConflictingDuplicateResource,Test-ConflictingResources

Errors occurred while processing configuration 'abc'.
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3588 char:5
+     throw $ErrorRecord
+     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (abc:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration

Can you try this and see if it works? It makes both the name and the key of each Group resource unique:

    $Node.WebSites | foreach {
       $site = $_
       $appPoolId  = $site.AppPoolId
       Group ("appPoolIISUsers" + $appPoolId)
       {
           GroupName = ("IIS_IUSRS" + $appPoolId)
           Credential = $DomainCreds
           Ensure = "Present"
           MembersToInclude = $appPoolId
       }
    }

Update based on the updated question:

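The only reason the configuration you generated and applied locally without using unique group name values worked is that, even though you reuse the same resource key (GroupName=IIS_IUSRS) across resource instances, the desired state you declare for each group is exactly the same: all 3 resources set the same group to exactly the same state. Your configuration is equivalent to doing this: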

Configuration LocalGroupTest
{
    Node $AllNodes.NodeName
    {
        Group "AppPoolIISUsers_AppPoolapp1"
        {
            GroupName = "IIS_IUSRS"
            Credential = $Node.DC
            Ensure = "Present"
            MembersToInclude = @(($Node.AppPoolId).UserName)
        }

        Group "AppPoolIISUsers_AppPoolapp2"
        {
            GroupName = "IIS_IUSRS"
            Credential = $Node.DC
            Ensure = "Present"
            MembersToInclude = @(($Node.AppPoolId).UserName)
        }

        Group "AppPoolIISUsers_AppPoolapp3"
        {
            GroupName = "IIS_IUSRS"
            Credential = $Node.DC
            Ensure = "Present"
            MembersToInclude = @(($Node.AppPoolId).UserName)
        }
    }
}

As you can see, the AppPoolIISUsers_AppPoolapp2 and AppPoolIISUsers_AppPoolapp3 resource instances are not needed at all, because they set exactly the same state as AppPoolIISUsers_AppPoolapp1 on the same group, IIS_IUSRS.

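Are you sure this example is declaring the end state you want to declare? I still think the reason you are having problems is that you are trying to reuse the same resource instance name and/or resource instance key (GroupName) in the configuration, but with different values for other resource instance fields (for example, MembersToInclude). This is disallowed by DSC by design, since the same resource instance (in this case, a Group) can't be in multiple states; it can only be in one state.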

Answered 2016-11-19T19:05:01.513
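
The rule discussed in the answer (one resource instance per GroupName key, one declared state), as an added PowerShell example that is not from the original posts: it merges per-site membership requests by key, flags requests that would conflict, and emits a single Group resource per group. `Merge-GroupDeclaration`, the `Members_` instance names and the sample accounts are constructed for illustration.

```powershell
# Added example, not from the original posts; function name and sample data are constructed.
function Merge-GroupDeclaration {
    param(
        # Each item: @{ Name = instance name; GroupName = key; MembersToInclude = accounts }
        [Parameter(Mandatory)] [hashtable[]] $Declaration
    )
    $Declaration | Group-Object { $_.GroupName } | ForEach-Object {
        # One canonical member string per instance, so order and case are not differences.
        $sets = $_.Group | ForEach-Object {
            (@($_.MembersToInclude) | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique) -join ';'
        }
        [pscustomobject]@{
            GroupName        = $_.Name
            Instances        = @($_.Group | ForEach-Object { $_.Name })
            # Same key, different members: what Test-ConflictingResources rejects.
            Conflict         = @($sets | Sort-Object -Unique).Count -gt 1
            # Union of all requested members: the single state to declare for this key.
            MembersToInclude = @($_.Group | ForEach-Object { $_.MembersToInclude } | Sort-Object -Unique)
        }
    }
}

# Constructed per-site requests, one per website as in the question's loop.
$perSite = @(
    @{ Name = 'AppPoolIISUsers_app1'; GroupName = 'IIS_IUSRS'; MembersToInclude = 'contoso\App1AppPoolId' }
    @{ Name = 'AppPoolIISUsers_app2'; GroupName = 'IIS_IUSRS'; MembersToInclude = 'contoso\App2AppPoolId' }
    @{ Name = 'AppPoolIISUsers_app3'; GroupName = 'IIS_IUSRS'; MembersToInclude = 'contoso\App3AppPoolId' }
)
$merged = Merge-GroupDeclaration -Declaration $perSite
$merged | Where-Object Conflict | ForEach-Object {
    Write-Warning "$($_.GroupName): $($_.Instances -join ', ') request different members; merging."
}
Configuration MergedGroupMembership
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node localhost
    {
        foreach ($g in $merged) {
            # Exactly one Group instance per GroupName key.
            Group "Members_$($g.GroupName)"
            {
                GroupName        = $g.GroupName
                Ensure           = 'Present'
                MembersToInclude = $g.MembersToInclude
                # Add Credential as in the question's configuration for domain accounts.
            }
        }
    }
}
```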