Add Network Load Balancing to the list of resources.

The xIPAddress resource when used to set a static IPv6 address will misreport that the interface on the adapter is configured with DHCP when it is not. This causes Test-TargetResource to return $False, triggering the IP Address to be updated every time the config is applied.

The problem appears to be in the Get-NetIPInterface cmdlet at line 234 of MSFT_xIPAddress.psm1. I am referring to the current Dev version of this resource. This cmdlet always returns that DHCP is enabled even when it is not:

Note, the IPv4 address in the above screenshot is also statically assigned. Yet, the Get-NetIPInterface cmdlet returns that DHCP is enabled on the IPv6 interface but disabled on the IPv4.

Is this a problem in the cmdlet itself or does the cmdlet behave differently with IPv6? I know that IPv6 is a little more complex than IPv4 with things like Link-Local addresses and Site-Local/Unique-Local being assigned to the same interface, so perhaps this is a normal behavior?

The problem code is this:

if (-not (Get-NetIPInterface `
        -InterfaceAlias $InterfaceAlias `
        -AddressFamily $AddressFamily).Dhcp.ToString().Equals('Disabled'))

To fix this, it needs to be changed to something that reliably detects the DHCP state of an IPv6 interface. Possibly the using the suffixOrigin or PrefixOrigin properties returned on objects from the Get-NetIPAddress cmdlet - if they equal 'manual' then DHCP is disabled. But this feels a bit risky to me.

Any ideas?

Running the integration tests while on a domain authenticated machine I get the following error. We'll want to look at modifying the tests to cover this scenario.

Describing MSFT_xNetConnectionProfile_Integration
xNetworking\xNetConnectionProfile : At least one of the values 'DomainAuthenticated' is not supported or valid for property 'NetworkCategory' on class 'xNetConnectionProfile'. Please specify only supported values: Public, Private.
At C:\GitHub\tysonjhayes\xNetworking\Tests\Integration\MSFT_xNetConnectionProfile.config.ps1:6 char:9
+         xNetConnectionProfile Integration_Test {
+         ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnsupportedValueForProperty,xNetworking\xNetConnectionProfile

Write-NodeMOFFile : Invalid MOF definition for node 'localhost': Exception calling "ValidateInstanceText" with "1" argument(s): "Syntax error:
 At line:17, char:38
 Buffer:
ry = DomainAuthenticated^;
};
"
At C:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:1465 char:17
+                 Write-NodeMOFFile $name $mofNode $Script:NodeInstanceAliases[$mo ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], InvalidOperationException
    + FullyQualifiedErrorId : InvalidMOFDefinition,Write-NodeMOFFile
 [-] Should compile without throwing 9.35s
   Expected: the expression not to throw an exception. Message was {Errors occurred while processing configuration 'MSFT_xNetConnectionProfile_Config'.}
       from C:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:2223 char:5
       +     throw $errorRecord
       +     ~~~~~~~~~~~~~~~~~~
   at line: 34 in C:\GitHub\tysonjhayes\xNetworking\Tests\Integration\MSFT_xNetConnectionProfile.Integration.Tests.ps1
   34:             } | Should not throw

I'm actively working on this issue now so I thought I'd set it as an issue so it can be tracked.

I'm attempting to create a cmdlet/function that will create a named Loopback adapter configured with TCP/IP.

I've made some progress with this, but at the moment it requires a file called Devcon.exe that is part of the WDK (Windows Driver Kit) to create the Loopback adapter device. The WDK is a 800MB download (too large to download and install as part of CI) with a 2.5GB install. So I might need to locate alternate download locations for this file (it's only a 40kb).

I'll ensure everything else works and then tackle the problem of obtaining Devcon.exe.

I think xIPAddress is trying to cover the gambit on what is really two distinct things. One use case would be trying to assign a NIC a static IP address. The other would be to assign the NIC to a DHCP server.

As the NIC can not have a static IP and be assigned to a DHCP server I prepose we break up the resources to handle those two different tasks. This way we could have StaticIPAddress and DHCPAddress resources that just handle those use cases.

Thoughts?

Right now there is a limitation in the code where xFirewall doesn't support setting both Group and DisplayGroup, the code pretty much doesn't let us set Group. This should be changed to allow both.

Add a template of how we want Integration tests to be done in this project. Once we have a few of them we should add the template to other projects in the PowerShell group.

Template should outline how we expect the tests to act and where to copy things for maximum compatibility.

Hey guys,

Even though my dsc configuration seems to ba applied I receive some errors related to the xFirewall resource when I run Start-DscConfiguration.

My configuration contains this section...

        foreach($Rule in $Node.CustomFWRules)
        {
            $tmpName = $Rule.Name -replace ' ','-'
            $Message = 'Configuring {0} with {1}' -f $tmpName,($Rule | Out-String)

            Write-Verbose $Message

            xFirewall $tmpName
            {
                Name         = $Rule.Name
                DisplayName  = $Rule.Name
                Group        = $Rule.Group
                Ensure       = 'Present'
                Enabled      = 'True'
                Profile      = ('Domain','Private')
                Direction    = 'Inbound'
                LocalPort    = $Rule.LocalPort
                Protocol     = $Rule.Protocol
                Description  = $Rule.Description
            }

        }

... that reads a few firewall rules from my data file. Here's an example

 @{
    NodeName      = '*'
    CustomFWRules = @(
        @{Group = 'Domino'; Name = 'Domino POP3'; Description = 'Ticket #53347'; Protocol = 'TCP'; LocalPort = @(110,995) }
    )
}

Output from Start-DscConfiguration:

VERBOSE: [SRVADM012]: LCM: [ StartenRessource] [[xFirewall]Domino-POP3]
VERBOSE: [SRVADM012]: LCM: [ StartenTesten ] [[xFirewall]Domino-POP3]
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Test-TargetResource: Checking settings for firewall rule with Name 'Domino POP3'.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Test-TargetResource: Find firewall rule with Name 'Domino POP3'.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Test-TargetResource: Check each defined parameter against the existing firewall rule with Name 'Domino POP3'.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Get-FirewallRuleProperty: Get all the properties and add filter info to rule map.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Test-RuleProperties: Profile property value 'Domain, Private' does not match desired state 'Domain,Private'.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Test-RuleProperties: Test Firewall rule with Name 'Domino POP3' returning False.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Test-TargetResource: Check Firewall rule with Name 'Domino POP3' returning False.
VERBOSE: [SRVADM012]: LCM: [ BeendenTesten ] [[xFirewall]Domino-POP3] in 0.5620 Sekunden.
VERBOSE: [SRVADM012]: LCM: [ StartenFestlegen] [[xFirewall]Domino-POP3]
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Set-TargetResource: Applying settings for firewall rule with Name 'Domino POP3'.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Set-TargetResource: Find firewall rule with Name 'Domino POP3'.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Set-TargetResource: We want the firewall rule with Name 'Domino POP3' to exist since Ensure is set to Present.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Set-TargetResource: We want the firewall rule with Name 'Domino POP3' to exist and it does. Check for valid properties.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Set-TargetResource: Check each defined parameter against the existing firewall rule with Name 'Domino POP3'.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Get-FirewallRuleProperty: Get all the properties and add filter info to rule map.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Test-RuleProperties: Profile property value 'Domain, Private' does not match desired state 'Domain,Private'.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Test-RuleProperties: Test Firewall rule with Name 'Domino POP3' returning False.
VERBOSE: [SRVADM012]: [[xFirewall]Domino-POP3] Set-TargetResource: Updating existing firewall rule with Name 'Domino POP3'.
Der Parametersatz kann mit den angegebenen benannten Parametern nicht aufgelöst werden.
+ CategoryInfo : InvalidArgument: (:) [], CimException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Set-NetFirewallRule
+ PSComputerName : srvadm012

VERBOSE: [SRVADM012]: LCM: [ BeendenFestlegen] [[xFirewall]Domino-POP3] in 0.5000 Sekunden.
Die PowerShell DSC-Ressource "[xFirewall]Domino-POP3" mit SourceInfo "\homedrive\home$\megamorf\gitlab\DSC-BLNMAIL\MailServerConfig.ps1::64::13::xFirewall" hat beim Ausführen der Funktion "Set-TargetResource" mindestens
einen Fehler ohne Abbruch ausgegeben. Diese Fehler werden im ETW-Kanal namens "Microsoft-Windows-DSC/Operational" protokolliert. Weitere Informationen finden Sie in diesem Kanal.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : srvadm012

My setup is:

• Windows Server 2012 R2 Datacenter (German)
• WMF5 RTM (the one from February '16)
• xNetworking Resource from Dev branch downloaded yesterday

Unfortunately I don't have the time to troubleshoot this myself at the moment :( Have you encountered this error before?

Configuration foo
{
import-dscresource -modulename xNetworking

xIPAddress setStaticIPAddress
{
    IPAddress      = "192.168.100.32"
    InterfaceAlias = "Ethernet"   
    SubnetMask     = 24
    AddressFamily  = "IPv4"
}

xDNSServerAddress setDNS
{
    Address        = "192.168.100.7"
    InterfaceAlias = "Ethernet"
    AddressFamily  = "IPv4"
}

}
foo
Start-DscConfiguration -path .\foo -Verbose -Force -wait

PS C:\Users\Administrator> C:\Users\Administrator\Desktop\Untitled1.ps1

Directory: C:\Users\Administrator\foo

Mode LastWriteTime Length Name

-a---- 10/22/2015 11:19 AM 2846 localhost.mof
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendCon
figurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft
/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer SAFEHARBORVM with user sid S-1-5-21-1980052667
-157661992-314775697-500.
VERBOSE: [SAFEHARBORVM]: LCM: [ Start Set ]
VERBOSE: [SAFEHARBORVM]: LCM: [ Start Resource ] [[xIPAddress]setStaticIPAddress]
VERBOSE: [SAFEHARBORVM]: LCM: [ Start Test ] [[xIPAddress]setStaticIPAddress]
VERBOSE: [SAFEHARBORVM]: [[xIPAddress]setStaticIPAddress] Test-Target
Resource: Checking the IP Address.
VERBOSE: [SAFEHARBORVM]: [[xIPAddress]setStaticIPAddress] Test-Target
Resource: IP Address does NOT match desired state. Expected 192.168.100.32, actual 169.254.233.1
73.
VERBOSE: [SAFEHARBORVM]: [[xIPAddress]setStaticIPAddress] Test-Target
Resource: DHCP is NOT disabled.
VERBOSE: [SAFEHARBORVM]: LCM: [ End Test ] [[xIPAddress]setStaticIPAddress] in 43.1620
seconds.
VERBOSE: [SAFEHARBORVM]: LCM: [ Start Set ] [[xIPAddress]setStaticIPAddress]
VERBOSE: [SAFEHARBORVM]: [[xIPAddress]setStaticIPAddress] Set-TargetR
esource: Applying the IP Address.
VERBOSE: [SAFEHARBORVM]: [[xIPAddress]setStaticIPAddress] Set-TargetR
esource: IP Interface was set to the desired state.
VERBOSE: [SAFEHARBORVM]: LCM: [ End Set ] [[xIPAddress]setStaticIPAddress] in 5.3770
seconds.
VERBOSE: [SAFEHARBORVM]: LCM: [ End Resource ] [[xIPAddress]setStaticIPAddress]
VERBOSE: [SAFEHARBORVM]: LCM: [ Start Resource ] [[xDNSServerAddress]setDNS]
VERBOSE: [SAFEHARBORVM]: LCM: [ Start Test ] [[xDNSServerAddress]setDNS]
VERBOSE: [SAFEHARBORVM]: [[xDNSServerAddress]setDNS] Test-TargetResou
rce: Checking the DNS Server Addresses.
VERBOSE: [SAFEHARBORVM]: [[xDNSServerAddress]setDNS] Test-TargetResou
rce: DNS Servers are not correct. Expected "System.String[]", actual "System.String[]".
VERBOSE: [SAFEHARBORVM]: LCM: [ End Test ] [[xDNSServerAddress]setDNS] in 15.0760 seco
nds.
VERBOSE: [SAFEHARBORVM]: LCM: [ Start Set ] [[xDNSServerAddress]setDNS]
VERBOSE: [SAFEHARBORVM]: [[xDNSServerAddress]setDNS] Set-TargetResour
ce: Applying the DNS Server Addresses.
VERBOSE: [SAFEHARBORVM]: [[xDNSServerAddress]setDNS] Set-TargetResour
ce: DNS Servers are already set correctly.
VERBOSE: [SAFEHARBORVM]: LCM: [ End Set ] [[xDNSServerAddress]setDNS] in 0.8130 secon
ds.
VERBOSE: [SAFEHARBORVM]: LCM: [ End Resource ] [[xDNSServerAddress]setDNS]
VERBOSE: [SAFEHARBORVM]: LCM: [ End Set ]
VERBOSE: [SAFEHARBORVM]: LCM: [ End Set ] in 123.7840 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 167.319 seconds

PS C:\Users\Administrator> get-dscresource xDNSServerAddress

ImplementedAs Name ModuleName Version Properties

PowerShell xDNSServerAddress xNetworking 2.3.0.0 {Address...

Expected: DSC should change the preferred dns address to ‘192.168.100.7’.

Actual: DnsAddress of the adapter remains empty

Currently DNS isn't covered at all that needs to be corrected. Firewall just has some basic tests hitting it. We should get this trued up.

xDnsServerAddress uses the NIC alias as the key. You shouldn't have to query ahead of time the nic alias or guess

If I run Get-DscConfiguration I receive the following error...

Get-DscConfiguration : The PowerShell DSC resource returned results that are not valid from Get-TargetResource. The DnsSuffix key is not a valid property in the corresponding
DSC resource schema file. The results from Get-TargetResource must be in a Hashtable format. The keys in the Hashtable must be the same as the properties in the corresponding DSC
resource schema file.
At line:1 char:1

• Get-DscConfiguration

• - CategoryInfo          : InvalidResult: (MSFT_DSCLocalConfigurationManager:root/Microsoft/...gurationManager) [Get-DscConfiguration], CimException
  - FullyQualifiedErrorId : GetOperationResultInvalidResultFormat,Get-DscConfiguration
  

Add QoS Policy to the list of resources.

It would be good to be able to configure a connection suffix on a NIC. There are times when this is required (like in a multi-homed networking environment). I think this should probably be a new, descrete resource. Thoughts?

The xIPAddress resource is currently forcing the network connection profile of the interface being configured to Private in the internal ValidateProperties function.

# Make the connection profile private
Get-NetConnectionProfile -InterfaceAlias $InterfaceAlias | Set-NetConnectionProfile -NetworkCategory Private -ErrorAction SilentlyContinue

Invoking Set-NetConnectionProfile for domain joined machines throws an exception which is being suppressed by the ErrorAction parameter. The resource does not test for the network connection profile. Changes to the network connection profile are not being detected by the resource. I think a clear violation of DSC design best practices.

I would like to remove above two lines to allow for the scenario of an external facing server (public IP) without workarounds.

What are your thoughts?

P.S.: I have started to code a simple DSC resource to set the network connection profile if required as part of a larger configuration script.

Thanks
Daniel

A recent change was made to the Tests.Template in the DSCResouce repository to allow unit and integration tests to be run from any folder under the tests folder.

Original Issue: PowerShell/DscResource.Tests#24
PR to resolve: PowerShell/DscResources#85

The templates and unit/integration tests in this repo need to be updated to match.

Also, the integration config template should also be updated with as per this Issue: PowerShell/DscResources#83

PR to remove quotes:
PowerShell/DscResources#84

Add Nic Teaming (NetLBFO) to the list of resources.

I'm thinking we should create a NetConnecitonProfile resource. This would allow the management of the NetworkCategories of Private/Public/Domain etc on the interface level. This would also mean pulling it it out of xIPAddress which would solve #3 by doing this.

Before doing this work I wanted to ask the community their thoughts on the design.

Thanks!

The templates are now available in the (DSCResources repo)[https://github.com/PowerShell/DscResources/tree/master/Tests.Template] along with usage documentation etc.

I think the templates should be removed from this folder and replaced with a readme.md that directs a user to the templates in the DSCResources repo.

Any thoughts?

Hello,
I have the following configuration:

          xFirewall RdpFirewallRules {
                Name = 'RemoteDesktop-UserMode-In-TCP'
                Ensure = 'Present'
                Action = 'Allow'
                Enabled = 'True'
                Profile = ('Domain', 'Private', 'Public')
            }

It seems to enable it appropriately but it fails the consistency check. I tried running the Test-TargetResource function and this is what I get:

Test-TargetResource -Name 'RemoteDesktop-UserMode-In-TCP' -Ensure Present -Action Allow -Enabled True -Profile ('Domain', 'Private', 'Public') -Verbose
VERBOSE: Test-TargetResource: Checking settings for firewall rule with Name 'RemoteDesktop-UserMode-In-TCP'.
VERBOSE: Test-TargetResource: Find firewall rule with Name 'RemoteDesktop-UserMode-In-TCP'.
VERBOSE: Test-TargetResource: Check each defined parameter against the existing firewall rule with Name 'RemoteDesktop-UserMode-In-TCP'.
VERBOSE: Get-FirewallRuleProperty: Get all the properties and add filter info to rule map.
VERBOSE: Test-RuleProperties: Profile property value 'Domain, Private, Public' does not match desired state 'Domain,Private,Public'.
VERBOSE: Test-RuleProperties: Test Firewall rule with Name 'RemoteDesktop-UserMode-In-TCP' returning False.
VERBOSE: Test-TargetResource: Check Firewall rule with Name 'RemoteDesktop-UserMode-In-TCP' returning False.
False

Is my configuration incorrect?

Hi,

It seems the Test-Resource of MSFT_xIPAddress delivers a wrong result, if the desired IP address (as string) is a part of the current one.

Example:
Current IP: 192.168.178.15
Desired IP: 192.168.178.1

The if-clause "if (-not $currentIPs.IPAddress.Contains($IPAddress))" delivers false - so DSC thinks the current IP address is equal to the desired one...

Hello,
Using xNetworking 2.4, I am having issues running Get-DscConfiguration.

My configuration block looks as follows:

xFirewall RdpFirewallRules {
    Name = 'RemoteDesktop-UserMode-In-TCP'
    Ensure = 'Present'
    Action = 'Allow'
    Enabled = 'True'
    Profile = ('Domain', 'Private', 'Public')
}

I get the following error in Event Viewer when running Get-DscConfiguration:

This event indicates that failure happens when LCM is processing the configuration. Error Id is 0xD. Error Detail is The SendConfigurationApply function did not succeed.. Resource Id is [xFirewall]RdpFirewallRules and Source Info is C:\Configuration\Firewall.ps1::118::17::xFirewall. Error Message is The PowerShell DSC resource  returned results that are not valid from Get-TargetResource. The Group key is not a valid property in the corresponding DSC resource schema file. The results from Get-TargetResource must be in a Hashtable format. The keys in the Hashtable must be the same as the properties in the corresponding DSC resource schema file..

It seems that the Group property isn't defined in the schema. I ended up adding it as a read-only property and it seems to work but the information isn't particularly useful as shown below:

Group                : @FirewallAPI.dll,-28752

It seems that the appropriate solution is to have "Group" not be returned in the Get-TargetResource function. This is implemented in #42

Thank you for your help.

If the DNS on the target computer is empty (not set) the xDNSServerAddress 'Set' states that the configuration is already correct and therefore the DNS does not get set...
Problem seems to be in the check in the "Set-TargetResource" where the Compare-Object returns nothing if $currentAddress is empty - a fix could be to use the same logic as in the "Test-TargetResource"...

In the following example, the set-target resource will not make any changes if the DNS Value of the server is not filled in.

This can be resolved by comparing the other way around:

PS C:\Windows\system32> Compare-Object -ReferenceObject $currentAddress -DifferenceObject $Address -SyncWindow 0
InputObject  SideIndicator
-----------  -------------
192.168.10.1 =>          
PS C:\Windows\system32> (Compare-Object -ReferenceObject $currentAddress -DifferenceObject $Address -SyncWindow 0).length 

PS C:\Windows\system32> Compare-Object -ReferenceObject $Address -DifferenceObject $addressCompare -SyncWindow 0
 InputObject SideIndicator
 ----------- -------------
       False =>           
192.168.10.1 <=           
PS C:\Windows\system32> (Compare-Object -ReferenceObject $Address -DifferenceObject $addressCompare -SyncWindow 0).length
2

The following DSC config fails:

Configuration MyNetworking {

Import-DscResource -ModuleName xNetworking
Node Computer01 {
xDnsServerAddress IPv4D2 {
Address = '192.168.128.10'
InterfaceAlias = 'Ethernet 2'
AddressFamily = 'IPv4'
}
xDnsServerAddress IPv6D2 {
Address = 'fd53:ccc5:895a:bc00::a'
InterfaceAlias = 'Ethernet 2'
AddressFamily = 'IPv6'
}
}
}

With the error:
Test-ConflictingResourcs : A conflict was detected between resources '[xDNSServerAddress]IPv4D2
(C:\VM\BMDLAB.COM\BMDLAB.COM SA_DC1\LabBuilder Files\DSCNetworking.ps1::10::2::xDnsServerAddress)' and
'[xDNSServerAddress]IPv6D2 (C:\VM\BMDLAB.COM\BMDLAB.COM SA_DC1\LabBuilder
Files\DSCNetworking.ps1::22::2::xDnsServerAddress)' in node 'localhost'. Resources have identical key properties but
there are differences in the following non-key properties: 'AddressFamily;Address'. Values 'IPv4;192.168.128.10' don't
match values 'IPv6;fd53:ccc5:895a:bc00::a'. Please update these property values so that they are identical in both
cases.
At line:246 char:9

•     Test-ConflictingResources $keywordName $canonicalizedValue $k ...
  

•     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
  • FullyQualifiedErrorId : ConflictingDuplicateResource,Test-ConflictingResources
    Errors occurred while processing configuration 'Networking'.
    At
    C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3588
    char:5

• throw $ErrorRecord
  

• ~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (Networking:String) [], InvalidOperationException
  • FullyQualifiedErrorId : FailToProcessConfiguration

This should be a supported configuration as assigning both IPv4 and IPv6 DNS addresses is a common scenario.

We have tag 2.7.0.0, but when you download code with this tag, you end up with record in xNetworking.psd1 : ModuleVersion = '2.6.0.0'. As a result, when you put code to the directory XNetworkking\2.7.0.0... you can't load it.

The following resources are missing integration tests. This leads to PRs like #71. We should add integration tests for these resources.

• MSFT_xDNSServerAddress
• MSFT_xDefaultGatewayAddress
• MSFT_xDnsConnectionSuffix
• MSFT_xIPAddress

There are multiple calls to networking cmdlets like Get-NetIPAddress, Get-NetRoute and Get-NetIPInterface, specifically in the Test-TargetResource function. These cmdlets are unavailable on Windows Server 2008 R2, making it impossible to use this

When using the xDNSServerAddress resource on a computer that has no DNS addresses filled in, it does not always set them properly.

Test-Target resource shows it is in an incorrect state, however Set-Target resource thinks it is correct.
This is due to line 96 of MSFT_xDNSServerAddress.psm1:

#Check if the Server addresses are the same as the desired addresses.
    [Boolean] $addressDifferent = (@(Compare-Object `
            -ReferenceObject $currentAddress `
            -DifferenceObject $Address `
            -SyncWindow 0).Length -gt 0)

Tested on Server 2016 TP4 (RTM) and Server 2012R2 with WMF5 Production Preview.

This would mainly be used to set the "Primary DNS Suffix of this computer":

The cmdlets get-dnsclientglobalsetting and set-dnsclientglobalsetting could be used to set this value.

The resource would be quite similar to the xNetBIOS resource I would think.

Errors from both xFirewall and xIPAddress tests
Describing Schema Validation for MSFT_xFirewall
[-] Error occurred in Describe block 50ms
Access to the path 'MSFT_xADRecycleBin' is denied.
At H:\GitHub\xNetworking\Tests\MSFT_xFirewall.Tests.ps1:10 char:5

Import-Module : The specified module 'xDSCResourceDesigner' was not loaded because no valid module file was found in any
module directory.
At H:\GitHub\xNetworking\Tests\MSFT_xIPAddress.Tests.ps1:3 char:5

• Import-Module -Name xDSCResourceDesigner
  

• ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : ResourceUnavailable: (xDSCResourceDesigner:String) [Import-Module], FileNotFoundException
  • FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

This would require a change to the xDefaultGatewayAddress resource.

I think it would require two new parameters to be added:

1. Ensure = {Absent | Present} - Default to Present
2. Metric = 0-65536 - Default to 0.

This should enable existing configs to continue to work just fine, but allow multiple Default Gateways to be specified.

An example:
I was trying to use xFirewall to enable the built-in Firewall rules for FSRM:

Using:

xFirewall FSRMFirewall8
{
    Name = "FSRM-SrmSvc-In (RPC)"
    State = "Enabled"
    Access = "Allow"
}

It was enabling the rule just fine, but was replacing the properties:

This can be worked around by manually setting all the properties of the Firewall rule but it is a bit of a pain, especially as the built in rules contain a lot of settings and there are often a lot of them - e.g. 8 rules for FSRM.

It would be nice if this would enable a built-in rule:
xFirewall FSRMFirewall8
{
Name = "FSRM-SrmSvc-In (RPC)"
State = "Enabled"
}

It would be possible to implement a special code path for when only the Name and State are passed and the rule exists that just fires:
Enable-NetFirewallRule or Disable-NetFirewallRule

Or is there a better way of doing this? I'm not completely sure that this would be a 100% obvious way of using the xFirewall resource because if any other parameter was set with State it would revert to the Delete and Recreate method which would still remove all properties of the built-in rule. Perhaps an new resource could be created for just disabling/enabling existing firewall rules?

Given that a gateway is set at the resource level, and DNS is already its own resource, I'm thinking it would make sense to set the default gateway as its own resource as well. This would break up the logic for the resources into more descrete components and allow more targeted changes in our code fixes and for setting the configuraiton.

Thoughts?

While working on PR #4 I found that I was not able to install xDSCResourceDesigner from the central repository. Was asked to file an issue on this as I should have been able to pull this down.

Each time I run this

Configuration test {

    Import-DSCResource -ModuleName xNetworking

node localhost
{
   xFirewall firsttry {
   Name = "NotepadFirewallRule"
   Program = "c:\windows\system32\notepad.exe"
   Action = "Block"
   Description = "Rule to allow notepad to be accessed remotely"
   Enabled = "True"
   Direction = "Inbound"
   DisplayName = "Windows Team Notepad FW Rule"
   Profile = ("Domain","Private")
   Service = "WinRM"
}
}

start-dscconfiguration -path path

I get the following error

The PowerShell provider MSFT_xFirewall threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called 
Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

It's basically a copy of what is in the example....but it doesn't apply. Is there something I'm missing? I have other settings that work fine on this machine.

The following parameters are missing from the MSFT_xFirewall resource and need to be added (after PR #52 has been merged):
DynamicTarget
EdgeTraversalPolicy
IcmpType
LocalOnlyMapping
LooseSourceMapping
OverrideBlockRules
Owner

At this point I don't think they are critical (unless someone needs them right now of course).

Running this for enabling the built in RDP firewall rules...

    # Enable Firewall Rule 'Remote Desktop - Shadow (TCP-In)'
    xFirewall AllowFirewallRDPShadowTCPIn
    {
        Name = 'Remote Desktop - Shadow (TCP-In)'
        Ensure = 'Present'
        Enabled = 'True'
    }

    # Enable Firewall Rule 'Remote Desktop - User Mode (TCP-In)'
    xFirewall AllowFirewallRDPUserModeTCPIn
    {
        Name = 'Remote Desktop - User Mode (TCP-In)'
        Ensure = 'Present'
        Enabled = 'True'
    }

    # Enable Firewall Rule 'Remote Desktop - User Mode (UDP-In)'
    xFirewall AllowFirewallRDPUserModeUDPIn
    {
        Name = 'Remote Desktop - User Mode (UDP-In)'
        Ensure = 'Present'
        Enabled = 'True'
    }

Works for 'Remote Desktop - Shadow (TCP-In)' and 'Remote Desktop - User Mode (UDP-In)' but 'Remote Desktop - User Mode (TCP-In)' is created again completely open - Any, any, any regarding ports, programs, protocols, etc!

Set-TargetResource: Applying settings for firewall rule with Name 'Remote Desktop - User Mode (TCP-In)'.
VERBOSE: [MIM01]: [[xFirewall]AllowFirewallRDPUserModeTCPIn] Set-TargetResource: Find firewall rule with Name 'Remote Desktop - User Mode (TCP-In)'.
VERBOSE: [MIM01]: [[xFirewall]AllowFirewallRDPUserModeTCPIn] Get-FirewallRule: No Firewall Rule found with Name 'Remote Desktop - User Mode (TCP-In)'.
VERBOSE: [MIM01]: [[xFirewall]AllowFirewallRDPUserModeTCPIn] Set-TargetResource: We want the firewall rule with Name 'Remote Desktop - User Mode (TCP-In)' to exist since Ensure is set to Present.
VERBOSE: [MIM01]: [[xFirewall]AllowFirewallRDPUserModeTCPIn] Set-TargetResource: We want the firewall rule with Name 'Remote Desktop - User Mode (TCP-In)' to exist, but it does not.
VERBOSE: [MIM01]: [[xFirewall]AllowFirewallRDPUserModeTCPIn] New-NetFirewallRule DisplayName: Remote Desktop - User Mode (TCP-In)

In the later versions of the xDnsServerAddress resource, the -Validate switch has been added to the Set-DnsClientServerAddress cmdlet. If this address is not contactable, unavailable or unreachable etc., then the DSC configuration fails.

This call should be removed as the resource is not there to validate whether the DNS server is (yet) available, reachable or contactable - it should just do what it's told!

Add NetEventPacketCapture to the list of resources.

Now that the majority of core networking DSC resources are pretty much complete, it might be useful to look at implementing some of the more advanced networking features for servers.

In my mind QoS Policy is high up on this list and something I use regularly (especially to manage Live Migration and Cluster traffic). I'll implement this at some point in 2016, unless someone out there wants to have a go at it? 😄

The README.md specifies for xFirewall:

Action: Permit or Block the supplied configuration.

However, Permit is not an allowed value for Action. The allowed values are NotConfigured, Allow, or Block.

I would like to see the enforcement of a default gateway address when setting an IP address (also discussed in issue #18) removed. The gateway address really has nothing to do with the IP address assignment other than MS putting it in the same GUI!

This should be a relatively easy, non-breaking change too.

Cannot specify a set of Remote and or Local IP addresses/subnets for the xFirewall configuration

The purpose of this resource would be to set the DHCP parameter of a specific to Enabled or Disabled.

The expected MOF:

[ClassVersion("1.0.0"), FriendlyName("xDHCPClient")]
class MSFT_xDHCPClient: OMI_BaseResource
{
  [Key] string InterfaceAlias;
  [Write,ValueMap{"Enabled", "Disabled"},Values{"Enabled", "Disabled"}] string State;
  [Write,ValueMap{"IPv4", "IPv6"},Values{"IPv4", "IPv6"}] string AddressFamily;
};

This change would address Issue #17.

At the same time this resource is released the check for DHCP Status in the xIPAddress should be removed completely as it should not be there. This is referenced by Issue #32.

I'm happy to make this change and submit a PR for this if no one has any objections?

Hi! I'm dealing with a requirement to manage hostsfile and found an existing community effort to address this, but thought that it would logical to add this functionality to the Networking resource module going forward. Are there any objections if I add a HostsFile resource to this module?

The following DSC script:

Configuration WebServer
{
    Import-DSCResource -Module xNetworking

    Node "perftest01"
    {
        xFirewall "IIS Remote Administration"
        {
            Name = "IIS Remote Administration"
            DisplayName = "IIS Remote Administration"
            Ensure = "Present"
            Enabled = $true
            Action = "Allow"
            Profile = "Domain"
            Direction = "InBound"
            RemotePort = "Any"
            LocalPort = "PlayToDiscovery"
            Protocol = "TCP"
            Description = "Firewall rule for deployments to administer IIS."
        }
    }
}

WebServer
clear; Start-DscConfiguration -Force -Verbose -Wait -path .\WebServer

fails with the logs:

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer PERFTEST01 with user sid
S-1-5-21-1778218145-2021600166-3147052739-5183.
VERBOSE: [PERFTEST01]: LCM:  [ Start  Set      ]
VERBOSE: [PERFTEST01]: LCM:  [ Start  Resource ]  [[xFirewall]IIS Remote Administration]
VERBOSE: [PERFTEST01]: LCM:  [ Start  Test     ]  [[xFirewall]IIS Remote Administration]
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Test-TargetResource: Checking
settings for firewall rule with Name 'IIS Remote Administration'.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Test-TargetResource: Find
firewall rule with Name 'IIS Remote Administration'.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Test-TargetResource: Check
each defined parameter against the existing Firewall Rule with Name 'IIS Remote Administration'.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Get-FirewallRuleProperty: Get
all the properties and add filter info to rule map.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Test-RuleProperties: LocalPort
 property value 'System.String[]' does not match desired state 'System.String[]'.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Test-RuleProperties: Test
Firewall rule with Name 'IIS Remote Administration' returning False.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Test-TargetResource: Check
Firewall rule with Name 'IIS Remote Administration' returning False.
VERBOSE: [PERFTEST01]: LCM:  [ End    Test     ]  [[xFirewall]IIS Remote Administration]  in 2.3130 seconds.
VERBOSE: [PERFTEST01]: LCM:  [ Start  Set      ]  [[xFirewall]IIS Remote Administration]
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Set-TargetResource: Applying
settings for firewall rule with Name 'IIS Remote Administration'.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Set-TargetResource: Find
firewall rule with Name 'IIS Remote Administration'.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Set-TargetResource: We want
the firewall rule with Name 'IIS Remote Administration' to exist since Ensure is set to Present.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Set-TargetResource: We want
the firewall rule with Name 'IIS Remote Administration' to exist and it does. Check for valid properties.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Set-TargetResource: Check each
 defined parameter against the existing firewall rule with Name 'IIS Remote Administration'.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Get-FirewallRuleProperty: Get
all the properties and add filter info to rule map.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Test-RuleProperties: LocalPort
 property value 'System.String[]' does not match desired state 'System.String[]'.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Test-RuleProperties: Test
Firewall rule with Name 'IIS Remote Administration' returning False.
VERBOSE: [PERFTEST01]:                            [[xFirewall]IIS Remote Administration] Set-TargetResource: Updating
existing firewall rule with Name 'IIS Remote Administration'.
Parameter set cannot be resolved using the specified named parameters.
    + CategoryInfo          : InvalidArgument: (:) [], CimException
    + FullyQualifiedErrorId : AmbiguousParameterSet,Set-NetFirewallRule
    + PSComputerName        : perftest01

VERBOSE: [PERFTEST01]: LCM:  [ End    Set      ]  [[xFirewall]IIS Remote Administration]  in 0.8280 seconds.
The PowerShell DSC resource MSFT_xFirewall threw one or more non-terminating errors while running the
Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational.
Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : perftest01

VERBOSE: [PERFTEST01]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : perftest01

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 4.16 seconds

At this page on New-NetFirewallRule, the documentation says that PlayToDiscovery is a valid keyword when the procotol is TCP, so this operation should not fail.

If a user is setting the IP address via DSC, then it seems reasonable that they don't want DHCP enabled. Currently the test for xIPAddress only checks whether the IP is correct, not whether the interface got that IP via DHCP. I ran into this when trying to convert an interface from DHCP to a static IP, but I wanted to use the same IP that had been assigned to it via DHCP. Right now, it seems I can't use xIPAddress to accomplish this?

The DSCResource.tests\TestHelper.psm1 module has had two functions added for initializing and restoring a test environment prior and following running unit/integration tests.

These functions are:

• Initialize-TestEnvironment
• Restore-TestEnvironment

The existing unit and integration tests need to be updated to use these new functions.

The unit and test templates also need to be updated to use these new functions, until these templates get moved into the DSCResources module so they can be used by any DSC Resource.

PR for this issue to follow.

When xFirewall is used in a DSC configuration, Get-DscConfiguration fails with the error:
"Unable to cast object of type 'System.Management.Automation.PSObject' to type 'System.Collections.IList'."