4

I've got a machine that I need to copy files to from a network share (on domain) for a deployment from a machine that's off domain.

Currently I have the following code;

Configuration deployWebsite 
{ 
  param 
  (
  [string[]] $MachineName = "localhost"
  )

  Node $MachineName 
  { 

    File Test {
      SourcePath = "\\buildserver\mywebsite"
      DestinationPath = "C:\deployments"
      Recurse = $true
      Type = "Directory"

    }
  }
}
deployWebsite -MachineName "at-test-2012"

I run this and I'm able to generate a MOF file which is fine.

The error I get is as follows;

PS C:\dsc> Start-DscConfiguration -Path .\deployWebsite -CimSession $sess -Wait -Verbose -Force
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer AT-TEST-2012 with user sid S-1-5-21-77344112-180879520-4075690869-1002.
VERBOSE: [AT-TEST-2012]: LCM:  [ Start  Set      ]
VERBOSE: [AT-TEST-2012]: LCM:  [ Start  Resource ]  [[File]Test]
VERBOSE: [AT-TEST-2012]: LCM:  [ Start  Test     ]  [[File]Test]
VERBOSE: [AT-TEST-2012]:                            [[File]Test] Access is denied.
VERBOSE: [AT-TEST-2012]:                            [[File]Test] The related file/directory is: \\buildserver\mywebsite.
VERBOSE: [AT-TEST-2012]:                            [[File]Test] The path cannot point to the root directory or to the root of a net share.
VERBOSE: [AT-TEST-2012]:                            [[File]Test] The related file/directory is: \\buildserver\mywebsite.
VERBOSE: [AT-TEST-2012]:                            [[File]Test] SourcePath must be specified if you want to configure the destination directory recursively. Make sure that SourcePath is a directory and that it is accessible.
SourcePath must be specified if you want to configure the destination directory recursively. Make sure that SourcePath is a directory and that it is accessible.
    + CategoryInfo          : InvalidArgument: (:) [], CimException
    + FullyQualifiedErrorId : MI RESULT 4
    + PSComputerName        : at-test-2012

The SendConfigurationApply function did not succeed.
    + CategoryInfo          : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 4
    + PSComputerName        : at-test-2012

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 3.979 seconds

The CIM session seemed to be set up fine.

PS C:\dsc> Get-CimSession


Id           : 1
Name         : CimSession1
InstanceId   : 7ae9cd9b-fc65-4879-94c1-ec9805479500
ComputerName : at-test-2012
Protocol     : WSMAN

It was created with the following code;

$sess = New-CIMSession -cn at-test-2012 -Authentication Credssp -Credential $cred

And it was passed credentials for a user that is local admin over the workgroup machine and is a local user on the domain machine it's trying to pull files from.

If I try another test by creating a PSSession, and trying to copy the files then it works fine and I see the files appear on the workgroup machine.

$cred = Get-Credential -Credential deployuser
$sess = New-PSSession -cn at-test-2012 -Authentication Credssp -Credential $cred 

Invoke-Command -Session $sess -ScriptBlock {Copy-Item -Path '\\buildserver\mywebsite' -Destination 'C:\deployments'}

The problem being that Start-DscConfiguration doesn't appear to support PSSessions, only CIMSessions.

So, any pointers on what to try next? I think my CIM session is set up correctly, and I think I have all the necessary settings on the file share and workgroup machine set correctly, as the PSSession works fine.

Cheers, Andy

atownsend
  • The error seems to indicate that a file test source path can't be the root of a network share. \\buildserver\mywebsite would seem to qualify. – smithian Oct 22 '15 at 12:08
  • Even if I specify the full path to a folder or file it generates the same error. It still seems to be more of a permissions error as it generates an "access denied" message. What is unclear though is why the script doesn't appear to be using the credentials supplied to it. – atownsend Oct 22 '15 at 13:21
  • Try adding both server names to the cimsession – smithian Oct 22 '15 at 13:41
  • Just to ensure that the cimsession works can you try the following command: Get-DscLocalConfigurationManager -CimSession $sess – Nana Lakshmanan Jul 27 '16 at 18:27

1 Answer

0

Typically I approach a problem like this in one of three ways:

  1. Create a scheduled task on the remote machine with an explicit credential, to do the Start-DscConfiguration locally. It will run exactly as the local user for purposes of the next hop in remoting.
  2. Consider creating and using a JEA endpoint. This is more complicated, but heads you down the path towards simplifying the ongoing credential management of managing remote machines.
  3. You may be able to create a mapped drive to the remote share with explicit creds using something like a Script resource.

Beware doing remote Start-DscConfiguration if you have additional configurations that may do network-affecting changes.
For instance, creating the previously mentioned JEA endpoints via the JustEnoughAdministration resource can reset WinRM and prematurely interrupt both local and remote Start-DscConfiguration calls that -Wait.

The scheduled task is immune to both network-affecting issues within the Configuration, as well as simple network flakiness from other environment factors. The big trick is if you need to then monitor for the stabilization of the configuration, which is an exercise for the reader (or a future question/answer).

Matthew Wetmore
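Added example (not from the question or the answer, and going beyond the three approaches listed): the LCM applies resources under its own Local System account rather than as the user of the CIM session, so the CredSSP credential on `$sess` never reaches the File resource; the File resource's own `Credential` property is what it uses to open `SourcePath`. The sketch below passes that credential and encrypts it in the MOF with a certificate instead of allowing a plain-text password. The certificate path, the thumbprint placeholder and the `$ShareCredential` parameter name are assumptions; `$sess` is the CIM session from the question.

```powershell
# Added example. Certificate file, thumbprint and parameter names are placeholders.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'at-test-2012'
            # Public key of a document-encryption certificate whose private key
            # exists only on the target node (placeholder path).
            CertificateFile = 'C:\dsc\at-test-2012.cer'
            Thumbprint      = '<TARGET-NODE-CERT-THUMBPRINT>'
            # Weak alternative, avoid: writes the password in clear text into the MOF.
            # PSDscAllowPlainTextPassword = $true
        }
    )
}

Configuration deployWebsite
{
    param
    (
        [Parameter(Mandatory)]
        [pscredential] $ShareCredential
    )

    Node $AllNodes.NodeName
    {
        # Tells the LCM which certificate decrypts credentials found in the MOF.
        LocalConfigurationManager
        {
            CertificateID = $Node.Thumbprint
        }

        File Test
        {
            SourcePath      = '\\buildserver\mywebsite'
            DestinationPath = 'C:\deployments'
            Recurse         = $true
            Type            = 'Directory'
            # Used by the File resource itself when it opens SourcePath.
            Credential      = $ShareCredential
        }
    }
}

$shareCred = Get-Credential -Message 'Account with read access to \\buildserver\mywebsite'
deployWebsite -ConfigurationData $configData -ShareCredential $shareCred -OutputPath .\deployWebsite

# Push the .meta.mof first so the node knows its CertificateID, then the configuration.
Set-DscLocalConfigurationManager -Path .\deployWebsite -CimSession $sess -Verbose
Start-DscConfiguration -Path .\deployWebsite -CimSession $sess -Wait -Verbose -Force
```

Give the share account read-only access to the build output, and treat the generated MOF as sensitive even when the credential is encrypted, since it still names the account and the share.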