Benefits realised, risks managed, using DSC

Desired State Configuration is a framework developed by Microsoft for managing systems, that provides significant benefits compared to traditional automated builds, or manual installs.

Benefits extend beyond the initial build, into the operation of a system, for example, it can provide:

  • A means to ensure on-going compliance, reduce risk & increase security
  • Improvements to the quality of change & release management.
  • A method to document the state of a system, and with good process, ensure these documents automatically remain relevant & up to date.
  • A community that encourages collaboration + continuous improvement with other IT pros and developers, on a global scale.
  • & many more benefits.

The technical concept is not new, having roots in Linux & Unix-based systems, but in recent years has become fully integrated into the Windows too.  Although it is Microsoft-centric, the framework provides support for managing other operating systems, devices, applications, and systems.

What makes it different?

Many systems are built using an imperative approach, meaning, we script the specific steps to take, in a specific order, to take a system from one state to another. This might, for example, install and configure software required for a business application.

Once this process is complete, there is no further need for the script, except if it needs to be repeated. In fact, in many cases, re-running this process on an existing system can be dangerous, as it may attempt to re-do activities already complete, potentially leaving a system in a broken state.

Desired State Configuration (DSC) is declarative, but, what does that mean? To understand, we will break DSC into a few component parts:

  • Templates
  • Resources
  • Environmental settings
  • The “Make it so” engine

Let’s first describe these in the context of a restaurant:


When creating declarative systems, you create a template that specifies what you want, e.g.

  • Create a web server
  • Place some content in it
  • Set it up for a specific domain name “”
  • Make sure it is secure (e.g. turn https on).

A component built into Windows is supplied with this template & the necessary resources and makes it happen on the system.  We’ll talk about these resources in a bit. This maître d’ component is called the Local Configuration Manager, if you’re a Star Trek fan, you could think of it as Captain Picard on the bridge of the Enterprise, saying “make it so”.

Having declared what we want the system to be, the “make it so” engine in Desired State Configuration will continually check the system against the template, to make sure the configuration remains in the state that you desire.

For example, if someone or something was to make a change (e.g. turn off “https”), the next time the system was compared against its template, it would be found to be out of step. DSC can either ‘monitor’ and report changes or alternatively take direct action to re-apply the template, restoring the system to its desired state.

Re-iterating, in this declarative model, we expect to run the same script repeatedly, this effectively becomes an on-going quality and compliance check by which the system can be measured.

Many resources are free, and openly developed

Hopefully, you can see how important the resources are. They describe how the actions in the template will be undertaken.

These resources can perform all sorts of actions, here are a few examples

  • ensuring the presence of files in a location
  • setting a registry key
  • creating a database login,
  • ensuring a piece of software is installed,
  • configure complex configuration in systems such as Active Directory, SQL, Exchange
  • install a package on a Linux server
  • .. and there are hundreds more, many posted on the Powershell Gallery

Microsoft has released the source code for these, and many more resources, in an open forum where they can be freely used, shared and improved. More are created and shared by a thriving global community.

The permissive sharing model allows resources to be used in many scenarios, with testing and feedback supplied by a global network of contributors.

Virtually every resource comes with examples and samples templates, these illustrate both simple scenarios, and also very complex ones (e.g. a highly available SQL Server), and provide guidance to help your team get started.

A template to match all your environments

The environment in which the template is deployed can be specified separately, this allows scenarios such as:

  • The ability to build the same application template but in different environments.
  • Ability to scale, or size, each environment depending on its purpose. E.g. a production environment might have many web servers to cope with the load.

By using DSC, you can ensure consistency across many different environments, serving different purposes. This provides greater assurance that each environment is functionally the same, reducing the likelihood of issues as changes are tested & deployed.

Since DSC is built on Microsoft’s ubiquitous scripting language, PowerShell, its reach and flexibility is extremely broad.

Furthermore, since DSC has a simple, text-based, format, makes them easy to share & differences can be straightforwardly compared, and historically tracked (using version control).  There are high-quality editors available to simplify the creation of these templates & assist in checking their quality.

Benefits realised.

Hopefully, having read this, you can understand how a declarative approach can be used to achieve the benefits set out at the start of this article

Where to start?

If you’re a manager, ensure you reward people who are automating using tools that encourage collaboration. This is the first step. Encourage your team to look at declaratively modelling a specific system. There are many products, such as Chef, Puppet, that can integrate with DSC and ensure you are able to scale your new declarative world. DSC can also be used by itself, and that is probably the best way to begin.

A great place to begin technically is the free Microsoft virtual academy courses. Even though they are a few years old, they remain relevant.

If you’re interested in a more technical explanation of declarative vs imperative approach, I highly recommend this article from Puppet Labs.

If you’d like to follow my journey, then sign up to my RSS feed, and /or join me in the conversation below.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s