We want to use the ArcGIS PowerShell DSC Module to deploy our ArcGIS environment. The deployment consists of a Base Deployment (Portal, ArcGIS Server and Data Store), two federated servers and the Web Adaptors (portal, hosting, fed1, fed1) deployed on a web server in a DMZ. All servers except the web server in the DMZ are domain joined.
Is there a configuration of the DSC that would be able to deploy the entire environment (including the WAs in the DMZ)?
We tried to use a DSC configuration to install the WAs in the DMZ but because it is not domain joined we got errors. We are now looking at an option to install and configure the WAs using a separate .ps1 script while using the DSC for the rest of the installations. We are looking at two options for this but not sure if they are valid.
Option 1:
Option 2:
Any ideas @CameronKroeker - thanks for any assistance with this.
Hi @julian_svcs,
Yes, it is possible to deploy a base enterprise with the web server in the DMZ, however, it does require some additional environment configuration.
- Trusted Hosts will need to be configured properly for all target nodes to establish trust (either the IP of each node and/or its hostname).
- A common Administrator account will need to be used for the Invoke-ArcGISConfiguration -Credential flag. Since the web server node isn't on the domain, a domain administrator account cannot be used. It will need to be a local administrator account. This local administrator account will need to exist on all target nodes and have the same username and password. Note: If you get an access denied error, check that the LocalAccountTokenFilterPolicy is configured.
Here are some helpful resources:
Here are a couple of commands that can be used to test the connection between the DMZ node and domain joined nodes:
WinRM HTTPS:
Test-WSMan -ComputerName TargetNodeMachineNameOrIP -Authentication default -Port 5986 -UseSSL -Credential LocalAdministratorUsername
WinRM HTTP:
New-CimSession -Port 5985 -ComputerName TargetNodeMachineNameOrIP -Authentication default -Credential LocalAdministratorUsername
Test-WSMan -ComputerName TargetNodeMachineNameOrIP -Authentication default -Port 5985 -Credential LocalAdministratorUsername
Thanks,
Cameron K.
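As an added example (not Esri's module code or Cameron's), here is a pre-flight script for the orchestrating node that checks the three items above: a scoped TrustedHosts entry, the HTTPS (or fallback HTTP) WinRM listener, and a CIM session running the same WMI query that fails when LocalAccountTokenFilterPolicy is missing. The host name dmz-web01 is a placeholder; gis-sa is the shared local admin account name used later in this thread.

```powershell
# Added example (not Esri's or Cameron's code): pre-flight checks run on the
# orchestrating node before Invoke-ArcGISConfiguration. 'dmz-web01' is a
# placeholder host name; 'gis-sa' is the shared local admin used in the thread.

# Run once ON EACH TARGET NODE (the DMZ web server in particular). Without this,
# a non-built-in local admin receives a UAC-filtered (non-admin) token over the
# network, so WMI/DSC calls fail with 'access denied' although Test-WSMan succeeds.
function Enable-RemoteLocalAdminToken {
    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-DmzNodeReady {
    param([string]$TargetNode = 'dmz-web01', [string]$LocalAdmin = 'gis-sa')
    $cred = Get-Credential -UserName $LocalAdmin -Message 'Local admin shared by all nodes'

    # 1. TrustedHosts: list the DMZ node by name/IP, never '*'. A wildcard lets
    #    the orchestrator send these credentials to any host answering on WinRM.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ($trusted -notmatch [regex]::Escape($TargetNode)) {
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $TargetNode -Concatenate -Force
    }

    # 2. Prefer the HTTPS listener (5986); drop to HTTP (5985) only to diagnose.
    $useSsl = $true
    try {
        Test-WSMan -ComputerName $TargetNode -Port 5986 -UseSSL -Authentication Default `
            -Credential $cred -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "HTTPS check failed ($($_.Exception.Message)); trying HTTP"
        $useSsl = $false
        Test-WSMan -ComputerName $TargetNode -Port 5985 -Authentication Default `
            -Credential $cred -ErrorAction Stop | Out-Null
    }

    # 3. Open a CIM session (as the module does with -UseSSL) and run the WMI
    #    query from this thread. This surfaces the filtered-token 'access denied'
    #    that a bare Test-WSMan does not.
    $cim = if ($useSsl) {
        New-CimSession -ComputerName $TargetNode -Port 5986 -Credential $cred `
            -Authentication Default -SessionOption (New-CimSessionOption -UseSsl)
    } else {
        New-CimSession -ComputerName $TargetNode -Port 5985 -Credential $cred -Authentication Default
    }
    try {
        Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem |
            Select-Object CSName, Caption, Version
    } finally {
        Remove-CimSession $cim
    }
}
```

The HTTPS path assumes the DMZ node's WinRM listener certificate is trusted by the orchestrating node and matches the name used in TrustedHosts; otherwise the Test-WSMan call falls through to the HTTP branch with the certificate error in the warning.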
Awesome, thanks @CameronKroeker. I'll check it out and get back to you.
Thanks for writing this out! I recall having to do this a few years ago for a deployment that wasn't domain joined at all. We are in a position where we need to do something similar again.
Quick question/clarification - we would also have to use the -UseSSL argument as well when we invoke the configuration? Or is it possible to get away with using just WinRM HTTP?
Hi @AlexBakhtin
I do not believe the -UseSSL argument is required, as long as WinRM HTTP is properly configured on the orchestrating node and all target nodes.
Thanks,
Cameron K.
Great, thank you!
Hi @CameronKroeker, wanted to post another update. We are in the process of deploying to a true DMZ architecture (web server in the DMZ, enterprise deployment on domain). The web server is not domain joined and we made sure that both servers have the same local administrator account. We are running into an issue where when we invoke the configuration:
Invoke-ArcGISConfiguration -ConfigurationParametersFile .\SV_113.json -Mode InstallLicenseConfigure -Credential gis-sa -DebugSwitch -EnableMSILogging
We are able to get as far as installing Portal, Server, and Data Store. However, it looks like we are running into an issue getting Web Adaptor installed on the web server, as we see the following error:
Trace-DSCJob : 6/14/2024 11:36:25 AM: The WS-Management service cannot process the request. The WMI service returned an 'access denied' error.
At C:\Program Files\WindowsPowerShell\Modules\ArcGIS\4.3.0\ArcGIS.psm1:261 char:5
+ Trace-DSCJob -Job $Job -JobName $ConfigurationName -DebugMode $De ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Trace-DSCJob
Looking into the WMI Service, from what I can tell in running the code block below from the orchestrating node, I'm also getting access denied:
PS D:\DSC\config> Get-WmiObject -Query "SELECT * FROM Win32_OperatingSystem" -ComputerName <target>
Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Get-WmiObject -Query "SELECT * FROM Win32_OperatingSystem" -ComputerN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
I suspect there might be a communication issue occurring and I wasn't able to find any resolution as of yet. What I can confirm is that we are able to establish connectivity from the orchestrating node (enterprise server) to the target node (web server in DMZ) via WinRM:
PS D:\DSC\config> New-CimSession -Port 5985 -ComputerName <target> -Credential gis-sa
Id : 2
Name : CimSession2
InstanceId : 7a657e96-fe1f-4572-8a86-d658e42739ed
ComputerName : <target>
Protocol : WSMAN
Do you have any thoughts or places we can start looking to troubleshoot this?
Thanks!
Are all the nodes the same version of Windows? I found this, might be worth trying:
I also just realized that when -UseSSL argument is passed in, the module passes in the -Credential to the Start-DscConfiguration using New-CimSession, whereas without -UseSSL argument New-CimSession is not used. For example:
Perhaps I was mistaken and -UseSSL is required so that it uses New-CimSession.
Thanks,
Cameron K.
Thanks for sending this along, we found similar documentation. We confirmed that all nodes are on the same version of Windows 2019. We will go back and configure it to use WinRM HTTPS so that we can use the -UseSSL argument, and I will update you on how that works for us.