Desired State Configuration for FIM Craig Martin – FIM MVP Identity Management | Data Protection | Authentication Strategies © 2014 Edgile, Inc. – All.


1 Desired State Configuration for FIM Craig Martin – FIM MVP Identity Management | Data Protection | Authentication Strategies © 2014 Edgile, Inc. – All Rights Reserved

4 Development | Test | Production

6 Traditional Scripts vs. DSC

Traditional scripts carry all of it themselves: Intent, Logging & Error Handling, Reboot Resiliency, Technology Specific code, Dependency Resolution, Repeatable Automation.

DSC Engine: Dependency Resolution, Logging & Error Handling, Reboot Resiliency, Repeatable Automation
DSC Resources: Technology Specific
DSC Configuration: Intent

7 Make It So
HOW: DSC Resources do the heavy lifting in an idempotent way.

Intent
WHAT: Structural Configuration stays the same irrespective of the environment.
WHERE: Environmental Configuration changes as the system goes from Dev -> Test -> Prod.

9

```powershell
### Define the configuration
configuration Foo {
    node (hostname) {
        WindowsFeature XPSViewerFoo {
            Ensure = "Present"
            Name   = "XPS-Viewer"
        }
    }
}

### Generate the MOF file from the Configuration
foo

### View the generated MOF
psedit .\foo\CraigFimDev626.mof

### Process the configuration in the LCM
Start-DscConfiguration -Wait -Verbose -Path .\Foo
```

11 In-box DSC resources (provider and description):

Archive: Unpacks archive (.zip) files at specific paths on target nodes.
Environment: Manages system environment variables on target nodes.
File: Manages files and directories on target nodes.
Group: Manages local groups on target nodes.
Log: Logs configuration messages.
Package: Installs and manages packages, such as Windows Installer and setup.exe packages, on target nodes.
WindowsProcess: Configures Windows processes on target nodes.
Registry: Manages registry keys and values on target nodes.
WindowsFeature: Adds or removes Windows features and roles on target nodes.
Script: Runs Windows PowerShell script blocks on target nodes.
Service: Manages services on target nodes.
User: Manages local user accounts on target nodes.

12 Resource and description:

xComputer: Name a computer and add it to a domain/workgroup
xVHD: Create and manage VHDs
xVMHyperV: Create and manage a Hyper-V Virtual Machine
xVMSwitch: Create and manage a Hyper-V Virtual Switch
xDNSServerAddress: Bind a DNS Server address to one or more NICs
xIPAddress: Configure IP address (v4 and v6)
xDSCWebService: Configure DSC Service (aka Pull Server)
xWebsite: Deploy and configure a website on IIS

13 Resource, description and module:

xADDomain: Create and manage an Active Directory Domain (xActiveDirectory)
xADDomainController: Create and manage an AD Domain Controller (xActiveDirectory)
xADUser: Create and manage an AD User (xActiveDirectory)
xWaitForADDomain: Pause configuration implementation until the AD Domain is available (xActiveDirectory)
xSqlServerInstall: Create and manage a SQL Server installation (xSqlps)
xSqlHAService: Create and manage a SQL High Availability Service (xSqlps)
xSqlHAEndpoint: Create and manage the endpoint used to access a SQL High Availability Group (xSqlps)
xSqlHAGroup: Create and manage a SQL High Availability Group (xSqlps)
xWaitForSqlHAGroup: Pause configuration implementation until a SQL HA Group is available (xSqlps)
xCluster: Create and manage a cluster (xFailOverCluster)
xWaitForCluster: Pause configuration until a cluster is available; used for cross-machine synchronization (xFailOverCluster)
xSmbShare: Create and manage an SMB Share (xSmbShare)
xFirewall: Create and manage Firewall rules (xNetworking)
xVhdFile: Manage files to be copied into a VHD (xHyper-V)
xWebsite: Added functionality to xWebsite to support configuration of https websites (xWebAdministration)
xVhd: Bug fixes (xHyper-V)

14 Module, resource(s) and description:

xWebAdministration
  xWebAppPool: Create, remove, start, stop an IIS Application Pool
  xWebVirtualDirectory: Create or remove a virtual directory
  xWebApplication: Create or remove a web application
  xWebConfigKeyValue: Configure AppSettings section of Web.Config
xDatabase
  xDatabase: Create, drop & deploy databases
  xDBPackage: Backup & restore databases
xSystemSecurity
  xUAC: Enable or disable User Account Control prompt
  xIEEsc: Enable or disable IE Enhanced Security Configuration
xRemoteDesktopSessionHost
  xRDSessionDeployment: Creates and configures a deployment in RDSH.
  xRDSessionCollection: Creates an RDSH collection.
  xRDSessionCollectionConfiguration: Configures an RDSH collection.
  xRDRemoteApp: Publish applications for your RDSH collection
xPSDesiredStateConfiguration
  xWindowsProcess: Adds ability to run as a specific user to the existing WindowsProcess resource
  xService: Update to existing Service resource to include create/configure service
  xRemoteFile: Download files from a URI
  xPackage: Adds ability to run as a specific user to the existing resource, includes VS Setup
  xArchive: Create, update, extract a Zip file
  xEndpoint: Creates a remoting endpoint
Updates
  xDscResourceDesigner, xComputer, xVMHyperV, xDNSServerAddress: Feature additions and bug fixes

15 Module, resource(s) and description:

xAzure
  xAzureAffinityGroup: Defines the relationship between compute and storage
  xAzureQuickVM: Simple resource for creating VMs with limited options
  xAzureService: Creates a cloud service for the VMs
  xAzureStorageAccount: Creates the online storage account where the blobs for the test environment will reside
  xAzureSubscription: Sets the current Azure subscription context
  xAzureVM: Creates a virtual machine in Azure including access to VM Guest extensions
xJEA
  xJeaEndPoint: Allows creation of PowerShell JEA Endpoints that leverage one or more JEA Toolkits and properties of the endpoints including access control
  xJeaToolKit: Allows creation of a JEA Toolkit that defines which applications, scripts, and commands should be available within a PowerShell constrained endpoint configuration
xDnsServer
  xDnsServerSecondaryZone: This resource allows setting a Secondary zone on a given DNS server. Secondary zones allow client machines in the primary DNS zone to do DNS resolution of machines in the secondary DNS zone.
  xDnsServerZoneTransfer: This resource allows DNS Server zone data to be replicated to another DNS server.
xDhcpServer
  xDhcpServerScope: Sets a scope for a consecutive range of possible IP addresses that the DHCP server can lease to clients on a subnet.
  xDhcpServerReservation: Sets lease assignments used to ensure that a specified client on a subnet can always use the same IP address
  xDhcpServerOption: Supports setting DNS domain and DNS Server IP Address options at a DHCP server scope level.
xWinEventLog
  xWinEventLog: Adds support for configuring Windows Event Logs.
xActiveDirectory (updated)
  xADDomainTrust: Used to establish a cross-domain trust
Updates
  xPSDesiredStateConfiguration, xDscResourceDesigner, xDscDiagnostics: Feature additions and bug fixes

16 Module, resource(s) and description:

xWordPress
  xIisWordPressSite: This DSC Composite Configuration allows you to configure an IIS site to run WordPress and set the contents of the WordPress configuration file.
  xWordPressSite: This DSC Resource allows you to configure a WordPress Site.
  xPhp: This DSC Resource allows you to set up PHP in IIS. This is used in the xWordPress examples.
xMySql
  xMySqlServer: This DSC Resource allows you to configure a MySQL server.
  xMySqlDatabase: This DSC Resource allows you to configure a MySql Database.
  xMySqlUser: This DSC Resource allows you to configure a MySql User.
  xMySqlGrant: This DSC Resource allows you to configure a MySql Grant (permissions).
  xMySqlProvision: This DSC Resource allows you to configure a MySql Server with a database, a user, and a grant to that database for that user.
xPsDesiredStateConfiguration
  xWindowsOptionalFeature: This resource allows configuring Windows Optional Features for Windows client SKUs
xWebAdministration
  xIisModule: This enables registration of modules (such as FastCgiModules) with IIS
xWindowsUpdate
  xHotfix: Handles installation of a Windows update (or a hotfix) from a given path (file path or a URI)
Updates
  xSqlPs, xDscResourceDesigner, xDhcpServer, xAzure: Minor updates & bug fixes have been made for these.

17 Module, resource(s) and description:

xSafeHarbor
  (none): This is a sample configuration demonstrating how to set up a secure environment to run a particular application or service. Note: some updates & bug fixes have been made since the original release.
xAzure
  xAzureSqlDatabaseServerFirewallRule: Configures Azure SQL Database Server Firewall Rules.
xRemoteDesktopAdmin
  xRemoteDesktopAdmin: This resource configures Remote Desktop settings and configures the Windows firewall to support Remote Desktop
xPsDesiredStateConfiguration
  xGroup: Extends the in-box Group resource with support for cross-domain account lookup and UPN-formatted names used for identifying users, computers, and group domain-based accounts.
xChrome
  xChrome: Deploys the Chrome browser
xFirefox
  xFirefox: Deploys the Firefox browser
Updates
  xAzureSqlDatabase, xPsDesiredStateConfiguration, xWaitForAdDomain, xSqlServerInstall, xFirewall: Bug fixes have been made to improve each of these items. Please see the individual topics for details.

18 Module, resource(s) and description:

xAdcsDeployment
  xAdcsCertificationAuthority, xAdcsWebEnrollment: The purpose of these resources is to install and configure the Certificate Authority role and the Certificate Services Web Enrollment on a Windows Server following installation of the component using the WindowsFeature resource.
xCredSSP
  xCredSSP: The xCredSSP module enables or disables Credential Security Support Provider (CredSSP) authentication, and supports configuring the server and client roles, plus which server or servers the client credentials can be delegated to.
xPendingReboot
  xPendingReboot: xPendingReboot examines three specific registry locations where a Windows Server might indicate that a reboot is pending and allows DSC to predictably handle the condition.
Updates
  xRemoteDesktopAdmin: Bug fixes have been made to improve each of these items. Please see the individual topics for details.

19 All DSC resources covered so far, grouped as on the slide:

In-box: File, Group, Registry, Service, User, Package, WindowsFeature, WindowsProcess, Environment, Archive, Log, Script
xWebsite, xComputer, xIPAddress, xDNSServerAddress, xDSCWebService, xVHD, xVMHyperV, xVMSwitch
xVhdFile, xADDomain, xADUser, xADDomainController, xWaitForADDomain, xSqlServerInstall, xSqlHAService, xSqlHAEndpoint, xSqlHAGroup, xWaitForSqlHAGroup, xCluster, xWaitForCluster, xSmbShare, xFirewall
xWebVirtualDirectory, xWebApplication, xWebConfigKeyValue, xUAC, xIEEsc, xWindowsProcess, xService, xRemoteFile, xPackage, xCompress, xEndpoint, xRDRemoteApp, xRDSessionDeployment, xRDSessionCollection, xRDSessionCollectionConfiguration, xDatabase, xDBPackage, xWebAppPool
xAzureAffinityGroup, xJeaEndPoint, xJeaToolKit, xDnsServerSecondaryZone, xDnsServerZoneTransfer, xDhcpServerScope, xDhcpServerReservation, xDhcpServerOption, xWinEventLog, xADDomainTrust, xFileUpload
xAzureQuickVM, xAzureVM, xAzureStorageAccount, xAzureSubscription, xAzureService
xIISWordPress, xWordPressSite, xPhp, xMySqlServer, xMySqlDatabase, xMySqlUser, xMySqlGrant, xMySqlProvision, xWindowsOptionalFeature, xHotfix, xIISModule

24

```powershell
### Export the FIM configuration from both servers
$policy1 = Export-FIMConfig -policyConfig -portalConfig -schemaConfig -Uri http://server1:5725
$policy2 = Export-FIMConfig -policyConfig -portalConfig -schemaConfig -Uri http://server2:5725

### Set some Join Rules (object type -> attributes that identify the same object on both sides)
$joinrules = @{
    Person                           = "MailNickname DisplayName"
    Group                            = "DisplayName"
    ObjectTypeDescription            = "Name"
    AttributeTypeDescription         = "Name"
    BindingDescription               = "BoundObjectType BoundAttributeType"
    ConstantSpecifier                = "BoundObjectType BoundAttributeType ConstantValueKey"
    SearchScopeConfiguration         = "DisplayName SearchScopeResultObjectType Order"
    ObjectVisualizationConfiguration = "DisplayName AppliesToCreate AppliesToEdit AppliesToView"
}

### Do the joining
$matches = Join-FIMConfig -source $policy1 -target $policy2 -join $joinrules -defaultJoin DisplayName

### Produce the diff
$diff = $matches | Compare-FIMConfig

### Import the diff to FIM
$undoneImports = $diff | Import-FimConfig -Uri http://server2:5725

### Didn't work? Yeah, do it again
$undoneImports | Import-FimConfig -Uri http://server2:5725
```

27

```powershell
param(
    # Assumed for runnability: the slide uses $environment without defining it.
    [string] $environment = "Dev"
)
# Assumed for runnability: folder of this script, where the ConfigDev.xml etc. files live.
$scriptPath = Split-Path -Parent $MyInvocation.MyCommand.Path

### Check starting state - Halt script if trouble found with the preliminaries
Write-Verbose "Checking for FIM."
try {
    Get-Service fimservice -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "FIM not found. Please run this script from the FIM server, duh."
    exit
}

Write-Verbose "Checking target environment."
if (!(Test-Path "$scriptPath\Config$environment.xml")) {
    Write-Warning "Config values not found for environment '$environment'. Please try again, harder next time."
    exit
}

### Create the Set: 'FIM UG: Presenters'
New-FimSet -DisplayName "FIM UG: Presenters" -Filter "/Person[Slacker = False]"

### Create the Set: 'FIM UG: Organizers'
New-FimSet -DisplayName "FIM UG: Organizers" -Filter "/Person[CommunityHero = True]"

### Create the Set: 'FIM UG: Participants'
New-FimSet -DisplayName "FIM UG: Participants" -Filter "/Person[ScarTisue = True]"
```
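Slide 7's split between structural (WHAT) and environmental (WHERE) configuration, applied to the Sets that slide 27 creates with plain New-FimSet calls, as an added example that is not part of the slides or of the FimPowerShellModule. It uses the in-box Script resource from slide 11 so that each Set is created only when it is missing; the node names and FIM Service URIs are constructed, and the -Uri parameter on New-FimSet is an assumption.

```powershell
# Added example (not from the slides or the FimPowerShellModule): the three 'FIM UG' Sets
# of slide 27 as a DSC configuration. WHAT (structural) is in the Configuration body;
# WHERE (environmental) is in ConfigurationData, one entry per environment.
# Node names and FIM Service URIs are constructed; New-FimSet -Uri is an assumed parameter.
$ConfigurationData = @{
    AllNodes = @(
        @{ NodeName = 'CraigFimDev626'; FimUri = 'http://localhost:5725' }   # Dev
        @{ NodeName = 'FIMTEST01';      FimUri = 'http://fimtest01:5725' }   # Test
        @{ NodeName = 'FIMPROD01';      FimUri = 'http://fimprod01:5725' }   # Prod
    )
}

Configuration FimUserGroupSets {
    # Structural configuration: the same Sets in every environment.
    $sets = @(
        @{ DisplayName = 'FIM UG: Presenters';   Filter = '/Person[Slacker = False]' }
        @{ DisplayName = 'FIM UG: Organizers';   Filter = '/Person[CommunityHero = True]' }
        @{ DisplayName = 'FIM UG: Participants'; Filter = '/Person[ScarTisue = True]' }
    )
    # Loaded inside each Script block because the LCM runs them in its own session.
    $prelude = 'Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue; Import-Module FimPowerShellModule; '

    Node $AllNodes.NodeName {
        foreach ($set in $sets) {
            $name    = $set.DisplayName
            $filter  = $set.Filter
            $uri     = $Node.FimUri
            $resName = 'FimSet_' + ($name -replace '[^A-Za-z0-9]', '')

            # Script's three blocks are passed as strings (WMF 4 has no $using: here);
            # values are formatted in with -f, and '' is a literal single quote.
            Script $resName {
                # Test: a Set with this DisplayName already exists -> nothing to do.
                TestScript = $prelude + (('$found = Export-FIMConfig -Uri "{0}" -OnlyBaseResources ' +
                                          '-CustomConfig "/Set[DisplayName=''{1}'']"; $null -ne $found') -f $uri, $name)
                # Set: runs only when TestScript returned $false.
                SetScript  = $prelude + ('New-FimSet -Uri "{0}" -DisplayName "{1}" -Filter "{2}"' -f $uri, $name, $filter)
                # Get: report which Set this resource manages ({{ }} are literal braces under -f).
                GetScript  = '@{{ Result = "{0}" }}' -f $name
            }
        }
    }
}

# Compile one MOF per node, then apply this machine's MOF (as on slide 9).
FimUserGroupSets -ConfigurationData $ConfigurationData -OutputPath .\FimUserGroupSets
Start-DscConfiguration -Wait -Verbose -Path .\FimUserGroupSets
```

The LCM runs these script blocks as LocalSystem, so in practice the Script resource's Credential property is needed wherever the FIM Service does not grant that account access. A second Start-DscConfiguration changes nothing, because SetScript runs only when the DisplayName lookup finds no Set.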

32 Module, resource(s) and description:

FimPowerShellModule
  cFimActivityInformationConfiguration, cFimAttributeTypeDescription, cFimBindingDescription, cFimEmailTemplate, cFimFilterScope, cFimGroup, cFimHomePageConfiguration, cFimManagementPolicyRule, cFimmsidmSystemConfiguration, cFimNavigationBarConfiguration, cFimObjectTypeDescription, cFimObjectVisualizationConfiguration, cFimPerson, cFimPortalUIConfiguration, cFimResource, cFimSearchScopeConfiguration, cFimSet, cFimSynchronizationFilter, cFimSystemResourceRetentionConfiguration, cFimWorkflowDefinition
  The purpose of these resources is to configure the FIM Service.

33 Module, resource(s) and description:

FimSyncPowerShellModule
  cFimSyncFilterRule, cFimSyncImportAttributeFlowRule, cFimSyncJoinRule, cFimSyncMADeprovisioningOptions, cFimSyncMAExtension, cFimSyncManagementAgent, cFimSyncMAPartitionData, cFimSyncMAPrivateConfiguration, cFimSyncMVAttributeType, cFimSyncMVDeletionRule, cFimSyncMVExtension, cFimSyncMVObjectType, cFimSyncMVProvisioningRule, cFimSyncProjectionRule, cFimSyncRunProfile
  The purpose of these resources is to configure the FIM Synchronization Service.

41 Driving Alignment Between Business and Security

