
Desired State Configuration for FIM

Presentation on theme: "Desired State Configuration for FIM"— Presentation transcript:

1 Desired State Configuration for FIM
Identity Management | Data Protection | Authentication Strategies
Craig Martin – FIM MVP
© 2014 Edgile, Inc. – All Rights Reserved

2 What is DSC?

3 Get-Help
[Video] A Practical Overview of Desired State Configuration
[eBook] PowerShell.org DSC Hub
[TechNet] Windows PowerShell Desired State Configuration Overview

4 PowerShell Desired State Configuration…
Simplifies configuration
Prevents configuration drift
Enables continuous deployment (Development → Test → Production)

5 Configuration Management Platform
(Platform diagram) Components: 3rd Party CM Tools, PowerShell UI, DSC Engine, 3rd Party Adapters, Logging, Reporting, Protocol, DSC Resources

6 DIY versus DSC
Traditional scripts: the script author writes the configuration intent and also the dependency resolution, logging & error handling, reboot resiliency, repeatable automation and technology-specific code.
DSC: the author writes only the configuration intent. The DSC engine supplies dependency resolution, logging & error handling, reboot resiliency and repeatable automation, and the technology-specific work is done by DSC resources.

7 DSC Decouples…
WHAT (Intent): Structural configuration. Stays the same irrespective of the environment.
WHERE: Environmental configuration. Changes as the system goes from Dev → Test → Prod.
HOW (Make It So): DSC resources. Do the heavy lifting in an idempotent way.

8 Simple DSC Demo

9 Simple DSC Configuration
### Define the configuration
configuration Foo
{
    node (hostname)
    {
        WindowsFeature XPSViewerFoo
        {
            Ensure = "Present"
            Name   = "XPS-Viewer"
        }
    }
}

### Generate the MOF file from the Configuration (writes .\Foo\<nodename>.mof)
Foo

### View the generated MOF
psedit .\Foo\CraigFimDev626.mof

### Process the configuration in the LCM
Start-DscConfiguration -Wait -Verbose -Path .\Foo

10 DSC Waves

11 Wave 0 – October 25th, 2013 (Provider - Description)
DSC Archive Resource - Unpacks archive (.zip) files at specific paths on target nodes.
DSC Environment Resource - Manages system environment variables on target nodes.
DSC File Resource - Manages files and directories on target nodes.
DSC Group Resource - Manages local groups on target nodes.
DSC Log Resource - Logs configuration messages.
DSC Package Resource - Installs and manages packages, such as Windows Installer and setup.exe packages, on target nodes.
DSC WindowsProcess Resource - Configures Windows processes on target nodes.
DSC Registry Resource - Manages registry keys and values on target nodes.
DSC WindowsFeature Resource - Adds or removes Windows features and roles on target nodes.
DSC Script Resource - Runs Windows PowerShell script blocks on target nodes.
DSC Service Resource - Manages services on target nodes.
DSC User Resource - Manages local user accounts on target nodes.

12 Wave 1 – December 26th, 2013 (Resource - Description)
xComputer - Name a computer and add it to a domain/workgroup
xVHD - Create and manage VHDs
xVMHyperV - Create and manage a Hyper-V Virtual Machine
xVMSwitch - Create and manage a Hyper-V Virtual Switch
xDNSServerAddress - Bind a DNS Server address to one or more NICs
xIPAddress - Configure IP address (v4 and v6)
xDSCWebService - Configure DSC Service (aka Pull Server)
xWebsite - Deploy and configure a website on IIS

13 Wave 2 – February 7th, 2014 (Module: Resource - Description)
xActiveDirectory:
xADDomain - Create and manage an Active Directory Domain
xADDomainController - Create and manage an AD Domain Controller
xADUser - Create and manage an AD User
xWaitForADDomain - Pause configuration implementation until the AD Domain is available.
xSqlps:
xSqlServerInstall - Create and manage a SQL Server Installation.
xSqlHAService - Create and manage a SQL High Availability Service.
xSqlHAEndpoint - Create and manage the endpoint used to access a SQL High Availability Group.
xSqlHAGroup - Create and manage a SQL High Availability Group.
xWaitForSqlHAGroup - Pause configuration implementation until a SQL HA Group is available.
xFailOverCluster:
xCluster - Create and manage a cluster.
xWaitForCluster - Pause configuration until a cluster is available. Used for cross-machine synchronization.
xSmbShare:
xSmbShare - Create and manage an SMB Share.
xNetworking:
xFirewall - Create and manage Firewall rules
xHyper-V:
xVhdFile - Manage files to be copied into a VHD.
xVhd - Bug fixes
xWebAdministration:
xWebsite - Added functionality to xWebsite to support configuration of https websites.

14 Wave 3 – March 28th, 2014 (Module: Resource - Description)
xWebAdministration:
xWebAppPool - Create, remove, start, stop an IIS Application Pool
xWebVirtualDirectory - Create or remove a virtual directory
xWebApplication - Create or remove a web application
xWebConfigKeyValue - Configure AppSettings section of Web.Config
xDatabase:
xDatabase - Create, drop & deploy databases
xDBPackage - Backup & restore databases
xSystemSecurity:
xUAC - Enable or disable User Account Control prompt
xIEEsc - Enable or disable IE Enhanced Security Configuration
xRemoteDesktopSessionHost:
xRDSessionDeployment - Creates and configures a deployment in RDSH.
xRDSessionCollection - Creates an RDSH collection.
xRDSessionCollectionConfiguration - Configures an RDSH collection.
xRDRemoteApp - Publish applications for your RDSH collection
xPSDesiredStateConfiguration:
xWindowsProcess - Adds ability to run as a specific user to the existing WindowsProcess resource
xService - Update to existing Service resource to include create/configure service
xRemoteFile - Download files from a URI
xPackage - Adds ability to run as a specific user to the existing resource, includes VS Setup
xArchive - Create, update, extract a Zip file
xEndpoint - Creates a remoting endpoint
Updates: xDscResourceDesigner, xComputer, xVMHyperV, xDNSServerAddress - Feature additions and bug fixes

15 Wave 4 – June 6th, 2014 (Module: Resource(s) - Description)
xAzure:
xAzureAffinityGroup - Defines the relationship between compute and storage
xAzureQuickVM - Simple resource for creating VMs with limited options
xAzureService - Creates a cloud service for the VMs
xAzureStorageAccount - Creates the online storage account where the blobs for the test environment will reside
xAzureSubscription - Sets the current Azure subscription context
xAzureVM - Creates a virtual machine in Azure including access to VM Guest extensions
xJEA:
xJeaEndPoint - Allows creation of PowerShell JEA Endpoints that leverage one or more JEA Toolkits and properties of the endpoints including access control
xJeaToolKit - Allows creation of a JEA Toolkit that defines which applications, scripts, and commands should be available within a PowerShell constrained endpoint configuration
xDnsServer:
xDnsServerSecondaryZone - This resource allows setting a Secondary zone on a given DNS server. Secondary zones allow client machines in the primary DNS zone to do DNS resolution of machines in the secondary DNS zone.
xDnsServerZoneTransfer - This resource allows a DNS Server zone's data to be replicated to another DNS server.
xDhcpServer:
xDhcpServerScope - Sets a scope for a consecutive range of possible IP addresses that the DHCP server can lease to clients on a subnet.
xDhcpServerReservation - Sets lease assignments used to ensure that a specified client on a subnet can always use the same IP address
xDhcpServerOption - Supports setting DNS domain and DNS Server IP Address options at a DHCP server scope level.
xWinEventLog - Adds support for configuring Windows Event Logs.
xActiveDirectory (updated):
xADDomainTrust - Used to establish a cross-domain trust
Updates: xPSDesiredStateConfiguration, xDscResourceDesigner, xDscDiagnostics - Feature additions and bug fixes

16 Wave 5 – July 17th, 2014 (Module: Resource(s) - Description)
xWordPress:
xIisWordPressSite - This DSC Composite Configuration allows you to configure an IIS site to run WordPress and set the contents of the WordPress configuration file.
xWordPressSite - This DSC Resource allows you to configure a WordPress Site
xPhp - This DSC Resource allows you to set up PHP in IIS. This is used in the xWordPress examples.
xMySql:
xMySqlServer - This DSC Resource allows you to configure a MySQL server
xMySqlDatabase - This DSC Resource allows you to configure a MySql Database.
xMySqlUser - This DSC Resource allows you to configure a MySql User.
xMySqlGrant - This DSC Resource allows you to configure a MySql Grant (permissions).
xMySqlProvision - This DSC Resource allows you to configure a MySql Server, with a database, and a user, and a grant to that database for that user.
xPsDesiredStateConfiguration:
xWindowsOptionalFeature - This resource allows configuring Windows Optional Features for Windows client SKUs
xWebAdministration:
xIisModule - This enables registration of modules (such as FastCgiModules) with IIS
xWindowsUpdate:
xHotfix - Handles installation of a Windows update (or a hotfix) from a given path (file path or a URI)
Updates: xSqlPs, xDscResourceDesigner, xDhcpServer, xAzure - Minor updates & bug fixes have been made for these.

17 Wave 6 – August 20th, 2014 (Module: Resource(s) - Description)
xSafeHarbor (none) - This is a sample configuration demonstrating how to set up a secure environment to run a particular application or service. Note - some updates & bug fixes have been made since the original release.
xAzure:
xAzureSqlDatabaseServerFirewallRule - Configures Azure SQL Database Server Firewall Rules.
xRemoteDesktopAdmin - This resource configures Remote Desktop settings and configures the Windows firewall to support Remote Desktop
xPsDesiredStateConfiguration:
xGroup - Extends the in-box Group resource with support for cross-domain account lookup and UPN-formatted names used for identifying users, computers, and group domain-based accounts.
xChrome - Deploys the Chrome browser
xFirefox - Deploys the Firefox browser
Updates: xAzureSqlDatabase, xWaitForAdDomain, xSqlServerInstall, xFirewall - Bug fixes have been made to improve each of these items. Please see the individual topics for details.

18 Wave 7 – September 26th, 2014 (Module: Resource(s) - Description)
xAdcsDeployment:
xAdcsCertificationAuthority, xAdcsWebEnrollment - The purpose of these resources is to install and configure the Certificate Authority role and the Certificate Services Web Enrollment on a Windows Server following installation of the component using the WindowsFeature resource.
xCredSSP - The xCredSSP module enables or disables Credential Security Support Provider (CredSSP) authentication, and supports configuring the server and client roles, plus which server or servers the client credentials can be delegated to.
xPendingReboot - xPendingReboot examines three specific registry locations where a Windows Server might indicate that a reboot is pending and allows DSC to predictably handle the condition.
Updates: xRemoteDesktopAdmin - Bug fixes have been made to improve each of these items. Please see the individual topics for details.

19 DSC Resources
(Resource cloud, slide dated 4/11/2017.) xWebVirtualDirectory, xWebApplication, xWebConfigKeyValue, xUAC, xIEEsc, xWindowsProcess, xService, xRemoteFile, xPackage, xCompress, xEndpoint, xRDRemoteApp, xRDSessionDeployment, xRDSessionCollection, xRDSessionCollectionConfiguration, xDatabase, xDBPackage, xWebAppPool, xAzureAffinityGroup, xJeaEndPoint, xJeaToolKit, xDnsServerSecondaryZone, xDnsServerZoneTransfer, xDhcpServerScope, xDhcpServerReservation, xDhcpServerOption, xWinEventLog, xADDomainTrust, xFileUpload, xAzureQuickVM, xAzureVM, xAzureStorageAccount, xAzureSubscription, xAzureService, File, Group, Registry, Service, User, Package, WindowsFeature, WindowsProcess, Environment, Archive, Log, Script, xVhdFile, xADDomain, xADUser, xADDomainController, xWaitForADDomain, xSqlServerInstall, xSqlHAService, xSqlHAEndpoint, xSqlHAGroup, xWaitForSqlHAGroup, xCluster, xWaitForCluster, xSmbShare, xFirewall, xIISWordPress, xWordPressSite, xPhp, xMySqlServer, xMySqlDatabase, xMySqlUser, xMySqlGrant, xMySqlProvision, xWindowsOptionalFeature, xHotfix, xIISModule, xWebsite, xComputer, xIPAddress, xDNSServerAddress, xDSCWebService, xVHD, xVMHyperV, xVMSwitch

20 Custom DSC Resources

21 Building a Custom DSC Resource
Function Get-TargetResource
{
    # TODO: Add parameters here
    # Make sure to use the same parameters for
    # Get-TargetResource, Set-TargetResource, and Test-TargetResource
    param( )
}

Function Set-TargetResource
{
    # Same parameters as Get-TargetResource; makes the node match the desired state
    param( )
}

Function Test-TargetResource
{
    # Same parameters as Get-TargetResource; returns $true when no change is needed
    param( )
}
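The skeleton above shows only the three function names. The block below is an added example, not code from the presentation or from any published DSC module, that fills the skeleton in for a hypothetical resource named cDemoRegistryValue (its name, its parameters and the folder layout are assumptions for this illustration). It shows the contract the DSC engine relies on: Test decides whether anything needs to change, Set converges the node and must be safe to run repeatedly, and Get reports the current state for Get-DscConfiguration.

```powershell
# Added example (not from the presentation). Hypothetical resource cDemoRegistryValue:
# ensures one REG_SZ value under a registry key exists with the expected data.
# Assumed layout: <module>\DSCResources\cDemoRegistryValue\cDemoRegistryValue.psm1
# next to cDemoRegistryValue.schema.mof (shown in the comment at the end).

# Get reports the current state of the value so Get-DscConfiguration can show it.
function Get-TargetResource {
    [CmdletBinding()]
    [OutputType([Hashtable])]
    param (
        [Parameter(Mandatory = $true)] [String] $Key,
        [Parameter(Mandatory = $true)] [String] $ValueName,
        [String] $ValueData = '',
        [ValidateSet('Present', 'Absent')] [String] $Ensure = 'Present'
    )

    $current = $null
    if (Test-Path -Path $Key) {
        $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = [String] $item.$ValueName }
    }
    $ensureState = if ($null -eq $current) { 'Absent' } else { 'Present' }

    return @{
        Key       = $Key
        ValueName = $ValueName
        ValueData = $current
        Ensure    = $ensureState
    }
}

# Test answers one question: is the node already in the desired state?
# The LCM calls this first and only calls Set when it returns $false.
function Test-TargetResource {
    [CmdletBinding()]
    [OutputType([Boolean])]
    param (
        [Parameter(Mandatory = $true)] [String] $Key,
        [Parameter(Mandatory = $true)] [String] $ValueName,
        [String] $ValueData = '',
        [ValidateSet('Present', 'Absent')] [String] $Ensure = 'Present'
    )

    $state = Get-TargetResource @PSBoundParameters
    if ($Ensure -eq 'Absent') {
        return ($state.Ensure -eq 'Absent')
    }
    # Case-sensitive comparison: a drifted value that differs only in case still counts as drift.
    return ($state.Ensure -eq 'Present' -and $state.ValueData -ceq $ValueData)
}

# Set converges the node. It must be idempotent: running it twice changes nothing the second time.
function Set-TargetResource {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)] [String] $Key,
        [Parameter(Mandatory = $true)] [String] $ValueName,
        [String] $ValueData = '',
        [ValidateSet('Present', 'Absent')] [String] $Ensure = 'Present'
    )

    if ($Ensure -eq 'Absent') {
        if (Test-Path -Path $Key) {
            Remove-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
            Write-Verbose "Removed $ValueName from $Key"
        }
        return
    }

    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # Set-ItemProperty creates the value when it is missing and overwrites it otherwise,
    # so one call covers both the "absent" and the "wrong data" cases.
    Set-ItemProperty -Path $Key -Name $ValueName -Value $ValueData -Type String
    Write-Verbose "Set $Key\$ValueName to '$ValueData'"
}

Export-ModuleMember -Function Get-TargetResource, Set-TargetResource, Test-TargetResource

<#
Matching cDemoRegistryValue.schema.mof (same folder as this .psm1):

[ClassVersion("1.0.0"), FriendlyName("cDemoRegistryValue")]
class cDemoRegistryValue : OMI_BaseResource
{
    [Key] String Key;
    [Key] String ValueName;
    [Write] String ValueData;
    [Write, ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
};
#>
```

The two Key properties in the schema identify the instance, so two resource blocks in one configuration that name the same Key and ValueName are rejected at compile time rather than fighting each other at run time. Because Test is what the LCM runs on its consistency schedule, keeping it read-only and exact (no side effects, case-sensitive compare) is what turns the resource into a drift detector as well as a deployment step.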

22 Configuration Migration for FIM

23 Prescribed Approach - TechNet
Configure a FIM server until it is good enough
Copy that configuration to other servers

24 Config Migration Script
### Export the FIM configuration from both servers
### ($sourceUri and $targetUri stand in for the two FIM Service URIs, which the slide leaves blank)
$policy1 = Export-FIMConfig -policyConfig -portalConfig -schemaConfig -Uri $sourceUri
$policy2 = Export-FIMConfig -policyConfig -portalConfig -schemaConfig -Uri $targetUri

### Set some Join Rules
$joinrules = @{
    Person                           = "MailNickname DisplayName";
    Group                            = "DisplayName";
    ObjectTypeDescription            = "Name";
    AttributeTypeDescription         = "Name";
    BindingDescription               = "BoundObjectType BoundAttributeType";
    ConstantSpecifier                = "BoundObjectType BoundAttributeType ConstantValueKey";
    SearchScopeConfiguration         = "DisplayName SearchScopeResultObjectType Order";
    ObjectVisualizationConfiguration = "DisplayName AppliesToCreate AppliesToEdit AppliesToView"
}

### Do the joining
### ($matches is an automatic variable in PowerShell, so the result is kept in $matched instead)
$matched = Join-FIMConfig -source $policy1 -target $policy2 -join $joinrules -defaultJoin DisplayName

### Produce the diff
$diff = $matched | Compare-FIMConfig

### Import the diff to FIM
$undoneImports = $diff | Import-FimConfig -Uri $targetUri

### Didn't work? Yeah, do it again
$undoneImports | Import-FimConfig -Uri $targetUri

25 Good, Bad, Ugly
Good: FIM ships with PowerShell commands; very good coverage of the FIM Service
Bad: Configuration migration is a flawed approach; no tie back to source control
Ugly: People don't understand the tools, and very often just hack the XML files

26 Prescribed Approach - Craig
Automation is done with imperative scripts
Write scripts to load the configuration into FIM
Use source control to manage those scripts

27 Imperative Configuration Script
### Script inputs ($environment selects the Config<environment>.xml file next to the script)
param(
    [string] $environment
)
$scriptPath = Split-Path -Parent $MyInvocation.MyCommand.Path

### Check starting state - Halt script if trouble found with the preliminaries
Write-Verbose "Checking for FIM."
try
{
    Get-Service fimservice -ErrorAction stop | Out-Null
}
catch
{
    Write-Warning "FIM not found. Please run this script from the FIM server, duh."
    exit
}

Write-Verbose "Checking target environment."
if (!$(Test-Path("$scriptPath\Config$environment.xml")))
{
    Write-Warning "Config values not found for environment '$environment'. Please try again, harder next time."
    exit
}

### Create the Set: 'FIM UG: Presenters'
New-FimSet -DisplayName "FIM UG: Presenters" -Filter "/Person[Slacker = False]"

### Create the Set: 'FIM UG: Organizers'
New-FimSet -DisplayName "FIM UG: Organizers" -Filter "/Person[CommunityHero = True]"

### Create the Set: 'FIM UG: Participants'
New-FimSet -DisplayName "FIM UG: Participants" -Filter "/Person[ScarTissue = True]"

28 Good, Bad, Ugly
Good: FIM ships with PowerShell commands; fine-grained configuration; easy to track with source control
Bad: Only good for the first configuration deployment (no patches)
Ugly: Need to write a lot of script (okay, that's actually a good thing, just not good for the project)

29 The Desired Approach
Use PowerShell Desired State Configuration to deploy and manage FIM configuration
Use custom DSC resources for the FIM Service and FIM Synchronization Service
Generate a DSC configuration document for FIM Service and FIM Synchronization Service
Manage the configuration documents in source control

30 Configuration FimServiceConfiguration
Configuration FimServiceConfiguration
{
    Import-DscResource -ModuleName FimPowerShellModule

    Node MyFimServer
    {
        cFimPerson GreatPerson
        {
            AccountName = 'GreatPerson'
            DisplayName = 'Great Person'
            Domain      = 'Redmond'
            FirstName   = 'Craig'
            Manager     = 'GreatManager'
            ObjectSID   = (Get-ObjectSid GreatPerson)
            Ensure      = 'Present'
        }

        cFimManagementPolicyRule GreatMpr
        {
            ActionParameter                  = '*'
            ActionType                       = 'Modify'
            Description                      = 'initial description'
            Disabled                         = $false
            DisplayName                      = 'Great Mpr'
            GrantRight                       = $true
            PrincipalSet                     = 'All People'
            ResourceCurrentSet               = 'All People'
            ResourceFinalSet                 = 'All Great People'
            ManagementPolicyRuleType         = 'Request'
            AuthenticationWorkflowDefinition = 'Call Me Maybe? AuthN Workflow'
            AuthorizationWorkflowDefinition  = 'Manager Approval AuthZ Workflow'
            ActionWorkflowDefinition         = 'Some Great Reward Action Workflow'
            Ensure                           = 'Present'
        }
    }
}

31 Desired State Configuration for FIM

32 DSC Resource for FIM Service
Module: FimPowerShellModule
Resources: cFimActivityInformationConfiguration, cFimAttributeTypeDescription, cFimBindingDescription, cFimEmailTemplate, cFimFilterScope, cFimGroup, cFimHomePageConfiguration, cFimManagementPolicyRule, cFimmsidmSystemConfiguration, cFimNavigationBarConfiguration, cFimObjectTypeDescription, cFimObjectVisualizationConfiguration, cFimPerson, cFimPortalUIConfiguration, cFimResource, cFimSearchScopeConfiguration, cFimSet, cFimSynchronizationFilter, cFimSystemResourceRetentionConfiguration, cFimWorkflowDefinition
Description: The purpose of these resources is to configure the FIM Service.

33 DSC Resource for FIM Sync
Module: FimSyncPowerShellModule
Resources: cFimSyncFilterRule, cFimSyncImportAttributeFlowRule, cFimSyncJoinRule, cFimSyncMADeprovisioningOptions, cFimSyncMAExtension, cFimSyncManagementAgent, cFimSyncMAPartitionData, cFimSyncMAPrivateConfiguration, cFimSyncMVAttributeType, cFimSyncMVDeletionRule, cFimSyncMVExtension, cFimSyncMVObjectType, cFimSyncMVProvisioningRule, cFimSyncProjectionRule, cFimSyncRunProfile
Description: The purpose of these resources is to configure the FIM Synchronization Service.

34 Sample FIM Configuration in DSC
configuration DemoFimServiceConfiguration
{
    Import-DscResource -ModuleName FimPowerShellModule

    node (hostname)
    {
        cFimManagementPolicyRule GreatManagementPolicyRule {…}
        cFimSet AllGreatPeople {…}
        cFimWorkflowDefinition SomeGreatRewardActionWorkflow {…}
    }
}

35 Sample MPR
cFimManagementPolicyRule GreatManagementPolicyRule
{
    ActionParameter          = '*'
    ActionType               = 'TransitionIn'
    ActionWorkflowDefinition = 'Some Great Reward Action Workflow'
    Description              = 'initial description'
    Disabled                 = $false
    DisplayName              = 'Great Management Policy Rule'
    GrantRight               = $false
    ResourceFinalSet         = 'All Great People'
    ManagementPolicyRuleType = 'SetTransition'
    Ensure                   = 'Present'
    Credential               = $fimAdminCredential
    DependsOn                = '[cFimWorkflowDefinition]SomeGreatRewardActionWorkflow', '[cFimSet]AllGreatPeople'
}

36 Sample Set
cFimSet AllGreatPeople
{
    DisplayName = 'All Great People'
    Filter      = @"
<Filter xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect">/Person[LastName='Great']</Filter>
"@
    Ensure      = 'Present'
    Credential  = $fimAdminCredential
}

37 Sample WorkflowDefinition
cFimWorkflowDefinition SomeGreatRewardActionWorkflow
{
    DisplayName  = 'Some Great Reward Action Workflow'
    RequestPhase = 'Action'
    XOML         = @"
<ns0:SequentialWorkflow ActorId="" RequestId="" x:Name="SequentialWorkflow" TargetId="" WorkflowDefinitionId="" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:ns0="…">
  <ns0:NotificationActivity x:Name="authenticationGateActivity1" To="[//Target];" CC="{x:Null}" Template="{ObjectType:&quot;EmailTemplate&quot;,AttributeName:&quot;DisplayName&quot;,AttributeValue:&quot;Some Great Rewarding Template&quot;}" SuppressException="False" Bcc="{x:Null}" />
</ns0:SequentialWorkflow>
"@
    Ensure       = 'Present'
    Credential   = $fimAdminCredential
    DependsOn    = '[cFimEmailTemplate]SomeGreatRewardingEmailTemplate'
}

38 Sample EmailTemplate
cFimEmailTemplate SomeGreatRewardingEmailTemplate
{
    DisplayName  = 'Some Great Rewarding Template'
    Body         = 'Some Great Reward will be coming my way'
    Subject      = 'Some Great Reward'
    TemplateType = 'Notification'
    Ensure       = 'Present'
    Credential   = $fimAdminCredential
}
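Every sample resource above carries Credential = $fimAdminCredential. When such a configuration is compiled, that credential is written into the MOF, and the compiler refuses to emit it in clear text unless the node's ConfigurationData sets PSDscAllowPlainTextPassword (a setting to keep out of anything that reaches source control); the supported alternative is to give each node a certificate so the credential is encrypted in the MOF and only that node's LCM can decrypt it. The block below is an added example, not code from the presentation or from FimPowerShellModule. It assumes that module is installed, that cFimSet takes the DisplayName, Filter, Ensure and Credential properties shown on the Sample Set slide, and that the node names, certificate paths and thumbprints (all placeholders) exist. It also applies the WHAT/WHERE split from the "DSC Decouples" slide: the cFimSet definitions stay fixed while the environment name comes from ConfigurationData.

```powershell
# Added example (not from the presentation or FimPowerShellModule). Assumes the
# cFimSet resource with the properties shown on the Sample Set slide. Node names,
# certificate paths and thumbprints are placeholders.

# Wraps an XPath expression in the <Filter> element the FIM Service expects
# (the same element that appears on the Sample Set slide).
function New-FimXPathFilter {
    param ([Parameter(Mandatory = $true)] [string] $XPath)
    return '<Filter xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration" ' +
           'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
           'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
           'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect">' +
           $XPath + '</Filter>'
}

configuration FimServiceSets {
    param (
        [Parameter(Mandatory = $true)] [PSCredential] $FimAdminCredential
    )
    Import-DscResource -ModuleName FimPowerShellModule

    node $AllNodes.NodeName {
        # WHAT: structural configuration, identical in every environment.
        cFimSet AllGreatPeople {
            DisplayName = 'All Great People'
            Filter      = (New-FimXPathFilter -XPath "/Person[LastName='Great']")
            Ensure      = 'Present'
            Credential  = $FimAdminCredential
        }

        # WHERE: the only environment-specific value is read from ConfigurationData.
        cFimSet EnvironmentOperators {
            DisplayName = "$($Node.Environment) Operators"
            Filter      = (New-FimXPathFilter -XPath "/Person[JobTitle='$($Node.Environment) Operator']")
            Ensure      = 'Present'
            Credential  = $FimAdminCredential
        }
    }
}

# Environmental configuration: one entry per node. CertificateFile is the exported
# public key of that node's DSC encryption certificate; Thumbprint is recorded in the
# MOF so the LCM knows which private key decrypts it. No entry sets
# PSDscAllowPlainTextPassword, so a missing certificate makes compilation fail
# instead of silently producing a MOF with a clear-text password.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'fimsvc-dev01'                                  # placeholder
            Environment     = 'Dev'
            CertificateFile = 'C:\DscPublicKeys\fimsvc-dev01.cer'             # placeholder
            Thumbprint      = '0000000000000000000000000000000000000000'      # placeholder
        }
        @{
            NodeName        = 'fimsvc-prod01'                                 # placeholder
            Environment     = 'Prod'
            CertificateFile = 'C:\DscPublicKeys\fimsvc-prod01.cer'            # placeholder
            Thumbprint      = '1111111111111111111111111111111111111111'      # placeholder
        }
    )
}

# Compile: produces .\FimServiceSets\fimsvc-dev01.mof and fimsvc-prod01.mof, each
# with the credential encrypted to that node's certificate.
$cred = Get-Credential -Message 'FIM Service administrator account'
FimServiceSets -ConfigurationData $configData -FimAdminCredential $cred -OutputPath .\FimServiceSets
```

The compiled MOFs are the artefacts that go into source control, which is why the encryption matters: a MOF compiled with PSDscAllowPlainTextPassword carries the FIM administrator password in every commit. For decryption to work the LCM on each node has to be told the same thumbprint through its CertificateID setting, which is part of the LCM meta-configuration rather than of this document.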

39 FIM DSC Demo

40 FIM Configuration Management
Configuration Generation
Configuration Deployment
Configuration Updates
Configuration Enforcement
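Of the four stages listed, deployment and updates are the same Start-DscConfiguration push, while enforcement is what the Local Configuration Manager does on its own once it has been told to; this is also where the "Prevents configuration drift" claim from the opening slides is realised. The block below is an added example, not code from the presentation: an LCM meta-configuration that re-applies the last pushed document whenever a resource reports drift, followed by the check an operator runs by hand and the event log the LCM writes to. It assumes WMF 5.0 or later (for the [DSCLocalConfigurationManager()] syntax and Test-DscConfiguration -Detailed), a node named fimsvc-dev01 and a compiled configuration under .\FimServiceSets, all placeholders.

```powershell
# Added example (not from the presentation). Assumes WMF 5.0 or later; the node
# name, paths and thumbprint are placeholders.

# Configuration Enforcement: the LCM runs Test on every resource at the given
# interval and, in ApplyAndAutoCorrect mode, calls Set for any resource that drifted.
[DSCLocalConfigurationManager()]
configuration FimLcmSettings {
    node 'fimsvc-dev01' {
        Settings {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $false
            ActionAfterReboot              = 'ContinueConfiguration'
            # Thumbprint of the certificate whose private key decrypts the credentials
            # carried in the pushed MOF (placeholder).
            CertificateID                  = '0000000000000000000000000000000000000000'
        }
    }
}

FimLcmSettings -OutputPath .\FimLcm | Out-Null
Set-DscLocalConfigurationManager -Path .\FimLcm -Verbose

# Configuration Deployment and Configuration Updates are the same operation:
# push the compiled document; the resources only change what differs.
Start-DscConfiguration -Path .\FimServiceSets -Wait -Verbose

# Manual drift check: lists the resources whose Test-TargetResource returned $false.
function Get-DscDriftReport {
    $result = Test-DscConfiguration -Detailed
    if ($result.InDesiredState) {
        Write-Verbose 'Node is in the desired state'
        return @()
    }
    return $result.ResourcesNotInDesiredState |
        Select-Object -Property ResourceId, InstanceName, InDesiredState
}
Get-DscDriftReport | Format-Table -AutoSize

# Every consistency check and every auto-correction is logged by the LCM, so the
# operational log doubles as an audit trail of who-or-what changed FIM configuration.
Get-WinEvent -LogName 'Microsoft-Windows-DSC/Operational' -MaxEvents 20 |
    Select-Object -Property TimeCreated, Id, Message
```

ApplyAndMonitor is the alternative mode when an unexpected change should be reported rather than silently reverted (for example while a change is being investigated); the drift report and the event log work the same way in both modes.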

41 Driving Alignment Between Business and Security

