Post on 14-Dec-2015
Desired State Configuration for FIM
Craig Martin – FIM MVP
Identity Management | Data Protection | Authentication Strategies
© 2014 Edgile, Inc. – All Rights Reserved
• [Video] A Practical Overview of Desired State Configuration
• [eBook] PowerShell.org DSC Hub
• [TechNet] Windows PowerShell Desired State Configuration Overview
Get-Help
• Simplifies configuration
• Prevents configuration drift
• Enables continuous deployment
PowerShell Desired State Configuration…
[Diagram: Configuration Management Platform spanning Development, Test and Production. Boxes shown: DSC Engine; PowerShell, UI and 3rd Party CM Tools; DSC Resources and 3rd Party Adapters; Logging, Reporting, Protocol]
DIY versus DSC
Traditional Scripts: each script must itself take care of Intent, Logging & Error Handling, Reboot Resiliency, Technology Specific work, Dependency Resolution and Repeatable Automation.
DSC: the DSC Engine takes care of Dependency Resolution, Logging & Error Handling, Reboot Resiliency and Repeatable Automation; Resources take care of the Technology Specific work; the Configuration expresses the Intent.
HOW : DSC Resources (Make It So)
  Do the heavy lifting in an idempotent way
WHAT : Structural Configuration (Intent)
  Stays the same irrespective of the environment
WHERE : Environmental Configuration
  Changes as the system goes from Dev to Test to Prod
DSC Decouples …
Simple DSC Configuration

###
### Define the configuration
###
configuration Foo
{
    node (hostname)
    {
        WindowsFeature XPSViewerFoo
        {
            Ensure = "Present"
            Name   = "XPS-Viewer"
        }
    }
}

###
### Generate the MOF file from the Configuration
###
foo

###
### View the generated MOF
###
psedit .\foo\CraigFimDev626.mof

###
### Process the configuration in the LCM
###
Start-DscConfiguration -Wait -Verbose -Path .\Foo
http://blogs.msdn.com/b/powershell/archive/2013/10/25/windows-management-framework-4-0-is-now-available.aspx
Wave 0 – October 25th, 2013
Provider | Description
DSC Archive Resource | Unpacks archive (.zip) files at specific paths on target nodes.
DSC Environment Resource | Manages system environment variables on target nodes.
DSC File Resource | Manages files and directories on target nodes.
DSC Group Resource | Manages local groups on target nodes.
DSC Log Resource | Logs configuration messages.
DSC Package Resource | Installs and manages packages, such as Windows Installer and setup.exe packages, on target nodes.
DSC WindowsProcess Resource | Configures Windows processes on target nodes.
DSC Registry Resource | Manages registry keys and values on target nodes.
DSC WindowsFeature Resource | Adds or removes Windows features and roles on target nodes.
DSC Script Resource | Runs Windows PowerShell script blocks on target nodes.
DSC Service Resource | Manages services on target nodes.
DSC User Resource | Manages local user accounts on target nodes.
http://blogs.msdn.com/b/powershell/archive/2013/12/26/holiday-gift-desired-state-configuration-dsc-resource-kit-wave-1.aspx
Wave 1 – December 26th, 2013
Resource | Description
xComputer | Name a computer and add it to a domain/workgroup
xVHD | Create and manage VHDs
xVMHyperV | Create and manage a Hyper-V Virtual Machine
xVMSwitch | Create and manage a Hyper-V Virtual Switch
xDNSServerAddress | Bind a DNS Server address to one or more NICs
xIPAddress | Configure IPAddress (v4 and v6)
xDSCWebService | Configure DSC Service (aka Pull Server)
xWebsite | Deploy and configure a website on IIS
http://blogs.msdn.com/b/powershell/archive/2014/02/07/need-more-dsc-resources-announcing-dsc-resource-kit-wave-2.aspx
Wave 2 – February 7th, 2014
Resource | Description | Module Name
xADDomain | Create and manage an Active Directory Domain | xActiveDirectory
xADDomainController | Create and manage an AD Domain Controller | xActiveDirectory
xADUser | Create and manage an AD User | xActiveDirectory
xWaitForADDomain | Pause configuration implementation until the AD Domain is available. | xActiveDirectory
xSqlServerInstall | Create and manage a SQL Server Installation. | xSqlps
xSqlHAService | Create and manage a SQL High Availability Service. | xSqlps
xSqlHAEndpoint | Create and manage the endpoint used to access a SQL High Availability Group. | xSqlps
xSqlHAGroup | Create and manage a SQL High Availability Group. | xSqlps
xWaitForSqlHAGroup | Pause configuration implementation until a SQL HA Group is available. | xSqlps
xCluster | Create and manage a cluster. | xFailOverCluster
xWaitForCluster | Pause configuration until a cluster is available. Used for cross machine synchronization. | xFailOverCluster
xSmbShare | Create and manage a SMB Share. | xSmbShare
xFirewall | Create and manage Firewall rules | xNetworking
xVhdFile | Manage files to be copied into a Vhd. | xHyper-V
xWebsite | Added functionality to xWebsite to support configuration of https websites. | xWebAdministration
xVhd | Bug fixes | xHyper-V
http://blogs.msdn.com/b/powershell/archive/2014/03/28/dsc-resource-kit-wave-3.aspx
Wave 3 – March 28th, 2014
Module | Resource | Description
xWebAdministration | xWebAppPool | Create, remove, start, stop an IIS Application Pool
xWebAdministration | xWebVirtualDirectory | Create or remove a virtual directory
xWebAdministration | xWebApplication | Create or remove a web application
xWebAdministration | xWebConfigKeyValue | Configure AppSettings section of Web.Config
xDatabase | xDatabase | Create, drop & deploy databases
xDatabase | xDBPackage | Backup & restore databases
xSystemSecurity | xUAC | Enable or disable User Account Control prompt
xSystemSecurity | xIEEsc | Enable or disable IE Enhanced Security Configuration
xRemoteDesktopSessionHost | xRDSessionDeployment | Creates and configures a deployment in RDSH.
xRemoteDesktopSessionHost | xRDSessionCollection | Creates a RDSH collection.
xRemoteDesktopSessionHost | xRDSessionCollectionConfiguration | Configures a RDSH collection.
xRemoteDesktopSessionHost | xRDRemoteApp | Publish applications for your RDSH collection
xPSDesiredStateConfiguration | xWindowsProcess | Adds ability to run as a specific user to the existing WindowsProcess resource
xPSDesiredStateConfiguration | xService | Update to existing Service resource to include create/configure service
xPSDesiredStateConfiguration | xRemoteFile | Download files from a URI
xPSDesiredStateConfiguration | xPackage | Adds ability to run as a specific user to the existing resource, includes VS Setup
xPSDesiredStateConfiguration | xArchive | Create, update, extract a Zip file
xPSDesiredStateConfiguration | xEndpoint | Creates a remoting endpoint
Updates | xDscResourceDesigner, xComputer, xVMHyperV, xDNSServerAddress | Feature additions and bug fixes
http://blogs.msdn.com/b/powershell/archive/2014/06/06/dsc-resource-kit-wave-4-is-live.aspx
Wave 4 – June 6th, 2014
Module | Resource(s) | Description
xAzure | xAzureAffinityGroup | Defines the relationship between compute and storage
xAzure | xAzureQuickVM | Simple resource for creating VMs with limited options
xAzure | xAzureService | Creates a cloud service for the VMs
xAzure | xAzureStorageAccount | Creates the online storage account where the blobs for the test environment will reside
xAzure | xAzureSubscription | Sets the current Azure subscription context
xAzure | xAzureVM | Creates a virtual machine in Azure including access to VM Guest extensions
xJEA | xJeaEndPoint | Allows creation of PowerShell JEA Endpoints that leverage one or more JEA Toolkits and properties of the endpoints including access control
xJEA | xJeaToolKit | Allows creation of a JEA Toolkit that defines which applications, scripts, and commands should be available within a PowerShell constrained endpoint configuration
xDnsServer | xDnsServerSecondaryZone | This resource allows setting a Secondary zone on a given DNS server. Secondary zones allow client machines in the primary DNS zone to do DNS resolution of machines in the secondary DNS zone.
xDnsServer | xDnsServerZoneTransfer | This resource allows DNS Server zone data to be replicated to another DNS server.
xDhcpServer | xDhcpServerScope | Sets a scope for a consecutive range of possible IP addresses that the DHCP server can lease to clients on a subnet.
xDhcpServer | xDhcpServerReservation | Sets lease assignments used to ensure that a specified client on a subnet can always use the same IP address
xDhcpServer | xDhcpServerOption | Supports setting DNS domain and DNS Server IP Address options at a DHCP server scope level.
xWinEventLog | xWinEventLog | Adds support for configuring Windows Event Logs.
xActiveDirectory (updated) | xADDomainTrust | Used to establish a cross-domain trust
Updates | xPSDesiredStateConfiguration, xDscResourceDesigner, xDscDiagnostics | Feature additions and bug fixes
http://blogs.msdn.com/b/powershell/archive/2014/07/17/powershell-dsc-resource-kit-wave-5-arrives.aspx
Wave 5 – July 17th, 2014
Module | Resource(s) | Description
xWordPress | xIisWordPressSite | This DSC Composite Configuration allows you to configure an IIS site to run WordPress and set the contents of the WordPress configuration file.
xWordPress | xWordPressSite | This DSC Resource allows you to configure a WordPress Site
xPhp | xPhp | This DSC Resource allows you to set up PHP in IIS. This is used in the xWordPress examples.
xMySql | xMySqlServer | This DSC Resource allows you to configure a MySQL server
xMySql | xMySqlDatabase | This DSC Resource allows you to configure a MySql Database.
xMySql | xMySqlUser | This DSC Resource allows you to configure a MySql User.
xMySql | xMySqlGrant | This DSC Resource allows you to configure a MySql Grant (permissions).
xMySql | xMySqlProvision | This DSC Resource allows you to configure a MySql Server with a database, a user, and a grant to that database for that user.
xPsDesiredStateConfiguration | xWindowsOptionalFeature | This resource allows configuring Windows Optional Features for Windows client SKUs
xWebAdministration | xIisModule | This enables registration of modules (such as FastCgiModules) with IIS
xWindowsUpdate | xHotfix | Handles installation of a Windows update (or a hotfix) from a given path (file path or a URI)
Updates | xSqlPs, xDscResourceDesigner, xDhcpServer, xAzure | Minor updates & bug fixes have been made for these.
http://blogs.msdn.com/b/powershell/archive/2014/08/20/dsc-resource-kit-wave-6-is-here.aspx
Wave 6 – August 20th, 2014
Module | Resource(s) | Description
xSafeHarbor | (none) | This is a sample configuration demonstrating how to set up a secure environment to run a particular application or service. Note: some updates & bug fixes have been made since the original release.
xAzure | xAzureSqlDatabaseServerFirewallRule | Configures Azure SQL Database Server Firewall Rules.
xRemoteDesktopAdmin | xRemoteDesktopAdmin | This resource configures Remote Desktop settings and configures the Windows firewall to support Remote Desktop
xPsDesiredStateConfiguration | xGroup | Extends the in-box Group resource with support for cross-domain account lookup and UPN-formatted names used for identifying users, computers, and group domain-based accounts.
xChrome | xChrome | Deploys the Chrome browser
xFirefox | xFirefox | Deploys the Firefox browser
Updates | xAzureSqlDatabase, xPsDesiredStateConfiguration, xWaitForAdDomain, xSqlServerInstall, xFirewall | Bug fixes have been made to improve each of these items. Please see the individual topics for details.
http://blogs.msdn.com/b/powershell/archive/2014/09/26/continuing-the-dsc-resource-kit-additions-wave-7-is-live.aspx
Wave 7 – September 26th, 2014
Module | Resource(s) | Description
xAdcsDeployment | xAdcsCertificationAuthority, xAdcsWebEnrollment | The purpose of these resources is to install and configure the Certificate Authority role and the Certificate Services Web Enrollment on a Windows Server following installation of the component using the WindowsFeature resource.
xCredSSP | xCredSSP | The xCredSSP module enables or disables Credential Security Support Provider (CredSSP) authentication, and supports configuring the server and client roles, plus which server or servers the client credentials can be delegated to.
xPendingReboot | xPendingReboot | xPendingReboot examines three specific registry locations where a Windows Server might indicate that a reboot is pending and allows DSC to predictably handle the condition.
Updates | xRemoteDesktopAdmin | Bug fixes have been made to improve each of these items. Please see the individual topics for details.
DSC Resources
[Slide: word cloud of the in-box resources (File, Group, Registry, Service, User, Package, WindowsFeature, WindowsProcess, Environment, Archive, Log, Script) together with the Resource Kit resources from the wave tables above, plus xFileUpload and xCompress]
Building a Custom DSC Resource

Function Get-TargetResource
{
    # TODO: Add parameters here
    # Make sure to use the same parameters for
    # Get-TargetResource, Set-TargetResource, and Test-TargetResource
    param( )
}

Function Set-TargetResource
{
    # TODO: Add parameters here
    # Make sure to use the same parameters for
    # Get-TargetResource, Set-TargetResource, and Test-TargetResource
    param( )
}

Function Test-TargetResource
{
    # TODO: Add parameters here
    # Make sure to use the same parameters for
    # Get-TargetResource, Set-TargetResource, and Test-TargetResource
    param( )
}
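The skeleton above filled in, as an added example that is neither the page's code nor the FimPowerShellModule's: a cFimSet-shaped resource (DisplayName, Filter, Ensure) whose Get reports current state, whose Test decides whether anything needs doing, and whose Set converges in one idempotent step. The FIM Service is not reachable here, so a constructed JSON file (the assumed $StorePath parameter) stands in for it.

```powershell
# Added example (not the page's or FimPowerShellModule's code): the Get/Set/Test
# skeleton above filled in for a cFimSet-shaped resource. The FIM Service is not
# reachable here, so a constructed JSON file ($StorePath) stands in for it; a real
# resource would call the FIM cmdlets at the same three points.

function Read-SetStore {
    param([string]$StorePath)
    if (-not (Test-Path $StorePath)) { return @() }
    $raw = Get-Content -Path $StorePath -Raw
    if (-not $raw) { return @() }
    return @(ConvertFrom-Json $raw | Where-Object { $_ })
}

function Get-TargetResource {
    [OutputType([Hashtable])]
    param(
        [Parameter(Mandatory = $true)] [string]$DisplayName,
        [string]$Filter,
        [ValidateSet('Present', 'Absent')] [string]$Ensure = 'Present',
        [string]$StorePath = "$env:TEMP\fim-sets.json"
    )
    $existing = Read-SetStore -StorePath $StorePath |
        Where-Object { $_.DisplayName -eq $DisplayName } | Select-Object -First 1
    if ($existing) {
        return @{ DisplayName = $DisplayName; Filter = $existing.Filter; Ensure = 'Present' }
    }
    return @{ DisplayName = $DisplayName; Filter = $null; Ensure = 'Absent' }
}

function Test-TargetResource {
    [OutputType([Boolean])]
    param(
        [Parameter(Mandatory = $true)] [string]$DisplayName,
        [string]$Filter,
        [ValidateSet('Present', 'Absent')] [string]$Ensure = 'Present',
        [string]$StorePath = "$env:TEMP\fim-sets.json"
    )
    $current = Get-TargetResource @PSBoundParameters
    if ($Ensure -eq 'Absent') { return ($current.Ensure -eq 'Absent') }
    # Present means the Set exists AND its XPath filter matches; a changed filter is drift
    return ($current.Ensure -eq 'Present' -and $current.Filter -eq $Filter)
}

function Set-TargetResource {
    param(
        [Parameter(Mandatory = $true)] [string]$DisplayName,
        [string]$Filter,
        [ValidateSet('Present', 'Absent')] [string]$Ensure = 'Present',
        [string]$StorePath = "$env:TEMP\fim-sets.json"
    )
    # Drop any existing entry, then re-add it only for Ensure = Present:
    # create, update and delete collapse into one idempotent step
    $sets = @(Read-SetStore -StorePath $StorePath | Where-Object { $_.DisplayName -ne $DisplayName })
    if ($Ensure -eq 'Present') {
        $sets += [pscustomobject]@{ DisplayName = $DisplayName; Filter = $Filter }
    }
    ConvertTo-Json -InputObject @($sets) | Set-Content -Path $StorePath
}

# Converge the way the LCM would: test, set only when needed, then re-test
$set = @{ DisplayName = 'All Great People'; Filter = "/Person[LastName='Great']" }
if (-not (Test-TargetResource @set)) { Set-TargetResource @set }
Test-TargetResource @set   # nothing left to do after a single Set
```

Editing the stored filter by hand and re-running the last three lines shows Test flagging the drift and Set putting the filter back, which is exactly what the LCM does on its schedule.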
• Configure a FIM server until it is good enough
• Copy that configuration to other servers
Prescribed Approach - TechNet
### Export the FIM configuration from both servers
$policy1 = Export-FIMConfig -policyConfig -portalConfig -schemaConfig -Uri http://server1:5725
$policy2 = Export-FIMConfig -policyConfig -portalConfig -schemaConfig -Uri http://server2:5725

### Set some Join Rules
$joinrules = @{
    Person                           = "MailNickname DisplayName"
    Group                            = "DisplayName"
    ObjectTypeDescription            = "Name"
    AttributeTypeDescription         = "Name"
    BindingDescription               = "BoundObjectType BoundAttributeType"
    ConstantSpecifier                = "BoundObjectType BoundAttributeType ConstantValueKey"
    SearchScopeConfiguration         = "DisplayName SearchScopeResultObjectType Order"
    ObjectVisualizationConfiguration = "DisplayName AppliesToCreate AppliesToEdit AppliesToView"
}

### Do the joining
$matches = Join-FIMConfig -source $policy1 -target $policy2 -join $joinrules -defaultJoin DisplayName

### Produce the diff
$diff = $matches | Compare-FIMConfig

### Import the diff to FIM
$undoneImports = $diff | Import-FimConfig -Uri http://server2:5725

### Didn't work? Yeah, do it again
$undoneImports | Import-FimConfig -Uri http://server2:5725
Config Migration Script
• Good
  • FIM ships with PowerShell commands
  • Very good coverage of the FIM Service
• Bad
  • Configuration migration is a flawed approach
  • No tie back to source control
• Ugly
  • People don't understand the tools, and very often just hack the XML files
Good, Bad, Ugly
• Automation is done with imperative scripts
• Write scripts to load the configuration into FIM
• Use source control to manage those scripts
Prescribed Approach - Craig
Imperative Configuration Script

param([string]$environment = 'Dev')   # selects Config<environment>.xml (parameter added so the excerpt runs as a script)
$scriptPath = Split-Path -Parent $MyInvocation.MyCommand.Path

### Check starting state - Halt script if trouble found with the preliminaries
Write-Verbose "Checking for FIM."
try
{
    Get-Service fimservice -ErrorAction stop | Out-Null
}
catch
{
    Write-Warning "FIM not found. Please run this script from the FIM server, duh."
    exit
}

Write-Verbose "Checking target environment."
if(!$(Test-Path("$scriptPath\Config$environment.xml")))
{
    Write-Warning "Config values not found for environment '$environment'. Please try again, harder next time."
    exit
}

### Create the Set: 'FIM UG: Presenters'
New-FimSet -DisplayName "FIM UG: Presenters" -Filter "/Person[Slacker = False]"

### Create the Set: 'FIM UG: Organizers'
New-FimSet -DisplayName "FIM UG: Organizers" -Filter "/Person[CommunityHero = True]"

### Create the Set: 'FIM UG: Participants'
New-FimSet -DisplayName "FIM UG: Participants" -Filter "/Person[ScarTisue = True]"
• Good
  • FIM ships with PowerShell commands
  • Fine-grained configuration
  • Easy to track with source control
• Bad
  • Only good for the first configuration deployment (no patches)
• Ugly
  • Need to write a lot of script (okay, that's actually a good thing, just not good for the project)
Good, Bad, Ugly
• Use PowerShell Desired State Configuration to deploy and manage FIM configuration
• Use custom DSC resources for the FIM Service and FIM Synchronization Service
• Generate a DSC configuration document for FIM Service and FIM Synchronization Service
• Manage the configuration documents in source control
The Desired Approach
Configuration FimServiceConfiguration
{
    Import-DscResource -ModuleName FimPowerShellModule

    Node MyFimServer
    {
        cFimPerson GreatPerson
        {
            AccountName = 'GreatPerson'
            DisplayName = 'Great Person'
            Domain      = 'Redmond'
            FirstName   = 'Craig'
            Manager     = 'GreatManager'
            ObjectSID   = (Get-ObjectSid GreatPerson)
            Ensure      = 'Present'
        }

        cFimManagementPolicyRule GreatMpr
        {
            ActionParameter                  = '*'
            ActionType                       = 'Modify'
            Description                      = 'initial description'
            Disabled                         = $false
            DisplayName                      = 'Great Mpr'
            GrantRight                       = $true
            PrincipalSet                     = 'All People'
            ResourceCurrentSet               = 'All People'
            ResourceFinalSet                 = 'All Great People'
            ManagementPolicyRuleType         = 'Request'
            AuthenticationWorkflowDefinition = 'Call Me Maybe? AuthN Workflow'
            AuthorizationWorkflowDefinition  = 'Manager Approval AuthZ Workflow'
            ActionWorkflowDefinition         = 'Some Great Reward Action Workflow'
            Ensure                           = 'Present'
        }
    }
}
DSC Resource for FIM Service
Module | Resource(s) | Description
FimPowerShellModule | cFimActivityInformationConfiguration, cFimAttributeTypeDescription, cFimBindingDescription, cFimEmailTemplate, cFimFilterScope, cFimGroup, cFimHomePageConfiguration, cFimManagementPolicyRule, cFimmsidmSystemConfiguration, cFimNavigationBarConfiguration, cFimObjectTypeDescription, cFimObjectVisualizationConfiguration, cFimPerson, cFimPortalUIConfiguration, cFimResource, cFimSearchScopeConfiguration, cFimSet, cFimSynchronizationFilter, cFimSystemResourceRetentionConfiguration, cFimWorkflowDefinition | The purpose of these resources is to configure the FIM Service.
DSC Resource for FIM Sync
Module | Resource(s) | Description
FimSyncPowerShellModule | cFimSyncFilterRule, cFimSyncImportAttributeFlowRule, cFimSyncJoinRule, cFimSyncMADeprovisioningOptions, cFimSyncMAExtension, cFimSyncManagementAgent, cFimSyncMAPartitionData, cFimSyncMAPrivateConfiguration, cFimSyncMVAttributeType, cFimSyncMVDeletionRule, cFimSyncMVExtension, cFimSyncMVObjectType, cFimSyncMVProvisioningRule, cFimSyncProjectionRule, cFimSyncRunProfile | The purpose of these resources is to configure the FIM Synchronization Service.
Sample FIM Configuration in DSC

configuration DemoFimServiceConfiguration
{
    Import-DscResource -ModuleName FimPowerShellModule

    node (hostname)
    {
        cFimManagementPolicyRule GreatManagementPolicyRule {…}
        cFimSet AllGreatPeople {…}
        cFimWorkflowDefinition SomeGreatRewardActionWorkflow {…}
    }
}
Sample MPR

cFimManagementPolicyRule GreatManagementPolicyRule
{
    ActionParameter          = '*'
    ActionType               = 'TransitionIn'
    ActionWorkflowDefinition = 'Some Great Reward Action Workflow'
    Description              = 'initial description'
    Disabled                 = $false
    DisplayName              = 'Great Management Policy Rule'
    GrantRight               = $false
    ResourceFinalSet         = 'All Great People'
    ManagementPolicyRuleType = 'SetTransition'
    Ensure                   = 'Present'
    Credential               = $fimAdminCredential
    DependsOn                = '[cFimWorkflowDefinition]SomeGreatRewardActionWorkflow',
                               '[cFimSet]AllGreatPeople'
}

Sample Set

cFimSet AllGreatPeople
{
    DisplayName = 'All Great People'
    Filter      = @'
<Filter xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect">/Person[LastName='Great']</Filter>
'@
    Ensure      = 'Present'
    Credential  = $fimAdminCredential
}

Sample WorkflowDefinition

cFimWorkflowDefinition SomeGreatRewardActionWorkflow
{
    DisplayName  = 'Some Great Reward Action Workflow'
    RequestPhase = 'Action'
    XOML         = @'
<ns0:SequentialWorkflow ActorId="00000000-0000-0000-0000-000000000000" RequestId="00000000-0000-0000-0000-000000000000" x:Name="SequentialWorkflow" TargetId="00000000-0000-0000-0000-000000000000" WorkflowDefinitionId="00000000-0000-0000-0000-000000000000" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:ns0="…"><ns0:EmailNotificationActivity x:Name="authenticationGateActivity1" To="[//Target];" CC="{x:Null}" EmailTemplate="{ObjectType:"EmailTemplate",AttributeName:"DisplayName",AttributeValue:"Some Great Rewarding Email Template"}" SuppressException="False" Bcc="{x:Null}" /></ns0:SequentialWorkflow>
'@
    Ensure       = 'Present'
    Credential   = $fimAdminCredential
    DependsOn    = '[cFimEmailTemplate]SomeGreatRewardingEmailTemplate'
}

Sample EmailTemplate

cFimEmailTemplate SomeGreatRewardingEmailTemplate
{
    DisplayName       = 'Some Great Rewarding Email Template'
    EmailBody         = 'Some Great Reward will be coming my way'
    EmailSubject      = 'Some Great Reward'
    EmailTemplateType = 'Notification'
    Ensure            = 'Present'
    Credential        = $fimAdminCredential
}
• Configuration Generation
• Configuration Deployment
• Configuration Updates
• Configuration Enforcement
FIM Configuration Management
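The Enforcement step carried through, as an added example that is not part of the original deck: a WMF 4 meta-configuration that puts the FIM server's Local Configuration Manager into ApplyAndAutoCorrect mode, then an on-demand drift check and an audit of the rights-granting MPR. It assumes the FimServiceConfiguration from the earlier slide has already been compiled on this server (so .\FimServiceConfiguration holds its MOF) and that the cFim resources are installed.

```powershell
# Added example (not the page's own code). Assumes the FimServiceConfiguration
# shown earlier has been compiled into .\FimServiceConfiguration on this server.

configuration FimServerLcm
{
    node (hostname)
    {
        LocalConfigurationManager
        {
            ConfigurationMode              = 'ApplyAndAutoCorrect'   # re-apply drifted resources, not just report them
            ConfigurationModeFrequencyMins = 30
            RefreshMode                    = 'Push'
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile the meta-configuration (<hostname>.meta.mof) and hand it to the LCM
FimServerLcm -OutputPath .\FimServerLcm | Out-Null
Set-DscLocalConfigurationManager -Path .\FimServerLcm -Verbose

# Push the FIM document once; from now on the LCM re-runs every resource's
# Test-TargetResource on its own schedule and calls Set-TargetResource on drift
Start-DscConfiguration -Wait -Verbose -Path .\FimServiceConfiguration

# On-demand drift check between LCM runs: $false means some resource's Test failed
if (-not (Test-DscConfiguration)) {
    Write-Warning 'FIM Service configuration has drifted from the DSC document.'
}

# Audit the MPR that grants rights: Get-DscConfiguration returns each resource's
# Get-TargetResource output, so a hand edit in the portal shows up here
Get-DscConfiguration |
    Where-Object { $_.DisplayName -eq 'Great Mpr' } |
    Select-Object DisplayName, GrantRight, Disabled, PrincipalSet, ResourceFinalSet
```

Because the MOF is the artifact checked into source control, a diff between what Get-DscConfiguration reports and what the document declares is the change record an auditor wants.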