Identity Management | Data Protection | Authentication Strategies
Desired State Configuration for FIM
Craig Martin – FIM MVP
© 2014 Edgile, Inc. – All Rights Reserved
[Video] A Practical Overview of Desired State Configuration
[eBook] PowerShell.org DSC Hub
[TechNet] Windows PowerShell Desired State Configuration Overview
[Slide diagram: the same configuration is carried from Development to Test to Production. Configuration = Intent + DSC Engine (dependency resolution, logging & error handling, reboot resiliency, repeatable automation) + Resources (technology specific). Traditional scripts are technology specific too; the intent layer and the engine are what DSC adds on top of them.]
WHAT: Structural configuration. Stays the same irrespective of the environment.
WHERE: Environmental configuration. Changes as the system goes from Dev to Test to Prod.
HOW: DSC resources. Do the heavy lifting in an idempotent way ("make it so").
###
### Define the configuration
###
configuration Foo
{
    node (hostname)
    {
        WindowsFeature XPSViewerFoo
        {
            Ensure = "Present"
            Name   = "XPS-Viewer"
        }
    }
}

###
### Generate the MOF file from the configuration (one <NodeName>.mof per node, in .\Foo)
###
Foo

###
### View the generated MOF (here the node is the machine the deck was built on)
###
psedit .\Foo\CraigFimDev626.mof

###
### Process the configuration in the LCM
###
Start-DscConfiguration -Wait -Verbose -Path .\Foo
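The WHAT/WHERE split and the compile-then-apply flow above, carried through as one added example (this is editor's code, not from the deck). The structural part is a single configuration block; the environmental part lives in DSC configuration data, one entry per node for Dev, Test and Prod. Node names, the Environment key and the FimDataRoot paths are assumptions for the example. After Start-DscConfiguration, Test-DscConfiguration is the check that the node still matches the compiled MOF, which is what you want to see before trusting a repeat run.

```powershell
### Environmental configuration ("WHERE"): one entry per node, holding only what differs
### between environments. Node names and paths below are assumptions for this example.
$configData = @{
    AllNodes = @(
        @{ NodeName = 'CraigFimDev626';  Environment = 'Dev';  FimDataRoot = 'D:\FimDev'  }
        @{ NodeName = 'CraigFimTest626'; Environment = 'Test'; FimDataRoot = 'D:\FimTest' }
        @{ NodeName = 'CraigFimProd626'; Environment = 'Prod'; FimDataRoot = 'E:\Fim'     }
    )
}

### Structural configuration ("WHAT"): identical for every environment. Only the $Node.*
### lookups vary, and they are resolved at compile time into each node's own MOF.
configuration FimServerBaseline
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    node $AllNodes.NodeName
    {
        WindowsFeature NetFx
        {
            Ensure = 'Present'
            Name   = 'NET-Framework-Core'
        }

        File FimDataRoot
        {
            Ensure          = 'Present'
            Type            = 'Directory'
            DestinationPath = $Node.FimDataRoot
        }

        # Environment marker an operator can read on the box itself
        File EnvironmentMarker
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = (Join-Path $Node.FimDataRoot 'environment.txt')
            Contents        = $Node.Environment
            DependsOn       = '[File]FimDataRoot'
        }
    }
}

### Compile: one MOF per node, named <NodeName>.mof, under .\FimServerBaseline
FimServerBaseline -ConfigurationData $configData -OutputPath .\FimServerBaseline

### Apply to the machine this runs on (assumes its hostname matches one NodeName above)
Start-DscConfiguration -Path .\FimServerBaseline -ComputerName (hostname) -Wait -Verbose

### Verify: $true only when every resource's Test-TargetResource passes, i.e. no drift,
### and a second Start-DscConfiguration would change nothing.
$inDesiredState = Test-DscConfiguration
if (-not $inDesiredState)
{
    Write-Warning 'Node has drifted from the compiled configuration'
}
```

Moving a node from Dev to Prod is then a change to $configData only; the configuration block, and therefore the MOF's structure, is the same artifact in all three environments.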
Resource        Description
Archive         Unpacks archive (.zip) files at specific paths on target nodes.
Environment     Manages system environment variables on target nodes.
File            Manages files and directories on target nodes.
Group           Manages local groups on target nodes.
Log             Logs configuration messages.
Package         Installs and manages packages, such as Windows Installer and setup.exe packages, on target nodes.
WindowsProcess  Configures Windows processes on target nodes.
Registry        Manages registry keys and values on target nodes.
WindowsFeature  Adds or removes Windows features and roles on target nodes.
Script          Runs Windows PowerShell script blocks on target nodes.
Service         Manages services on target nodes.
User            Manages local user accounts on target nodes.
Resource           Description
xComputer          Name a computer and add it to a domain/workgroup
xVHD               Create and manage VHDs
xVMHyperV          Create and manage a Hyper-V virtual machine
xVMSwitch          Create and manage a Hyper-V virtual switch
xDNSServerAddress  Bind a DNS server address to one or more NICs
xIPAddress         Configure IP address (v4 and v6)
xDSCWebService     Configure DSC Service (aka Pull Server)
xWebsite           Deploy and configure a website on IIS
Resource             Module Name         Description
xADDomain            xActiveDirectory    Create and manage an Active Directory domain
xADDomainController  xActiveDirectory    Create and manage an AD domain controller
xADUser              xActiveDirectory    Create and manage an AD user
xWaitForADDomain     xActiveDirectory    Pause configuration implementation until the AD domain is available.
xSqlServerInstall    xSqlps              Create and manage a SQL Server installation.
xSqlHAService        xSqlps              Create and manage a SQL High Availability service.
xSqlHAEndpoint       xSqlps              Create and manage the endpoint used to access a SQL High Availability group.
xSqlHAGroup          xSqlps              Create and manage a SQL High Availability group.
xWaitForSqlHAGroup   xSqlps              Pause configuration implementation until a SQL HA group is available.
xCluster             xFailOverCluster    Create and manage a cluster.
xWaitForCluster      xFailOverCluster    Pause configuration until a cluster is available. Used for cross-machine synchronization.
xSmbShare            xSmbShare           Create and manage an SMB share.
xFirewall            xNetworking         Create and manage firewall rules
xVhdFile             xHyper-V            Manage files to be copied into a VHD.
xWebsite             xWebAdministration  Added functionality to xWebsite to support configuration of HTTPS websites.
xVhd                 xHyper-V            Bug fixes
Module                        Resource                           Description
xWebAdministration            xWebAppPool                        Create, remove, start, stop an IIS application pool
                              xWebVirtualDirectory               Create or remove a virtual directory
                              xWebApplication                    Create or remove a web application
                              xWebConfigKeyValue                 Configure the AppSettings section of Web.config
xDatabase                     xDatabase                          Create, drop & deploy databases
                              xDBPackage                         Backup & restore databases
xSystemSecurity               xUAC                               Enable or disable the User Account Control prompt
                              xIEEsc                             Enable or disable IE Enhanced Security Configuration
xRemoteDesktopSessionHost     xRDSessionDeployment               Creates and configures a deployment in RDSH.
                              xRDSessionCollection               Creates an RDSH collection.
                              xRDSessionCollectionConfiguration  Configures an RDSH collection.
                              xRDRemoteApp                       Publish applications for your RDSH collection
xPSDesiredStateConfiguration  xWindowsProcess                    Adds the ability to run as a specific user to the existing WindowsProcess resource
                              xService                           Update to the existing Service resource to include create/configure service
                              xRemoteFile                        Download files from a URI
                              xPackage                           Adds the ability to run as a specific user to the existing resource, includes VS Setup
                              xArchive                           Create, update, extract a Zip file
                              xEndpoint                          Creates a remoting endpoint
Updates                       xDscResourceDesigner, xComputer, xVMHyperV, xDNSServerAddress   Feature additions and bug fixes
Module                      Resource(s)               Description
xAzure                      xAzureAffinityGroup       Defines the relationship between compute and storage
                            xAzureQuickVM             Simple resource for creating VMs with limited options
                            xAzureService             Creates a cloud service for the VMs
                            xAzureStorageAccount      Creates the online storage account where the blobs for the test environment will reside
                            xAzureSubscription        Sets the current Azure subscription context
                            xAzureVM                  Creates a virtual machine in Azure including access to VM Guest extensions
xJEA                        xJeaEndPoint              Allows creation of PowerShell JEA endpoints that leverage one or more JEA toolkits and properties of the endpoints including access control
                            xJeaToolKit               Allows creation of a JEA toolkit that defines which applications, scripts, and commands should be available within a PowerShell constrained endpoint configuration
xDnsServer                  xDnsServerSecondaryZone   Sets a secondary zone on a given DNS server. Secondary zones allow client machines in the primary DNS zone to resolve machines in the secondary DNS zone.
                            xDnsServerZoneTransfer    Allows DNS server zone data to be replicated to another DNS server.
xDhcpServer                 xDhcpServerScope          Sets a scope for a consecutive range of IP addresses that the DHCP server can lease to clients on a subnet.
                            xDhcpServerReservation    Sets lease assignments used to ensure that a specified client on a subnet can always use the same IP address.
                            xDhcpServerOption         Supports setting DNS domain and DNS server IP address options at a DHCP server scope level.
xWinEventLog                xWinEventLog              Adds support for configuring Windows event logs.
xActiveDirectory (updated)  xADDomainTrust            Used to establish a cross-domain trust
Updates                     xPSDesiredStateConfiguration, xDscResourceDesigner, xDscDiagnostics   Feature additions and bug fixes
Module                        Resource(s)              Description
xWordPress                    xIisWordPressSite        This DSC composite configuration allows you to configure an IIS site to run WordPress and set the contents of the WordPress configuration file.
                              xWordPressSite           This DSC resource allows you to configure a WordPress site.
xPhp                          xPhp                     This DSC resource allows you to set up PHP in IIS. It is used in the xWordPress examples.
xMySql                        xMySqlServer             This DSC resource allows you to configure a MySQL server.
                              xMySqlDatabase           This DSC resource allows you to configure a MySQL database.
                              xMySqlUser               This DSC resource allows you to configure a MySQL user.
                              xMySqlGrant              This DSC resource allows you to configure a MySQL grant (permissions).
                              xMySqlProvision          This DSC resource allows you to configure a MySQL server with a database, a user, and a grant to that database for that user.
xPsDesiredStateConfiguration  xWindowsOptionalFeature  This resource allows configuring Windows Optional Features for Windows client SKUs.
xWebAdministration            xIisModule               Enables registration of modules (such as FastCgiModules) with IIS.
xWindowsUpdate                xHotfix                  Handles installation of a Windows update (or a hotfix) from a given path (file path or a URI).
Updates                       xSqlPs, xDscResourceDesigner, xDhcpServer, xAzure   Minor updates & bug fixes have been made for these.
Module                        Resource(s)                          Description
xSafeHarbor                   (none)                               A sample configuration demonstrating how to set up a secure environment to run a particular application or service. Note: some updates & bug fixes have been made since the original release.
xAzure                        xAzureSqlDatabaseServerFirewallRule  Configures Azure SQL Database Server firewall rules.
xRemoteDesktopAdmin           xRemoteDesktopAdmin                  Configures Remote Desktop settings and configures the Windows firewall to support Remote Desktop.
xPsDesiredStateConfiguration  xGroup                               Extends the in-box Group resource with support for cross-domain account lookup and UPN-formatted names used for identifying users, computers, and group domain-based accounts.
xChrome                       xChrome                              Deploys the Chrome browser
xFirefox                      xFirefox                             Deploys the Firefox browser
Updates                       xAzureSqlDatabase, xPsDesiredStateConfiguration, xWaitForAdDomain, xSqlServerInstall, xFirewall   Bug fixes have been made to improve each of these items. Please see the individual topics for details.
Module           Resource(s)                                      Description
xAdcsDeployment  xAdcsCertificationAuthority, xAdcsWebEnrollment  Install and configure the Certificate Authority role and the Certificate Services Web Enrollment on a Windows Server following installation of the component using the WindowsFeature resource.
xCredSSP         xCredSSP                                         Enables or disables Credential Security Support Provider (CredSSP) authentication, and supports configuring the server and client roles, plus which server or servers the client credentials can be delegated to.
xPendingReboot   xPendingReboot                                   Examines three specific registry locations where a Windows Server might indicate that a reboot is pending and allows DSC to predictably handle the condition.
Updates          xRemoteDesktopAdmin                              Bug fixes have been made to improve this item. Please see the individual topic for details.
File
Group
Registry
Service
User
Package
WindowsFeature
WindowsProcess
Environment
Archive
Log
Script
xWebsite
xComputer
xIPAddress
xDNSServerAddress
xDSCWebService
xVHD
xVMHyperV
xVMSwitch
xVhdFile
xADDomain
xADUser
xADDomainController
xWaitForADDomain
xSqlServerInstall
xSqlHAService
xSqlHAEndpoint
xSqlHAGroup
xWaitForSqlHAGroup
xCluster
xWaitForCluster
xSmbShare
xFirewall
xDatabase
xDBPackage
xWebAppPool
xWebVirtualDirectory
xWebApplication
xWebConfigKeyValue
xUAC
xIEEsc
xWindowsProcess
xService
xRemoteFile
xPackage
xCompress
xEndpoint
xRDRemoteApp
xRDSessionDeployment
xRDSessionCollection
xRDSessionCollectionConfiguration
xAzureQuickVM
xAzureVM
xAzureStorageAccount
xAzureSubscription
xAzureService
xAzureAffinityGroup
xJeaEndPoint
xJeaToolKit
xDnsServerSecondaryZone
xDnsServerZoneTransfer
xDhcpServerScope
xDhcpServerReservation
xDhcpServerOption
xWinEventLog
xADDomainTrust
xFileUpload
xIISWordPress
xWordPressSite
xPhp
xMySqlServer
xMySqlDatabase
xMySqlUser
xMySqlGrant
xMySqlProvision
xWindowsOptionalFeature
xHotfix
xIISModule
Function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    # TODO: Add parameters here
    # Make sure to use the same parameters for
    # Get-TargetResource, Set-TargetResource, and Test-TargetResource
    param(
    )
    # Read-only: return a hashtable of the current state, keyed by parameter name
}

Function Set-TargetResource
{
    [CmdletBinding()]
    # TODO: Add parameters here
    # Make sure to use the same parameters for
    # Get-TargetResource, Set-TargetResource, and Test-TargetResource
    param(
    )
    # Bring the node to the desired state; the LCM only calls this when Test-TargetResource returns $false
}

Function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    # TODO: Add parameters here
    # Make sure to use the same parameters for
    # Get-TargetResource, Set-TargetResource, and Test-TargetResource
    param(
    )
    # Return $true when the node already matches the desired state, $false otherwise
}
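The template above filled in, as an added example rather than code from the deck or the FIM modules: a hypothetical resource named cRegistryDword that ensures a REG_DWORD value exists with a given value, or is absent. It shows the contract the skeleton implies: Get only reads, Test decides, and Set is idempotent so the LCM can call it on every consistency check. The module layout (a cRegistryDword.psm1 beside a cRegistryDword.schema.mof declaring Key, ValueName, ValueData and Ensure) and the module name in the usage comment are assumptions; the in-box Registry resource already covers this job, the point here is the shape of the code.

```powershell
### cRegistryDword.psm1 (hypothetical resource; file and property names are assumptions)

Function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param(
        [Parameter(Mandatory = $true)] [string] $Key,
        [Parameter(Mandatory = $true)] [string] $ValueName,
        [uint32] $ValueData = 0,
        [ValidateSet('Present', 'Absent')] [string] $Ensure = 'Present'
    )

    # Get only reads. It reports what is actually on the box, not what was asked for.
    $current = $null
    if (Test-Path -LiteralPath $Key)
    {
        $item = Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = [uint32] $item.$ValueName }
    }
    $currentEnsure = if ($null -ne $current) { 'Present' } else { 'Absent' }

    return @{
        Key       = $Key
        ValueName = $ValueName
        ValueData = $current
        Ensure    = $currentEnsure
    }
}

Function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param(
        [Parameter(Mandatory = $true)] [string] $Key,
        [Parameter(Mandatory = $true)] [string] $ValueName,
        [uint32] $ValueData = 0,
        [ValidateSet('Present', 'Absent')] [string] $Ensure = 'Present'
    )

    $state = Get-TargetResource @PSBoundParameters

    if ($Ensure -eq 'Absent')
    {
        return ($state.Ensure -eq 'Absent')
    }
    # "Present" means present with exactly this data; a wrong value is drift, not compliance
    return (($state.Ensure -eq 'Present') -and ($state.ValueData -eq $ValueData))
}

Function Set-TargetResource
{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Key,
        [Parameter(Mandatory = $true)] [string] $ValueName,
        [uint32] $ValueData = 0,
        [ValidateSet('Present', 'Absent')] [string] $Ensure = 'Present'
    )

    if ($Ensure -eq 'Absent')
    {
        if (Test-Path -LiteralPath $Key)
        {
            Remove-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
        }
        return
    }

    # Idempotent: running this twice converges on the same key and value
    if (-not (Test-Path -LiteralPath $Key))
    {
        New-Item -Path $Key -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $Key -Name $ValueName -Value $ValueData -Type DWord
}

Export-ModuleMember -Function Get-TargetResource, Set-TargetResource, Test-TargetResource

<#
Usage inside a configuration (module name is an assumption; the value shown requires SMB signing on a server):

    Import-DscResource -ModuleName cRegistryDwordModule
    cRegistryDword RequireSmbSigning
    {
        Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        ValueName = 'RequireSecuritySignature'
        ValueData = 1
        Ensure    = 'Present'
    }
#>
```

Test-TargetResource delegates to Get-TargetResource so there is a single place that reads the registry; if the two ever disagree, Get-DscConfiguration and Test-DscConfiguration will report different things for the same node, which is the first thing to suspect when a resource "keeps applying".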
### Export the FIM configuration from both servers (server1 is the source, server2 the target)
$policy1 = Export-FIMConfig -policyConfig -portalConfig -schemaConfig -Uri http://server1:5725
$policy2 = Export-FIMConfig -policyConfig -portalConfig -schemaConfig -Uri http://server2:5725

### Set some join rules: per object type, the attributes that identify "the same" object on both sides
$joinrules = @{
    Person                           = "MailNickname DisplayName";
    Group                            = "DisplayName";
    ObjectTypeDescription            = "Name";
    AttributeTypeDescription         = "Name";
    BindingDescription               = "BoundObjectType BoundAttributeType";
    ConstantSpecifier                = "BoundObjectType BoundAttributeType ConstantValueKey";
    SearchScopeConfiguration         = "DisplayName SearchScopeResultObjectType Order";
    ObjectVisualizationConfiguration = "DisplayName AppliesToCreate AppliesToEdit AppliesToView"
}

### Do the joining ($matches is a PowerShell automatic variable, so the result goes in $joined)
$joined = Join-FIMConfig -source $policy1 -target $policy2 -join $joinrules -defaultJoin DisplayName

### Produce the diff
$diff = $joined | Compare-FIMConfig

### Import the diff to FIM. Objects that could not be resolved on the first pass
### (they reference something created later in the same batch) come back as undone imports
$undoneImports = $diff | Import-FimConfig -Uri http://server2:5725

### Didn't work? Yeah, do it again: the second pass resolves the references the first pass created
$undoneImports | Import-FimConfig -Uri http://server2:5725
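The "do it again" step above works because unresolved references are returned rather than failed. The following added example (editor's code, not the deck's) reviews what Compare-FIMConfig produced before anything is imported, and loops on the undone imports until nothing comes back or a round makes no progress, instead of hard-coding exactly two passes. It assumes $diff from the Compare-FIMConfig call above and server2 as the target; the ImportObject members it uses (ObjectType, State, SourceObjectIdentifier) are from the FIM Automation object model. Holding back anything other than a Create or a Put for a human to look at is a conservative choice for a policy migration, not a FIM requirement.

```powershell
### Assumes $diff = $joined | Compare-FIMConfig has already run
$targetUri = 'http://server2:5725'

### 1. What would change, counted by object type and operation
$diff |
    Group-Object -Property ObjectType, State |
    Sort-Object -Property Name |
    ForEach-Object { '{0,-50} {1,5}' -f $_.Name, $_.Count }

### 2. Only Create and Put go through unattended; anything else waits for review
$toImport = @($diff | Where-Object { $_.State -in 'Create', 'Put' })
$heldBack = @($diff | Where-Object { $_.State -notin 'Create', 'Put' })
if ($heldBack.Count -gt 0)
{
    Write-Warning ('{0} object(s) held back for review:' -f $heldBack.Count)
    $heldBack | ForEach-Object {
        Write-Warning ('  {0} {1} {2}' -f $_.State, $_.ObjectType, $_.SourceObjectIdentifier)
    }
}

### 3. Import. Whatever comes back could not be resolved yet (typically a reference to an
###    object created later in the same batch). Retry while each round makes progress.
$pending = $toImport
$round   = 0
while ($pending.Count -gt 0)
{
    $round++
    Write-Verbose ('Import round {0}: {1} object(s)' -f $round, $pending.Count) -Verbose
    $remaining = @($pending | Import-FIMConfig -Uri $targetUri)

    if ($remaining.Count -ge $pending.Count)
    {
        # Nothing got resolved this round: a dangling reference, not a sequencing problem
        Write-Warning ('No progress in round {0}; {1} object(s) still unresolved' -f $round, $remaining.Count)
        $remaining | ForEach-Object {
            Write-Warning ('  {0} {1}' -f $_.ObjectType, $_.SourceObjectIdentifier)
        }
        break
    }
    $pending = $remaining
}
```

The no-progress check matters more than the loop itself: two identical rounds means something in the batch references an object that exists on neither server, and a third pass will not fix that.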
### Check starting state - halt the script if trouble is found with the preliminaries
### ($scriptPath and $environment are assumed to be set earlier in the script)
Write-Verbose "Checking for FIM."
try
{
    Get-Service FIMService -ErrorAction Stop | Out-Null
}
catch
{
    Write-Warning "FIM not found. Please run this script from the FIM server, duh."
    exit
}

Write-Verbose "Checking target environment."
if (-not (Test-Path "$scriptPath\Config$environment.xml"))
{
    Write-Warning "Config values not found for environment '$environment'. Please try again, harder next time."
    exit
}
### Create the Set: 'FIM UG: Presenters'
New-FimSet -DisplayName "FIM UG: Presenters" -Filter "/Person[Slacker = False]"

### Create the Set: 'FIM UG: Organizers'
New-FimSet -DisplayName "FIM UG: Organizers" -Filter "/Person[CommunityHero = True]"

### Create the Set: 'FIM UG: Participants'
New-FimSet -DisplayName "FIM UG: Participants" -Filter "/Person[ScarTisue = True]"
Configuration FimServiceConfiguration
{
    Import-DscResource -ModuleName FimPowerShellModule

    Node MyFimServer
    {
        cFimPerson GreatPerson
        {
            AccountName = 'GreatPerson'
            DisplayName = 'Great Person'
            Domain      = 'Redmond'
            FirstName   = 'Craig'
            Manager     = 'GreatManager'
            ObjectSID   = (Get-ObjectSid GreatPerson)
            Ensure      = 'Present'
        }

        cFimManagementPolicyRule GreatMpr
        {
            ActionParameter                  = '*'
            ActionType                       = 'Modify'
            Description                      = 'initial description'
            Disabled                         = $false
            DisplayName                      = 'Great Mpr'
            GrantRight                       = $true
            PrincipalSet                     = 'All People'
            ResourceCurrentSet               = 'All People'
            ResourceFinalSet                 = 'All Great People'
            ManagementPolicyRuleType         = 'Request'
            AuthenticationWorkflowDefinition = 'Call Me Maybe? AuthN Workflow'
            AuthorizationWorkflowDefinition  = 'Manager Approval AuthZ Workflow'
            ActionWorkflowDefinition         = 'Some Great Reward Action Workflow'
            Ensure                           = 'Present'
        }
    }
}
Module               Resource(s)                                   Description
FimPowerShellModule  cFimActivityInformationConfiguration          The purpose of these resources is to configure the FIM Service.
                     cFimAttributeTypeDescription
                     cFimBindingDescription
                     cFimEmailTemplate
                     cFimFilterScope
                     cFimGroup
                     cFimHomePageConfiguration
                     cFimManagementPolicyRule
                     cFimmsidmSystemConfiguration
                     cFimNavigationBarConfiguration
                     cFimObjectTypeDescription
                     cFimObjectVisualizationConfiguration
                     cFimPerson
                     cFimPortalUIConfiguration
                     cFimResource
                     cFimSearchScopeConfiguration
                     cFimSet
                     cFimSynchronizationFilter
                     cFimSystemResourceRetentionConfiguration
                     cFimWorkflowDefinition
Module                   Resource(s)                         Description
FimSyncPowerShellModule  cFimSyncFilterRule                  The purpose of these resources is to configure the FIM Synchronization Service.
                         cFimSyncImportAttributeFlowRule
                         cFimSyncJoinRule
                         cFimSyncMADeprovisioningOptions
                         cFimSyncMAExtension
                         cFimSyncManagementAgent
                         cFimSyncMAPartitionData
                         cFimSyncMAPrivateConfiguration
                         cFimSyncMVAttributeType
                         cFimSyncMVDeletionRule
                         cFimSyncMVExtension
                         cFimSyncMVObjectType
                         cFimSyncMVProvisioningRule
                         cFimSyncProjectionRule
                         cFimSyncRunProfile
### $fimAdminCredential is assumed to hold a PSCredential for the FIM Service administrator
### in the calling scope. The ns0 namespace in the XOML is elided on the slide.
configuration DemoFimServiceConfiguration
{
    Import-DscResource -ModuleName FimPowerShellModule

    node (hostname)
    {
        cFimManagementPolicyRule GreatManagementPolicyRule
        {
            ActionParameter          = '*'
            ActionType               = 'TransitionIn'
            ActionWorkflowDefinition = 'Some Great Reward Action Workflow'
            Description              = 'initial description'
            Disabled                 = $false
            DisplayName              = 'Great Management Policy Rule'
            GrantRight               = $false
            ResourceFinalSet         = 'All Great People'
            ManagementPolicyRuleType = 'SetTransition'
            Ensure                   = 'Present'
            Credential               = $fimAdminCredential
            DependsOn                = '[cFimWorkflowDefinition]SomeGreatRewardActionWorkflow',
                                       '[cFimSet]AllGreatPeople'
        }

        cFimSet AllGreatPeople
        {
            DisplayName = 'All Great People'
            Filter      = @'
<Filter xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect">
/Person[LastName='Great']
</Filter>
'@
            Ensure      = 'Present'
            Credential  = $fimAdminCredential
        }

        cFimWorkflowDefinition SomeGreatRewardActionWorkflow
        {
            DisplayName  = 'Some Great Reward Action Workflow'
            RequestPhase = 'Action'
            # Inner double quotes in the EmailTemplate attribute must be &quot; for the XOML to parse
            XOML         = @'
<ns0:SequentialWorkflow ActorId="00000000-0000-0000-0000-000000000000"
                        RequestId="00000000-0000-0000-0000-000000000000"
                        x:Name="SequentialWorkflow"
                        TargetId="00000000-0000-0000-0000-000000000000"
                        WorkflowDefinitionId="00000000-0000-0000-0000-000000000000"
                        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow"
                        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
                        xmlns:ns0="…">
    <ns0:EmailNotificationActivity x:Name="authenticationGateActivity1"
                                   To="[//Target];"
                                   CC="{x:Null}"
                                   EmailTemplate="{ObjectType:&quot;EmailTemplate&quot;,AttributeName:&quot;DisplayName&quot;,AttributeValue:&quot;Some Great Rewarding Email Template&quot;}"
                                   SuppressException="False"
                                   Bcc="{x:Null}" />
</ns0:SequentialWorkflow>
'@
            Ensure       = 'Present'
            Credential   = $fimAdminCredential
            DependsOn    = '[cFimEmailTemplate]SomeGreatRewardingEmailTemplate'
        }

        cFimEmailTemplate SomeGreatRewardingEmailTemplate
        {
            DisplayName       = 'Some Great Rewarding Email Template'
            EmailBody         = 'Some Great Reward will be coming my way'
            EmailSubject      = 'Some Great Reward'
            EmailTemplateType = 'Notification'
            Ensure            = 'Present'
            Credential        = $fimAdminCredential
        }
    }
}
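Every cFim resource above takes Credential = $fimAdminCredential, and that credential ends up in the compiled MOF. The DSC compiler refuses to write a plain-text password unless the node's configuration data sets PSDscAllowPlainTextPassword = $true, and that flag is exactly what must not be set for a Production FIM server. The added example below (editor's code, not the deck's) compiles the same kind of configuration with the credential encrypted to a certificate on the node, and points the node's LCM at the matching private key so it can decrypt. The certificate path and thumbprint are placeholders; the node is assumed to already hold a certificate with a private key whose public half was exported to the authoring machine.

```powershell
### Assumptions: MyFimServer holds a certificate with private key; its public key was exported
### to C:\PublicKeys\MyFimServer.cer on this authoring box. Thumbprint below is a placeholder.
$fimAdminCredential = Get-Credential -Message 'FIM Service administrator'

$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'MyFimServer'
            CertificateFile = 'C:\PublicKeys\MyFimServer.cer'
            Thumbprint      = '0000000000000000000000000000000000000000'   # placeholder
            # Deliberately NOT set: PSDscAllowPlainTextPassword = $true
        }
    )
}

configuration DemoFimServiceConfiguration
{
    param([Parameter(Mandatory = $true)] [PSCredential] $Credential)

    Import-DscResource -ModuleName FimPowerShellModule

    node $AllNodes.NodeName
    {
        cFimSet AllGreatPeople
        {
            DisplayName = 'All Great People'
            Filter      = @'
<Filter xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect">
/Person[LastName='Great']
</Filter>
'@
            Ensure      = 'Present'
            Credential  = $Credential
        }
    }
}

### Tell the node's LCM which private key decrypts credentials in the MOFs it receives
configuration LcmDecryptionKey
{
    node $AllNodes.NodeName
    {
        LocalConfigurationManager
        {
            CertificateID = $Node.Thumbprint
        }
    }
}

LcmDecryptionKey -ConfigurationData $configData -OutputPath .\LcmDecryptionKey
Set-DscLocalConfigurationManager -Path .\LcmDecryptionKey -Verbose

### Compile: with CertificateFile set for the node, the password is encrypted in the MOF
DemoFimServiceConfiguration -ConfigurationData $configData `
                            -Credential $fimAdminCredential `
                            -OutputPath .\DemoFimServiceConfiguration

### Spot check before the MOF leaves this machine: a clear-text password is a failed build
$mof = Get-Content .\DemoFimServiceConfiguration\MyFimServer.mof -Raw
$clearText = $fimAdminCredential.GetNetworkCredential().Password
if ($clearText.Length -gt 0 -and $mof -match [regex]::Escape($clearText))
{
    throw 'Password found in clear text in the MOF; check CertificateFile and Thumbprint'
}

Start-DscConfiguration -Path .\DemoFimServiceConfiguration -ComputerName MyFimServer -Wait -Verbose
```

Taking the credential as a configuration parameter rather than reading $fimAdminCredential from the session also means the Dev, Test and Prod compiles can each be handed their own account without touching the configuration body.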
Driving Alignment Between Business and Security