AdfsFarmNode - X-Guardian/AdfsDsc GitHub Wiki

AdfsFarmNode

Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| FederationServiceName | Key | String | Specifies the DNS name of the federation service. | |
| CertificateThumbprint | Required | String | Specifies the thumbprint of the certificate that should be used in the SSL binding of the Default Web Site in IIS. This value should match the thumbprint of a valid certificate in the Local Computer certificate store. | |
| Credential | Required | PSCredential | Specifies a PSCredential object that must have domain administrator privileges. | |
| GroupServiceAccountIdentifier | Write | String | Specifies the Group Managed Service Account under which the Active Directory Federation Services (AD FS) service runs. | |
| OverwriteConfiguration | Write | Boolean | This parameter must be used to remove an existing AD FS configuration database and overwrite it with a new database. | |
| PrimaryComputerName | Write | String | Specifies the name of the primary in a farm. The resource adds the computer to the farm that has the primary that you specify. | |
| PrimaryComputerPort | Write | SInt32 | Specifies the primary computer port. The computer uses the HTTP port that you specify to connect with the primary computer in order to synchronize configuration settings. Specify a value of 80 for this parameter, or specify an alternate value if the HTTP port on the primary computer is not 80. If this parameter is not specified, a default port value of 80 is assumed. | |
| ServiceAccountCredential | Write | PSCredential | Specifies the Active Directory account under which the AD FS service runs. All nodes in the farm must use the same service account. | |
| SQLConnectionString | Write | String | Specifies the SQL Server database that will store the AD FS configuration settings. If not specified, AD FS uses Windows Internal Database to store configuration settings. | |
| Ensure | Read | String | The state of the ADFS Farm. | |

Description

The AdfsFarmNode DSC resource manages an additional node in a pre-existing Active Directory Federation Service server farm.

Requirements

  • The SQLConnectionString parameter must be the same as was specified when the ADFS farm was created on the primary node.
  • The ServiceAccountCredential or GroupServiceAccountIdentifier must be the same as was specified when the ADFS farm was created; all nodes in a farm run under one service account.
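The requirements above are only checked when the resource actually calls into AD FS, which is late and noisy to debug. The following pre-flight script is an added example, not part of the AdfsDsc module, that verifies the inputs the AdfsFarmNode examples on this page take before the configuration is applied: the certificate is present in the Local Computer store with a private key, is not expired and covers the federation service name; the gMSA exists and this host is allowed to retrieve its managed password (which is the usual reason a gMSA-based node join fails); and the primary node answers on the configuration-sync port. The default parameter values are the placeholder names and thumbprint used in the examples and must be replaced; the `Test-ADServiceAccount` check assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) is installed.

```powershell
# Added pre-flight check for a node about to join an existing AD FS farm.
# Not part of AdfsDsc. Defaults are the placeholder values from this page.
#Requires -RunAsAdministrator
param (
    [string] $FederationServiceName         = 'fs.corp.contoso.com',
    [string] $CertificateThumbprint         = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed',
    [string] $GroupServiceAccountIdentifier = 'contoso\adfsgmsa$',
    [string] $PrimaryComputerName           = 'PrimaryWIDHost',
    [int]    $PrimaryComputerPort           = 80
)

function Test-DnsNameCovered {
    # Returns $true when one of the certificate's DNS names covers $HostName.
    # A wildcard entry only matches a single leftmost label (RFC 6125 rules).
    param ([string[]] $SanNames, [string] $HostName)
    foreach ($san in $SanNames) {
        if ($san -eq $HostName) { return $true }
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)   # e.g. ".corp.contoso.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $prefix = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($prefix -and -not $prefix.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

$failures = [System.Collections.Generic.List[string]]::new()

# 1. SSL / service communications certificate: CertificateThumbprint must point at a
#    certificate in LocalMachine\My that has a usable private key and is still valid.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $CertificateThumbprint }
if (-not $cert) {
    $failures.Add("Certificate $CertificateThumbprint not found in Cert:\LocalMachine\My")
}
elseif (-not $cert.HasPrivateKey) {
    $failures.Add("Certificate $CertificateThumbprint has no private key on this host")
}
elseif ($cert.NotAfter -lt (Get-Date)) {
    $failures.Add("Certificate $CertificateThumbprint expired on $($cert.NotAfter)")
}
elseif (-not (Test-DnsNameCovered -SanNames @($cert.DnsNameList.Unicode) -HostName $FederationServiceName)) {
    $failures.Add("Certificate does not cover $FederationServiceName (names: $($cert.DnsNameList.Unicode -join ', '))")
}

# 2. gMSA: must exist, and this computer must be listed in
#    PrincipalsAllowedToRetrieveManagedPassword, otherwise Test-ADServiceAccount returns $false.
$gmsaName = ($GroupServiceAccountIdentifier -split '\\')[-1].TrimEnd('$')
try {
    if (-not (Test-ADServiceAccount -Identity $gmsaName -ErrorAction Stop)) {
        $failures.Add("This host cannot retrieve the managed password for gMSA '$gmsaName'")
    }
}
catch {
    $failures.Add("gMSA '$gmsaName' could not be checked (missing account or ActiveDirectory module): $_")
}

# 3. Primary node: configuration sync uses plain HTTP on PrimaryComputerPort (80 by default).
$probe = Test-NetConnection -ComputerName $PrimaryComputerName -Port $PrimaryComputerPort `
    -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    $failures.Add("Primary node $PrimaryComputerName is not reachable on TCP port $PrimaryComputerPort")
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    throw "Pre-flight failed with $($failures.Count) problem(s); do not apply the AdfsFarmNode configuration yet."
}
Write-Output "Pre-flight passed: $env:COMPUTERNAME can join the farm whose primary is $PrimaryComputerName."
```

Run it on the node that is about to be configured. The gMSA check is the one worth running first: if the computer account was added to the gMSA's allowed principals after the node last rebooted, it may still need a reboot (or a new Kerberos ticket) before the managed password can be retrieved.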

Examples

Example 1

This configuration will add the computer as a node in an existing Active Directory Federation Services (AD FS) server farm using the Windows Internal Database (WID) on the local server computer and whose primary node is installed on a computer named PrimaryWIDHost.

The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates.

The standard user account specified in the ServiceAccountCredential parameter will be used for the service account.

Configuration AdfsFarmNode_ServiceAccount_WID_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $ServiceAccountCredential,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        WindowsFeature InstallAdfs
        {
            Name   = 'ADFS-Federation'
        }

        AdfsFarmNode SecondWIDHost
        {
            FederationServiceName    = 'fs.corp.contoso.com'
            CertificateThumbprint    = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed'
            ServiceAccountCredential = $ServiceAccountCredential
            Credential               = $DomainAdminCredential
            PrimaryComputerName      = 'PrimaryWIDHost'
        }
    }
}

Example 2

This configuration will add the computer as a node in an existing Active Directory Federation Services (AD FS) server farm using the Windows Internal Database (WID) on the local server computer and whose primary node is installed on a computer named PrimaryWIDHost.

The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates.

The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the service account.

Configuration AdfsFarmNode_gMSA_WID_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        WindowsFeature InstallAdfs
        {
            Name = 'ADFS-Federation'
        }

        AdfsFarmNode SecondWIDHost
        {
            FederationServiceName         = 'fs.corp.contoso.com'
            CertificateThumbprint         = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed'
            GroupServiceAccountIdentifier = 'contoso\adfsgmsa$'
            Credential                    = $DomainAdminCredential
            PrimaryComputerName           = 'PrimaryWIDHost'
        }
    }
}

Example 3

This configuration will add the computer as a node in an existing Active Directory Federation Services (AD FS) server farm using a Microsoft SQL Server database on a remote computer named sql01.contoso.com using Windows Authentication and whose primary node is installed on a computer named adfs01.contoso.com.

The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates.

The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the service account.

Configuration AdfsFarmNode_gMSA_SQL_Integrated_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        WindowsFeature InstallAdfs
        {
            Name = 'ADFS-Federation'
        }

        AdfsFarmNode SecondWIDHost
        {
            FederationServiceName         = 'sts.contoso.com'
            CertificateThumbprint         = '933D8ACDD49CEF529EB159504C4095575E3496BB'
            GroupServiceAccountIdentifier = 'contoso\adfsgmsa$'
            SQLConnectionString           = 'Data Source=sql01.contoso.com;Integrated Security=True'
            Credential                    = $DomainAdminCredential
            PrimaryComputerName           = 'adfs01.contoso.com'
        }
    }
}

Example 4

This configuration will add the computer as a node in an existing Active Directory Federation Services (AD FS) server farm using a Microsoft SQL Server database on a remote computer named sql01.contoso.com using SQL Authentication and whose primary node is installed on a computer named adfs01.contoso.com.

The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates.

The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the service account.

Configuration AdfsFarmNode_gMSA_SQL_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $SqlCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        WindowsFeature InstallAdfs
        {
            Name = 'ADFS-Federation'
        }

        # The SQL login is unpacked here, at compile time, and written into the
        # SQLConnectionString property as a plain string. Because that property is a
        # String rather than a PSCredential, DSC MOF encryption does not protect it:
        # the SQL password is stored in clear text in the compiled MOF and in the
        # LCM's current configuration on the node. Prefer Integrated Security
        # (Example 3) where possible, and restrict and clean up the MOF otherwise.
        $SqlUserName = $SqlCredential.UserName
        $SqlPassword = $SqlCredential.GetNetworkCredential().Password

        AdfsFarmNode SecondWIDHost
        {
            FederationServiceName         = 'sts.contoso.com'
            CertificateThumbprint         = '933D8ACDD49CEF529EB159504C4095575E3496BB'
            GroupServiceAccountIdentifier = 'contoso\adfsgmsa$'
            SQLConnectionString           = "Data Source=sql01.contoso.com;User ID=$SqlUserName;Password=$SqlPassword"
            Credential                    = $DomainAdminCredential
            PrimaryComputerName           = 'adfs01.contoso.com'
        }
    }
}
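All four examples take a domain administrator credential, and Example 4 additionally takes a SQL login, so compiling them raises the question of where those secrets end up. DSC refuses to compile a configuration that contains a PSCredential unless you either set `PSDscAllowPlainTextPassword = $true` (domain admin password in clear text in the MOF) or supply a certificate whose public key encrypts the credential properties. The following is an added example, not part of AdfsDsc, showing the certificate route for Example 4 and then checking the resulting MOF for both passwords. It assumes the configuration above has already been dot-sourced into the session, that a DSC encryption certificate with a private key exists on the node and that its public key has been exported to `C:\DscCerts\DscPublicKey.cer`; the paths are placeholders. The MOF check at the end shows the caveat noted in Example 4: the domain admin password is encrypted, the SQL password is not.

```powershell
# Added example: compile Example 4 with certificate-encrypted credentials and verify
# what the MOF actually contains. Not part of AdfsDsc; paths are placeholders.
#Requires -RunAsAdministrator

# Public key of the node's DSC encryption certificate (previously exported with
# Export-Certificate). Get-PfxCertificate reads a .cer as well as a .pfx.
$dscCertFile       = 'C:\DscCerts\DscPublicKey.cer'
$dscCertThumbprint = (Get-PfxCertificate -FilePath $dscCertFile).Thumbprint
$outputPath        = 'C:\Dsc\AdfsFarmNode'

# Configuration data: CertificateFile + Thumbprint tell the compiler to encrypt every
# PSCredential property for this node. PSDscAllowPlainTextPassword is deliberately absent.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            CertificateFile = $dscCertFile
            Thumbprint      = $dscCertThumbprint
        }
    )
}

# The LCM needs the matching private key to decrypt the MOF at apply time.
[DscLocalConfigurationManager()]
Configuration LcmUseDscCertificate
{
    param ([Parameter(Mandatory = $true)][string] $CertificateID)
    Node localhost
    {
        Settings { CertificateID = $CertificateID }
    }
}

$domainAdmin = Get-Credential -Message 'Domain admin credential used to join the farm'
$sqlLogin    = Get-Credential -Message 'SQL login for the AD FS configuration database'

# Compile the LCM settings and the AdfsFarmNode configuration from Example 4.
LcmUseDscCertificate -CertificateID $dscCertThumbprint -OutputPath "$outputPath\Lcm" | Out-Null
AdfsFarmNode_gMSA_SQL_Config -ConfigurationData $configData `
    -DomainAdminCredential $domainAdmin -SqlCredential $sqlLogin `
    -OutputPath $outputPath | Out-Null

# Inspect the compiled MOF before pushing it.
$mof = Get-Content -Raw -Path (Join-Path $outputPath 'localhost.mof')
$domainPassword = $domainAdmin.GetNetworkCredential().Password
$sqlPassword    = $sqlLogin.GetNetworkCredential().Password

if ($mof -match [regex]::Escape($domainPassword)) {
    throw 'Domain admin password is in clear text in the MOF; credential encryption did not apply.'
}
Write-Output 'Credential property (domain admin) is encrypted in the MOF.'

if ($mof -match [regex]::Escape($sqlPassword)) {
    # Expected for Example 4: SQLConnectionString is a String, not a PSCredential.
    Write-Warning 'SQL password is in clear text in the MOF (SQLConnectionString is a plain string).'
    Write-Warning 'Restrict the output directory to Administrators and delete it after applying.'
}

# Apply: LCM settings first, then the farm-node configuration.
Set-DscLocalConfigurationManager -Path "$outputPath\Lcm" -Verbose
Start-DscConfiguration -Path $outputPath -Wait -Verbose -Force

# The clear-text SQL password also lives in the LCM's applied configuration under
# C:\Windows\System32\Configuration, so removing the compiled MOF only limits, not
# removes, the exposure. Integrated Security (Example 3) avoids the problem entirely.
Remove-Item -Path $outputPath -Recurse -Force
```

The same configuration data works unchanged for Examples 1 to 3; only Example 4 has a secret that falls outside DSC's credential encryption, which is the reason to prefer the Windows Authentication variant when the SQL Server and the farm share a forest.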