AdfsFarmNode - X-Guardian/AdfsDsc GitHub Wiki
Parameters
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
FederationServiceName | Key | String | Specifies the DNS name of the federation service. | |
CertificateThumbprint | Required | String | Specifies the value of the certificate thumbprint of the certificate that should be used in the SSL binding of the Default Web Site in IIS. This value should match the thumbprint of a valid certificate in the Local Computer certificate store. | |
Credential | Required | PSCredential | Specifies a PSCredential object that must have domain administrator privileges. | |
GroupServiceAccountIdentifier | Write | String | Specifies the Group Managed Service Account under which the Active Directory Federation Services (AD FS) service runs. | |
OverwriteConfiguration | Write | Boolean | This parameter must be used to remove an existing AD FS configuration database and overwrite it with a new database. | |
PrimaryComputerName | Write | String | Specifies the name of the primary computer in a farm. The cmdlet adds the computer to the farm that has the primary that you specify. | |
PrimaryComputerPort | Write | SInt32 | Specifies the primary computer port. The computer uses the HTTP port that you specify to connect with the primary computer in order to synchronize configuration settings. Specify a value of 80 for this parameter, or specify an alternate value if the HTTP port on the primary computer is not 80. If this parameter is not specified, a default port value of 80 is assumed. | |
ServiceAccountCredential | Write | PSCredential | Specifies the Active Directory account under which the AD FS service runs. All nodes in the farm must use the same service account. | |
SQLConnectionString | Write | String | Specifies the SQL Server database that will store the AD FS configuration settings. If not specified, AD FS uses Windows Internal Database to store configuration settings. | |
Ensure | Read | String | The state of the ADFS Farm. | |
Description
The AdfsFarmNode DSC resource manages an additional node in a pre-existing Active Directory Federation Service server farm.
Requirements
- The `SQLConnectionString` parameter should be the same as was specified for the ADFS Farm.
- The `ServiceAccountCredential` or `GroupServiceAccountIdentifier` should be the same as was specified for the ADFS farm.
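The table above requires the SSL certificate to exist in the Local Computer store, and the requirements above require the node's database and service account to match the farm. The following pre-flight script is an added example and is not part of AdfsDsc; it assumes the ADFS PowerShell module is installed on the primary (for `Get-AdfsSyncProperties`), that the AD FS service is named `adfssrv`, and that the `root/ADFS` `SecurityService` CIM class on the primary exposes `ConfigurationDatabaseConnectionString` for the farm database.

```powershell
# Pre-flight checks for the values an AdfsFarmNode configuration will consume.
# Added example (not AdfsDsc code). Assumes: ADFS module on the primary, service
# name 'adfssrv', and the root/ADFS SecurityService CIM class on the primary.
function Test-AdfsFarmNodePrerequisite {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $CertificateThumbprint,
        [Parameter(Mandatory)] [string] $PrimaryComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $GroupServiceAccountIdentifier,   # e.g. 'contoso\adfsgmsa$'
        [string] $SQLConnectionString              # omit for WID farms
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Check ([string] $Name, [bool] $Passed, [string] $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
    }

    # 1. The SSL certificate must be in LocalMachine\My with its private key and not expired.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $CertificateThumbprint.ToUpperInvariant() }
    Add-Check 'CertificatePresent' ($null -ne $cert) "Thumbprint $CertificateThumbprint in Cert:\LocalMachine\My"
    if ($cert) {
        Add-Check 'CertificatePrivateKey' $cert.HasPrivateKey 'The SSL binding needs the private key'
        Add-Check 'CertificateNotExpired' ($cert.NotAfter -gt (Get-Date)) "Expires $($cert.NotAfter)"
    }

    # 2. Ask the named primary what it actually runs: its sync role, service account and DB.
    $primary = Invoke-Command -ComputerName $PrimaryComputerName -Credential $Credential -ScriptBlock {
        [pscustomobject]@{
            Role    = (Get-AdfsSyncProperties).Role
            Account = (Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'").StartName
            DbConn  = (Get-CimInstance -Namespace root/ADFS -ClassName SecurityService).ConfigurationDatabaseConnectionString
        }
    }
    Add-Check 'PrimaryRole' ($primary.Role -eq 'PrimaryComputer') "$PrimaryComputerName reports role '$($primary.Role)'"
    if ($GroupServiceAccountIdentifier) {
        Add-Check 'ServiceAccountMatchesFarm' ($primary.Account -eq $GroupServiceAccountIdentifier) `
            "Primary runs adfssrv as '$($primary.Account)'"
    }
    if ($SQLConnectionString) {
        # Compare only the Data Source: the auth clause may legitimately differ per node.
        $want = ($SQLConnectionString -split ';' | Where-Object { $_ -like 'Data Source=*' }) -replace '^Data Source=', ''
        $have = ($primary.DbConn -split ';' | Where-Object { $_ -like 'Data Source=*' }) -replace '^Data Source=', ''
        Add-Check 'SqlDataSourceMatchesFarm' ($want -eq $have) "Primary database Data Source is '$have'"
    }
    return $findings
}

# Usage: any row with Passed = False should be fixed before the AdfsFarmNode resource is applied.
Test-AdfsFarmNodePrerequisite -CertificateThumbprint '933D8ACDD49CEF529EB159504C4095575E3496BB' `
    -PrimaryComputerName 'adfs01.contoso.com' -Credential (Get-Credential) `
    -GroupServiceAccountIdentifier 'contoso\adfsgmsa$' `
    -SQLConnectionString 'Data Source=sql01.contoso.com;Integrated Security=True' | Format-Table
```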
Examples
Example 1
This configuration will add the computer as a node in an existing Active Directory Federation Services (AD FS) server farm using the Windows Internal Database (WID) on the local server computer and whose primary node is installed on a computer named PrimaryWIDHost.
The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates.
The standard user account specified in the ServiceAccountCredential parameter will be used for the service account.
```powershell
Configuration AdfsFarmNode_ServiceAccount_WID_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $ServiceAccountCredential,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        WindowsFeature InstallAdfs
        {
            Name = 'ADFS-Federation'
        }

        AdfsFarmNode SecondWIDHost
        {
            FederationServiceName    = 'fs.corp.contoso.com'
            CertificateThumbprint    = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed'
            ServiceAccountCredential = $ServiceAccountCredential
            Credential               = $DomainAdminCredential
            PrimaryComputerName      = 'PrimaryWIDHost'
        }
    }
}
```
Example 2
This configuration will add the computer as a node in an existing Active Directory Federation Services (AD FS) server farm using the Windows Internal Database (WID) on the local server computer and whose primary node is installed on a computer named PrimaryWIDHost.
The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates.
The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the service account.
```powershell
Configuration AdfsFarmNode_gMSA_WID_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        WindowsFeature InstallAdfs
        {
            Name = 'ADFS-Federation'
        }

        AdfsFarmNode SecondWIDHost
        {
            FederationServiceName         = 'fs.corp.contoso.com'
            CertificateThumbprint         = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed'
            GroupServiceAccountIdentifier = 'contoso\adfsgmsa$'
            Credential                    = $DomainAdminCredential
            PrimaryComputerName           = 'PrimaryWIDHost'
        }
    }
}
```
Example 3
This configuration will add the computer as a node in an existing Active Directory Federation Services (AD FS) server farm that uses a Microsoft SQL Server database on a remote computer named sql01.contoso.com with Windows Authentication, and whose primary node is installed on a computer named adfs01.contoso.com.
The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates.
The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the service account.
```powershell
Configuration AdfsFarmNode_gMSA_SQL_Integrated_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        WindowsFeature InstallAdfs
        {
            Name = 'ADFS-Federation'
        }

        AdfsFarmNode SecondWIDHost
        {
            FederationServiceName         = 'sts.contoso.com'
            CertificateThumbprint         = '933D8ACDD49CEF529EB159504C4095575E3496BB'
            GroupServiceAccountIdentifier = 'contoso\adfsgmsa$'
            SQLConnectionString           = 'Data Source=sql01.contoso.com;Integrated Security=True'
            Credential                    = $DomainAdminCredential
            PrimaryComputerName           = 'adfs01.contoso.com'
        }
    }
}
```
Example 4
This configuration will add the computer as a node in an existing Active Directory Federation Services (AD FS) server farm that uses a Microsoft SQL Server database on a remote computer named sql01.contoso.com with SQL Authentication, and whose primary node is installed on a computer named adfs01.contoso.com.
The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates.
The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the service account.
```powershell
Configuration AdfsFarmNode_gMSA_SQL_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $SqlCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AdfsDsc

    Node localhost
    {
        WindowsFeature InstallAdfs
        {
            Name = 'ADFS-Federation'
        }

        # The SQL login is expanded into a plain string property, so it is written to the
        # compiled MOF in clear text: protect the MOF (and the SQL login) accordingly.
        $SqlUserName = $SqlCredential.UserName
        $SqlPassword = $SqlCredential.GetNetworkCredential().Password

        AdfsFarmNode SecondWIDHost
        {
            FederationServiceName         = 'sts.contoso.com'
            CertificateThumbprint         = '933D8ACDD49CEF529EB159504C4095575E3496BB'
            GroupServiceAccountIdentifier = 'contoso\adfsgmsa$'
            SQLConnectionString           = "Data Source=sql01.contoso.com;User ID=$SqlUserName;Password=$SqlPassword"
            Credential                    = $DomainAdminCredential
            PrimaryComputerName           = 'adfs01.contoso.com'
        }
    }
}
```