
Desired State Configuration for FIM

Craig Martin – FIM MVP

Identity Management | Data Protection | Authentication Strategies

© 2014 Edgile, Inc. – All Rights Reserved

What is DSC?

• [Video] A Practical Overview of Desired State Configuration

• [eBook] PowerShell.org DSC Hub

• [TechNet] Windows PowerShell Desired State Configuration Overview

Get-Help

• Simplifies configuration

• Prevents configuration drift

• Enables continuous deployment

PowerShell Desired State Configuration…

(Architecture diagram: a Configuration Management Platform spanning Development, Test and Production, built from the DSC Engine, PowerShell, 3rd-party CM tools and UI, DSC Resources, 3rd-party adapters, and Logging, Reporting and Protocol components.)

DIY versus DSC

Traditional Scripts (everything below is written into the script itself):

• Intent

• Logging & Error Handling

• Reboot Resiliency

• Technology Specific

• Dependency Resolution

• Repeatable Automation

DSC (the same concerns, split across three layers):

• DSC Engine – Dependency Resolution, Logging & Error Handling, Reboot Resiliency, Repeatable Automation

• Resources – Technology Specific

• Configuration – Intent

DSC Decouples …

• HOW : DSC Resources – "Make It So": do the heavy lifting in an idempotent way

• WHAT : Structural Configuration – Intent: stays the same irrespective of the environment

• WHERE : Environmental Configuration – changes as the system goes from Dev to Test to Prod

Simple DSC Demo

Simple DSC Configuration

```powershell
###
# Define the configuration
###
configuration Foo
{
    node (hostname)
    {
        WindowsFeature XPSViewerFoo
        {
            Ensure = "Present"
            Name   = "XPS-Viewer"
        }
    }
}

###
# Generate the MOF file from the Configuration
###
foo

###
# View the generated MOF
###
psedit .\foo\CraigFimDev626.mof

###
# Process the configuration in the LCM
###
Start-DscConfiguration -Wait -Verbose -Path .\Foo
```
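The demo above hard-codes everything into one configuration. The following added example (not from the deck) shows the WHAT/WHERE split from the "DSC Decouples" slide in working code: one structural configuration compiled against three environmental data sets, followed by the drift check the "Prevents configuration drift" bullet refers to. The node name CraigFimDev626 is the deck's demo host; the other node names, the role name and the registry key are constructed, and the resources used are the in-box WindowsFeature, Service and Registry resources.

```powershell
# WHAT: structural intent. Nothing environment-specific is hard-coded here;
# everything that differs between Dev, Test and Prod is read from $Node.
Configuration FimPrereqs
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # Only nodes whose data says they carry the FimService role get this block.
    Node $AllNodes.Where({ $_.Role -eq 'FimService' }).NodeName
    {
        WindowsFeature WebServer
        {
            Ensure = 'Present'
            Name   = 'Web-Server'
        }

        Service W3SVC
        {
            Name        = 'W3SVC'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[WindowsFeature]WebServer'
        }

        # Environment tag written to the registry; the value comes from the data, not the code.
        Registry FimEnvironmentTag
        {
            Ensure    = 'Present'
            Key       = 'HKLM:\SOFTWARE\Contoso\FIM'   # constructed key for the example
            ValueName = 'Environment'
            ValueData = $Node.Environment
            ValueType = 'String'
        }
    }
}

# WHERE: environmental data. One hashtable per environment; the structure above
# never changes, only these values do. Node names other than the demo host are constructed.
$environments = @{
    Dev  = @{ AllNodes = @( @{ NodeName = 'CraigFimDev626'; Role = 'FimService'; Environment = 'Dev'  } ) }
    Test = @{ AllNodes = @( @{ NodeName = 'FimTest01';      Role = 'FimService'; Environment = 'Test' } ) }
    Prod = @{ AllNodes = @( @{ NodeName = 'FimProd01';      Role = 'FimService'; Environment = 'Prod' } ) }
}

# Compile one MOF per environment into its own folder, e.g. .\Dev\CraigFimDev626.mof.
foreach ($name in $environments.Keys)
{
    FimPrereqs -ConfigurationData $environments[$name] -OutputPath ".\$name" | Out-Null
}

# Apply the Dev document. Each MOF in the folder is pushed to the node it is named
# after, so run this on CraigFimDev626 (or add -ComputerName for a remote node).
Start-DscConfiguration -Path .\Dev -Wait -Verbose

# Test-DscConfiguration returns $true only while every resource is still in the
# desired state; $false is the drift DSC is meant to catch, so re-apply.
if (-not (Test-DscConfiguration))
{
    Write-Warning 'Configuration drift detected; re-applying the Dev document.'
    Start-DscConfiguration -Path .\Dev -Wait -Verbose
}
```

Because the environment is data rather than code, the Prod folder is produced from exactly the same configuration function that was tested in Dev, which is the point of the decoupling slide.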

DSC Waves

Wave 0 – October 25th, 2013

http://blogs.msdn.com/b/powershell/archive/2013/10/25/windows-management-framework-4-0-is-now-available.aspx

• DSC Archive Resource – Unpacks archive (.zip) files at specific paths on target nodes.

• DSC Environment Resource – Manages system environment variables on target nodes.

• DSC File Resource – Manages files and directories on target nodes.

• DSC Group Resource – Manages local groups on target nodes.

• DSC Log Resource – Logs configuration messages.

• DSC Package Resource – Installs and manages packages, such as Windows Installer and setup.exe packages, on target nodes.

• DSC WindowsProcess Resource – Configures Windows processes on target nodes.

• DSC Registry Resource – Manages registry keys and values on target nodes.

• DSC WindowsFeature Resource – Adds or removes Windows features and roles on target nodes.

• DSC Script Resource – Runs Windows PowerShell script blocks on target nodes.

• DSC Service Resource – Manages services on target nodes.

• DSC User Resource – Manages local user accounts on target nodes.

Wave 1 – December 26th, 2013

http://blogs.msdn.com/b/powershell/archive/2013/12/26/holiday-gift-desired-state-configuration-dsc-resource-kit-wave-1.aspx

• xComputer – Name a computer and add it to a domain/workgroup

• xVHD – Create and manage VHDs

• xVMHyperV – Create and manage a Hyper-V Virtual Machine

• xVMSwitch – Create and manage a Hyper-V Virtual Switch

• xDNSServerAddress – Bind a DNS Server address to one or more NICs

• xIPAddress – Configure IP address (v4 and v6)

• xDSCWebService – Configure DSC Service (aka Pull Server)

• xWebsite – Deploy and configure a website on IIS

Wave 2 – February 7th, 2014

http://blogs.msdn.com/b/powershell/archive/2014/02/07/need-more-dsc-resources-announcing-dsc-resource-kit-wave-2.aspx

Resource (Module) – Description

• xADDomain (xActiveDirectory) – Create and manage an Active Directory Domain

• xADDomainController (xActiveDirectory) – Create and manage an AD Domain Controller

• xADUser (xActiveDirectory) – Create and manage an AD User

• xWaitForADDomain (xActiveDirectory) – Pause configuration implementation until the AD Domain is available.

• xSqlServerInstall (xSqlps) – Create and manage a SQL Server Installation.

• xSqlHAService (xSqlps) – Create and manage a SQL High Availability Service.

• xSqlHAEndpoint (xSqlps) – Create and manage the endpoint used to access a SQL High Availability Group.

• xSqlHAGroup (xSqlps) – Create and manage a SQL High Availability Group.

• xWaitForSqlHAGroup (xSqlps) – Pause configuration implementation until a SQL HA Group is available.

• xCluster (xFailOverCluster) – Create and manage a cluster.

• xWaitForCluster (xFailOverCluster) – Pause configuration until a cluster is available. Used for cross-machine synchronization.

• xSmbShare (xSmbShare) – Create and manage an SMB Share.

• xFirewall (xNetworking) – Create and manage Firewall rules

• xVhdFile (xHyper-V) – Manage files to be copied into a VHD.

• xWebsite (xWebAdministration) – Added functionality to xWebsite to support configuration of https websites.

• xVhd (xHyper-V) – Bug fixes

Wave 3 – March 28th, 2014

http://blogs.msdn.com/b/powershell/archive/2014/03/28/dsc-resource-kit-wave-3.aspx

Module – Resource – Description

• xWebAdministration
  • xWebAppPool – Create, remove, start, stop an IIS Application Pool
  • xWebVirtualDirectory – Create or remove a virtual directory
  • xWebApplication – Create or remove a web application
  • xWebConfigKeyValue – Configure the AppSettings section of Web.Config

• xDatabase
  • xDatabase – Create, drop & deploy databases
  • xDBPackage – Backup & restore databases

• xSystemSecurity
  • xUAC – Enable or disable the User Account Control prompt
  • xIEEsc – Enable or disable IE Enhanced Security Configuration

• xRemoteDesktopSessionHost
  • xRDSessionDeployment – Creates and configures a deployment in RDSH.
  • xRDSessionCollection – Creates an RDSH collection.
  • xRDSessionCollectionConfiguration – Configures an RDSH collection.
  • xRDRemoteApp – Publish applications for your RDSH collection

• xPSDesiredStateConfiguration
  • xWindowsProcess – Adds the ability to run as a specific user to the existing WindowsProcess resource
  • xService – Update to the existing Service resource to include create/configure service
  • xRemoteFile – Download files from a URI
  • xPackage – Adds the ability to run as a specific user to the existing resource, includes VS Setup
  • xArchive – Create, update, extract a Zip file
  • xEndpoint – Creates a remoting endpoint

Updates: xDscResourceDesigner, xComputer, xVMHyperV, xDNSServerAddress – Feature additions and bug fixes

Wave 4 – June 6th, 2014

http://blogs.msdn.com/b/powershell/archive/2014/06/06/dsc-resource-kit-wave-4-is-live.aspx

Module – Resource(s) – Description

• xAzure
  • xAzureAffinityGroup – Defines the relationship between compute and storage
  • xAzureQuickVM – Simple resource for creating VMs with limited options
  • xAzureService – Creates a cloud service for the VMs
  • xAzureStorageAccount – Creates the online storage account where the blobs for the test environment will reside
  • xAzureSubscription – Sets the current Azure subscription context
  • xAzureVM – Creates a virtual machine in Azure including access to VM Guest extensions

• xJEA
  • xJeaEndPoint – Allows creation of PowerShell JEA Endpoints that leverage one or more JEA Toolkits and properties of the endpoints including access control
  • xJeaToolKit – Allows creation of a JEA Toolkit that defines which applications, scripts, and commands should be available within a PowerShell constrained endpoint configuration

• xDnsServer
  • xDnsServerSecondaryZone – Allows setting a Secondary zone on a given DNS server. Secondary zones allow client machines in the primary DNS zone to do DNS resolution of machines in the secondary DNS zone.
  • xDnsServerZoneTransfer – Allows DNS Server zone data to be replicated to another DNS server.

• xDhcpServer
  • xDhcpServerScope – Sets a scope for a consecutive range of possible IP addresses that the DHCP server can lease to clients on a subnet.
  • xDhcpServerReservation – Sets lease assignments used to ensure that a specified client on a subnet can always use the same IP address
  • xDhcpServerOption – Supports setting DNS domain and DNS Server IP Address options at a DHCP server scope level.

• xWinEventLog
  • xWinEventLog – Adds support for configuring Windows Event Logs.

• xActiveDirectory (updated)
  • xADDomainTrust – Used to establish a cross-domain trust

Updates: xPSDesiredStateConfiguration, xDscResourceDesigner, xDscDiagnostics – Feature additions and bug fixes

Wave 5 – July 17th, 2014

http://blogs.msdn.com/b/powershell/archive/2014/07/17/powershell-dsc-resource-kit-wave-5-arrives.aspx

Module – Resource(s) – Description

• xWordPress
  • xIisWordPressSite – This DSC Composite Configuration allows you to configure an IIS site to run WordPress and set the contents of the WordPress configuration file.
  • xWordPressSite – This DSC Resource allows you to configure a WordPress Site

• xPhp
  • xPhp – This DSC Resource allows you to set up PHP in IIS. This is used in the xWordPress examples.

• xMySql
  • xMySqlServer – This DSC Resource allows you to configure a MySQL server
  • xMySqlDatabase – This DSC Resource allows you to configure a MySql Database.
  • xMySqlUser – This DSC Resource allows you to configure a MySql User.
  • xMySqlGrant – This DSC Resource allows you to configure a MySql Grant (permissions).
  • xMySqlProvision – This DSC Resource allows you to configure a MySql Server, with a database, and a user, and grant to that database for that user.

• xPsDesiredStateConfiguration
  • xWindowsOptionalFeature – This resource allows configuring Windows Optional Features for Windows client SKUs

• xWebAdministration
  • xIisModule – This enables registration of modules (such as FastCgiModules) with IIS

• xWindowsUpdate
  • xHotfix – Handles installation of a Windows update (or a hotfix) from a given path (file path or a URI)

Updates: xSqlPs, xDscResourceDesigner, xDhcpServer, xAzure – Minor updates & bug fixes have been made for these.

Wave 6 – August 20th, 2014

http://blogs.msdn.com/b/powershell/archive/2014/08/20/dsc-resource-kit-wave-6-is-here.aspx

Module – Resource(s) – Description

• xSafeHarbor – (none) – This is a sample configuration demonstrating how to set up a secure environment to run a particular application or service. Note: some updates & bug fixes have been made since the original release.

• xAzure
  • xAzureSqlDatabaseServerFirewallRule – Configures Azure SQL Database Server Firewall Rules.

• xRemoteDesktopAdmin
  • xRemoteDesktopAdmin – This resource configures Remote Desktop settings and configures the Windows firewall to support Remote Desktop

• xPsDesiredStateConfiguration
  • xGroup – Extends the in-box Group resource with support for cross-domain account lookup and UPN-formatted names used for identifying users, computers, and group domain-based accounts.

• xChrome
  • xChrome – Deploys the Chrome browser

• xFirefox
  • xFirefox – Deploys the Firefox browser

Updates: xAzureSqlDatabase, xPsDesiredStateConfiguration, xWaitForAdDomain, xSqlServerInstall, xFirewall – Bug fixes have been made to improve each of these items. Please see the individual topics for details.

Wave 7 – September 26th, 2014

http://blogs.msdn.com/b/powershell/archive/2014/09/26/continuing-the-dsc-resource-kit-additions-wave-7-is-live.aspx

Module – Resource(s) – Description

• xAdcsDeployment
  • xAdcsCertificationAuthority, xAdcsWebEnrollment – The purpose of these resources is to install and configure the Certificate Authority role and the Certificate Services Web Enrollment on a Windows Server following installation of the component using the WindowsFeature resource.

• xCredSSP
  • xCredSSP – The xCredSSP module enables or disables Credential Security Support Provider (CredSSP) authentication, and supports configuring the server and client roles, plus which server or servers the client credentials can be delegated to.

• xPendingReboot
  • xPendingReboot – xPendingReboot examines three specific registry locations where a Windows Server might indicate that a reboot is pending and allows DSC to predictably handle the condition.

Updates: xRemoteDesktopAdmin – Bug fixes have been made to improve each of these items. Please see the individual topics for details.

DSC Resources

(Summary slide listing every resource named in the waves above.)

• In-box: File, Group, Registry, Service, User, Package, WindowsFeature, WindowsProcess, Environment, Archive, Log, Script

• Wave 1: xWebsite, xComputer, xIPAddress, xDNSServerAddress, xDSCWebService, xVHD, xVMHyperV, xVMSwitch

• Wave 2: xVhdFile, xADDomain, xADUser, xADDomainController, xWaitForADDomain, xSqlServerInstall, xSqlHAService, xSqlHAEndpoint, xSqlHAGroup, xWaitForSqlHAGroup, xCluster, xWaitForCluster, xSmbShare, xFirewall

• Wave 3: xWebVirtualDirectory, xWebApplication, xWebConfigKeyValue, xUAC, xIEEsc, xWindowsProcess, xService, xRemoteFile, xPackage, xCompress, xEndpoint, xRDRemoteApp, xRDSessionDeployment, xRDSessionCollection, xRDSessionCollectionConfiguration, xDatabase, xDBPackage, xWebAppPool

• Wave 4: xAzureAffinityGroup, xAzureQuickVM, xAzureVM, xAzureStorageAccount, xAzureSubscription, xAzureService, xJeaEndPoint, xJeaToolKit, xDnsServerSecondaryZone, xDnsServerZoneTransfer, xDhcpServerScope, xDhcpServerReservation, xDhcpServerOption, xWinEventLog, xADDomainTrust, xFileUpload

• Wave 5: xIISWordPress, xWordPressSite, xPhp, xMySqlServer, xMySqlDatabase, xMySqlUser, xMySqlGrant, xMySqlProvision, xWindowsOptionalFeature, xHotfix, xIISModule

Custom DSC Resources

Building a Custom DSC Resource

```powershell
Function Get-TargetResource
{
    # TODO: Add parameters here
    # Make sure to use the same parameters for
    # Get-TargetResource, Set-TargetResource, and Test-TargetResource
    param
    (
    )
}

Function Set-TargetResource
{
    # TODO: Add parameters here
    # Make sure to use the same parameters for
    # Get-TargetResource, Set-TargetResource, and Test-TargetResource
    param
    (
    )
}

Function Test-TargetResource
{
    # TODO: Add parameters here
    # Make sure to use the same parameters for
    # Get-TargetResource, Set-TargetResource, and Test-TargetResource
    param
    (
    )
}
```
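The skeleton above leaves out what the three functions have to promise each other. The following added example (not from the deck or from FimPowerShellModule) fills the skeleton in for one complete resource so the contract is visible: Get reads and never changes anything, Test returns a single boolean, and Set is idempotent, so the LCM can call it repeatedly without harm. The resource name cRegistryValue, the module name cExample and the sample key are constructed for this example; the cmdlets used are the standard registry-provider cmdlets.

```powershell
# Module layout assumed for this example (DSC discovers resources by this structure):
#   $env:ProgramFiles\WindowsPowerShell\Modules\cExample\cExample.psd1
#   $env:ProgramFiles\WindowsPowerShell\Modules\cExample\DSCResources\cRegistryValue\cRegistryValue.psm1   (this file)
#   $env:ProgramFiles\WindowsPowerShell\Modules\cExample\DSCResources\cRegistryValue\cRegistryValue.schema.mof
#
# The schema MOF declares the same parameters as the three functions below:
#
#   [ClassVersion("1.0.0"), FriendlyName("cRegistryValue")]
#   class cRegistryValue : OMI_BaseResource
#   {
#       [Key]   string Key;
#       [Key]   string ValueName;
#       [Write] string ValueData;
#       [Write, ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
#   };

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([hashtable])]
    param
    (
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $ValueName,
        [string] $ValueData,
        [ValidateSet('Present', 'Absent')] [string] $Ensure = 'Present'
    )

    # Read-only: report the current state. SilentlyContinue covers both a missing key
    # and a missing value, which are the same thing from the resource's point of view.
    $current = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue

    if ($null -eq $current)
    {
        return @{ Key = $Key; ValueName = $ValueName; ValueData = $null; Ensure = 'Absent' }
    }
    return @{ Key = $Key; ValueName = $ValueName; ValueData = [string]$current.$ValueName; Ensure = 'Present' }
}

function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([bool])]
    param
    (
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $ValueName,
        [string] $ValueData,
        [ValidateSet('Present', 'Absent')] [string] $Ensure = 'Present'
    )

    # Compare desired to actual; $true means "nothing to do", so the LCM skips Set.
    $actual = Get-TargetResource @PSBoundParameters

    if ($Ensure -eq 'Absent')
    {
        return ($actual.Ensure -eq 'Absent')
    }
    return ($actual.Ensure -eq 'Present') -and ($actual.ValueData -eq $ValueData)
}

function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $ValueName,
        [string] $ValueData,
        [ValidateSet('Present', 'Absent')] [string] $Ensure = 'Present'
    )

    if ($Ensure -eq 'Absent')
    {
        # Removing something that is already gone is a no-op, which keeps Set idempotent.
        if (Test-Path -Path $Key)
        {
            Remove-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
        }
        return
    }

    # Create the key if needed, then write the value. -Force overwrites an existing
    # value, so running Set twice converges on the same state instead of failing.
    if (-not (Test-Path -Path $Key))
    {
        New-Item -Path $Key -Force | Out-Null
    }
    New-ItemProperty -Path $Key -Name $ValueName -Value $ValueData -PropertyType String -Force | Out-Null
}

Export-ModuleMember -Function *-TargetResource
```

Used from a configuration the resource reads like the in-box ones: `cRegistryValue Tag { Key = 'HKLM:\SOFTWARE\Contoso\FIM'; ValueName = 'Environment'; ValueData = 'Dev'; Ensure = 'Present' }` after `Import-DscResource -ModuleName cExample`. The FIM resources on the later slides (cFimSet, cFimManagementPolicyRule and the rest) follow exactly this Get/Test/Set contract against the FIM Service instead of the registry.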

Configuration Migration for FIM

Prescribed Approach - TechNet

• Configure a FIM server until it is good enough

• Copy that configuration to other servers

Config Migration Script

```powershell
### Export the FIM configuration from both servers
$policy1 = Export-FIMConfig -policyConfig -portalConfig -schemaConfig -Uri http://server1:5725
$policy2 = Export-FIMConfig -policyConfig -portalConfig -schemaConfig -Uri http://server2:5725

### Set some Join Rules
$joinrules = @{
    Person                           = "MailNickname DisplayName"
    Group                            = "DisplayName"
    ObjectTypeDescription            = "Name"
    AttributeTypeDescription         = "Name"
    BindingDescription               = "BoundObjectType BoundAttributeType"
    ConstantSpecifier                = "BoundObjectType BoundAttributeType ConstantValueKey"
    SearchScopeConfiguration         = "DisplayName SearchScopeResultObjectType Order"
    ObjectVisualizationConfiguration = "DisplayName AppliesToCreate AppliesToEdit AppliesToView"
}

### Do the joining
# ($matches is an automatic variable in PowerShell, so the result is kept in a different name)
$joined = Join-FIMConfig -source $policy1 -target $policy2 -join $joinrules -defaultJoin DisplayName

### Produce the diff
$diff = $joined | Compare-FIMConfig

### Import the diff to FIM
$undoneImports = $diff | Import-FimConfig -Uri http://server2:5725

### Didn't work? Yeah, do it again
$undoneImports | Import-FimConfig -Uri http://server2:5725
```

Good, Bad, Ugly

• Good
  • FIM ships with PowerShell commands
  • Very good coverage of the FIM Service

• Bad
  • Configuration migration is a flawed approach
  • No tie back to source control

• Ugly
  • People don't understand the tools, and very often just hack the XML files

Prescribed Approach - Craig

• Automation is done with imperative scripts

• Write scripts to load the configuration into FIM

• Use source control to manage those scripts

Imperative Configuration Script

```powershell
# $environment and $scriptPath are not shown on the slide; they are assumed to be
# supplied by the script's own parameter block and location, as below.
param
(
    [Parameter(Mandatory)] [string] $environment
)
$scriptPath = Split-Path -Parent $MyInvocation.MyCommand.Path

### Check starting state - Halt script if trouble found with the preliminaries
Write-Verbose "Checking for FIM."
try
{
    Get-Service fimservice -ErrorAction stop | Out-Null
}
catch
{
    Write-Warning "FIM not found. Please run this script from the FIM server, duh."
    exit
}

Write-Verbose "Checking target environment."
if (!$(Test-Path("$scriptPath\Config$environment.xml")))
{
    Write-Warning "Config values not found for environment '$environment'. Please try again, harder next time."
    exit
}

### Create the Set: 'FIM UG: Presenters'
New-FimSet -DisplayName "FIM UG: Presenters" -Filter "/Person[Slacker = False]"

### Create the Set: 'FIM UG: Organizers'
New-FimSet -DisplayName "FIM UG: Organizers" -Filter "/Person[CommunityHero = True]"

### Create the Set: 'FIM UG: Participants'
New-FimSet -DisplayName "FIM UG: Participants" -Filter "/Person[ScarTisue = True]"
```

Good, Bad, Ugly

• Good
  • FIM ships with PowerShell commands
  • Fine-grained configuration
  • Easy to track with source control

• Bad
  • Only good for the first configuration deployment (no patches)

• Ugly
  • Need to write a lot of script (okay, that's actually a good thing, just not good for the project)

The Desired Approach

• Use PowerShell Desired State Configuration to deploy and manage FIM configuration

• Use custom DSC resources for the FIM Service and FIM Synchronization Service

• Generate a DSC configuration document for FIM Service and FIM Synchronization Service

• Manage the configuration documents in source control

Desired State Configuration for FIM

```powershell
Configuration FimServiceConfiguration
{
    Import-DscResource -ModuleName FimPowerShellModule

    Node MyFimServer
    {
        cFimPerson GreatPerson
        {
            AccountName = 'GreatPerson'
            DisplayName = 'Great Person'
            Domain      = 'Redmond'
            FirstName   = 'Craig'
            Manager     = 'GreatManager'
            ObjectSID   = (Get-ObjectSid GreatPerson)
            Ensure      = 'Present'
        }

        cFimManagementPolicyRule GreatMpr
        {
            ActionParameter                  = '*'
            ActionType                       = 'Modify'
            Description                      = 'initial description'
            Disabled                         = $false
            DisplayName                      = 'Great Mpr'
            GrantRight                       = $true
            PrincipalSet                     = 'All People'
            ResourceCurrentSet               = 'All People'
            ResourceFinalSet                 = 'All Great People'
            ManagementPolicyRuleType         = 'Request'
            AuthenticationWorkflowDefinition = 'Call Me Maybe? AuthN Workflow'
            AuthorizationWorkflowDefinition  = 'Manager Approval AuthZ Workflow'
            ActionWorkflowDefinition         = 'Some Great Reward Action Workflow'
            Ensure                           = 'Present'
        }
    }
}
```

DSC Resource for FIM Service

Module: FimPowerShellModule

Resources: cFimActivityInformationConfiguration, cFimAttributeTypeDescription, cFimBindingDescription, cFimEmailTemplate, cFimFilterScope, cFimGroup, cFimHomePageConfiguration, cFimManagementPolicyRule, cFimmsidmSystemConfiguration, cFimNavigationBarConfiguration, cFimObjectTypeDescription, cFimObjectVisualizationConfiguration, cFimPerson, cFimPortalUIConfiguration, cFimResource, cFimSearchScopeConfiguration, cFimSet, cFimSynchronizationFilter, cFimSystemResourceRetentionConfiguration, cFimWorkflowDefinition

Description: The purpose of these resources is to configure the FIM Service.

DSC Resource for FIM Sync

Module: FimSyncPowerShellModule

Resources: cFimSyncFilterRule, cFimSyncImportAttributeFlowRule, cFimSyncJoinRule, cFimSyncMADeprovisioningOptions, cFimSyncMAExtension, cFimSyncManagementAgent, cFimSyncMAPartitionData, cFimSyncMAPrivateConfiguration, cFimSyncMVAttributeType, cFimSyncMVDeletionRule, cFimSyncMVExtension, cFimSyncMVObjectType, cFimSyncMVProvisioningRule, cFimSyncProjectionRule, cFimSyncRunProfile

Description: The purpose of these resources is to configure the FIM Synchronization Service.

Sample FIM Configuration in DSC

```powershell
configuration DemoFimServiceConfiguration
{
    Import-DscResource -ModuleName FimPowerShellModule

    node (hostname)
    {
        cFimManagementPolicyRule GreatManagementPolicyRule {…}

        cFimSet AllGreatPeople {…}

        cFimWorkflowDefinition SomeGreatRewardActionWorkflow {…}
    }
}
```

Sample MPR

```powershell
cFimManagementPolicyRule GreatManagementPolicyRule
{
    ActionParameter          = '*'
    ActionType               = 'TransitionIn'
    ActionWorkflowDefinition = 'Some Great Reward Action Workflow'
    Description              = 'initial description'
    Disabled                 = $false
    DisplayName              = 'Great Management Policy Rule'
    GrantRight               = $false
    ResourceFinalSet         = 'All Great People'
    ManagementPolicyRuleType = 'SetTransition'
    Ensure                   = 'Present'
    Credential               = $fimAdminCredential
    DependsOn                = '[cFimWorkflowDefinition]SomeGreatRewardActionWorkflow',
                               '[cFimSet]AllGreatPeople'
}
```

Sample Set

```powershell
cFimSet AllGreatPeople
{
    DisplayName = 'All Great People'
    Filter      = @'
<Filter xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect">/Person[LastName='Great']</Filter>
'@
    Ensure      = 'Present'
    Credential  = $fimAdminCredential
}
```

Sample WorkflowDefinition

```powershell
cFimWorkflowDefinition SomeGreatRewardActionWorkflow
{
    DisplayName  = 'Some Great Reward Action Workflow'
    RequestPhase = 'Action'
    XOML         = @'
<ns0:SequentialWorkflow ActorId="00000000-0000-0000-0000-000000000000" RequestId="00000000-0000-0000-0000-000000000000" x:Name="SequentialWorkflow" TargetId="00000000-0000-0000-0000-000000000000" WorkflowDefinitionId="00000000-0000-0000-0000-000000000000" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:ns0="…">
  <ns0:EmailNotificationActivity x:Name="authenticationGateActivity1" To="[//Target];" CC="{x:Null}" EmailTemplate="{ObjectType:"EmailTemplate",AttributeName:"DisplayName",AttributeValue:"Some Great Rewarding Email Template"}" SuppressException="False" Bcc="{x:Null}" />
</ns0:SequentialWorkflow>
'@
    Ensure       = 'Present'
    Credential   = $fimAdminCredential
    DependsOn    = '[cFimEmailTemplate]SomeGreatRewardingEmailTemplate'
}
```

Sample EmailTemplate

```powershell
cFimEmailTemplate SomeGreatRewardingEmailTemplate
{
    DisplayName       = 'Some Great Rewarding Email Template'
    EmailBody         = 'Some Great Reward will be coming my way'
    EmailSubject      = 'Some Great Reward'
    EmailTemplateType = 'Notification'
    Ensure            = 'Present'
    Credential        = $fimAdminCredential
}
```
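Every sample above passes `Credential = $fimAdminCredential`, and that credential ends up inside the compiled MOF. The following added example (not from the deck or from FimPowerShellModule) shows how that document is produced with the FIM administrator password encrypted to the target node's certificate, next to the weak setting that lets it be written in clear text. It reuses the deck's cFimEmailTemplate and cFimSet resources with the parameter names the deck shows; the node name, certificate path and thumbprint are constructed placeholders.

```powershell
Configuration DemoFimServiceConfiguration
{
    param
    (
        [Parameter(Mandatory)]
        [PSCredential] $FimAdminCredential
    )

    Import-DscResource -ModuleName FimPowerShellModule

    Node $AllNodes.NodeName
    {
        cFimEmailTemplate SomeGreatRewardingEmailTemplate
        {
            DisplayName       = 'Some Great Rewarding Email Template'
            EmailBody         = 'Some Great Reward will be coming my way'
            EmailSubject      = 'Some Great Reward'
            EmailTemplateType = 'Notification'
            Ensure            = 'Present'
            Credential        = $FimAdminCredential
        }

        cFimSet AllGreatPeople
        {
            DisplayName = 'All Great People'
            Filter      = @'
<Filter xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect">/Person[LastName='Great']</Filter>
'@
            Ensure      = 'Present'
            Credential  = $FimAdminCredential
        }
    }
}

# WEAK: the compiler accepts this only because the node data opts in to plain text.
# The resulting MOF, on disk and in transit to the LCM, carries the FIM admin password unprotected.
$weakData = @{
    AllNodes = @(
        @{ NodeName = 'FimProd01'; PSDscAllowPlainTextPassword = $true }   # constructed node name
    )
}

# CORRECTED: encrypt credentials to the target node's DSC certificate. CertificateFile is the
# exported public key of that certificate; Thumbprint must match the CertificateID set on the
# node's LCM (Set-DscLocalConfigurationManager), where the private key lives.
$secureData = @{
    AllNodes = @(
        @{
            NodeName        = 'FimProd01'                                # constructed node name
            CertificateFile = 'C:\DscPublicKeys\FimProd01.cer'            # placeholder path
            Thumbprint      = '0000000000000000000000000000000000000000'  # placeholder thumbprint
        }
    )
}

$cred = Get-Credential -Message 'FIM Service administrator'
DemoFimServiceConfiguration -ConfigurationData $secureData -FimAdminCredential $cred -OutputPath .\FimProd

# Check before the document leaves the build machine: a correctly encrypted MOF does not
# contain the password string, so this search should return nothing. Compile with $weakData
# instead and the same search finds it.
Select-String -Path .\FimProd\FimProd01.mof -Pattern $cred.GetNetworkCredential().Password -SimpleMatch
```

The configuration itself is unchanged between the two data sets; only the node data decides whether the MOF that goes into source control and onto the pull server holds the FIM administrator password in a recoverable form.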

FIM DSC Demo

FIM Configuration Management

• Configuration Generation

• Configuration Deployment

• Configuration Updates

• Configuration Enforcement

Driving Alignment Between Business and Security