DSCResources/MSFT_AdfsFarm/en-US/about_AdfsFarm.help.txt
|
.NAME
AdfsFarm .DESCRIPTION The AdfsFarm DSC resource manages the installation of an Active Directory Federation Services server farm, and the primary node of the farm. To further manage the configuration of ADFS, the ADFSProperties DSC resource should be used. Note: removal of the ADFS server farm using this resource is not supported. Remove the Adfs-Federation role from the server instead. .PARAMETER FederationServiceName Key - String Specifies the DNS name of the federation service. This value must match the subject name of the specified certificate. .PARAMETER CertificateThumbprint Required - String Specifies the thumbprint of the certificate to use for HTTPS bindings and service communication for ADFS. This value should match the thumbprint of a valid certificate in the Local Computer certificate store. .PARAMETER Credential Required - String Specifies a PSCredential object that must have domain administrator privileges. .PARAMETER FederationServiceDisplayName Write - String Specifies the display name of the Federation Service. .PARAMETER GroupServiceAccountIdentifier Write - String Specifies the Group Managed Service Account under which the Active Directory Federation Services (AD FS) service runs. .PARAMETER OverwriteConfiguration Write - Boolean This parameter must be used to remove an existing Active Directory Federation Services (AD FS) configuration database and overwrite it with a new database. .PARAMETER ServiceAccountCredential Write - String Specifies the Active Directory account under which the AD FS service runs in the form: <domain name>\\<user name>. .PARAMETER SQLConnectionString Write - String Specifies the SQL Server database that will store the AD FS configuration settings. If not specified, the AD FS installer uses the Windows Internal Database to store configuration settings. .PARAMETER AdminConfiguration Write - HashTable Specifies the Admin Configuration .PARAMETER Ensure Read - String The state of the ADFS Farm. .EXAMPLE 1 This configuration will create the first node in an Active Directory Federation Services (AD FS) server farm using the Windows Internal Database (WID) on the local server computer. The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates. The standard user account specified in the ServiceAccountCredential parameter will be used for the service account. Configuration AdfsFarm_ServiceAccount-WID_Config { Param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $ServiceAccountCredential, [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $DomainAdminCredential ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName AdfsDsc Node localhost { WindowsFeature InstallAdfs { Name = 'ADFS-Federation' } AdfsFarm Contoso { FederationServiceName = 'fs.corp.contoso.com' FederationServiceDisplayName = 'Contoso ADFS Service' CertificateThumbprint = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed' ServiceAccountCredential = $ServiceAccountCredential Credential = $DomainAdminCredential } } } .EXAMPLE 2 This configuration will create the first node in an Active Directory Federation Services (AD FS) server farm using the Windows Internal Database (WID) on the local server computer. The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates. The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the service account. Configuration AdfsFarm_gMSA-WID_Config { Param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $DomainAdminCredential ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName AdfsDsc Node localhost { WindowsFeature InstallAdfs { Name = 'ADFS-Federation' } AdfsFarm Contoso { FederationServiceName = 'fs.corp.contoso.com' FederationServiceDisplayName = 'Contoso ADFS Service' CertificateThumbprint = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed' GroupServiceAccountIdentifier = 'contoso\adfsgmsa$' Credential = $DomainAdminCredential } } } .EXAMPLE 3 This configuration will create the first node in an Active Directory Federation Services (AD FS) server farm using a Microsoft SQL Server database on a remote computer named sql01.contoso.com using Windows Authentication. The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates. The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the service account. Configuration AdfsFarm_gMSA_SQL_Integrated_Config { Param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $DomainAdminCredential ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName AdfsDsc Node localhost { WindowsFeature InstallAdfs { Name = 'ADFS-Federation' } AdfsFarm Contoso { FederationServiceName = 'fs.corp.contoso.com' FederationServiceDisplayName = 'Contoso ADFS Service' CertificateThumbprint = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed' GroupServiceAccountIdentifier = 'contoso\adfsgmsa$' SQLConnectionString = 'Data Source=sql01.contoso.com;Integrated Security=True' Credential = $DomainAdminCredential } } } .EXAMPLE 4 This configuration will create the first node in an Active Directory Federation Services (AD FS) server farm using a Microsoft SQL Server database on a remote computer named sql01.contoso.com using SQL Authentication. The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates. The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the service account. Configuration AdfsFarm_gMSA_SQL_Config { Param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $DomainAdminCredential, [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $SqlCredential ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName AdfsDsc Node localhost { WindowsFeature InstallAdfs { Name = 'ADFS-Federation' } $SqlUserName = $SqlCredential.UserName $SqlPassword = $SqlCredential.GetNetworkCredential().Password AdfsFarm Contoso { FederationServiceName = 'fs.corp.contoso.com' FederationServiceDisplayName = 'Contoso ADFS Service' CertificateThumbprint = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed' GroupServiceAccountIdentifier = 'contoso\adfsgmsa$' SQLConnectionString = "Data Source=sql01.contoso.com;User ID=$SqlUserName;Password=$SqlPassword" Credential = $DomainAdminCredential } } } .EXAMPLE 5 This configuration will create the first node in an Active Directory Federation Services (AD FS) server farm using a Microsoft SQL Server database on a remote computer named sql01.contoso.com using Windows Authentication. The certificate with the specified thumbprint will be used as the SSL certificate and the service communications certificate. Automatically generated, self-signed certificates will be used for the token signing and token decryption certificates. The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the service account. The AdminConfiguration parameter will be used to pass the CN of a pre-configured ADFS Active Directory configuration object, removing the requirement of needing Domain Admin credentials for the ADFS Farm install. See https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-ad-fs-delegated-admin for further details. Configuration AdfsFarm_gMSA_SQL_Integrated_Delegated_Admin_Config { Param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $LocalAdminCredential ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName AdfsDsc Node localhost { WindowsFeature InstallAdfs { Name = 'ADFS-Federation' } AdfsFarm Contoso { FederationServiceName = 'fs.corp.contoso.com' FederationServiceDisplayName = 'Contoso ADFS Service' CertificateThumbprint = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed' GroupServiceAccountIdentifier = 'contoso\adfsgmsa$' SQLConnectionString = 'Data Source=sql01.contoso.com;Integrated Security=True' Credential = $LocalAdminCredential AdminConfiguration = @( @{ DKMContainerDn = 'CN=9530440c-bc84-4fe6-a3f9-8d60162a7bcf,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com' } ) } } } |