DSCResources/MSFT_AdfsFarmNode/en-US/about_AdfsFarmNode.help.txt

.NAME
    AdfsFarmNode
 
.DESCRIPTION
    The AdfsFarmNode DSC resource manages an additional node in a pre-existing Active Directory
    Federation Service server farm.
 
    ## Requirements
 
    - The `SQLConnectionString` parameter should be the same as was specified for the ADFS Farm.
    - The `ServiceAccountCredential` or `GroupServiceAccountIdentifier` should be the same as was
    specified for the ADFS farm.
 
.PARAMETER FederationServiceName
    Key - String
    Specifies the DNS name of the federation service.
 
.PARAMETER CertificateThumbprint
    Required - String
    Specifies the value of the certificate thumbprint of the certificate that should be used in the SSL binding of the Default Web Site in IIS. This value should match the thumbprint of a valid certificate in the Local Computer certificate store.
 
.PARAMETER Credential
    Required - String
    Specifies a PSCredential object that must have domain administrator privileges.
 
.PARAMETER GroupServiceAccountIdentifier
    Write - String
    Specifies the Group Managed Service Account under which the Active Directory Federation Services (AD FS) service runs.
 
.PARAMETER OverwriteConfiguration
    Write - Boolean
    This parameter must be used to remove an existing AD FS configuration database and overwrite it with a new database.
 
.PARAMETER PrimaryComputerName
    Write - String
    Specifies the name of the primary in a farm. The cmdlet adds the computer to the farm that has the primary that you specify.
 
.PARAMETER PrimaryComputerPort
    Write - Sint32
    Specifies the primary computer port. The computer uses the HTTP port that you specify to connect with the primary computer in order to synchronize configuration settings. Specify a value of 80 for this parameter, or specify an alternate value if the HTTP port on the primary computer is not 80. If this parameter is not specified, a default port value of 80 is assumed.
 
.PARAMETER ServiceAccountCredential
    Write - String
    Specifies the Active Directory account under which the AD FS service runs. All nodes in the farm must use the same service account.
 
.PARAMETER SQLConnectionString
    Write - String
    Specifies the SQL Server database that will store the AD FS configuration settings. If not specified, AD FS uses Windows Internal Database to store configuration settings.
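The parameter descriptions above name three things that must be true before the resource can join a node: the certificate must be a usable one in the Local Computer store, the primary must be reachable on PrimaryComputerPort, and the service identity must match the farm. The following pre-flight function checks those conditions from the prospective node. It is an added example written for this page, not code from the AdfsDsc module. It assumes Windows Server with the ServerManager tools available, that CIM over WinRM to the primary is permitted for the account running it, and that the ExpectedServiceAccount value (for example 'contoso\adfsgmsa$', taken from the examples on this page) is the identity the existing farm already uses.

```powershell
# Added pre-flight check for a prospective AdfsFarmNode host (example code, not part
# of AdfsDsc). Assumes ServerManager cmdlets locally and CIM/WinRM access to the primary.
function Test-AdfsFarmNodePrerequisites
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $FederationServiceName,

        [Parameter(Mandatory = $true)]
        [string]
        $CertificateThumbprint,

        [Parameter(Mandatory = $true)]
        [string]
        $PrimaryComputerName,

        [int]
        $PrimaryComputerPort = 80,

        # Identity the farm already runs under, e.g. 'contoso\adfsgmsa$' (assumed value)
        [string]
        $ExpectedServiceAccount
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # The examples install ADFS-Federation first; the resource cannot join without it.
    $feature = Get-WindowsFeature -Name 'ADFS-Federation'
    if (-not $feature.Installed)
    {
        $findings.Add('Windows feature ADFS-Federation is not installed.')
    }

    # CertificateThumbprint must name a usable certificate in the Local Computer store.
    # -eq is case-insensitive, so a lower-case thumbprint still matches the store entry.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $CertificateThumbprint }

    if (-not $cert)
    {
        $findings.Add("No certificate with thumbprint $CertificateThumbprint in Cert:\LocalMachine\My.")
    }
    else
    {
        if (-not $cert.HasPrivateKey)
        {
            $findings.Add('Certificate has no private key; it cannot serve the SSL binding.')
        }

        $now = Get-Date
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now)
        {
            $findings.Add("Certificate is outside its validity period (NotAfter $($cert.NotAfter)).")
        }

        # DnsNameList is the SAN list PowerShell exposes on X509Certificate2; a wildcard
        # entry such as *.corp.contoso.com also covers fs.corp.contoso.com via -like.
        $covered = @($cert.DnsNameList.Unicode) |
            Where-Object { $FederationServiceName -like $_ }
        if (-not $covered)
        {
            $findings.Add("Certificate does not cover the federation service name $FederationServiceName.")
        }
    }

    # The node pulls configuration from the primary over PrimaryComputerPort (HTTP, default 80).
    $tcp = Test-NetConnection -ComputerName $PrimaryComputerName -Port $PrimaryComputerPort -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded)
    {
        $findings.Add("Cannot reach $PrimaryComputerName on TCP port $PrimaryComputerPort.")
    }

    # All nodes must run the AD FS service under the same identity as the farm, so read
    # the identity the primary's adfssrv service actually uses and compare it.
    if ($ExpectedServiceAccount)
    {
        $primarySvc = Get-CimInstance -ComputerName $PrimaryComputerName -ClassName Win32_Service -Filter "Name='adfssrv'" -ErrorAction SilentlyContinue
        if (-not $primarySvc)
        {
            $findings.Add("Could not query the adfssrv service on $PrimaryComputerName.")
        }
        elseif ($primarySvc.StartName -ne $ExpectedServiceAccount)
        {
            $findings.Add("Primary runs adfssrv as '$($primarySvc.StartName)', not '$ExpectedServiceAccount'.")
        }
    }

    [PSCustomObject]@{
        Ready    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage with the values from the examples on this page:
# Test-AdfsFarmNodePrerequisites -FederationServiceName 'fs.corp.contoso.com' `
#     -CertificateThumbprint '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed' `
#     -PrimaryComputerName 'PrimaryWIDHost' -ExpectedServiceAccount 'contoso\adfsgmsa$'
```

Run it before compiling the configuration; a Ready value of $false with the Findings list tells you which parameter value to correct rather than leaving the failure to surface inside Add-AdfsFarmNode.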
 
.EXAMPLE 1
 
This configuration will add the computer as a node in an existing Active Directory Federation Services (AD FS)
server farm using the Windows Internal Database (WID) on the local server computer and whose primary node is
installed on a computer named PrimaryWIDHost.
 
The certificate with the specified thumbprint will be used as the SSL certificate and the service
communications certificate. Automatically generated, self-signed certificates will be used for the token
signing and token decryption certificates.
 
The standard user account specified in the ServiceAccountCredential parameter will be used for the service
account.
 
Configuration AdfsFarmNode_ServiceAccount-WID_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $ServiceAccountCredential,
 
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential
    )
 
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AdfsDsc
 
    Node localhost
    {
        WindowsFeature InstallAdfs
        {
            Name = 'ADFS-Federation'
        }
 
        AdfsFarmNode SecondWIDHost
        {
            FederationServiceName = 'fs.corp.contoso.com'
            CertificateThumbprint = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed'
            ServiceAccountCredential = $ServiceAccountCredential
            Credential = $DomainAdminCredential
            PrimaryComputerName = 'PrimaryWIDHost'
        }
    }
}
 
.EXAMPLE 2
 
This configuration will add the computer as a node in an existing Active Directory Federation Services (AD FS)
server farm using the Windows Internal Database (WID) on the local server computer and whose primary node is
installed on a computer named PrimaryWIDHost.
 
The certificate with the specified thumbprint will be used as the SSL certificate and the service
communications certificate. Automatically generated, self-signed certificates will be used for the token
signing and token decryption certificates.
 
The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the
service account.
 
Configuration AdfsFarmNode_gMSA-WID_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential
    )
 
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AdfsDsc
 
    Node localhost
    {
        WindowsFeature InstallAdfs
        {
            Name = 'ADFS-Federation'
        }
 
        AdfsFarmNode SecondWIDHost
        {
            FederationServiceName = 'fs.corp.contoso.com'
            CertificateThumbprint = '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed'
            GroupServiceAccountIdentifier = 'contoso\adfsgmsa$'
            Credential = $DomainAdminCredential
            PrimaryComputerName = 'PrimaryWIDHost'
        }
    }
}
 
.EXAMPLE 3
 
This configuration will add the computer as a node in an existing Active Directory Federation Services (AD FS)
server farm using a Microsoft SQL Server database on a remote computer named SQLHost and whose primary
node is installed on a computer named PrimaryWIDHost.
 
The certificate with the specified thumbprint will be used as the SSL certificate and the service
communications certificate. Automatically generated, self-signed certificates will be used for the token
signing and token decryption certificates.
 
The group Managed Service Account specified in the GroupServiceAccountIdentifier parameter will be used for the
service account.
 
Configuration AdfsFarmNode_gMSA-SQL_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential
    )
 
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName AdfsDsc
 
    Node localhost
    {
        WindowsFeature InstallAdfs
        {
            Name = 'ADFS-Federation'
        }
 
        AdfsFarmNode SecondWIDHost
        {
            FederationServiceName = 'sts.contoso.com'
            CertificateThumbprint = '933D8ACDD49CEF529EB159504C4095575E3496BB'
            GroupServiceAccountIdentifier = 'contoso\adfsgmsa$'
            SQLConnectionString = 'Data Source=SQL01;Integrated Security=True'
            Credential = $DomainAdminCredential
            PrimaryComputerName = 'PrimaryWIDHost'
        }
    }
}
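Once one of the configurations above has been applied, the node should be a secondary that syncs from the named primary, serve the intended certificate on its SSL bindings, and report no DSC drift. The following function verifies that from the newly joined node. It is an added example for this page, not code from AdfsDsc, and assumes the ADFS PowerShell module that ships with the role (Get-AdfsSyncProperties, Get-AdfsSslCertificate) is present locally and that the DSC configuration has already been pushed with Start-DscConfiguration.

```powershell
# Added post-apply verification for a node joined with AdfsFarmNode (example code, not
# part of AdfsDsc). Assumes the ADFS module is present and the check runs on the new node.
function Test-AdfsFarmNodeJoined
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $PrimaryComputerName,

        [Parameter(Mandatory = $true)]
        [string]
        $CertificateThumbprint
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # The service must be running for the node to answer federation requests.
    $svc = Get-Service -Name 'adfssrv' -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running')
    {
        $findings.Add('adfssrv is not running.')
    }

    # Sync state: a joined node reports Role SecondaryComputer, the expected primary,
    # and LastSyncStatus 0 (success). A non-zero status means configuration is stale.
    $sync = Get-AdfsSyncProperties
    if ($sync.Role -ne 'SecondaryComputer')
    {
        $findings.Add("Role is '$($sync.Role)', expected SecondaryComputer.")
    }
    if ($sync.PrimaryComputerName -ne $PrimaryComputerName)
    {
        $findings.Add("Sync primary is '$($sync.PrimaryComputerName)', expected '$PrimaryComputerName'.")
    }
    if ($sync.LastSyncStatus -ne 0)
    {
        $findings.Add("Last sync from primary failed with status $($sync.LastSyncStatus) at $($sync.LastSyncFromPrimary).")
    }

    # SSL bindings: every binding AD FS owns should carry the intended certificate, which
    # catches a node that kept a stale or self-signed certificate on 443 or 49443.
    $bindings = Get-AdfsSslCertificate
    $wrong = $bindings | Where-Object { $_.CertificateHash -ne $CertificateThumbprint }
    foreach ($b in $wrong)
    {
        $findings.Add("Binding $($b.HostName):$($b.PortNumber) uses $($b.CertificateHash), not $CertificateThumbprint.")
    }

    # Drift check: the LCM re-tests the compiled configuration without changing anything.
    $dsc = Test-DscConfiguration -Detailed
    if (-not $dsc.InDesiredState)
    {
        $names = ($dsc.ResourcesNotInDesiredState | ForEach-Object { $_.InstanceName }) -join ', '
        $findings.Add("DSC reports resources not in desired state: $names")
    }

    [PSCustomObject]@{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage with the values from EXAMPLE 1 and 2 on this page:
# Test-AdfsFarmNodeJoined -PrimaryComputerName 'PrimaryWIDHost' `
#     -CertificateThumbprint '8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed'
```

Scheduling this check after each DSC consistency run gives an early signal when a secondary silently stops syncing from the primary, which otherwise only shows up as stale relying-party or certificate state on that one node.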