by Eurisko at 2013-04-01 07:56:51
I was curious if anyone else on here leveraged PowerShell with Microsoft AD FS 2.x? ( posted in the Community section to see if there was enough interest to create a forum for AD FS w/PowerShell as well.)by coderaven at 2013-04-01 09:04:05
My current project is to be able to do a full DR rebuild of an AD FS server.
Now, “best practice” from Microsoft is to do a full “system state” backup, and backup the SQL DB if it’s not on the local machine, etc.
(Here’s why we can’t do the easier “best practice” method.)
That’s great for backups/restores into this same environment that it currently lives in. However, part of our requirements for this setup, was that we had to protect against potential Active Directory corruption, physical machines being compromised, rootkits, etc.
Since our application runs our own code on the front end, and is just SQL on the back end, the DR strategy was developed to be a warm DR site where nothing but databases get’s restored ( No “executing” code gets restored there, but the databases get restored via other methods constantly.)
So, going down that path that it’s a new AD environment, new machine physical name, etc, that left me with manually rebuilding the full setup from scratch. Which, thanks to several scripts I have written over the last year or so, isn’t TOO bad, but it’s still pretty manual, and requires a large amount of user intervention.
**** My PowerShell goal: *****
1.) Script(s) to completely backup all data used on a standalone AD FS 2.x server.
2.) Script(s) to completely restore all data onto a new AD FS 2.x server.
I’ll be the first to admit, my PowerShell skills are not very advanced, I’m still lacking a lot of basic concepts, and most of my scripts in the past are single threaded scripts I have created through “trial and error” learning. If anyone else has done anything like this, I would love to not have to re-invent the wheel, or if anyone is interested in working with me, that would be awesome! (I don’t expect anyone to do this project for me obviously.)
I am interested in figuring out what’s the best way to tackle this from a structure angle. I hate to do a lot of work, only to find I could have done it completely different, in a much better way. (I know several of my scripts do a lot of extra work, due to my PowerShell knowledge limitations already.)
Any feedback & input is greatly appreciated!
You can PowerShell script the entire process. When you backup everything you really just need 3 thing.by Eurisko at 2013-04-01 10:28:09
1. Backup your ADFS database. If you are using the internal database engine or SQL Server the process is not much different.
2. In your AD structure, backup "LDAP://CN=ADFS,CN=Microsoft,CN=Program Data,DC=Your,DC=Domain"
3. Backup your Certificate infrastructure. See the documentation on that process.
It would also be a good idea to export all of your existing information to CSV/XML using the ADFS incase you need to verify setting after the process. See a intro to the PowerShell cmdlets for ADFS 2.0 here.
Backing up the SQL database will be pretty easy using the SQL 2012 SQL Module. Here is a good example. If using the internal database, remote connectivity my not be enabled by default.
Here is a pretty good example of exporting an AD structure.
The certificate process is documented pretty well out there.
It can be a complex process but is completely doable. Just break it down into small steps and test, test, test.
Let me know if you have any questions.
#2 is what scares me the most. I’ll be restoring this to a NEW domain of a different name, and the machine name will even be different. Will I really be able to simply restore that piece of AD back into it and have it actually work?by coderaven at 2013-04-01 11:08:05
I was going to export everything from ADFS (get-adfsclaimsprovidertrust, get-adfsrelyingpartytrust, etc) dump them to clixml, then work on scripts to create each item based on the data in those dumps. (just had to handle null values, and add additional url’s etc when it recreated something).
I had gotten the idea when I seen an article Here showing that for migrating just the rules for a CP or RP.
The database restore is already automated, so that would just leave #2 & #3 then.
This certainly gives me more options to look at. Off to the lab to play with #2.
#2 may be able to be skipped depending on what the new install does. I would just keep a backup.
When you create the new server, it will create a registration there. When the new ADFS install attaches to the existing database, it may recreate the AD structure, I would just test that and see if you can move without it. Having that object export would help if it does not or if you need to modify the ACL of the objects to what it was before, changing to the new account and what rights are needed. Ultimately you would not restore the root ADFS object but the sub-components would match up to what is in the database.