Creating an AD FS Farm without domain admin privileges

Applies To: Windows Server 2016

Overview

Starting with AD FS in Windows Server 2016, you can run the Install-AdfsFarm cmdlet as a local administrator on your federation server, provided your Domain Administrator has prepared Active Directory. Preparation means creating a container under CN=ADFS,CN=Microsoft,CN=Program Data for the AD FS Distributed Key Manager (DKM) key and granting the AD FS service account rights on it. Treat that container as sensitive: the DKM key it holds protects the private keys of the token-signing and token-decrypting certificates that AD FS keeps in its configuration database, so read access should be limited to the service account. The script at the end of this article can be used to prepare AD. The steps are as follows:

1) As Domain Administrator, run the script (or create the Active Directory objects and permissions manually).
2) The script returns an AdminConfiguration object (a hashtable) containing the DN of the newly created AD container.
3) On the federation server, logged on as a local administrator, run the Install-AdfsFarm cmdlet and pass the object from step 2 as the -AdminConfiguration parameter.

Assumptions

  • Contoso\localadmin is a domain account that is a built-in administrator on the federation server but not a Domain Admin
  • Contoso\FsSvcAcct is a domain account that will be the AD FS service account
  • Contoso\FsGmsaAcct$ is a group managed service account (gMSA) that will be the AD FS service account
  • $svcCred holds the credentials of the AD FS service account
  • $localAdminCred holds the credentials of the local (non-DA) admin account on the federation server

Using a domain account as the AD FS Service Account

Prepare AD

Run the following as domain administrator

PS:\>$adminConfig=(C:\scriptlocation\CreateNonDADkmContainer.ps1 "contoso\fssvcacct")

Sample Output

Container name: 9530440c-bc84-4fe6-a3f9-8d60162a7bcf
Creating container with DN: CN=9530440c-bc84-4fe6-a3f9-8d60162a7bcf,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com

Create the AD FS Farm

On the federation server, as a local admin, run the following in an elevated PowerShell window.

First, if the federation server admin is not using the same PowerShell session as the domain admin above, re-create the adminConfig object from the DN in the output above.

PS:\>$adminConfig = @{"DKMContainerDn"="CN=9530440c-bc84-4fe6-a3f9-8d60162a7bcf,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com"}

Next, create the farm (the certificate thumbprint below is an example value; use the thumbprint of your own SSL certificate):

PS:\>$svcCred = (get-credential)
PS:\>$localAdminCred = (get-credential) 
PS:\>Install-AdfsFarm -CertificateThumbprint 270D041785C579D75C1C981DA0F9C36ECFDB65E0 -FederationServiceName "fs.contoso.com" -ServiceAccountCredential $svcCred -Credential $localAdminCred -OverwriteConfiguration -AdminConfiguration $adminConfig -Verbose

Using a gMSA as the AD FS Service Account

Prepare AD

Run the following as domain administrator

PS:\>$adminConfig=(C:\scriptlocation\CreateNonDADkmContainer.ps1 "contoso\FsGmsaAcct$")

Sample Output

Container name: 8065f653-af9d-42ff-aec8-56e02be4d5f3
Creating container with DN: CN=8065f653-af9d-42ff-aec8-56e02be4d5f3,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com

Create the AD FS Farm

On the federation server, as a local admin, run the following in an elevated PowerShell window.

First, if the federation server admin is not using the same PowerShell session as the domain admin above, re-create the adminConfig object from the DN in the output above.

PS:\>$adminConfig = @{"DKMContainerDn"="CN=8065f653-af9d-42ff-aec8-56e02be4d5f3,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com"}

Next, create the farm. The Set-ADServiceAccount call grants Contoso\localadmin resource-based constrained delegation to the gMSA (it writes the gMSA's msDS-AllowedToActOnBehalfOfOtherIdentity attribute) and must be run by an account that can modify the gMSA object, typically the domain administrator. It does not by itself let the federation server use the gMSA: the server's computer account must already be listed in the gMSA's PrincipalsAllowedToRetrieveManagedPassword. The delegation grant persists after installation, so review whether it is still needed once the farm is up.

PS:\>Set-ADServiceAccount -Identity fsgmsaacct -PrincipalsAllowedToDelegateToAccount "localadmin"
PS:\>$localAdminCred = (get-credential) 
PS:\>Install-AdfsFarm -CertificateThumbprint 270D041785C579D75C1C981DA0F9C36ECFDB65E0 -FederationServiceName "fs.contoso.com" -Credential $localAdminCred -GroupServiceAccountIdentifier "contoso\fsgmsaacct$" -OverwriteConfiguration -AdminConfiguration $adminConfig

Script for preparing AD

The following PowerShell script (CreateNonDADkmContainer.ps1 in the examples above) performs the AD preparation. It must be run by an account that can create objects under CN=Microsoft,CN=Program Data and set their ACLs (the domain administrator), on a machine with the ActiveDirectory PowerShell module installed.

[CmdletBinding()]
param (
   # AD FS service account in domain\username form; a gMSA name ends with '$'
   [Parameter(Mandatory=$True)]
   [string]$AcctToAclDkmContainer
)

# The AD: drive used below is provided by the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory -ErrorAction Stop

$userNameSplit = $AcctToAclDkmContainer.Split("\")
if ($userNameSplit.Length -ne 2)
{
    Write-Error "Specify the AD FS service account in 'domain\username' format"
    exit 1
}

Push-Location AD:

# The container name is a randomly generated GUID
[string]$guid = (New-Guid).Guid
Write-Host ("Container name: " + $guid)

$containerName = $guid
$initialPath = "CN=Microsoft,CN=Program Data," + (Get-ADDomain).DistinguishedName
$containerPath = "CN=ADFS," + $initialPath
$containerDn = "CN=" + $containerName + "," + $containerPath

Write-Host ("Creating container with DN: " + $containerDn)

# CN=ADFS does not exist yet if no farm has ever been created in this domain
if ($null -eq (Get-ADObject -Filter {distinguishedName -eq $containerPath}))
{
    Write-Host ("First creating initial path " + $containerPath)
    New-ADObject -Name "ADFS" -Type Container -Path $initialPath
}

New-ADObject -Name $containerName -Type Container -Path $containerPath

# Resolve the service account to a SID. A gMSA is looked up by sAMAccountName
# (the trailing '$' is part of it); a regular account is translated via NTAccount.
if ($AcctToAclDkmContainer.EndsWith("$"))
{
    $strSID = (Get-ADServiceAccount -Identity $userNameSplit[1]).SID
}
else
{
    $objUser = New-Object System.Security.Principal.NTAccount($AcctToAclDkmContainer)
    $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
}

# Grant the service account only what AD FS needs on this container and its
# children. No other principal is added; anything else with access to the DKM
# key is inherited from CN=Program Data and should be reviewed separately.
[System.DirectoryServices.ActiveDirectorySecurityInheritance]$adSecInEnum = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$ace1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $strSID,"GenericRead","Allow",$adSecInEnum
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $strSID,"CreateChild","Allow",$adSecInEnum
$ace3 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $strSID,"WriteOwner","Allow",$adSecInEnum
$ace4 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $strSID,"DeleteTree","Allow",$adSecInEnum

$acl = Get-Acl -Path $containerDn

$acl.AddAccessRule($ace1)
$acl.AddAccessRule($ace2)
$acl.AddAccessRule($ace3)
$acl.AddAccessRule($ace4)

Set-Acl -Path $containerDn -AclObject $acl

Pop-Location

# This hashtable is what Install-AdfsFarm expects for -AdminConfiguration
$adminConfig = @{"DKMContainerDn"=$containerDn}

return $adminConfig
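Before running Install-AdfsFarm in either of the scenarios above, the local (non-DA) admin has no direct way to confirm that the domain administrator's preparation produced the expected container and ACL. The following pre-flight check is an added example, not part of the original article or of the preparation script: it binds to the DN from the AdminConfiguration hashtable over plain LDAP through [ADSI] (so it needs no RSAT module on the federation server), confirms the object is a container, checks that the service account holds the four rights the script grants, and lists any other principal with an explicit Allow on the container, since read access to the DKM key is what lets someone recover the AD FS certificate private keys. The function name Test-DkmContainerPrep and the parameter names are assumptions made for this example; the account names come from the Assumptions section.

```powershell
# Added example (not from the original article): verify the DKM container a
# domain admin prepared, using only the caller's own domain credentials.
# Assumptions: $AdminConfiguration is the hashtable produced by
# CreateNonDADkmContainer.ps1 (or rebuilt from its printed DN) and
# $ServiceAccount is "contoso\fssvcacct" or "contoso\FsGmsaAcct$".
function Test-DkmContainerPrep {
    param (
        [Parameter(Mandatory=$true)][hashtable]$AdminConfiguration,
        [Parameter(Mandatory=$true)][string]$ServiceAccount
    )

    $dn = $AdminConfiguration["DKMContainerDn"]
    if ([string]::IsNullOrEmpty($dn)) {
        throw "AdminConfiguration has no DKMContainerDn entry"
    }

    # Bind as the current user; reading an attribute forces the bind and
    # surfaces "no such object" if the DN was mistyped or never created.
    $entry = [ADSI]"LDAP://$dn"
    try { $null = $entry.distinguishedName } catch { throw "Cannot bind to ${dn}: $_" }

    $class = $entry.psbase.SchemaClassName
    if ($class -ne "container") {
        throw "$dn is a '$class', expected 'container'"
    }

    # Rights the preparation script grants to the service account
    $required = @("GenericRead", "CreateChild", "WriteOwner", "DeleteTree")

    # Explicit ACEs only ($false = skip inherited): inherited entries come from
    # CN=Program Data and are not what the preparation script configured.
    # Principals are rendered as DOMAIN\name; an orphaned SID would make this
    # translation throw, which on a freshly created container is a finding too.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false,
                 [System.Security.Principal.NTAccount])

    $svcRules = $rules | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.IdentityReference.Value -ieq $ServiceAccount
    }
    # A single ACE may carry several rights ("CreateChild, DeleteTree"), so split
    $granted = @($svcRules | ForEach-Object { $_.ActiveDirectoryRights.ToString() -split ",\s*" })
    $missing = @($required | Where-Object { $granted -notcontains $_ })

    # Anyone else with an explicit Allow here can potentially read the DKM key
    $others = @($rules | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.IdentityReference.Value -ine $ServiceAccount
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    [pscustomobject]@{
        DistinguishedName = $dn
        MissingRights     = $missing
        OtherPrincipals   = $others
        Ready             = ($missing.Count -eq 0)
    }
}

# Usage on the federation server, before Install-AdfsFarm:
# $adminConfig = @{"DKMContainerDn"="CN=<guid>,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com"}
# Test-DkmContainerPrep -AdminConfiguration $adminConfig -ServiceAccount "contoso\fssvcacct"
```

If Ready is $false, the MissingRights list tells the domain administrator exactly which ACE to add; a non-empty OtherPrincipals list is not necessarily wrong (a deployment may deliberately grant a break-glass group), but each entry should be accounted for before the farm is created. The same check can be rerun after installation against the DN that Get-AdfsProperties reports in its CertificateSharingContainer property, which is where a configured farm records this container.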