Configure PAM using scripts
If SQL and SharePoint are installed on separate servers, configure them using the instructions below. If SQL, SharePoint and the PAM components are installed on the same machine, run the steps below from that machine.
The steps below assume that a PRIV domain is already set up. For instructions on configuring a PRIV domain, see the addendum at the end of the document.
Steps:
Download the PAM deployment scripts
Unzip the compressed file “PAMDeploymentScripts.zip” to the %SYSTEMDRIVE%\PAM folder on all machines.
On any one of the machines, open the PAMDeploymentConfig.xml file and update the details using the chart below or the guidance within the XML file itself. If the CORP and PRIV forests are already set up, all you need to update are the DNSName and the NetbiosName.
In the Roles section, update the service account, machine details, and the location of the installation binaries for SQL, SharePoint and MIM roles.
- The MIM binary location must point to the directory containing the “Service and Portal” folder. The Client binary location must point to the directory containing the “Add-ins and Extensions.msi”.
If this is a PRIVOnly environment, in which there is no CORP forest, then the PRIVOnly tag must be set to True.
- For PRIVOnly environments, update the DNSName and NetbiosName of the PRIV Domain to match the CORP domain. Make sure the machine suffixes are correct for the machines where SQL, SharePoint, and MIM will be installed, as the default template file assumes a CORP and PRIV configuration.
Copy the same updated PAMDeploymentConfig.xml to the %SYSTEMDRIVE%\PAM folder on all of the machines: CORPDC, PRIVDC, PAM Server, SQL Server, and the SharePoint servers. Every machine must run from an identical copy of the file.
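Before copying the file around, it is worth catching a malformed or half-edited PAMDeploymentConfig.xml on the machine where it was edited rather than on a domain controller. The following PowerShell function is an added example and is not one of the PAM deployment scripts. It assumes only what this page states about the file: that it contains DNSName, NetbiosName and PRIVOnly elements somewhere in the tree (their exact position is not documented here, so they are located with XPath descendant searches), and that the MIM and client binary locations in the Roles section point at a folder containing "Service and Portal" and a folder containing "Add-ins and Extensions.msi" respectively. Because the element names that hold those two paths are not given on this page, they are passed in as parameters.

```powershell
# Added example, not part of PAMDeploymentScripts.zip.
# Sanity-checks PAMDeploymentConfig.xml before it is distributed to all machines.
# ASSUMPTIONS (labelled): DNSName, NetbiosName and PRIVOnly are element names that
# appear somewhere in the file; the binary-location element names are unknown, so
# those paths are supplied by the caller.
function Test-PamDeploymentConfig {
    [CmdletBinding()]
    param(
        [string]$Path = "$env:SystemDrive\PAM\PAMDeploymentConfig.xml",
        # Directory that must contain the "Service and Portal" folder (MIM binary location).
        [string]$MimBinaryPath,
        # Directory that must contain "Add-ins and Extensions.msi" (Client binary location).
        [string]$ClientBinaryPath
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Config file not found: $Path"
    }

    $problems = New-Object 'System.Collections.Generic.List[string]'

    # [xml] uses the .NET parser, so an unclosed tag fails here with a line number
    # instead of surfacing as an unexplained error inside PAMDeployment.ps1.
    try {
        [xml]$config = Get-Content -LiteralPath $Path -Raw
    } catch {
        throw "PAMDeploymentConfig.xml is not well-formed XML: $($_.Exception.Message)"
    }

    $dnsNames     = @($config.SelectNodes('//DNSName')     | ForEach-Object { $_.InnerText.Trim() })
    $netbiosNames = @($config.SelectNodes('//NetbiosName') | ForEach-Object { $_.InnerText.Trim() })
    $privOnlyNode = $config.SelectSingleNode('//PRIVOnly')
    $privOnly     = ($null -ne $privOnlyNode) -and ($privOnlyNode.InnerText.Trim() -ieq 'True')

    if ($dnsNames.Count -eq 0)     { $problems.Add('No DNSName element found') }
    if ($netbiosNames.Count -eq 0) { $problems.Add('No NetbiosName element found') }

    # Template placeholders left in place are the usual cause of a failed forest configuration.
    foreach ($v in ($dnsNames + $netbiosNames)) {
        if ($v -eq '' -or $v -match '[<>\s]' -or $v -match 'TODO|CHANGEME') {
            $problems.Add("Placeholder or empty domain value still present: '$v'")
        }
    }
    # NetBIOS names are at most 15 characters and never contain a dot.
    foreach ($n in $netbiosNames) {
        if ($n.Length -gt 15 -or $n.Contains('.')) {
            $problems.Add("'$n' is not a valid NetBIOS name (max 15 chars, no dots)")
        }
    }

    # PRIVOnly means the PRIV entries were changed to match the CORP domain, so a
    # PRIVOnly file should name a single domain; a CORP+PRIV file should name two.
    $distinctDns = @($dnsNames | Where-Object { $_ -ne '' } | Sort-Object -Unique)
    if ($privOnly -and $distinctDns.Count -gt 1) {
        $problems.Add("PRIVOnly is True but more than one DNSName is configured: $($distinctDns -join ', ')")
    }
    if (-not $privOnly -and $distinctDns.Count -lt 2) {
        $problems.Add('PRIVOnly is not True but fewer than two distinct DNSName values were found')
    }

    if ($MimBinaryPath) {
        $sp = Join-Path $MimBinaryPath 'Service and Portal'
        if (-not (Test-Path -LiteralPath $sp -PathType Container)) {
            $problems.Add("MIM binary location '$MimBinaryPath' has no 'Service and Portal' folder")
        }
    }
    if ($ClientBinaryPath) {
        $msi = Join-Path $ClientBinaryPath 'Add-ins and Extensions.msi'
        if (-not (Test-Path -LiteralPath $msi -PathType Leaf)) {
            $problems.Add("Client binary location '$ClientBinaryPath' does not contain 'Add-ins and Extensions.msi'")
        }
    }

    # The hash lets you confirm later that every machine received this exact file.
    [pscustomobject]@{
        Path     = $Path
        Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        PrivOnly = $privOnly
        Domains  = $distinctDns
        Problems = $problems.ToArray()
        IsValid  = ($problems.Count -eq 0)
    }
}

# Usage (paths are placeholders): run on the machine where the XML was edited.
# Test-PamDeploymentConfig -MimBinaryPath 'D:\MIM' -ClientBinaryPath 'D:\MIM\Client' | Format-List
```

Treat a non-empty Problems list as a stop: fix the file and re-run before copying it anywhere, and keep the Sha256 value to compare against the copies on the other machines.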
Deployment worksheet
Before you proceed, update PAMDeploymentConfig.xml and place the updated copy on all machines.
Setup
Machine | Who to run as | Commands |
---|---|---|
PRIVDC | PRIV Domain Admin | .\PAMDeployment.ps1 Select menu option 1 (PRIV Forest Configuration) |
The above step generates SIDs.txt. Copy this file into the %SYSTEMDRIVE%\PAM folder on CORPDC before running the next step. | ||
CORPDC | CORP Domain Admin | .\PAMDeployment.ps1 Select menu option 2 (CORP Forest Configuration) |
PAMServer (or SQL Server) | CORP Domain Admin | .\PAMDeployment.ps1 Select menu option 3 (SQL Server Setup) |
PAMServer | Local Admin (MIM Admin after domain join) | .\PAMDeployment.ps1 Select menu option 4 (SharePoint Setup) |
PAMServer | Local Admin (MIM Admin after domain join) | .\PAMDeployment.ps1 Select menu option 5 (MIM PAM Setup) |
PAMServer | MIMAdmin | .\PAMDeployment.ps1 Select menu option 6 (PAM Trust Setup) |
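Two of the steps above depend on a file being identical on more than one machine: PAMDeploymentConfig.xml must be the same on every host, and the SIDs.txt that menu option 1 writes on PRIVDC must reach CORPDC unchanged before menu option 2 runs. The following PowerShell is an added example, not part of the PAM deployment scripts. It copies a file into %SYSTEMDRIVE%\PAM on each target over PowerShell remoting and compares a SHA-256 computed on the remote side with the local one, so a stale or truncated copy is reported instead of silently used. It assumes WinRM is enabled on the targets, that the caller is an administrator there, and that the hostnames in the usage lines are placeholders; the SID-pattern check on SIDs.txt assumes the file holds domain SIDs in the usual S-1-5-21-... textual form, which this page does not state.

```powershell
# Added example, not part of PAMDeploymentScripts.zip.
# Distributes a PAM artifact to %SYSTEMDRIVE%\PAM on each target and verifies it landed intact.
# ASSUMPTIONS: WinRM/PowerShell remoting is enabled and the caller is a local admin on
# every target. Before the PAM trust exists, CORPDC and PRIVDC are in unrelated forests,
# so pass -Credential for a target in the other forest.
function Copy-PamArtifact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "Not found: $Path" }

    $localHash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $fileName  = Split-Path -Leaf $Path

    $sessionArgs = @{ ComputerName = $ComputerName }
    if ($Credential) { $sessionArgs.Credential = $Credential }
    $sessions = New-PSSession @sessionArgs

    try {
        foreach ($s in $sessions) {
            # Resolve the system drive on the target itself rather than assuming C:.
            $remoteDir = Invoke-Command -Session $s -ScriptBlock {
                $d = Join-Path $env:SystemDrive 'PAM'
                New-Item -ItemType Directory -Path $d -Force | Out-Null
                $d
            }

            Copy-Item -LiteralPath $Path -Destination $remoteDir -ToSession $s -Force

            # Hash on the remote side: this is the copy PAMDeployment.ps1 will actually read.
            $remotePath = Join-Path $remoteDir $fileName
            $remoteHash = Invoke-Command -Session $s -ArgumentList $remotePath -ScriptBlock {
                param($p) (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            }

            [pscustomobject]@{
                Computer   = $s.ComputerName
                File       = $fileName
                Match      = ($remoteHash -eq $localHash)
                LocalHash  = $localHash
                RemoteHash = $remoteHash
            }
        }
    } finally {
        $sessions | Remove-PSSession
    }
}

# Checks the SIDs.txt produced by menu option 1 before it is handed to CORPDC.
# ASSUMPTION: the file contains domain SIDs written as S-1-5-21-<n>-<n>-<n>.
function Test-PamSidFile {
    param([string]$Path = "$env:SystemDrive\PAM\SIDs.txt")
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $content = Get-Content -LiteralPath $Path -Raw
    return [bool]($content -match 'S-1-5-21-\d+-\d+-\d+')
}

# Usage (hostnames are placeholders):
# 1. From the machine where the XML was edited, push it everywhere and review the Match column.
# Copy-PamArtifact -Path "$env:SystemDrive\PAM\PAMDeploymentConfig.xml" `
#     -ComputerName 'CORPDC','PRIVDC','PAMSERVER','SQL01','SP01' | Format-Table
# 2. On PRIVDC, after menu option 1 has finished, hand SIDs.txt to CORPDC using CORP credentials.
# if (Test-PamSidFile) {
#     Copy-PamArtifact -Path "$env:SystemDrive\PAM\SIDs.txt" -ComputerName 'CORPDC' `
#         -Credential (Get-Credential 'CORP\Administrator')
# } else { Write-Error 'SIDs.txt is missing or contains no SIDs; re-run menu option 1 on PRIVDC' }
```

Any row with Match set to False means that machine is not running from the file you validated; re-copy before continuing, because the forest-configuration steps are not easily reversible once they have written to Active Directory.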
Validation
Machine | Who to run as | Commands |
---|---|---|
CORPClient | CORP User (local admin) | .\PAMDeployment.ps1 Select menu option 7 (MIM PAM Client Setup) |
CORPDC | CORP Domain Admin | Import-module .\PAMValidation.psm1 ; Create-PAMValidationCORPDCConfig |
PAMServer | MIMAdmin | Import-module .\PAMValidation.psm1 ; Move-PAMValidationUsersToPAM |
CORPClient | CORP User (local admin) | Import-module .\PAMValidation.psm1 ; Enable-PAMUsersCORPClientRemote |
CORPClient | <PRIV>\PRIV.pamRequestor user (for PRIVOnly: <CORP>\pamrequestor) | Import-module .\PAMValidation.psm1 ; Test-PAMValidationScenarioNoApprovalRequest |