I’ve been getting quite a few requests to write a BLOG post that details the process of migrating your legacy AD FS infrastructure to AD FS 3.0 (released with Windows Server 2012 R2). The step-by-step below details one method.
Migration Paths
There are a couple of different paths when migrating from AD FS 2.0 to AD FS 3.0. The one I detail below is a parallel install: export the AD FS 2.0 configuration and import it into a new AD FS 3.0 farm. There are other methods of completing this task, but I prefer this one because you can build the whole AD FS 3.0 solution, test it end to end, and then cut over by updating DNS. There is no user impact. Please visit the Microsoft site linked below for all the supported methods. This method only works if AD FS 2.0 is in a farm configuration; if it is not, you must do a manual migration. See the links below.
http://technet.microsoft.com/en-us/library/dn486815.aspx
http://technet.microsoft.com/en-us/library/dn486787.aspx
Assumptions
- Base build new AD FS 3.0 server with Windows Server 2012 R2
- Add server to the local domain
- Export SSL certificate on AD FS 2.0 server (with private key)
- AD FS service account and password that was used to deploy AD FS 2.0
- Directory Sync is running
Import SSL Certificate
***NOTE*** It’s very important to use the same SSL certificate as you used in your AD FS 2.0 deployment.
***NOTE*** Microsoft recommends that you go to the AD FS 2.0 server and export the SSL certificate (with private key) to be sure that it’s the same one.
I assume that you have exported the SSL certificate and this is the procedure on how to import it.
Open the Start Screen
Type MMC
Click the MMC app
MMC opens
Click File
Click Add/Remove Snap-in
Select Certificates
Click Add>
Select Computer Account
Click Next
Select Local Computer
Click Finish
Click OK
Expand Certificates
Expand Personal
Right Click Certificates
Select Import
Select Local Machine
Click Next
Browse to the Exported Certificate
Click Next
Enter Password
Mark the key as exportable
Click Next
Place in the Personal certificate store
Click Next
Click Finish
Successful
Install AD FS Role on Windows Server 2012 R2
Login to the AD FS 3.0 Server
Open Server Manager
Click Local Server
Click Manage
Click Add Roles and Features
Click Next
Click Next
Click Next
Select Active Directory Federation Services
Click Next
Click Next
Click Next
Click Install
Installation starts
Installation completed. Don’t close the wizard; continue to the next step.
Configure AD FS 3.0
Click Configure the federation service on this server
Select Create the first federation server in a federation farm
Click Next
Use an account with Domain Admin rights to perform the install. Please note that this is not the service account. That comes later in the setup.
Click Next
Select the certificate that we imported in the previous step. WARNING – This MUST be the same SSL certificate used in the AD FS 2.0 farm
Enter the Federation Service Display Name. WARNING – This MUST match the AD FS 2.0 Farm Name
Click Next
Specify the AD FS Service Account. WARNING – This has to be the same AD FS Service account that is used in the AD FS 2.0 farm. No exceptions
Enter Password
Click Next
Select the default (Windows Internal Database), unless you want to use SQL; either way, don’t use the same database as the AD FS 2.0 farm.
Click Next
Click Next
Click Configure
Configuration started
Configuration Finished
If you navigate to AD FS Management, you will notice that the Relying Party Trusts do not yet include Office365.
Export the AD FS 2.0 Configuration
Login to the AD FS 2.0 Server
Insert or mount the Windows Server 2012 R2 DVD into the server
Run PowerShell as Administrator
Navigate to \support\adfs on the Windows Server 2012 R2 DVD
Execute the Script
.\export-federationconfiguration.ps1 -path c:\adfs_export
This exports the AD FS 2.0 configuration to a folder called adfs_export on the root of the C: drive.
Export completed
Copy the ADFS_Export folder to Windows Server 2012 R2 AD FS Server
Import the AD FS Configuration to AD FS 3.0
Login to the AD FS 3.0 Server
Open PowerShell as an Administrator
Navigate to \support\adfs on the Windows Server 2012 R2 DVD
Execute the Import-FederationConfiguration.ps1 script with the path parameter to the exported contents of the AD FS 2.0 configuration
.\import-federationconfiguration.ps1 -path C:\ADFS_Export
Import started
Note the warnings: the import removes all existing claims providers and relying party trusts on the target server, so make sure that you are on the right server.
Imported successfully
Verify the Import in AD FS Management
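As an added pre-cutover check (not part of the original post), the following PowerShell run on the new AD FS 3.0 server confirms the three things the warnings above insist on: that the service communications certificate is the one exported from AD FS 2.0, that the federation service name matches the old farm, and that the relying party trusts (Office 365 included) actually came across with the import. The PFX path and the Office 365 trust name pattern are assumptions.

```powershell
# Added example, not from the original post. Run on the AD FS 3.0 server after
# Import-FederationConfiguration.ps1 has completed.
# Assumes the AD FS 2.0 SSL certificate was exported to C:\adfs20-ssl.pfx
# (hypothetical path) and that the farm name is sts.DOMAIN.com as in the post.
Import-Module ADFS

$ExpectedFarmName = 'sts.DOMAIN.com'
$PfxPath          = 'C:\adfs20-ssl.pfx'   # exported (with private key) from the AD FS 2.0 server

# 1. The certificate the new farm presents must be the same one AD FS 2.0 used.
$exportedCert = Get-PfxCertificate -FilePath $PfxPath   # prompts for the PFX password
$svcCommCert  = Get-AdfsCertificate -CertificateType Service-Communications |
                Select-Object -First 1
if ($svcCommCert.Thumbprint -ne $exportedCert.Thumbprint) {
    Write-Warning ("Service communications cert {0} does not match the exported AD FS 2.0 cert {1}" -f
        $svcCommCert.Thumbprint, $exportedCert.Thumbprint)
} else {
    Write-Output "OK: service communications certificate matches AD FS 2.0 ($($svcCommCert.Thumbprint))"
}

# 2. The federation service name must equal the AD FS 2.0 farm name; relying
#    parties federated with the old issuer will reject tokens otherwise.
$props = Get-AdfsProperties
if ($props.HostName -ne $ExpectedFarmName) {
    Write-Warning "Federation service name is $($props.HostName), expected $ExpectedFarmName"
} else {
    Write-Output "OK: federation service name is $($props.HostName)"
}

# 3. The import replaces every trust on the target server; confirm the expected ones are present.
$trusts = @(Get-AdfsRelyingPartyTrust)
Write-Output ("{0} relying party trust(s) present after import:" -f $trusts.Count)
$trusts | Select-Object Name, Enabled, @{ n = 'Identifier'; e = { $_.Identifier -join ', ' } } |
    Format-Table -AutoSize
# Assumption: the Office 365 trust name contains "Office 365" (the default display name does).
if (-not ($trusts | Where-Object { $_.Name -like '*Office 365*' })) {
    Write-Warning 'No Office 365 relying party trust found; re-check which server you imported on.'
}
```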
Testing Single Sign-On
From a PC connected to the domain, edit the hosts file and add an entry that maps the federation service name to the IP address of the AD FS 3.0 server, so that your test traffic goes to the AD FS 3.0 Federation Farm rather than the AD FS 2.0 farm that internal DNS still points to.
Navigate to the IdP Initiated Sign-on page – https://sts.DOMAIN.com/adfs/ls/IdpInitiatedSignon.aspx. You can tell right away that this is the AD FS 3.0 server by the way the web page looks.
Test signing in
Once this is completed, then you can test logging into the Microsoft Office365 Portal.
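The page's look is one indicator; as an added example (not from the original post), this PowerShell run on the test PC proves which farm the hosts-file entry is really sending you to, checks that the TLS certificate presented is the one migrated from AD FS 2.0, and confirms the federation identifier in the metadata is unchanged before Office 365 sign-in is tried. The IP address and thumbprint are placeholders; the metadata URL is the standard AD FS endpoint.

```powershell
# Added example, not from the original post. Run on the domain-joined test PC
# after the hosts-file entry is in place and before any DNS change.
$FarmName           = 'sts.DOMAIN.com'
$Adfs3Ip            = '10.0.0.50'                       # hypothetical IP of the AD FS 3.0 server
$ExpectedThumbprint = 'THUMBPRINT-OF-ADFS20-SSL-CERT'   # placeholder: take it from the AD FS 2.0 server

# 1. Name resolution honours the hosts file, so this shows which farm the test actually hits.
$resolved = [System.Net.Dns]::GetHostAddresses($FarmName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $Adfs3Ip) {
    throw "$FarmName resolves to $($resolved -join ', '), not the AD FS 3.0 server; fix the hosts file first."
}
Write-Output "OK: $FarmName resolves to the AD FS 3.0 server ($Adfs3Ip)"

# 2. Fetch the federation metadata and capture the TLS certificate the server presented.
$uri  = "https://$FarmName/FederationMetadata/2007-06/FederationMetadata.xml"
$req  = [System.Net.HttpWebRequest]::Create($uri)
$resp = $req.GetResponse()
$body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
$resp.Close()
$tlsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate

$want = $ExpectedThumbprint.Replace(' ', '').ToUpper()
if ($tlsCert.Thumbprint -ne $want) {
    Write-Warning "Server presented $($tlsCert.Thumbprint); expected the AD FS 2.0 certificate $want"
} else {
    Write-Output "OK: TLS certificate is the one migrated from AD FS 2.0"
}

# 3. The entityID is the issuer Office 365 was federated with; it must match the AD FS 2.0 farm.
[xml]$metadata = $body
$entityId = $metadata.EntityDescriptor.entityID
Write-Output "Federation identifier: $entityId"
if ($entityId -ne "http://$FarmName/adfs/services/trust") {
    Write-Warning 'entityID differs from the default for this farm name; compare it with the AD FS 2.0 metadata.'
}
```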
Adding Redundancy and WAP Servers
Keep in mind that when you add more AD FS servers to the farm, or add the Web Authentication Servers (AD FS Proxy Servers) to this new farm, you add those servers directly to the farm. There is no need to repeat the process above once the first AD FS 3.0 server is set up in the new farm. Also note that if you have not yet changed DNS to point at the new farm, you will most likely need hosts-file entries on the new servers to make sure that you are adding them to the new farm, because internal DNS is still set to the AD FS 2.0 farm.
Production Cut Over
When the AD FS 3.0 solution has been completed, update internal and external DNS to point at the new AD FS 3.0 farm.
Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.
Kelsey Epps Office365 MVP
Technical Consultant
Concepps Group