Category Archives: AD FS 2.0

Migrating AD FS 2.0 to AD FS 3.0 for Office365 Single Sign-On

I’ve been getting quite a few requests to write a BLOG post that details the process of migrating your legacy AD FS infrastructure to AD FS 3.0 (released with Windows Server 2012 R2). The step-by-step below details one method.

Migration Paths

There are a couple of different paths when migrating AD FS from version 2.0 to AD FS 3.0. The one that I am going to detail below is a parallel install: export the AD FS 2.0 configuration and import it into AD FS 3.0. There are other methods of completing this task, but I prefer this method, because you can build the whole AD FS 3.0 solution, test the complete solution and then cut over to it by updating DNS. There is no user impact. Please visit the Microsoft site linked below for all the supported methods. This method will only work if AD FS 2.0 is in a farm configuration. If you are not in a farm configuration, you must do a manual migration. See the links below.

http://technet.microsoft.com/en-us/library/dn486815.aspx

http://technet.microsoft.com/en-us/library/dn486787.aspx

Assumptions

  1. Base build a new AD FS 3.0 server with Windows Server 2012 R2
  2. Add the server to the local domain
  3. Export the SSL certificate from the AD FS 2.0 server (with private key)
  4. Have the AD FS service account and password that were used to deploy AD FS 2.0
  5. Directory Sync is running

Import SSL Certificate

***NOTE*** It’s very important to use the same SSL certificate as you used in your AD FS 2.0 deployment.

***NOTE*** Microsoft recommends that you go to the AD FS 2.0 server and export the SSL certificate (with private key) to be sure that it’s the same one.

I assume that you have exported the SSL certificate; this is the procedure for importing it.

  1. Open the Start Screen
  2. Type MMC and click the MMC app
  3. When MMC opens, click File, then Add/Remove Snap-in
  4. Select Certificates and click Add>
  5. Select Computer Account and click Next
  6. Select Local Computer and click Finish
  7. Click OK
  8. Expand Certificates, expand Personal, right click Certificates and select Import
  9. Select Local Machine and click Next
  10. Browse to the exported certificate and click Next
  11. Enter the password, mark the key as exportable and click Next
  12. Place the certificate in the Personal certificate store and click Next
  13. Click Finish. The import reports Successful

Install AD FS Role on Windows Server 2012 R2

Login to the AD FS 3.0 Server

  1. Open Server Manager and click Local Server
  2. Click Manage, then Add Roles and Features
  3. Click Next on the next three pages
  4. Select Active Directory Federation Services and click Next
  5. Click Next on the next two pages
  6. Click Install. Installation starts
  7. Install completed. Don’t close the wizard; continue to the next step


Configure AD FS 3.0

  1. Click Configure the federation service on this server
  2. Select Create the first federation server in a federation farm and click Next
  3. Use an account with Domain Admin rights to perform the install. Please note that this is not the service account; that comes later in the setup. Click Next
  4. Select the certificate that we imported in the previous step. WARNING – This MUST be the same SSL certificate used in the AD FS 2.0 farm
  5. Enter the Federation Service Display Name. WARNING – This MUST match the AD FS 2.0 Farm Name. Click Next
  6. Specify the AD FS Service Account and enter its password. WARNING – This has to be the same AD FS Service account that is used in the AD FS 2.0 farm. No exceptions. Click Next
  7. Select the default (Windows Internal Database), unless you want to use SQL, but don’t use the same database as the AD FS 2.0 farm. Click Next
  8. Click Next
  9. Click Configure. Configuration starts and then finishes

If you navigate to AD FS Management, you will notice that our Relying Party Trusts do not yet include Office365.


Export the AD FS 2.0 Configuration

  1. Login to the AD FS 2.0 Server
  2. Insert or mount the Windows Server 2012 R2 DVD into the server
  3. Run PowerShell as Administrator
  4. Navigate to \support\adfs on the Windows Server 2012 R2 DVD
  5. Execute the script:

     .\export-federationconfiguration.ps1 -path c:\adfs_export

     This will export the AD FS 2.0 configuration and dump it to a folder called adfs_export on the root of the C: drive.
  6. Once the export completes, copy the adfs_export folder to the Windows Server 2012 R2 AD FS server

Import the AD FS Configuration to AD FS 3.0

  1. Login to the AD FS 3.0 Server
  2. Open PowerShell as an Administrator
  3. Navigate to \support\adfs on the Windows Server 2012 R2 DVD
  4. Execute the Import-FederationConfiguration.ps1 script with the path parameter pointing at the exported AD FS 2.0 configuration:

     .\import-federationconfiguration.ps1 -path C:\ADFS_Export

  5. Import starts. Note the warning that this will remove all existing claims providers and relying party trusts on the target server, so make sure that you are on the right server.
  6. Imported successfully
  7. Verify the import in AD FS Management
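As an added verification step (example script, not from the original post), the following PowerShell, run on the new AD FS 3.0 server after the import, checks that the new farm matches the AD FS 2.0 farm before DNS is cut over. It assumes you recorded the SSL certificate thumbprint, Federation Service Display Name and host name on the AD FS 2.0 server beforehand (Get-ADFSProperties and Get-ADFSCertificate -CertificateType Service-Communications), and that the Office 365 trust uses the standard identifier urn:federation:MicrosoftOnline.

```powershell
# Added example, not part of the original post. Run on the new AD FS 3.0 server after
# import-federationconfiguration.ps1 and before the DNS cutover. The three expected
# values are assumed to have been recorded on the AD FS 2.0 farm beforehand.
param(
    [Parameter(Mandatory = $true)] [string] $ExpectedSslThumbprint, # SSL cert thumbprint of the 2.0 farm
    [Parameter(Mandatory = $true)] [string] $ExpectedDisplayName,   # Federation Service Display Name of the 2.0 farm
    [Parameter(Mandatory = $true)] [string] $ExpectedHostName       # Federation service name, e.g. sts.DOMAIN.com
)

Import-Module ADFS
$failures = @()

# 1. The service communications (SSL) certificate must be the one the 2.0 farm used.
$sslCert  = Get-AdfsCertificate -CertificateType Service-Communications | Select-Object -First 1
$expected = ($ExpectedSslThumbprint -replace '\s', '').ToUpperInvariant()
if ($null -eq $sslCert -or $sslCert.Thumbprint.ToUpperInvariant() -ne $expected) {
    $failures += "SSL certificate thumbprint is '$($sslCert.Thumbprint)', expected '$expected'"
}

# 2. Host name and display name must match the old farm so the existing trusts keep working.
$props = Get-AdfsProperties
if ($props.HostName -ne $ExpectedHostName) {
    $failures += "Federation service host name is '$($props.HostName)', expected '$ExpectedHostName'"
}
if ($props.DisplayName -ne $ExpectedDisplayName) {
    $failures += "Display name is '$($props.DisplayName)', expected '$ExpectedDisplayName'"
}

# 3. The Office 365 relying party trust must have come across with the import.
#    urn:federation:MicrosoftOnline is the identifier Office 365 uses for its trust.
$o365 = Get-AdfsRelyingPartyTrust -Identifier 'urn:federation:MicrosoftOnline' -ErrorAction SilentlyContinue
if ($null -eq $o365) {
    $failures += 'Office 365 relying party trust (urn:federation:MicrosoftOnline) is missing'
} elseif (-not $o365.Enabled) {
    $failures += 'Office 365 relying party trust is present but disabled'
}

if ($failures.Count -eq 0) {
    Write-Host 'Farm verification passed; proceed with the hosts-file sign-on test.'
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    Write-Host 'Do not cut DNS over until the warnings above are resolved.'
    exit 1
}
```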

Testing Single Sign-On

From a PC connected to the domain, edit the hosts file and add an entry that points the AD FS federation service name at the IP address of the AD FS 3.0 server in the new farm.

Navigate to the IdP Initiated Sign-on page, https://sts.DOMAIN.com/adfs/ls/IdpInitiatedSignon.aspx. You can tell right away that this is the AD FS 3.0 server by the way the web page looks.

Test signing in.

Once this is completed, you can test logging into the Microsoft Office365 Portal.

Adding Redundancy and WAP Servers

Keep in mind that when you add more AD FS servers to the farm or add the Web Authentication Servers (AD FS Proxy Servers) to this new farm, you add those servers directly to the new farm. There is no need to repeat the process above once you have the first AD FS 3.0 server set up in the new farm. Also note that if you have not changed DNS to point at the new farm, you will most likely need to use hosts files on the new servers to make sure that you are adding them to the new farm, because internal DNS is still set to the AD FS 2.0 farm.

Production Cut Over

When the AD FS 3.0 solution has been completed, update internal and external DNS to point at the new AD FS 3.0 farm.

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group

Finding and Changing the Primary AD FS 2.0 Server in an AD FS 2.0 Farm with PowerShell

PowerShell can be used to quickly identify the primary server in an AD FS 2.0 farm. When you deploy AD FS 2.0 with a default install, it uses the Windows Internal Database (WID). In this setup the WID database on the Primary AD FS server is the read/write copy. All the Secondary AD FS server(s) in the farm have a read-only copy that synchronizes from the Primary.

  • Run this command to view the role of the server and see which server it’s synchronizing database changes from.

    Get-ADFSSyncConfiguration

Command run on an AD FS Primary Server

Command run on an AD FS Secondary Server

In the event that you lose the Primary AD FS server in the farm, you can move the role to any Secondary Server in the same farm. This again is done through PowerShell with a simple command.

  • Run this PowerShell command on the Secondary AD FS server that you want to make the Primary AD FS server.

    Set-AdfsSyncProperties -Role PrimaryComputer

And then

  • Run this command to view the current role. It should change to PrimaryComputer.

    Get-ADFSSyncConfiguration

Now that the Primary role has moved, you must update all the other Secondary servers, if you have more than two Secondary servers in the farm.

  • Run this PowerShell command on the other Secondary AD FS servers so that they now sync with the new AD FS Primary server (replace the placeholder with the FQDN of the new Primary).

    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN of AD FS Primary Server>
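After moving the Primary role, it is easy to leave one Secondary still pointed at the old Primary. The following script is an added example, not from the original post: run from an admin workstation with PowerShell remoting to every farm member, it reports each server's sync role and flags secondaries that sync from the wrong Primary, whose last sync failed, or that have not synced recently. It assumes Get-AdfsSyncProperties returns the Role, PrimaryComputerName, LastSyncFromPrimary and LastSyncStatus properties and that a LastSyncStatus of 0 means success.

```powershell
# Added example, not part of the original post. Assumes PowerShell remoting to all
# farm members and that LastSyncStatus 0 means the last sync from the Primary succeeded.
param(
    [Parameter(Mandatory = $true)] [string[]] $FarmServers, # FQDNs of all AD FS farm members
    [int] $MaxSyncAgeMinutes = 15                            # default WID sync interval is 5 minutes
)

$results = Invoke-Command -ComputerName $FarmServers -ScriptBlock {
    # AD FS 2.0 ships its cmdlets as a snap-in, AD FS 3.0 as a module; load whichever exists.
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    Import-Module ADFS -ErrorAction SilentlyContinue
    $sync = Get-AdfsSyncProperties
    # New-Object rather than [pscustomobject] so this also runs under PowerShell 2.0 on 2008 R2.
    New-Object PSObject -Property @{
        Role                = $sync.Role
        PrimaryComputerName = $sync.PrimaryComputerName
        LastSyncFromPrimary = $sync.LastSyncFromPrimary
        LastSyncStatus      = $sync.LastSyncStatus
    }
}

$problems  = @()
$primaries = @($results | Where-Object { $_.Role -eq 'PrimaryComputer' })
if ($primaries.Count -ne 1) {
    $names = ($primaries | ForEach-Object { $_.PSComputerName }) -join ', '
    $problems += "Expected exactly one Primary, found $($primaries.Count): $names"
}
$primaryLabel = if ($primaries.Count -ge 1) { ($primaries[0].PSComputerName -split '\.')[0] } else { '' }

foreach ($r in ($results | Where-Object { $_.Role -ne 'PrimaryComputer' })) {
    # Compare the first DNS label so short and fully qualified names match.
    if ((($r.PrimaryComputerName -split '\.')[0]) -ine $primaryLabel) {
        $problems += "$($r.PSComputerName) syncs from '$($r.PrimaryComputerName)', not the current Primary"
    }
    if ($r.LastSyncStatus -ne 0) {
        $problems += "$($r.PSComputerName) last sync status was $($r.LastSyncStatus)"
    }
    if ($r.LastSyncFromPrimary -lt (Get-Date).AddMinutes(-$MaxSyncAgeMinutes)) {
        $problems += "$($r.PSComputerName) has not synced since $($r.LastSyncFromPrimary)"
    }
}

$results | Select-Object PSComputerName, Role, PrimaryComputerName, LastSyncFromPrimary, LastSyncStatus |
    Format-Table -AutoSize
if ($problems.Count -eq 0) { Write-Host 'Farm sync topology is consistent.' }
else { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
```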
