How to install ADFS on Windows Server 2016
In this guide we will go through the ADFS installation on Windows Server 2016. Before we install ADFS we have to obtain the ADFS certificate. You can use the Certificates MMC to create a new certificate request. You have to put all the SAN entries you are going to use for ADFS in the certificate. Once you have the certificate, import it on the ADFS server and make sure you have the private key for that certificate. After the certificate import, follow the steps below to install the ADFS role on Windows Server 2016.

Windows Server 2012 domain controllers (DCs) and later versions require a root key to begin generating gMSA passwords. The domain controllers will wait up to 10 hours from the time of creation, to allow all domain controllers to converge their Active Directory replication, before allowing the creation of a gMSA. The 10 hours is a safety measure to prevent password generation from occurring before all the domain controllers in the environment can answer the gMSA requests. If you try to use a gMSA too soon, the key might not have been replicated to all the Windows Server 2012 domain controllers and therefore password retrieval might fail when the gMSA host attempts to retrieve the password. gMSA password retrieval failures can also occur when using domain controllers with limited replication schedules or if there is a replication issue.
The Add-KdsRootKey cmdlet generates a new root key for the Microsoft Group Key Distribution Service (KdsSvc) within Active Directory (AD). The Microsoft Group KdsSvc generates new group keys from the new root key. If you don't want to wait the 10 hours (in a test lab, for example), run the command below; it back-dates the key's effective time so the key is usable immediately, which means it skips the replication safety margin described above:

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
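As an added example (this is not the guide's own script), the following PowerShell creates the KDS root key the way a production domain should, refuses to continue until the key is actually effective instead of back-dating it, and then creates the gMSA that ADFS will run as, restricted to the farm's computer accounts. The account name gmsa_adfs and the domain testlab.local are the guide's lab values; the node names adfs1 and adfs2 and the function names are assumptions made for this example. Run it as a domain administrator on a machine with the Active Directory RSAT module.

```powershell
# Added example, not the guide's own script: KDS root key check and gMSA
# provisioning for AD FS. Lab values from the guide; adjust for your domain.
Import-Module ActiveDirectory

$GmsaName  = 'gmsa_adfs'
$Domain    = 'testlab.local'
$AdfsHosts = @('adfs1', 'adfs2')        # computer accounts of the AD FS nodes (assumed names)
$FarmSpn   = "host/adfs.$Domain"        # SPN the farm name needs on the gMSA

function Get-EffectiveKdsRootKey {
    # Newest root key whose EffectiveTime has already passed, or $null.
    $now = Get-Date
    Get-KdsRootKey |
        Where-Object { $_.EffectiveTime -le $now } |
        Sort-Object EffectiveTime -Descending |
        Select-Object -First 1
}

$key = Get-EffectiveKdsRootKey
if (-not $key) {
    # Production path: -EffectiveImmediately still sets EffectiveTime 10 hours
    # ahead so every DC has replicated the key first. The guide's
    # -EffectiveTime (Get-Date).AddHours(-10) skips that wait and belongs in a
    # throw-away lab only.
    $pending = Get-KdsRootKey | Sort-Object EffectiveTime -Descending | Select-Object -First 1
    if (-not $pending) {
        $id      = Add-KdsRootKey -EffectiveImmediately
        $pending = Get-KdsRootKey | Where-Object { $_.KeyId -eq $id }
    }
    throw "KDS root key $($pending.KeyId) becomes effective at $($pending.EffectiveTime); re-run after that."
}

# Confirms the key is usable from the DC this session is talking to.
if (-not (Test-KdsRootKey -KeyId $key.KeyId)) {
    throw "KDS root key $($key.KeyId) is not yet usable on this DC (replication pending)."
}

# Create the gMSA if it does not exist. Only the listed AD FS computers may
# retrieve its password, and the farm SPN is registered at creation time so
# the wizard's setspn warning does not appear.
$principals = $AdfsHosts | ForEach-Object { Get-ADComputer -Identity $_ }
$gmsa = Get-ADServiceAccount -Filter "Name -eq '$GmsaName'"
if (-not $gmsa) {
    $gmsa = New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword $principals `
        -ServicePrincipalNames $FarmSpn `
        -PassThru
}
"gMSA $($gmsa.SamAccountName) ready; SPNs: $($gmsa.ServicePrincipalNames -join ', ')"

# Run this part locally on each AD FS node (not from the DC): it installs the
# account on the host and confirms the host can really retrieve the password.
function Test-AdfsGmsaOnNode {
    param([string]$Name = 'gmsa_adfs')
    Install-ADServiceAccount -Identity $Name
    Test-ADServiceAccount    -Identity $Name   # $true means password retrieval works
}
```

If Test-ADServiceAccount returns $false on a node, the usual causes are the ones the guide lists: the root key has not replicated to the DC the node is using, or the node's computer account is not in PrincipalsAllowedToRetrieveManagedPassword.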
Install ADFS role:
Log in to the Windows Server 2016 machine and open Server Manager. In Server Manager click Add Roles and Features. Under Server Roles select the Active Directory Federation Services role. Click Next and don't select anything on the Features page. Click Next and then Close.
Configuring ADFS:
After installation, click Configure the federation service on this server. If you are installing the first ADFS server, select the first option; if you are installing an additional ADFS server, select the second option. On the second page you have to provide a domain administrator account. On the third page select the certificate you imported and make sure the ADFS service name is showing correctly, based on the certificate's SAN name. Enter the ADFS display name (usually your company name; it is shown to end users on the ADFS login page). On the next page choose a group managed service account for ADFS. On the next page select the database store for the ADFS configuration database. It can be WID or SQL; I chose WID in this case. On the next page click Configure and the configuration will begin. It will take some time to complete.
If you see a warning that the SPN for the specified service account is not set, run the command below to set the SPN. Here the server name is your ADFS farm name (the federation service name).
setspn -a host/<server name> <service account>
For example: setspn -a host/adfs.testlab.com gmsa_adfs
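The certificate requirements from the start of the guide (private key present, SAN containing the service name) and the SPN warning above are the two things the wizard most often trips on, so here is an added pre-flight check to run on the ADFS server before the wizard or Install-AdfsFarm. It is not the guide's own script; the thumbprint, service name and account name are the guide's lab values and the function name is this example's own. The SPN lookup uses an ADSI search so it does not need the AD module on the ADFS server.

```powershell
# Added example, not the guide's own script: pre-flight checks before the
# AD FS configuration wizard. Defaults are the guide's lab values.
function Test-AdfsPrerequisite {
    param(
        [string]$Thumbprint            = '3C27DD6A78E2A0DC5F4366FBD0DAF8327036ED68',
        [string]$FederationServiceName = 'adfs.testlab.local',
        [string]$ServiceAccount        = 'gmsa_adfs'
    )

    # 1. Certificate must be in the computer store with its private key.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        throw "Certificate $Thumbprint is not in LocalMachine\My (a user-store import is invisible to the AD FS service)."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; re-import it from a PFX that contains the key."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal now."
    }

    # 2. The SAN must carry the federation service name; the wizard derives the
    #    service name from it, so a missing SAN shows up as a wrong name on the
    #    third wizard page.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    if ($sanText -notmatch [regex]::Escape($FederationServiceName)) {
        throw "SAN does not contain $FederationServiceName. SAN entries:`n$sanText"
    }

    # 3. The farm SPN must be held by exactly one object, ideally the gMSA.
    #    A duplicate SPN breaks Kerberos to the farm; a missing one is what the
    #    wizard's "set SPN" warning is about.
    $spn      = "host/$FederationServiceName"
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $holders  = @($searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
    switch ($holders.Count) {
        0 { Write-Warning "No account holds $spn. After the gMSA exists run: setspn -a $spn $ServiceAccount" }
        1 {
            if ($holders[0] -match "^CN=$([regex]::Escape($ServiceAccount)),") {
                "SPN $spn is registered on $($holders[0])"
            } else {
                Write-Warning "SPN $spn is held by $($holders[0]), not by $ServiceAccount."
            }
        }
        default { throw "Duplicate SPN $spn found on:`n$($holders -join "`n")" }
    }

    return $cert   # the Thumbprint property is what Install-AdfsFarm needs
}

Test-AdfsPrerequisite
```

The duplicate-SPN case is the one to take seriously: the wizard only warns that the SPN is missing, it does not tell you that another account already holds it, and setspn -a will happily create the duplicate.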
Using PowerShell to install ADFS:-
#
# Windows PowerShell script for AD FS Deployment
#
Import-Module ADFS

# First farm node. The thumbprint is the imported service certificate, the
# service name must match a SAN entry on it, and the gMSA is given as
# DOMAIN\name$ (the backtick keeps the trailing $ literal inside the quotes).
Install-AdfsFarm `
    -CertificateThumbprint:"3C27DD6A78E2A0DC5F4366FBD0DAF8327036ED68" `
    -FederationServiceDisplayName:"Testlab ADFS" `
    -FederationServiceName:"ADFS.testlab.local" `
    -GroupServiceAccountIdentifier:"TESTLAB\gmsa_adfs`$"
Using PowerShell to add an additional ADFS farm node:-
#
# Windows PowerShell script for AD FS Deployment
#
Import-Module ADFS

# Additional node joining the WID farm: same certificate and gMSA as the
# first node, plus the primary node's computer name.
Add-AdfsFarmNode `
    -CertificateThumbprint:"3C27DD6A78E2A0DC5F4366FBD0DAF8327036ED68" `
    -GroupServiceAccountIdentifier:"TESTLAB\gmsa_adfs`$" `
    -PrimaryComputerName:"adfs1.testlab.local"
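Once Install-AdfsFarm or Add-AdfsFarmNode has finished, it is worth confirming that the service runs as the gMSA, that the node is part of the farm, that the HTTPS binding uses the intended certificate and that the federation metadata is served. The following is an added example (not the guide's own script); the service name and thumbprint are the guide's lab values, the expected node count and the function name are assumptions for the example. Run it on an ADFS server as an administrator.

```powershell
# Added example, not the guide's own script: post-install health check for a
# new farm or a newly added node. Defaults are the guide's lab values.
Import-Module ADFS

function Test-AdfsFarmHealth {
    param(
        [string]$FederationServiceName = 'adfs.testlab.local',
        [string]$ExpectedThumbprint    = '3C27DD6A78E2A0DC5F4366FBD0DAF8327036ED68',
        [int]$ExpectedNodeCount        = 1     # 2 after Add-AdfsFarmNode
    )
    $result = [ordered]@{}

    # Service must be running, and under the gMSA rather than a regular account.
    $svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
    $result.ServiceState   = $svc.State
    $result.ServiceAccount = $svc.StartName
    if ($svc.State -ne 'Running') { throw "adfssrv is $($svc.State)" }

    # Farm identity and membership as the farm itself sees it.
    $props = Get-AdfsProperties
    $farm  = Get-AdfsFarmInformation
    $result.HostName     = $props.HostName
    $result.DisplayName  = $props.DisplayName
    $result.FarmBehavior = $farm.CurrentFarmBehavior
    $result.NodeCount    = @($farm.FarmNodes).Count
    if ($props.HostName -ne $FederationServiceName) {
        Write-Warning "Service name is $($props.HostName), expected $FederationServiceName."
    }
    if ($result.NodeCount -ne $ExpectedNodeCount) {
        Write-Warning "Farm reports $($result.NodeCount) node(s), expected $ExpectedNodeCount."
    }

    # The HTTPS binding for the service name must use the intended certificate.
    $binding = Get-AdfsSslCertificate |
        Where-Object { $_.HostName -eq $FederationServiceName -and $_.PortNumber -eq 443 }
    $result.SslThumbprint = $binding.CertificateHash
    if ($binding.CertificateHash -ne $ExpectedThumbprint) {
        Write-Warning "Port 443 binding uses $($binding.CertificateHash), expected $ExpectedThumbprint."
    }

    # Metadata endpoint must answer over HTTPS; this also exercises name
    # resolution and the certificate chain. On a node the name may resolve to a
    # load balancer, so repeat the call from a client if the result is odd.
    $uri  = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing
    [xml]$meta = $resp.Content
    $result.MetadataEntityId = $meta.EntityDescriptor.entityID

    [pscustomobject]$result
}

Test-AdfsFarmHealth
```

A ServiceAccount value other than TESTLAB\gmsa_adfs$ here means the wizard fell back to a different identity, and a node count that stays at 1 after Add-AdfsFarmNode usually means the new node could not reach the primary (the -PrimaryComputerName value) over the WID synchronisation channel.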