Installing ADFS to Server Core (2016)
by Travis on Oct.03, 2016, under Tech Stuff
This post assumes you have already completed your installation of Windows Server 2016 and configured IP addressing, domain join, etc.
(This can easily be accomplished by running ‘sconfig.cmd’ when you first log in, so it’s not worth a full post.)
To get started, log in as a domain administrator for the system and complete the following commands at the prompt presented:
– ‘powershell’
– ‘Install-WindowsFeature ADFS-Federation’
This should install all necessary feature related items for ADFS on the system.
Another key component will be your SSL cert. Whatever you will be using, preferably a certificate for adfs.yourdomain.com or *.yourdomain.com, I recommend you export it with its private key in PFX format. Once that is done, copy the certificate PFX to the machine(s) and then execute the following:
– ‘certutil -importpfx <Path to certificate file>’
You can confirm your certificate installation and snag the thumbprint by executing the following:
– ‘dir cert:\LocalMachine\My’
If you’re setting up the first machine in a farm, execute the following commands.
(This method uses a domain user/service account):
– ‘$ADFSCred = Get-Credential’ (input the credentials for your service account)
– ‘Install-AdfsFarm -CertificateThumbprint <thumbprint> -FederationServiceDisplayName "Test Lab" -FederationServiceName "adfs.testlab.com" -ServiceAccountCredential $ADFSCred -OverwriteConfiguration’
(This method uses a group managed service account; the trailing $ is required):
– ‘Install-AdfsFarm -CertificateThumbprint <thumbprint> -FederationServiceDisplayName "Test Lab" -FederationServiceName "adfs.testlab.com" -GroupServiceAccountIdentifier <DOMAIN>\<serviceaccount>$ -OverwriteConfiguration’
Additionally, if you want to allow logins using an email address as the username, run the following:
– ‘Set-AdfsClaimsProviderTrust -TargetIdentifier “AD AUTHORITY” -AlternateLoginID mail -LookupForests domain.com’
This should get the initial setup of ADFS running for you on the main machine.
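The first-node procedure above, collected into one script as an added example (this is not code from the original post). It resolves the thumbprint from the certificate store instead of pasting it by hand, refuses to continue if the certificate has no private key or has expired, and verifies the ADFS service and properties after the install. The PFX path, the service name adfs.testlab.com, the display name and the gMSA TESTLAB\svc_adfs$ are placeholders to replace with your own values:

```powershell
# Added example: first ADFS 2016 node on Server Core, using a gMSA.
# Placeholders (substitute your own): PFX path, federation service name, display name, gMSA.
$ErrorActionPreference = 'Stop'

$PfxPath     = 'C:\certs\adfs.pfx'      # placeholder path to the exported PFX
$ServiceName = 'adfs.testlab.com'       # federation service FQDN (placeholder)
$DisplayName = 'Test Lab'
$Gmsa        = 'TESTLAB\svc_adfs$'      # gMSA; the trailing $ is required
$Domain      = $ServiceName -replace '^[^.]+\.', ''   # testlab.com

# 1. Role install (safe to re-run if the feature is already present).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null

# 2. Import the PFX into the machine store (PowerShell equivalent of certutil -importpfx).
$pfxPwd = Read-Host -AsSecureString 'PFX password'
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd | Out-Null

# 3. Pick the certificate from the store: must have a private key, must not be expired,
#    and the subject must match the service name or a wildcard for its domain.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Subject -like "CN=*.$Domain*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key found for $ServiceName" }
"Using certificate $($cert.Subject) thumbprint $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 4. Create the farm with the gMSA (no service-account password handled by the script).
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $ServiceName `
                 -FederationServiceDisplayName $DisplayName `
                 -GroupServiceAccountIdentifier $Gmsa `
                 -OverwriteConfiguration

# 5. Optional: allow the mail attribute as a login name (the post's Set-AdfsClaimsProviderTrust step).
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests $Domain

# 6. Post-install checks: service running, expected host name, expected SSL binding.
$svc = Get-Service adfssrv
if ($svc.Status -ne 'Running') { throw "adfssrv is $($svc.Status), expected Running" }
$props = Get-AdfsProperties
if ($props.HostName -ne $ServiceName) { throw "ADFS HostName is $($props.HostName), expected $ServiceName" }
"Federation service : $($props.HostName)"
"Sync role          : $((Get-AdfsSyncProperties).Role)"
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize
```

The certificate selection is the part worth keeping even if you type the rest by hand: a PFX exported without the private key imports cleanly but ADFS cannot use it, and the store filter catches that before Install-AdfsFarm fails half-way through.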
To add additional machines to the farm (up to four using WID), install all features, the SSL certificate, etc. as above; however, instead of installing the farm, you add a node. Execute this from each member node you wish to add, assuming SERVER1 is the name of the initial ADFS instance you set up and you’re running this on SERVER2.
(This method uses a domain user/service account):
– ‘$ADFSCred = Get-Credential’ (input the service account credentials you used above)
– ‘Add-AdfsFarmNode -ServiceAccountCredential $ADFSCred -PrimaryComputerName SERVER1 -CertificateThumbprint <thumbprint> -OverwriteConfiguration’
(This method uses a group managed service account; the trailing $ is required):
– ‘Add-AdfsFarmNode -GroupServiceAccountIdentifier <DOMAIN>\<serviceaccount>$ -PrimaryComputerName SERVER1 -CertificateThumbprint <thumbprint> -OverwriteConfiguration’
You should see a success message. If you do not, you can troubleshoot by testing out the farm configuration with the following commands:
– ‘$ADFSCred = Get-Credential’ (input the service account credentials)
– ‘Test-AdfsFarmJoin -ServiceAccountCredential $ADFSCred -PrimaryComputerName SERVER1’
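The node-join steps above as one script, added here as an example (not code from the original post). It runs Test-AdfsFarmJoin first, so a prerequisite problem (certificate, account, reachability of SERVER1) surfaces before anything is changed, and it confirms afterwards that the node reports itself as a secondary of SERVER1. Assumptions: the same PFX was already imported on this node, SERVER1 is the primary, the gMSA TESTLAB\svc_adfs$ is used, and the join result object exposes Status and Message properties (Success on success):

```powershell
# Added example: join a second Server Core node to the existing farm using a gMSA.
# Placeholders: primary server name, federation service name, gMSA.
$ErrorActionPreference = 'Stop'
$Primary     = 'SERVER1'
$ServiceName = 'adfs.testlab.com'
$Gmsa        = 'TESTLAB\svc_adfs$'
$Domain      = $ServiceName -replace '^[^.]+\.', ''

Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null

# Same certificate check as on the first node: private key present, not expired, subject matches.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Subject -like "CN=*.$Domain*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $ServiceName in LocalMachine\My" }

# Pre-flight: Test-AdfsFarmJoin performs the prerequisite checks without changing anything.
# (Assumed: the result object carries Status = 'Success' and a Message on failure.)
$test = Test-AdfsFarmJoin -GroupServiceAccountIdentifier $Gmsa `
                          -PrimaryComputerName $Primary `
                          -CertificateThumbprint $cert.Thumbprint
if ($test.Status -ne 'Success') {
    $test.Message
    throw 'Farm join prerequisites failed; fix the above before running Add-AdfsFarmNode'
}

Add-AdfsFarmNode -GroupServiceAccountIdentifier $Gmsa `
                 -PrimaryComputerName $Primary `
                 -CertificateThumbprint $cert.Thumbprint `
                 -OverwriteConfiguration

# Post-join checks: service up, and this node is a secondary that pulls config from SERVER1.
if ((Get-Service adfssrv).Status -ne 'Running') { throw 'adfssrv is not running after the join' }
$sync = Get-AdfsSyncProperties
if ($sync.Role -ne 'SecondaryComputer' -or $sync.PrimaryComputerName -notlike "$Primary*") {
    throw "Unexpected sync state: Role=$($sync.Role) Primary=$($sync.PrimaryComputerName)"
}
"Joined farm: Role=$($sync.Role) Primary=$($sync.PrimaryComputerName) LastSync=$($sync.LastSyncFromPrimaryComputerName)"
```

For the domain user/service account variant, replace -GroupServiceAccountIdentifier $Gmsa with -ServiceAccountCredential (Get-Credential) in both the Test-AdfsFarmJoin and Add-AdfsFarmNode calls.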
*** If you plan on migrating from 2012R2 to 2016, you will need to set your newly installed 2016 secondary as a primary.
From your secondary box, run the following command:
Set-AdfsSyncProperties -Role PrimaryComputer
You can then run the following to check its role:
Get-ADFSSyncProperties
If you have other secondary machines, make sure to update their configuration to point to the new primary:
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN of ADFS Primary Server>
Once you’ve verified your new machine is running as primary, remove the old instances from the farm with Remove-ADFSFarmNode.
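The promotion step, added here as an example (not from the original post), with the role checked before and after so the script stops if run on a node that is already primary or if the promotion did not take effect. The FQDN of the node being promoted is a placeholder:

```powershell
# Added example: promote a 2016 secondary to primary during a 2012 R2 -> 2016 migration.
# Run this on the 2016 node that is to become primary.
$ErrorActionPreference = 'Stop'
$NewPrimaryFqdn = 'server2.testlab.com'   # placeholder: FQDN of the node being promoted

$before = Get-AdfsSyncProperties
if ($before.Role -ne 'SecondaryComputer') {
    throw "This node reports role $($before.Role); only a secondary can be promoted here"
}
# Show when this node last pulled configuration from the old primary, so the operator can
# confirm the copy is current before it becomes the authoritative one.
"Current primary : $($before.PrimaryComputerName)"
"Last sync from  : $($before.LastSyncFromPrimaryComputerName) (status $($before.LastSyncStatus))"

Set-AdfsSyncProperties -Role PrimaryComputer

$after = Get-AdfsSyncProperties
if ($after.Role -ne 'PrimaryComputer') { throw "Promotion failed; role is still $($after.Role)" }
"This node is now the primary."

# Then, on each remaining secondary (run locally on that node, not here):
#   Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $NewPrimaryFqdn
#   (Get-AdfsSyncProperties).PrimaryComputerName   # should now report $NewPrimaryFqdn
```

Only one node in a WID farm may hold the primary role; repoint every remaining secondary before running Remove-ADFSFarmNode against the old instances, otherwise those secondaries keep polling a primary that no longer exists.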