travis' brain dump


Installing ADFS to Server Core (2016)

by on Oct.03, 2016, under Tech Stuff

This post assumes you have already completed your installation of Windows Server 2016 and configured IP addressing, domain join, etc.
(This can easily be accomplished by running 'sconfig.cmd' when you first log in, so it's not worth a full post.)

To get started, log in as a domain administrator for the system and run the following commands at the prompt presented:

– 'powershell'
– 'Install-WindowsFeature ADFS-Federation'

This installs all the feature components ADFS needs on the system.

Another key component is your SSL certificate. Whichever one you use (preferably a certificate for or *), I recommend exporting it with its private key in PFX format. Once that is done, copy the PFX to the machine(s) and run the following:

– 'certutil -importpfx <Path to certificate file>'

You can confirm the certificate was installed and grab its thumbprint by running:

– 'dir cert:\LocalMachine\My'
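The same import and check, scripted, as an added example (this is not code from the original post). It uses Import-PfxCertificate from the built-in PKI module instead of certutil, and verifies the things that commonly go wrong before the thumbprint is handed to Install-AdfsFarm: that the private key came across, that the certificate is not about to expire, and that its CN/SAN covers the federation service name. The PFX path, the service name and the idea of deleting the PFX afterwards are assumptions for the example.

```powershell
# Added example, not from the original post.
# Assumed values: the PFX was copied to C:\certs\adfs.pfx and the
# federation service will be reached at adfs.example.com.
$PfxPath     = 'C:\certs\adfs.pfx'      # assumed path
$ServiceFqdn = 'adfs.example.com'       # assumed federation service name
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import-PfxCertificate (PKI module) is the PowerShell equivalent of 'certutil -importpfx'.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $PfxPassword

# 1. The private key must be present; a public-only import passes 'dir cert:' but ADFS cannot use it.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without its private key"
}

# 2. Warn early on a certificate that is close to expiry.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter)"
}

# 3. The name clients use must match the CN or a SAN entry; a wildcard only covers one label.
$names   = @($cert.DnsNameList.Unicode)   # DnsNameList is an ETS property on X509Certificate2 in Windows PowerShell
$covered = $names | Where-Object {
    $_ -eq $ServiceFqdn -or
    ($_.StartsWith('*.') -and $ServiceFqdn.Substring($ServiceFqdn.IndexOf('.')) -eq $_.Substring(1))
}
if (-not $covered) {
    throw "Certificate names ($($names -join ', ')) do not cover $ServiceFqdn"
}

# Show the same view 'dir cert:\LocalMachine\My' gives, filtered to the new certificate.
Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object Thumbprint -eq $cert.Thumbprint |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey

# Keep the thumbprint for the farm install, and remove the PFX (it holds the private key) from disk.
$Thumbprint = $cert.Thumbprint
Remove-Item $PfxPath -Force
"Thumbprint for Install-AdfsFarm: $Thumbprint"
```

The wildcard check deliberately matches only a single label (so '*.example.com' covers 'adfs.example.com' but not 'a.b.example.com'), which is how TLS clients treat wildcard certificates.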

If you're setting up the first machine in a farm, run the following commands.

This method uses a domain user/service account:
– '$ADFSCred = Get-Credential' (input the credentials for your service account)
– 'Install-AdfsFarm -CertificateThumbprint:<thumbprint> -FederationServiceDisplayName:"Test Lab" -FederationServiceName:"" -ServiceAccountCredential $ADFSCred -OverwriteConfiguration'

This method uses a group managed service account (the trailing $ is required):
– 'Install-AdfsFarm -CertificateThumbprint:<thumbprint> -FederationServiceDisplayName:"Test Lab" -FederationServiceName:"" -GroupServiceAccountIdentifier <DOMAIN>\<serviceaccount>$ -OverwriteConfiguration'

Additionally, if you want to allow logins using an email address as the username, run the following:

– 'Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests'

This gets the initial ADFS setup running on the main machine.
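The first-node install with a gMSA, as an added example (not code from the original post), with two checks in front of it: that this host is actually allowed to retrieve the gMSA password, and a dry run with Test-AdfsFarmInstallation, which takes the same parameters as Install-AdfsFarm and reports problems without changing anything. The thumbprint placeholder, the service name adfs.example.com, the gMSA name EXAMPLE\gmsa-adfs$ and the forest name passed to -LookupForests are assumptions for the example.

```powershell
# Added example, not from the original post.
$Thumbprint  = '<thumbprint from dir cert:\LocalMachine\My>'  # placeholder: paste the real thumbprint
$ServiceFqdn = 'adfs.example.com'                             # assumed federation service name
$DisplayName = 'Test Lab'
$Gmsa        = 'EXAMPLE\gmsa-adfs$'                            # assumed gMSA; the trailing $ is required

# The AD cmdlets are not on Server Core by default; this feature name is the RSAT PowerShell module.
Install-WindowsFeature RSAT-AD-PowerShell | Out-Null

# Test-ADServiceAccount succeeds only if this computer is listed in the gMSA's
# PrincipalsAllowedToRetrieveManagedPassword, which is the usual cause of a failed install.
$gmsaName = $Gmsa.Split('\')[1].TrimEnd('$')
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "This host cannot retrieve the password for $Gmsa; fix the gMSA's allowed principals first"
}

# One parameter set, used for both the dry run and the real install.
$farmParams = @{
    CertificateThumbprint         = $Thumbprint
    FederationServiceName         = $ServiceFqdn
    FederationServiceDisplayName  = $DisplayName
    GroupServiceAccountIdentifier = $Gmsa
    OverwriteConfiguration        = $true
}

# Dry run: no changes are made. The result object carries Message/Context/Status like Install-AdfsFarm's.
$pre = Test-AdfsFarmInstallation @farmParams
if ($pre.Status -ne 'Success') {
    $pre | Format-List
    throw 'Pre-flight checks failed; fix the reported items before installing'
}

# Real install, then show the outcome.
Install-AdfsFarm @farmParams | Format-List Message, Context, Status

# Optional: allow sign-in with the mail attribute. -LookupForests takes the DNS names of the
# forests to search for the address; 'example.com' is an assumed value here.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests 'example.com'
```

Splatting the same hashtable into both cmdlets keeps the dry run and the install from drifting apart, which is the point of running the test first.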

To add additional machines to the farm (up to four using WID), install all features, the SSL certificate, etc. as above; however, instead of installing the farm, you add a node. Run this from each member node you wish to add, assuming SERVER1 is the name of the initial ADFS instance you set up and you're running this on SERVER2.

This method uses a domain user/service account:
– '$ADFSCred = Get-Credential' (input the service account credentials you used above)
– 'Add-AdfsFarmNode -ServiceAccountCredential $ADFSCred -PrimaryComputerName SERVER1 -CertificateThumbprint <thumbprint> -OverwriteConfiguration'

This method uses a group managed service account (the trailing $ is required):
– 'Add-AdfsFarmNode -GroupServiceAccountIdentifier <DOMAIN>\<serviceaccount>$ -PrimaryComputerName SERVER1 -CertificateThumbprint <thumbprint> -OverwriteConfiguration'

You should see a success message. If you do not, you can troubleshoot by testing the farm join with the following commands:

– '$ADFSCred = Get-Credential' (input the service account credentials)
– 'Test-AdfsFarmJoin -ServiceAccountCredential $ADFSCred -PrimaryComputerName SERVER1'

*** If you plan on migrating from 2012 R2 to 2016, you will need to set your newly installed 2016 secondary as the primary.

From your secondary box, run the following command:
Set-AdfsSyncProperties -Role PrimaryComputer

You can then run the following to check its role:

If you have other secondary machines, make sure to update their configuration to point at the new primary:
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN of ADFS Primary Server>

Once you've verified your new machine is running as primary, remove the old instances from the farm with Remove-AdfsFarmNode.
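The node join and the migration steps above, scripted end to end, as an added example (not code from the original post). It runs Test-AdfsFarmJoin before Add-AdfsFarmNode, confirms with Get-AdfsSyncProperties that the new node is a secondary that has synced from SERVER1, and only then promotes it and repoints the remaining secondaries over WinRM. The gMSA name, the thumbprint placeholder, the list of other secondaries and WinRM being enabled on those nodes are assumptions for the example.

```powershell
# Added example, not from the original post. Run on SERVER2, the node being added.
$Primary    = 'SERVER1'
$Thumbprint = '<thumbprint from dir cert:\LocalMachine\My>'  # placeholder: paste the real thumbprint
$Gmsa       = 'EXAMPLE\gmsa-adfs$'                            # assumed gMSA; the trailing $ is required

# --- Join the farm -------------------------------------------------------------
# Same checks Add-AdfsFarmNode performs, with no changes made; fail early on a bad result.
$join = Test-AdfsFarmJoin -GroupServiceAccountIdentifier $Gmsa -PrimaryComputerName $Primary
if ($join.Status -ne 'Success') {
    $join | Format-List
    throw 'Farm join pre-check failed; fix the reported items before adding the node'
}

Add-AdfsFarmNode -GroupServiceAccountIdentifier $Gmsa `
                 -PrimaryComputerName $Primary `
                 -CertificateThumbprint $Thumbprint `
                 -OverwriteConfiguration | Format-List Message, Context, Status

# Verify the role and that configuration has actually replicated from the primary.
$sync = Get-AdfsSyncProperties
if ($sync.Role -ne 'SecondaryComputer') { throw "Unexpected role after join: $($sync.Role)" }
"Secondary of $($sync.PrimaryComputerName); last sync $($sync.LastSyncFromPrimary) (status $($sync.LastSyncStatus))"

# --- Migration only: promote this 2016 node to primary ---------------------------
Set-AdfsSyncProperties -Role PrimaryComputer
if ((Get-AdfsSyncProperties).Role -ne 'PrimaryComputer') { throw 'Promotion did not take effect' }

# Repoint every other secondary at this host. Assumed: WinRM is enabled on those nodes.
$NewPrimaryFqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$OtherSecondaries = @('server3.example.com')                  # assumed list of remaining secondaries
Invoke-Command -ComputerName $OtherSecondaries -ArgumentList $NewPrimaryFqdn -ScriptBlock {
    param($NewPrimary)
    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $NewPrimary
    Get-AdfsSyncProperties
} | Select-Object PSComputerName, Role, PrimaryComputerName, LastSyncStatus
```

Checking Role and LastSyncStatus on every node after the repoint is the quick way to confirm the farm is consistent before the old instances are removed with Remove-AdfsFarmNode.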

