Installing ADFS on Windows Server 2012 R2

Captions
In this video I will be installing Active Directory Federation Services on Windows Server 2012 R2. In order to complete the install you need a certificate to use with Certificate Services. If you do not have Certificate Services installed on your network, see our previous video on how to install an enterprise CA for use with Active Directory Federation Services. This will provide basic certificate services allowing you to get Active Directory Federation Services running; however, in a production environment you will most likely deploy a more sophisticated certificate solution.

I will now change to my Windows Server 2012 R2 server and start the install of Active Directory Federation Services. To start the install, first of all I will open Server Manager. Once Server Manager is open, I will select the option Add Roles and Features. This will start the Add Roles and Features Wizard. Once past the welcome screen, I will select the default option, Role-based or feature-based installation. On the next screen I need to select the server that I want to install the Active Directory Federation Services role on. Once I have selected the server and moved on in the wizard, on the next screen I need to select the role Active Directory Federation Services. Once selected, I will move on to the Select Features screen. In this case I will not select any additional features and will move on to the next screen of the wizard. The next screen is the welcome screen for the Active Directory Federation Services part of the install. Once I skip past this screen I will get to the confirm selection screen. This screen will show me which roles and features are about to be installed; in this case only the one role is being installed. When I press Install, the Active Directory Federation Services role will be installed, which takes a minute or two to complete, so I will pause the video and return shortly.

Now that the install is complete, the next step is to configure Active Directory Federation Services. The Active Directory Federation Services wizard will ask for a certificate, so I first need to obtain the certificate from my enterprise CA. To do this I will right-click the Start menu, select Run and enter in MMC. The certificate admin tool does not appear in Server Manager, so it needs to be accessed using MMC. Once running, I need to select Add/Remove Snap-in from the File menu and then select Certificates from the list of available snap-ins. Once selected, when I press Add I will be prompted for the scope of certificates that I will want to look at. In this case I will select the option for Computer account, as the server itself will require this certificate. The next screen asks which computer you want to manage certificates on. In this case I will accept the default option of the local computer and then complete and exit the wizard.

If I expand down to the Personal folder under Certificates, this will show all the certificates created for that server. This is not the view that I want, so the view needs to be changed. To do this, right-click Personal and select Options under the View submenu. If this submenu does not appear, refresh the Personal folder, as the option may not appear if a refresh has not been performed. Once Options has been selected, I next need to tick the option Certificate purpose under Organize view mode by. Once I press OK, you will notice that the view has changed. The certificate that I want to create needs to go under the folder Server Authentication. To create a new certificate under Server Authentication, right-click Server Authentication and select Request New Certificate under the submenu All Tasks. Once selected, this will launch the Certificate Enrollment wizard. Once past the welcome screen, the next screen will ask which enrollment policy you want to use. In this case I've not created any additional enrollment policies, so I will leave it on the default option of Active Directory Enrollment Policy.

What enrollment does is allow the server to obtain a certificate automatically from a certificate authority with no administrator interaction. Also, the enrollment policy takes care of renewing the certificate or replacing it as required, taking all the hard work out of the process for the administrator. In this case I have used enrollment as it is a simple process to get Active Directory Federation Services going. For a better understanding of which certificates should be used and how they should be used, see our certificate course. Once I press Next, I will be able to select a certificate from the templates available on the CA. In the previous video I created this template, ADFS SSL Certificate; if you need to do this, please see our previous video on how to do so. Once the certificate is ticked, all I need to do is press Enroll and the server will obtain a certificate from the CA. The good thing with enrollment is that it will also keep the certificate up to date, renewing it and obtaining a new certificate if required. Once I press Finish, the certificate has been added to the local store, so I can now close MMC.

The next step is to configure Active Directory Federation Services, which I will do by selecting the exclamation mark and then selecting the option Configure the federation service on this server, which will launch the configuration wizard welcome screen. Notice the option Create the first federation server in a federation server farm is selected. In this case I do not have any existing federation servers on the network, so I will leave it on this option. Notice the second option, Add a federation server to a federation server farm. If you have an existing federation server on the network, you can combine these federation servers together to form a cluster. When these servers are in a cluster they will work together, meaning federation services will be available even if one of the federation servers were to fail. If you have used Active Directory Federation Services on a previous version of Windows Server, you will remember an option for standalone. This option would allow a single Active Directory Federation server to be installed which could not be added to a farm later on. This option has been removed in Windows Server 2012 R2.

Once I press Next on this screen, I will be asked which user I want to use to perform the configuration. In this case I am logged in to the server using a domain administrator account, so I will leave this user selected and move on. On the next screen I need to select which SSL certificate I want to use. You will notice in the drop-down box is the certificate that I obtained earlier using enrollment. I used enrollment as it is a simple way to get a certificate; however, you can also use the Import option if you are given a certificate in a file. At the bottom of the screen I need to enter in a user-friendly name for the federation service. This will be displayed to the end user, so choose a display name that is meaningful to the end user.

Once I move on to the next screen, a service account needs to be created to run Active Directory Federation Services with. Notice the warning message at the top of the screen. When I press Show More I can see the whole message. This is telling me that a PowerShell command needs to be run to create a KDS root key. A managed service account is one in which Windows manages the creation and passwords for the service account, rather than having the administrator have to worry about configuring a password for this account; Windows does this for you. In Windows Server 2012, in order for this to occur, a root key needs to be created and replicated to all domain controllers. This root key is used to generate passwords. By having the one root key, this helps managed service accounts that are being used on multiple systems to have the same password. This command runs in PowerShell but does require Active Directory tools to be installed on the server, which are not installed on this server. In order to run the PowerShell command, I will navigate back to Server Manager and select the option All Servers. This will only show NYDC1, which is a domain controller, which I will right-click on and select the option Windows PowerShell to launch an instance of Windows PowerShell on NYDC1. Once PowerShell has opened, I can now run the command, which should only take a couple of seconds to run. Once complete, the KDS root key will be created on this domain controller. This is an important fact to remember, as this domain controller will need to replicate this information to the other domain controllers in the domain. As a safety measure, domain controllers will wait up to 10 hours from when the key is created to ensure that you are able to answer password-related queries that relate to that key.

Now that the key has been created, I will exit out of here and go back to the configuration wizard. The option Create a Group Managed Service Account is grayed out, so I will press the Previous button and then the Next button to refresh the screen. Notice now I can select the option Create a Group Managed Service Account, and I will enter in the name FSGMSA, for Federation Services Group Managed Service Account. Once the name is entered, I will move on to the next screen. On this screen the wizard will ask if you want to use the Windows Internal Database or SQL Server. In this case I do not have a SQL Server configured on my network, so I will select the default option of Windows Internal Database and move on. The next screen will allow the administrator to review what is going to happen. In this case the Windows Internal Database is not installed on this system, so the wizard will also install this. The next screen will perform a prerequisites check. Notice a warning message has appeared about the managed service account. When a new KDS key is created, 10 hours must pass before Windows can start using it for managed service accounts. For this reason the Active Directory Federation Service may fail to start until 10 hours have passed. If you know that you are installing Active Directory Federation Services in the future and will be using a group managed service account, it is worth the time to run the PowerShell command in advance.

Once I press the Configure button, the server will be configured to run Active Directory Federation Services. This process does take a minute or so to complete, so I will pause the video and return shortly. Once the configuration is complete, notice that I get the same warning message telling me that the KDS root key has just been created and 10 hours need to elapse. If you attempt to run Active Directory Federation Services before then, the service may fail to start.

That's it. The basics of the Active Directory Federation Services install and configuration are now complete. In the upcoming videos I will look at how to use Active Directory Federation Services so you can start deploying it in your organization. I look forward to seeing you in those videos, and thanks for watching.
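The wizard steps in the captions above have PowerShell equivalents, and scripting them makes the KDS root key timing explicit rather than a warning you click past. The script below is an added example, not from the ITFreeTraining video: it installs the role, creates the KDS root key on the domain controller, autoenrolls the SSL certificate from the enterprise CA, runs the prerequisite check and configures the first farm node with a gMSA and the Windows Internal Database. NYDC1 and FSGMSA are the names used in the video; the domain CONTOSO (contoso.com), the federation service name fs.contoso.com, the display name and the template name ADFSSSLCertificate (the default template name for a template whose display name is "ADFS SSL Certificate") are assumptions for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the AD FS install shown in the video.
# Assumed values: domain CONTOSO/contoso.com, service name fs.contoso.com,
# template name ADFSSSLCertificate. NYDC1 and FSGMSA come from the video.
$FsName   = 'fs.contoso.com'
$FsDisplay = 'Contoso Corporation'
$Gmsa     = 'CONTOSO\FSGMSA$'
$Template = 'ADFSSSLCertificate'
$Dc       = 'NYDC1'

# 1. Install the role (the Add Roles and Features part of the video).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# 2. Create the KDS root key on the domain controller, the command the wizard
#    warning asks for. Run remotely because the AD cmdlets are not on the AD FS
#    server (requires WinRM to the DC). Production: create the key and wait
#    the 10 hours described in the video so every DC has replicated it.
#    Lab only: backdating the effective time 10 hours makes it usable at once.
Invoke-Command -ComputerName $Dc -ScriptBlock {
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # lab shortcut
    }
    Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime
}

# 3. Request the SSL certificate via Active Directory enrollment, the same as
#    Request New Certificate in the Certificates MMC. Subject and SAN must be
#    the federation service name that clients will resolve.
$enroll = Get-Certificate -Template $Template `
    -SubjectName "CN=$FsName" -DnsName $FsName `
    -CertStoreLocation Cert:\LocalMachine\My
if ($enroll.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($enroll.Status)"
}
$Thumbprint = $enroll.Certificate.Thumbprint

# 4. Prerequisite check, then configure the first server of a new farm.
#    -GroupServiceAccountIdentifier is the wizard's Create a Group Managed
#    Service Account option; omitting -SQLConnectionString selects WID.
#    Use a domain administrator account, as the video does.
$Cred = Get-Credential -Message 'Domain administrator for AD FS configuration'
Import-Module ADFS
Test-AdfsFarmInstallation -CertificateThumbprint $Thumbprint `
    -FederationServiceName $FsName `
    -GroupServiceAccountIdentifier $Gmsa -Credential $Cred

Install-AdfsFarm -CertificateThumbprint $Thumbprint `
    -FederationServiceName $FsName `
    -FederationServiceDisplayName $FsDisplay `
    -GroupServiceAccountIdentifier $Gmsa -Credential $Cred

# 5. Confirm the service is running under the gMSA. If the KDS key was created
#    less than 10 hours ago without backdating, adfssrv may fail to start here.
Get-Service adfssrv
Get-CimInstance Win32_Service -Filter "Name='adfssrv'" | Select-Object StartName, State
Get-AdfsProperties | Select-Object HostName, DisplayName
```

The backdated `-EffectiveTime` is only appropriate in a lab: it tells every domain controller the key is already valid, which is exactly the replication window the 10-hour wait exists to protect. In production, create the key with `Add-KdsRootKey -EffectiveImmediately` ahead of time, as the video recommends, and run the rest of the script once the wait has elapsed.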
Info
Channel: itfreetraining
Views: 118,653
Rating: 4.8984771 out of 5
Keywords: Installing ADFS, ITFreeTraining
Id: tAQ2n-bJ6Vs
Length: 12min 10sec (730 seconds)
Published: Fri Jan 08 2016