Wednesday, December 17, 2014

Office 365 - Hybrid Migration - Part 2: ADFS (installation and configuration of the role)

Let me clarify this from the start: I am using Windows Server 2012 R2 with ADFS version 3.0 and this makes a difference.

In previous versions of Windows Server / ADFS, we sometimes installed the role using the "Add Roles and Features" function within Windows Server and sometimes installed a downloaded version of ADFS.

With Windows Server 2012 R2, we will install ADFS as a role. At the time this blog post was composed, the version of ADFS that comes with Windows Server 2012 R2 was the latest version.

Preparation for ADFS does not require significant changes to Active Directory, unless you want to implement "Workplace Join" (I will not implement this feature here).  There is no extension to the schema, for example. You can see requirements for ADFS (and Workplace Join) in this Technet article:

AD FS Requirements

Having provided that link to the official documentation, I'll summarize some key points here:
  • ADFS servers must be domain members.
  • The domain functional level must be at Windows 2003 (native) at least.
  • As mentioned in the previous blog post, the name on the certificate should not be the name of the ADFS server itself (this can cause SPN problems).
  • We must create a service account for ADFS. It must have local administrator privileges on the ADFS server(s) but simple domain user status will suffice otherwise. Group managed service accounts can be used (optionally). In that case, there must be at least one Windows 2012 R2 domain controller.

Here is the procedure for installing the ADFS role on Windows Server 2012 R2...

First, we must import a trusted SSL certificate for communications between ADFS servers and clients and for communications between partner ADFS servers. This was accomplished in the previous blogpost.

Second, we must create a service account. I will create a "traditional" service account using the Active Directory Administrative Center (ADAC):

Note: of course, we can use Active Directory Users and Computers to create the service account as well, or even Powershell. ADAC is simply one option among several.

You can name the account what you want. In my case, I opted for:

Full name = ADFS SvcAcct
SamAccount Name = adfs-svcacct

As for service accounts in general, we do not want the password to expire. We can check the "User cannot change password" option as well.
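The same preparation in PowerShell, as an added example that is not part of the original post: it checks the requirements listed above (domain functional level, presence of a 2012 R2 domain controller if you intend to use a gMSA) and then creates the service account with the same settings as the ADAC screens (password never expires, user cannot change password). The domain mynet.lan, the OU path, the account name and the server name ADFS-1 are assumptions taken from this post; adjust them to your environment. It needs the ActiveDirectory module (RSAT) and, for the last step, WinRM access to the ADFS server.

```powershell
# Added example, not the original post's own steps. Assumed names:
# domain mynet.lan, OU "Service Accounts", account adfs-svcacct, server ADFS-1.
Import-Module ActiveDirectory

# 1. The domain functional level must be Windows 2003 (native) or higher.
$domain = Get-ADDomain
$tooLow = @('Windows2000Domain', 'Windows2003InterimDomain')
if ($tooLow -contains [string]$domain.DomainMode) {
    throw "Domain functional level $($domain.DomainMode) is too low for ADFS."
}
Write-Host "Domain functional level: $($domain.DomainMode)"

# 2. Only needed if you plan to use a group managed service account (gMSA):
#    at least one domain controller must run Windows Server 2012 R2.
$dc2012R2 = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -like '*2012 R2*' }
if (-not $dc2012R2) {
    Write-Warning 'No Windows Server 2012 R2 DC found: a gMSA is not an option, use a traditional account.'
}

# 3. Create the traditional service account. Prompting for the password keeps
#    it out of the script and out of the PowerShell history.
$password = Read-Host -Prompt 'Password for adfs-svcacct' -AsSecureString
New-ADUser -Name 'ADFS SvcAcct' `
    -SamAccountName 'adfs-svcacct' `
    -UserPrincipalName 'adfs-svcacct@mynet.lan' `
    -Path 'OU=Service Accounts,DC=mynet,DC=lan' `
    -AccountPassword $password `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true

# 4. Local administrator on the ADFS server only; the account stays a plain
#    domain user otherwise. (Add-LocalGroupMember does not exist on 2012 R2,
#    so the classic net command is used.)
Invoke-Command -ComputerName 'ADFS-1' -ScriptBlock {
    net localgroup Administrators 'MYNET\adfs-svcacct' /add
}

# 5. Show the result for the record.
Get-ADUser 'adfs-svcacct' -Properties PasswordNeverExpires, CannotChangePassword |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword
```

Because the password never expires, it should be long and random; it is only ever typed into the ADFS configuration wizard (or passed as a credential object, as in the farm example further down), never used interactively.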

Once this is completed (and the SSL certificate imported as shown in the previous post), we can install the ADFS role.


First, open Server Manager and select the "Add Roles and Features" link:

Select "Role-based or feature-based" installation:

Select the destination server (in my case, ADFS-1.mynet.lan):

Select the ADFS role:

Simply click on "Next" for Features (there is nothing to add here):

Some information on ADFS is provided:

We confirm the roles to be installed - and click on "Install":

ADFS is installed:


We will now create the first federation (ADFS) server in our server farm:

Note: there is no longer a "stand-alone" option. We have to create a federation server in a federation server farm, even if we only have one federation server and never intend to add another.

We select the account we will use to configure ADFS (I will use the current user).

Note: the account must be a member of the domain administrators group at least.

At this step, we select the SSL certificate imported during the previous post (note that we could have imported it directly here), the Federation Service Name and the Display Name.

The first part of the federation name is typically something like...
  • adfs
  • fs
  • sts (that means "security token service").

The display name should identify your organization.

Next, we select the service account. We must make it a member of the local administrators group on the ADFS server but simple membership in the domain users group is enough otherwise.

Note: there is an error because it cannot be determined if gMSA is available. Since we are not using Group Managed Service Accounts, we can ignore this error.

After selecting the account, I enter the password for the account:

ADFS uses a database. We can either create a database on a remote SQL server or install a Windows Internal Database on the ADFS server itself. We'll use this second option:

Our choices are summarized on this page (below):

The configuration assistant verifies certain pre-requisites. If the verification is successful, we can click on "Configure":

If all goes well, we should see this message:
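The role installation and the farm configuration above can also be done from PowerShell on the future federation server. This is an added example and not part of the original post; it reproduces the wizard's choices (first server of a new farm, certificate from the computer store, traditional service account, Windows Internal Database) and then verifies the result. The federation service name sts.mynet.lan, the display name and the account MYNET\adfs-svcacct are assumptions. Run it as a domain administrator on ADFS-1, as noted above for the wizard.

```powershell
# Added example, not the original post's own steps. Assumed values:
$fsName      = 'sts.mynet.lan'          # federation service name, NOT the server's hostname
$displayName = 'MyNet Corporation'      # what users see on the sign-in page
$svcAccount  = 'MYNET\adfs-svcacct'     # traditional service account created earlier

# 1. Install the role (equivalent of Server Manager > Add Roles and Features).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Guard against the SPN problem: the federation service name must differ
#    from the server's own FQDN, because ADFS registers HOST/<fsName> on the
#    service account and the computer account already owns HOST/<server fqdn>.
$serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($fsName -ieq $serverFqdn) {
    throw "Federation service name must not equal the server name ($serverFqdn)."
}

# 3. Find the SSL certificate imported in the previous post. It must carry the
#    federation service name and have its private key on this machine.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$fsName" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $fsName with a private key in LocalMachine\My." }
Write-Host "Using certificate $($cert.Thumbprint) ($($cert.Subject))"

# 4. Service account credential (prompted, never hard-coded).
$svcCred = Get-Credential -UserName $svcAccount -Message 'ADFS service account password'

# 5. Dry run of the prerequisite checks the wizard performs, then configure the
#    first node. No -SQLConnectionString means Windows Internal Database.
Test-AdfsFarmInstallation -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName $displayName `
    -ServiceAccountCredential $svcCred

Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName $displayName `
    -ServiceAccountCredential $svcCred

# 6. Verify: service properties, the SPN on the service account, and the
#    federation metadata endpoint answering over HTTPS.
Get-AdfsProperties | Select-Object HostName, Identifier, DisplayName
setspn -L $svcAccount
$metadata = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
(Invoke-WebRequest -Uri $metadata -UseBasicParsing).StatusCode
```

Step 6 only succeeds if $fsName resolves to this server (an internal DNS A record, or a hosts file entry for a first test) and the certificate chains to a CA the machine trusts; a 200 status with the metadata XML is the same "all went well" state the wizard reports, and the setspn output should list HOST/sts.mynet.lan on the service account rather than on the computer object.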

1 comment:

  1. For additional details, please refer to this article by Rhoderick Milne on Windows 2012 R2 and ADFS 3.0: