Active Directory Federation Services Install


I am currently charged with deploying Active Directory Federation Services to our Server 2008 R2 domain.

When I read over the documentation I feel I am left with more questions than answers. Does anyone have much more simplified, step-by-step documentation that explains better how to deploy it? I am not deploying any trust yet, as that comes after FS is stood up.

I have added a couple of virtual machines for the FS role (for an RMS cluster) and two DMZ proxy servers as well; however, the role itself being installed is clearly not enough to make it work. My focus on this question is just standing it up and that alone. I am looking for something easy to understand, something so easy a caveman can do it? :)

Any help is greatly appreciated. On the horizon it looks like Office 365 is going to be one thing using federation services; I know we have a current need to use AD FS SAML for something called Jive.

Thanks again!
Amit (IT Architect) commented:
Do you have any HLB?
smyers051972 (Author) commented:
This is my first deployment, please elaborate :)
Amit (IT Architect) commented:
I am asking about a hardware load balancer, as you implemented 2 proxy servers. What about the ADFS internal server: did you create a farm, or is it standalone?

What about ID provisioning? Are you planning for AD LDS?
smyers051972 (Author) commented:
OK, so no hardware load balancer. What I didn't get was why two servers each, since they are all VMs running under VMware in a cluster already, but the boss said to do it that way anyway.

I created two ADFS servers; on server1 I added the role and am stuck on the certificate portion currently. Server2 is just sitting there right now; nothing has been done to it at all yet.

Proxy1 and Proxy2 have also been left untouched right now.

As for AD LDS, it may be used in SAML for this Jive authentication; they use SAML/AD FS authentication to access their site. It would essentially use our AD accounts to manage who is authorized to access their site.

Hope that helps you help me :)

Again, this is my FIRST deployment.
smyers051972 (Author) commented:
When I look at this video I don't have the same certificate either:

This is mind boggling; my focus though is just standing up the SSO services, not to pair with anything yet.
Amit (IT Architect) commented:
The purpose of 2 ADFS proxies and 2 ADFS servers is high availability, which can be achieved using a load balancer.

I suggest you hire an ADFS consultant, as it is a complex task and requires some design and implementation skills.
smyers051972 (Author) commented:
They will not let me do that, so I am seeking assistance; something bulleted would help me, just to stand up AD FS itself and get it talking to the proxies.
smyers051972 (Author) commented:
OK, just as a follow-up, what I am seeking is only a step-by-step understanding of AD FS. I am not able to hire a consultant, which is why I am here.

Any help is greatly appreciated. Here is the example layout for our AD FS install:

adfs1.domain.local (1st internal AD FS server)
adfs2.domain.local (2nd internal AD FS server for load balancing)

adfsdmzpxy1 (1st DMZ proxy server)
adfsdmzpxy2 (2nd DMZ proxy server for load balancing)

We do not have a hardware load balancer; we would use RMS clustering (I believe).

Thanks again and I appreciate any help.
smyers051972 (Author) commented:
Also, this is the document I followed:

It seems incomplete; my tests don't seem to be working.
footech commented:
If you're setting this up for Office 365, then here's the guide from MS.

Here's a portion of my notes from when I had to do this.
3) ADFS install
a. Install AD FS 2.0 (not from Server Manager > Roles, which is AD FS 1.0). This will also add the prerequisites (.NET Framework 3.5 SP1, IIS, Windows Identity Foundation). Do not run the configuration wizard.
b. Apply AD FS 2.0 Update Rollup 3.
c. Install the certificate into the IIS default site. Use a .pfx file with the private key.
d. Run the AD FS configuration wizard. Select the option to create a farm. The name for the federation service will need to have a DNS record created for it in internal records (and the same name used for external records to support the ADFS proxy), so use something that is externally accessible (i.e. a name that is/will be resolvable from the internet).

h. Install AD FS 2.0 on the proxy machine, performing steps a-d above. When installing, you choose the role (federation server, or federation server proxy). Also, the configuration wizard is different depending on which role you chose.
To support the proxy in the DMZ, the firewall must allow inbound traffic on TCP port 443 to the proxy, and TCP 443 from the proxy to the internal ADFS. The proxy must also resolve the name of the federation service to the internal ADFS IP – if the DNS servers the proxy uses don't have this information, use the HOSTS file.
4) Create DNS record(s) for the federation service
a. In order to support the federation server proxy, there must be a record in public DNS for internet clients to resolve.
b. Internally, the record should resolve to the federation server (or the virtual IP for the NLB cluster).

Can't really help you with any of the load-balancing stuff.
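The notes above leave four things to get right before a trust can work: the certificate and its private key in the IIS default site, the federation service name resolving to the internal farm on both the members and the proxies, TCP 443 open along that path, and the federation service actually answering over HTTPS. The following script is an added example that is not code from the thread, from footech or from Microsoft; it checks each of those after the steps are done. The federation service name sts.domain.com and the internal farm/VIP address 10.0.0.50 are assumptions for the sake of the example. It uses only PowerShell 2.0 constructs because the hosts in question are Server 2008 R2.

```powershell
# Added example, not code from the thread or from Microsoft: checks the state
# footech's steps c, d, h and 4 leave behind. Assumed values (not from the
# thread): federation service name sts.domain.com, internal farm/VIP 10.0.0.50.
# Written with PowerShell 2.0 constructs only, since the hosts are 2008 R2.
# Run on adfs1/adfs2 as-is; run with -IsProxy on adfsdmzpxy1/adfsdmzpxy2.
param(
    [string]$FederationServiceName = 'sts.domain.com',   # assumption
    [string]$ExpectedInternalIP    = '10.0.0.50',        # assumption: farm VIP
    [switch]$IsProxy
)

$results = @()
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

# 1. Name resolution (steps 4b and h): on the farm members and on the proxies
#    the federation service name must resolve to the internal farm address,
#    never to the public address of the proxies themselves.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($FederationServiceName) | ForEach-Object { $_.IPAddressToString }
    Add-Result 'FS name resolves to internal farm IP' ($addrs -contains $ExpectedInternalIP) ('resolved to ' + ($addrs -join ', '))
} catch {
    Add-Result 'FS name resolves to internal farm IP' $false $_.Exception.Message
}

# On a proxy the DMZ DNS usually cannot answer with the internal address, so
# footech's note falls back to the HOSTS file; report whether an entry exists.
if ($IsProxy) {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $pattern   = '^\s*\d+\.\d+\.\d+\.\d+\s+' + [regex]::Escape($FederationServiceName) + '(\s|$)'
    $found     = [bool](Select-String -Path $hostsPath -Pattern $pattern -Quiet)
    Add-Result 'HOSTS entry for FS name on proxy' $found "checked $hostsPath"
}

# 2. TCP 443 reachability (firewall rule proxy -> internal ADFS, or client -> VIP).
function Test-Tcp443([string]$HostName) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $iar = $client.BeginConnect($HostName, 443, $null, $null)
        if (-not $iar.AsyncWaitHandle.WaitOne(3000, $false)) { return $false }
        $client.EndConnect($iar)
        return $true
    } catch { return $false } finally { $client.Close() }
}
Add-Result 'TCP 443 open to FS name' (Test-Tcp443 $FederationServiceName) ''

# 3. Service communications certificate (step c): in LocalMachine\My, with its
#    private key, and issued for the federation service name (CN or SAN).
function Get-FsCertificate {
    $name = [regex]::Escape($FederationServiceName)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $san = ($_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
                ForEach-Object { $_.Format($false) }) -join ' '
        $_.HasPrivateKey -and (($_.Subject -match "CN=$name") -or ($san -match "DNS Name=$name"))
    } | Select-Object -First 1
}
$cert = Get-FsCertificate
if ($cert) { $detail = "thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)" } else { $detail = 'not found' }
Add-Result 'Cert with private key for FS name' ($cert -ne $null) $detail

# 4. The certificate HTTP.SYS serves on 0.0.0.0:443 (the IIS binding the AD FS
#    wizard reads) must be that same certificate.
$sslInfo = (netsh http show sslcert ipport=0.0.0.0:443 2>&1) -join "`n"
$bound = $null
if ($sslInfo -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') { $bound = $Matches[1] }
Add-Result 'IIS 443 binding uses FS cert' (($cert -ne $null) -and ($bound -ne $null) -and ($bound -ieq $cert.Thumbprint)) "bound thumbprint: $bound"

# 5. Federation metadata over HTTPS. Success proves name, certificate chain and
#    service all line up for this client; a chain or name-mismatch error here is
#    what the proxy and any relying party (Jive, Office 365) would hit as well.
$metaUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $wc  = New-Object System.Net.WebClient
    $xml = [xml]$wc.DownloadString($metaUrl)
    Add-Result 'Federation metadata reachable over HTTPS' $true ('entityID ' + $xml.EntityDescriptor.entityID)
} catch {
    Add-Result 'Federation metadata reachable over HTTPS' $false $_.Exception.Message
}

$results | Format-Table Check, Passed, Detail -AutoSize -Wrap
```

Run it on each farm member after step d and on each DMZ proxy with -IsProxy after step h. The metadata check is deliberately left with certificate validation on: if it fails with a trust or name-mismatch error, the certificate from step c does not match the name chosen in step d (or its chain is not trusted on that box), and the proxy wizard and any relying party will fail the same way.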

smyers051972 (Author) commented:
@footech - Thanks to your documentation I got through most of it. A question, however: I have 2 servers in the farm; how do I set up the virtual IP for the redundant cluster, with no HLB involved? If you know how to lay this out for me, let me know. I will be accepting your response above and can open a new question for you to answer this one fully too.

footech commented:
All I can speak to is the NLB built in to Windows, and even there my details are a little fuzzy. It was pretty straightforward to create the NLB cluster and its virtual IP. In DNS make sure you create/modify the A record (with the same name that you named your federation service during setup) so it points at that virtual IP. That was all I had to do.
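The two things footech describes, the Windows NLB cluster with its virtual IP and the internal A record pointing the federation service name at that VIP, can be done from PowerShell on the first farm member. The script below is an added example and is not footech's or Microsoft's code. Its values are assumptions chosen for the example: NIC name 'Local Area Connection' on both members, VIP 10.0.0.50/24, federation service name sts.domain.com held in an internal copy of the zone domain.com on DNS server dc1.domain.local, and WinRM enabled on adfs2 so the NLB feature can be installed there remotely. The host names adfs1/adfs2 are the ones listed earlier in the thread.

```powershell
# Added example, not footech's or Microsoft's code: the Windows NLB cluster and
# DNS record footech describes, done from PowerShell on the first farm member.
# Assumed values (not from the thread): NIC name 'Local Area Connection',
# VIP 10.0.0.50/24, federation service name sts.domain.com in an internal copy
# of zone domain.com on DNS server dc1.domain.local. Requires 2008 R2 (ships
# the NLB PowerShell module), domain admin rights and WinRM enabled on adfs2.
$Nic        = 'Local Area Connection'   # assumption: same NIC name on both members
$Vip        = '10.0.0.50'               # assumption
$Mask       = '255.255.255.0'
$FsName     = 'sts.domain.com'          # assumption: the name chosen in the AD FS wizard
$SecondNode = 'adfs2'
$DnsServer  = 'dc1.domain.local'        # assumption: DNS server hosting the internal zone
$Zone       = 'domain.com'
$Record     = 'sts'

# The NLB feature (and with it the NetworkLoadBalancingClusters module) must be
# present on both members before the second one can be added.
Import-Module ServerManager
Add-WindowsFeature NLB | Out-Null
Invoke-Command -ComputerName $SecondNode -ScriptBlock {
    Import-Module ServerManager; Add-WindowsFeature NLB | Out-Null
}
Import-Module NetworkLoadBalancingClusters

# Create the cluster on this member. Multicast sidesteps the shared cluster MAC
# that makes unicast NLB awkward on virtual switches, but the upstream router
# then needs a static ARP entry for the VIP; VMware documents the port-group
# settings each mode needs, so match this to what the vSphere admin configured.
$cluster = New-NlbCluster -InterfaceName $Nic -ClusterName $FsName `
    -ClusterPrimaryIP $Vip -SubnetMask $Mask -OperationMode Multicast

# Replace the default catch-all port rule with HTTPS only. Single (client IP)
# affinity keeps a client on the same member for its session, the conservative
# choice for a first deployment.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol Tcp -Mode Multiple -Affinity Single | Out-Null

# Join the second member; NLB copies the port rules to it.
$cluster | Add-NlbClusterNode -NewNodeName $SecondNode -NewNodeInterface $Nic | Out-Null

# Step 4b from the earlier notes: the internal A record for the federation
# service name points at the VIP, not at either member. dnscmd ships with the
# 2008 R2 DNS role; run it against the server that holds the zone.
dnscmd $DnsServer /RecordAdd $Zone $Record A $Vip

# Verify: both members should report Converged, and the name must resolve to the VIP.
Get-NlbClusterNode
[System.Net.Dns]::GetHostAddresses($FsName) | ForEach-Object { $_.IPAddressToString }
```

If the internal DNS servers do not host the external zone at all, create a zone for just the federation service name instead (dnscmd $DnsServer /ZoneAdd sts.domain.com /DnsPrimary) and add the A record at its root (dnscmd $DnsServer /RecordAdd sts.domain.com @ A 10.0.0.50); internal clients then get the VIP while the public record keeps pointing at the proxies.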
smyers051972 (Author) commented:
OK, I'll open a case. I am still having issues with AD FS, which I'll open a new issue for; the one solution above helped me get it stood up... Thanks so much!!! 2x new issues coming your way, keep an eye out :)
smyers051972 (Author) commented:
VERY helpful. Still having AD FS issues, but this was to just get it stood up and this did do that job.

Thank you!