?
Solved

Windows 2012 R2 ADFS Farm

Posted on 2016-11-12
3
Medium Priority
?
151 Views
Last Modified: 2016-11-13
ADFS is already setup in our environment and we would like to add another server for redundancy. From what I have read you can use a gMSA service account or domain user. We are not running any Windows 2012 R2 DC's yet but is there any downsides of using the domain user account now then changing it later on.  Also but services in the farm will be able to sync their configs correct? We have a lot of claim rules and would had to recreate them. Some of my coworkers think this will only work with a gMSA which I believe to be incorrect?

https://msdn.microsoft.com/en-us/library/azure/dn528860.aspx
0
Comment
Question by:compdigit44
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 41885464
Its not mandatory to use GMSA account to setup 2012 R2 Adfs for any scenarios including setup Adfs for device registration / workplace join etc.
Adfs will work with standard service account as well
GMSA resolves normal service account issues like account lockout, forgotten password etc as its password is nothing but auto generated machine password and its update automatically without user intervention as opposed to standard service account

You can use GMSA as long as you have 2012 AD schema and at least one domain controller running on 2012 server version
https://technet.microsoft.com/en-us/library/jj128431(v=ws.11).aspx

You may use standard AD account as Adfs service account now and later on can change it to GMSA when you got 2012 / 2012 r2 domain controllers, you need to change below settings while changing Adfs service account

You need to change Adfs service account on primary adfs server 1st
Then change it on 2ndary Adfs servers one by one
Logon to Adfs proxy servers and ensure they are able to talk to Adfs server, if there are any issues, you can set below registry on those servers
Path: HKLM\Software\Microsoft\ADFS and navigate to ProxyConfigurationStatus and set its value to 1
This will allow to reconfigure Adfs proxy wizard and within minutes you will be back in business
https://blogs.technet.microsoft.com/rmilne/2015/04/20/adfs-2012-r2-web-application-proxy-re-establish-proxy-trust/

Apart from above no claim rules will break and all Adfs configuration including sync will be synced across all Adfs servers from primary to secondary if you using Windows Internal Database (WID) or across all primary Adfs servers if you use full SQL server as database where all Adfs servers act as primary
Changing service account won't delete any rules / change any Adfs configuration

Mahesh.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41885576
Thank you very much. Can you  send me a link to a document stat that a regular  domain user account can be used the changed to a gMsa later on. Also there are no issue sync the ADFS  services when using a domain user account correct?
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 41885606
There is no link for that because in case if that is issue, then definitely MS would have provided link regarding precautionary measure
KB articles / hotfixes would be there in case any issues

Check below article
https://msdn.microsoft.com/en-us/library/azure/dn528860.aspx - it allows both service accounts and GMSA

Yes, there are no issues for Adfs sync process before or later changing service accounts as long as you do it on all servers starting from primary

Mahesh
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question