
Microsoft Lync Server 2013 : Lync Online and Hybrid Deployments - AD FS Deployment for SSO (part 1) - Configuring the First Federation Server in the Farm

11/28/2013 2:42:52 AM

1. Preparing Systems for AD FS

Systems that are planned for the federation server role should be fully patched and joined to the domain before AD FS installation. Systems that are planned for the federation server proxy role should be patched and then connected to a DMZ subnet as a workgroup member. If multiple servers will be used for resiliency, the load-balancing configuration should also be completed before AD FS installation on both federation server and federation server proxy systems. Although any load-balancing solution can be used with AD FS, this section provides guidelines for the configuration of Windows NLB for use with AD FS, since this is a very common solution.

Following are some guidelines regarding the installation of NLB in preparation for AD FS:

• The NLB feature is integrated with both the Standard and Enterprise Editions of Windows Server 2008 and Windows Server 2008 R2; therefore, it simply needs to be installed from the list of available Windows features, and typically Standard Edition is fine for this purpose.

• Two network adapters are typically recommended for each NLB node, although this is not required. The second adapter allows for one adapter to be dedicated for NLB functions, while the other adapter can be used for other network functions.

• NLB is not supported for use with DHCP; therefore, a static IP address must be applied to a system before NLB is installed.

• A cluster IP address must be selected as the virtual IP that is shared by every member of the NLB cluster. The IP address must be unique within the environment, and will be used to receive traffic destined for the federation service.

• The cluster operation mode can be specified as either unicast or multicast. While either mode can work, multicast is often recommended when NLB is installed on virtual machines, because it tends to reduce the complexity involved in ensuring that traffic flows properly through the virtualization environment.

• The default port rules configuration specifies load balancing for all ports. For a federation server cluster, the default port rule can be modified to configure load balancing for only ports 80 and 443, because these are the only ports that will be used by the federation service. For a federation server proxy cluster, only port 443 is required.
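Putting these guidelines together, the following is an added PowerShell example (not code from the original article) that builds a two-node NLB cluster for the federation server role on Windows Server 2008 R2. It refuses to continue if the cluster adapter still uses DHCP, creates the cluster in multicast mode, replaces the default all-ports rule with rules for 80 and 443 only (443 only when the role is the proxy), and joins the second node. The node names ADFS01/ADFS02, the adapter name "NLB", the cluster IP 10.0.0.50/24 and the cluster name sts.contoso.com are assumptions for illustration.

```powershell
# Added example, not from the original article. Assumed names: nodes ADFS01 (this host) and
# ADFS02, a dedicated adapter named "NLB" on each, cluster VIP 10.0.0.50/24, name sts.contoso.com.
Import-Module ServerManager
Add-WindowsFeature NLB | Out-Null                     # NLB feature, needed on every node
Import-Module NetworkLoadBalancingClusters

$role       = 'FederationServer'                      # 'FederationServerProxy' for the DMZ cluster
$nlbNic     = 'NLB'                                   # adapter dedicated to cluster traffic
$vip        = '10.0.0.50'
$mask       = '255.255.255.0'
$clusterDns = 'sts.contoso.com'
$secondNode = 'ADFS02'

# NLB is not supported with DHCP: stop unless the cluster adapter has a static address.
$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$nlbNic'"
if (-not $adapter) { throw "No adapter named '$nlbNic' on this host" }
$ipcfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
if ($ipcfg.DHCPEnabled) { throw "Adapter '$nlbNic' uses DHCP; assign a static address first" }

# Create the cluster on this (first) node. Multicast keeps traffic flow simple on virtual hosts.
New-NlbCluster -InterfaceName $nlbNic -ClusterName $clusterDns -ClusterPrimaryIP $vip `
    -SubnetMask $mask -OperationMode Multicast | Out-Null

# Replace the default "all ports" rule with only the ports the federation service uses.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
$ports = if ($role -eq 'FederationServer') { @(80, 443) } else { @(443) }
foreach ($p in $ports) {
    # Mode Multiple spreads load across nodes; Single affinity is the NLB default and keeps a
    # client on the same node for the life of its connection.
    Add-NlbClusterPortRule -StartPort $p -EndPort $p -Protocol Tcp -Mode Multiple -Affinity Single | Out-Null
}

# Join the second node (it must already have the NLB feature and a static address on "NLB").
Add-NlbClusterNode -NewNodeName $secondNode -NewNodeInterface $nlbNic | Out-Null

# Review what was built: node state and the port rules that remain.
Get-NlbClusterNode     | Format-Table Name, State, HostPriority -AutoSize
Get-NlbClusterPortRule | Format-Table StartPort, EndPort, Protocol, Mode, Affinity -AutoSize
```

Run it on the first node; the second node only needs the NLB feature and its own static address before `Add-NlbClusterNode` is called. Leaving the default all-ports rule in place would load-balance every service on the host, including RDP and any management listeners, so the rule replacement is worth checking in the final `Get-NlbClusterPortRule` output.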

An additional requirement before running the AD FS Configuration Wizard is the installation of the SSL certificate that will be used as the Server Authentication (service communications) certificate. The certificate must be issued by a CA that is trusted by all the client systems that will connect to AD FS, which in practice means a public CA, since external clients and Microsoft's online services do not trust an internal CA; its subject name (or a subject alternative name) must be the federation service FQDN. Because every federation server in a farm uses the same certificate, request it with an exportable private key so that it can be copied to the other farm members. After the certificate is installed into the local computer certificate store on a federation server, it must be bound to the Default Web Site in IIS; once bound, it is discovered automatically by the AD FS 2.0 Federation Server Configuration Wizard.


Tip

If a Lync hybrid deployment is planned, the subject name of the server authentication certificate will instead need to be sts.<SIPdomain>, where <SIPdomain> is the DNS domain that will be split across the Lync Online and Lync on-premise deployments.
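The certificate preparation above, as an added PowerShell example that is not from the original article: it imports the PFX into the computer store with an exportable key (needed so the same certificate can be copied to the other farm members), checks the things the wizard will not check for you (private key present, chain builds on this host, the name covers the federation service FQDN, not about to expire), and then binds it to the Default Web Site on 443. The PFX path C:\certs\sts.pfx and the name sts.contoso.com (the sts.<SIPdomain> form used for a Lync hybrid deployment) are assumptions.

```powershell
# Added example, not from the original article. Assumptions: the PFX is at C:\certs\sts.pfx
# and the federation service name is sts.contoso.com (sts.<SIPdomain> for Lync hybrid).
$fqdn    = 'sts.contoso.com'
$pfxPath = 'C:\certs\sts.pfx'
$pfxPwd  = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into LocalMachine\My. Exportable matters: every node of an AD FS farm must hold this
# same certificate and private key, so it has to be exportable for the other nodes.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable, MachineKeySet, PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $pfxPwd, $flags
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadWrite'); $store.Add($cert); $store.Close()

# Checks worth doing before the AD FS configuration wizard ever sees the certificate.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
if (-not $cert.Verify())      { throw 'Certificate chain does not build on this host (missing intermediate or untrusted CA?)' }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$names  = @($cert.Subject) + @($sanExt | ForEach-Object { $_.Format($true) })
if (-not ($names -match [regex]::Escape($fqdn))) { throw "Certificate does not name $fqdn in its subject or SAN" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

# Bind it to the Default Web Site on 443; the AD FS 2.0 wizard discovers the certificate from this binding.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }               # replace any previous certificate
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $sslPath | Out-Null

# What IIS will now present on 443 (thumbprint and site).
Get-Item $sslPath | Format-List Thumbprint, Sites
```

The chain check (`Verify()`) is the one most often skipped: a public certificate whose intermediate CA is not installed on the server will import and bind without complaint, and clients then fail TLS negotiation against the federation service.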

2. Preparing the Network for AD FS

After the NLB cluster has been created, DNS records must be created manually: an internal A record for the federation service FQDN pointing to the cluster IP of the federation servers and, if AD FS will be available externally, an external A record for the same name pointing to the public address of the federation server proxy cluster (split DNS, since the one name resolves differently inside and outside the network). Firewalls must then allow TCP 443 from the Internet to the proxy cluster and TCP 443 from the proxy servers to the internal federation server cluster.

If a dedicated service account will be used for AD FS, as required for a multiple-server deployment, the account must be created before the initial configuration of AD FS. The service account does not require any particular rights in the AD domain; however, it must be a member of the local Administrators group on each federation server. It should be used for nothing else, and it needs a HOST/<federation service FQDN> service principal name: the configuration wizard registers that SPN when it is run by an account allowed to write SPNs (for example, a domain admin), and if the wizard reports that it could not, the SPN must be registered manually with setspn before clients can authenticate to the federation service.
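The network and account preparation in this section, as an added PowerShell example (not from the original article) for Windows Server 2008 R2: it adds the internal DNS record, creates the dedicated service account with a non-expiring password and no extra group membership, registers the HOST SPN for the federation service name, opens only the ports the federation service uses on the host firewall, and verifies the result. The domain contoso.com (NetBIOS CONTOSO), the name sts.contoso.com, the cluster IP 10.0.0.50, the DNS server DC01, the internal subnet 10.0.0.0/24 and the account name svc_adfs are all assumptions.

```powershell
# Added example, not from the original article. Assumptions: AD domain contoso.com (NetBIOS
# CONTOSO), federation service sts.contoso.com, internal NLB VIP 10.0.0.50, DNS server DC01,
# internal server subnet 10.0.0.0/24, service account svc_adfs.
Import-Module ActiveDirectory
$zone = 'contoso.com'; $label = 'sts'; $fqdn = "$label.$zone"
$internalVip = '10.0.0.50'; $dnsServer = 'DC01'; $internalNet = '10.0.0.0/24'
$svc = 'svc_adfs'; $netbios = 'CONTOSO'

# 1. Internal DNS: the federation service name resolves to the federation server cluster IP.
#    (Add-DnsServerResourceRecordA is Windows Server 2012+, so use dnscmd on 2008 R2.)
& dnscmd $dnsServer /RecordAdd $zone $label A $internalVip
# The public zone gets the same name pointed at the proxy cluster's public address; that is
# done at the external DNS provider and is not shown here.

# 2. Dedicated service account: no interactive use, no group membership beyond Domain Users.
$svcPwd = Read-Host -Prompt "Password for $svc" -AsSecureString
New-ADUser -Name $svc -SamAccountName $svc -UserPrincipalName "$svc@$zone" -AccountPassword $svcPwd `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'AD FS 2.0 federation service account'

# 3. Register the HOST SPN for the federation service name. The AD FS wizard does this itself
#    when run by an account allowed to write SPNs; setspn -S refuses to create a duplicate.
& setspn -S "HOST/$fqdn" "$netbios\$svc"

# 4. Host firewall on each federation server: 443 from clients and the proxy, 80 only from the
#    internal server subnet (the NLB port rule includes it for the federation servers).
netsh advfirewall firewall add rule name="AD FS HTTPS" dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="AD FS HTTP internal" dir=in action=allow protocol=TCP localport=80 remoteip=$internalNet
# A federation server proxy needs only the 443 rule.

# Verify: the name resolves to the VIP and the SPN is on the account.
[System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
Get-ADUser $svc -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames
```

A duplicate HOST SPN (for example, left behind on a decommissioned server's computer account) is a common cause of Kerberos failures against the federation service, which is why `setspn -S` rather than `setspn -A` is used: it searches the forest for the SPN before adding it.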

3. Installing AD FS Software

The AD FS 2.0 software can be downloaded from the Microsoft download site, and is used for both the federation server and the federation server proxy systems. Installation of the AD FS 2.0 software can be performed either via the setup wizard or via the command line. Use the following procedure to install the AD FS 2.0 software using the setup wizard:

1. Log on to the server using an account with local administrator rights.

2. Use Windows Explorer to navigate to the location where the AD FS 2.0 installation file was saved, and double-click on the AdfsSetup.exe setup file.

3. At the Welcome to the AD FS 2.0 Setup Wizard page, click Next.

4. At the End User License Agreement page, read the license terms; then, if you agree to the license terms, select the I Accept the Terms in the License Agreement check box, and click Next.

5. At the Server Role page, select the role that this system will be used for, either Federation Server or Federation Server Proxy. Click Next.

6. At the Install Prerequisite Software page, click Next to begin the software installation.

7. After all software prerequisites have been installed, the Completed the AD FS 2.0 Setup Wizard page appears. Verify that the Restart Now check box is selected, and then click Finish to restart the computer and complete the installation.

After the system is back online, the Federation Server Configuration Wizard automatically starts, as described in the next section. The latest hotfixes for AD FS should also be downloaded and installed at this point. Similar to other Microsoft products, update rollups are periodically released to consolidate a number of individual hotfixes into one installation package. The most recent update rollup for AD FS 2.0 should be installed on each system.
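The command-line installation mentioned above, as an added PowerShell example (not from the original article). It checks the Authenticode signature on the installer and the update rollup before running either, installs the software unattended for the chosen role, and, after the reboot, applies the rollup and confirms the product is present. The paths C:\Install\AdfsSetup.exe and C:\Install\AdfsRollup.msu are assumptions; the /quiet, /proxy and /LogFile switches are the AD FS 2.0 setup's own unattended options as documented by Microsoft, and should be confirmed against the AD FS 2.0 deployment guide for the build in use.

```powershell
# Added example, not from the original article. Assumptions: installer at C:\Install\AdfsSetup.exe,
# current AD FS 2.0 update rollup at C:\Install\AdfsRollup.msu, install log at C:\Install\AdfsSetup.log.
$setup   = 'C:\Install\AdfsSetup.exe'
$rollup  = 'C:\Install\AdfsRollup.msu'
$logFile = 'C:\Install\AdfsSetup.log'

function Assert-MicrosoftSigned([string]$path) {
    # Only run binaries whose Authenticode signature is valid and issued to Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Refusing to run $path (signature status: $($sig.Status))"
    }
}

function Install-AdfsSoftware([string]$role) {
    # Command-line equivalent of the wizard: /proxy selects the federation server proxy role.
    Assert-MicrosoftSigned $setup
    $setupArgs = @('/quiet', '/LogFile', $logFile)
    if ($role -eq 'FederationServerProxy') { $setupArgs += '/proxy' }
    $p = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru
    if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {      # 3010 = success, reboot required
        throw "AdfsSetup.exe exited with $($p.ExitCode); see $logFile"
    }
    Write-Host 'AD FS 2.0 software installed; restart before running Install-AdfsRollup.'
}

function Install-AdfsRollup {
    # Run after the reboot: apply the latest AD FS 2.0 update rollup, then confirm the install.
    Assert-MicrosoftSigned $rollup
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList @($rollup, '/quiet', '/norestart') -Wait -PassThru
    Write-Host "wusa.exe exit code: $($p.ExitCode) (0 = installed, 3010 = reboot required)"
    $installDir = Join-Path $env:ProgramFiles 'Active Directory Federation Services 2.0'   # assumed default path
    if (-not (Test-Path $installDir)) { throw "AD FS 2.0 install directory not found: $installDir" }
    Get-Hotfix | Where-Object { $_.Description -match 'Update' } | Sort-Object InstalledOn -Descending | Select-Object -First 5
}

# Usage: Install-AdfsSoftware 'FederationServer'   (or 'FederationServerProxy'), reboot, then Install-AdfsRollup
```

The signature check is cheap and catches the one supply-chain risk this step has: an installer or .msu fetched through a download mirror or left on a file share. `Get-Hotfix` only lists updates that register with Windows Update, so the rollup's own log remains the authoritative record of what was applied.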

4. Configuring the First Federation Server in the Farm

By default, when a system restarts after being targeted as a federation server during the AD FS 2.0 software installation, the AD FS 2.0 Federation Server Configuration Wizard automatically starts. The wizard can then be used to configure the first federation server in a farm, using the following procedure:

1. At the Welcome page, verify that Create a New Federation Service is selected, and then click Next.

2. At the Select Stand-Alone or Farm Deployment page, select New Federation Server Farm, and then click Next.

3. At the Specify the Federation Service Name page, verify that the SSL certificate displayed is the one that was bound to the Default Web Site in IIS; the Federation Service name is taken from that certificate's subject. If the certificate displayed is incorrect, select the appropriate certificate from the SSL certificate list. Click Next.

4. At the Specify a Service Account page, click Browse. In the Browse dialog box, locate the domain account that will be used as the dedicated service account for the federation server farm, and then click OK. Enter the password for this account, confirm it, and click Next.

5. At the Ready to Apply Settings page, review the details. If the settings appear correct, click Next to begin configuring the AD FS instance with these settings.

6. At the Configuration Results page, review the results. After all the configuration steps have completed, click Close to exit the wizard and complete the configuration.


Tip

After the configuration of the first federation server is complete, the AD FS 2.0 Management snap-in automatically opens and a message appears, indicating that the configuration is incomplete and that a trusted relying party should be added. This message can safely be disregarded, since the relying party trust for Lync Online/Office 365 will be added during a later step.
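The wizard steps above have a command-line equivalent, Fsconfig.exe, which ships with AD FS 2.0. The following added PowerShell example (not from the original article) creates the farm on the first server with it and then runs the checks a practitioner wants before moving on: the service name matches, the farm's token-signing and token-decrypting certificates exist, the service runs as the dedicated account, and the federation metadata is served over HTTPS through the service name. The name sts.contoso.com and the account CONTOSO\svc_adfs are assumptions; the Fsconfig.exe verb and switches are those in Microsoft's AD FS 2.0 command-line reference and should be confirmed against it for the build in use.

```powershell
# Added example, not from the original article. Assumptions: federation service sts.contoso.com,
# service account CONTOSO\svc_adfs, SSL certificate already bound to the Default Web Site on 443.
$fqdn     = 'sts.contoso.com'
$svc      = 'CONTOSO\svc_adfs'
$fsconfig = Join-Path $env:ProgramFiles 'Active Directory Federation Services 2.0\Fsconfig.exe'

# Pick the certificate bound to 443 so the service name and certificate cannot disagree.
Import-Module WebAdministration
$thumb = (Get-Item 'IIS:\SslBindings\0.0.0.0!443').Thumbprint

# Fsconfig.exe takes the password as plain text on its command line, so it is visible in the
# process list for the duration of the run; run this from a console session, not a shared script host.
$svcPwd = Read-Host -Prompt "Password for $svc"
& $fsconfig CreateFarm /ServiceAccount $svc /ServiceAccountPassword $svcPwd `
    /CertThumbprint $thumb /FederationServiceName $fqdn /AutoCertRolloverEnabled
$svcPwd = $null
if ($LASTEXITCODE -ne 0) { throw "Fsconfig.exe failed with exit code $LASTEXITCODE" }

# Post-configuration checks through the AD FS 2.0 PowerShell snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell
$props = Get-ADFSProperties
if ($props.HostName -ne $fqdn) { throw "Federation service name is $($props.HostName), expected $fqdn" }
$props | Select-Object DisplayName, HostName, Identifier, AutoCertificateRollover

# Token-signing and token-decrypting certificates the farm generated for itself.
Get-ADFSCertificate | Format-Table CertificateType, Thumbprint, IsPrimary -AutoSize

# The service must run as the dedicated account, not a built-in identity.
$service = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
if ($service.StartName -ne $svc) { Write-Warning "adfssrv runs as $($service.StartName), expected $svc" }
if ($service.State -ne 'Running') { throw "adfssrv is $($service.State)" }

# Federation metadata is what Lync Online / Office 365 will consume later. Fetching it over HTTPS
# through the service name also exercises the DNS record and certificate set up earlier.
$url = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
$raw = (New-Object System.Net.WebClient).DownloadString($url)
$xml = [xml]$raw
"entityID: $($xml.EntityDescriptor.entityID)"
```

If the metadata download fails with a trust error while the IIS binding looks right, the cause is almost always the certificate chain on the server itself (a missing intermediate CA), which the earlier certificate checks would have caught. The "add a relying party" prompt in the management snap-in is expected at this stage and is handled when the Lync Online/Office 365 trust is created.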

 