1. Preparing Systems for AD FS
Systems that are planned for the federation
server role should be fully patched and joined to the domain before AD
FS installation. Systems that are planned for the federation server
proxy role should be patched and then connected to a DMZ subnet as a
workgroup member. If multiple servers will be
used for resiliency, the load-balancing configuration should also be
completed before AD FS installation on both federation server and
federation server proxy systems. Although any load-balancing solution
can be used with AD FS, this section provides guidelines for the
configuration of Windows NLB for use with AD FS, since this is a very
common solution.
Following are some guidelines regarding the installation of NLB in preparation for AD FS:
• The NLB feature is integrated with
both the Standard and Enterprise Editions of Windows Server 2008 and
Windows Server 2008 R2; therefore, it simply needs to be installed from
the list of available Windows features, and typically Standard Edition
is fine for this purpose.
• Two network adapters are typically
recommended for each NLB node, although this is not required. The
second adapter allows for one adapter to be dedicated for NLB
functions, while the other adapter can be used for other network
functions.
• NLB is not supported for use with DHCP; therefore, a static IP address must be applied to a system before NLB is installed.
• A cluster IP address must be selected
as the virtual IP that is shared by every member of the NLB cluster.
The IP address must be unique within the environment, and will be used
to receive traffic destined for the federation service.
• The cluster operation mode can be
specified as either unicast or multicast. While either mode can work,
multicast is often recommended when NLB is installed on virtual
machines, because it tends to reduce the complexity involved in
ensuring that traffic flows properly through the virtualization
environment.
• The default port rules configuration
specifies load balancing for all ports. For a federation server
cluster, the default port rule can be modified to configure load
balancing for only ports 80 and 443, because these are the only ports
that will be used by the federation service. For a federation server
proxy cluster, only port 443 is required.
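The NLB guidelines above, carried out as a script. This is an added example and is not from the book; it uses the NetworkLoadBalancingClusters module that ships with Windows Server 2008 R2. The node names (FS01, FS02), the adapter name ("NLB"), the cluster address (10.0.1.50/24), the federation service name (sts.contoso.com) and the choice of single affinity are assumptions for illustration; substitute your own.

```powershell
# Added example (not from the book): prepare a two-node Windows NLB cluster
# for an AD FS 2.0 federation server farm on Windows Server 2008 R2.
# Assumed values: nodes FS01/FS02, dedicated NLB adapter named "NLB",
# cluster VIP 10.0.1.50/24, federation service name sts.contoso.com.
# Run on FS01 as a local administrator; FS02 is added remotely at the end.

$clusterVip   = '10.0.1.50'
$subnetMask   = '255.255.255.0'
$nlbInterface = 'NLB'            # second adapter reserved for NLB traffic
$fsName       = 'sts.contoso.com'
$secondNode   = 'FS02'

# 1. NLB does not support DHCP: stop if any enabled adapter is still DHCP-configured.
$dhcpAdapters = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DHCPEnabled }
if ($dhcpAdapters) {
    $dhcpAdapters | ForEach-Object { Write-Warning "DHCP is enabled on: $($_.Description)" }
    throw 'Assign static IP addresses to the NLB nodes before installing NLB.'
}

# 2. Install the NLB feature (included with Standard Edition) and load its cmdlets.
Import-Module ServerManager
Add-WindowsFeature NLB | Out-Null
Import-Module NetworkLoadBalancingClusters

# 3. Create the cluster on the dedicated adapter in multicast mode, which avoids
#    the MAC-address handling problems unicast mode causes on virtual switches.
New-NlbCluster -InterfaceName $nlbInterface -ClusterName $fsName `
    -ClusterPrimaryIP $clusterVip -SubnetMask $subnetMask `
    -OperationMode Multicast | Out-Null

# 4. Replace the default all-ports rule with TCP 80 and 443 only (federation server).
#    For a federation server proxy cluster, keep only the 443 rule.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
foreach ($port in 80, 443) {
    Add-NlbClusterPortRule -StartPort $port -EndPort $port -Protocol Tcp `
        -Mode Multiple -Affinity Single | Out-Null   # affinity choice is an assumption
}

# 5. Join the second node to the cluster.
Add-NlbClusterNode -NewNodeName $secondNode -NewNodeInterface $nlbInterface | Out-Null

# 6. Review the result before running the AD FS Configuration Wizard.
Get-NlbClusterNode     | Format-Table Name, State, HostPriority -AutoSize
Get-NlbClusterPortRule | Format-Table StartPort, EndPort, Protocol, Mode, Affinity -AutoSize
```

Run the script once, on the first node only; `Add-NlbClusterNode` configures the second node over the network, so the NLB feature must already be installed there. The `Get-NlbClusterNode` output should show both nodes as Converged before proceeding.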
An additional requirement before running the
AD FS Configuration Wizard is the installation of the SSL certificate
that will be used as the Server Authentication Certificate. The
certificate must be purchased from a public CA that is trusted by all
the client systems that will be connecting to AD FS, and must use the
federation service FQDN as the subject name. After the certificate is
installed into the local certificate store on a federation server
system, it must then be applied to the Default Web Site within IIS.
After the certificate has been applied to the Default Web Site, it will
automatically be discovered by the AD FS 2.0 Federation Server
Configuration Wizard.
Tip
If a Lync hybrid deployment is planned, the subject name of the server authentication certificate will instead need to be sts.<SIPdomain>, where <SIPdomain> is the DNS domain that will be split across the Lync Online and Lync on-premise deployments.
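A check that the installed certificate meets the requirements just described, followed by the IIS binding the wizard relies on. This is an added example, not from the book; it uses the WebAdministration module of IIS 7.5 and the .NET X509Certificate2 class. The federation service name (sts.contoso.com) is an assumption, and `Verify()` only confirms that this server trusts the issuing chain, which is a proxy for the real requirement that every connecting client trusts it.

```powershell
# Added example (not from the book): validate the server authentication certificate
# and bind it to the Default Web Site on a federation server (Windows Server 2008 R2).
# Assumed federation service name: sts.contoso.com. Run as a local administrator.

$fsName = 'sts.contoso.com'
Import-Module WebAdministration

# Pick the longest-lived certificate in the machine store whose subject CN is the FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($fsName))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$fsName found in LocalMachine\My." }

$problems = @()
# AD FS signs and terminates TLS with this key, so the private key must be present.
if (-not $cert.HasPrivateKey) { $problems += 'private key is missing' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires on $($cert.NotAfter)" }

# The Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be present.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
if (-not $hasServerAuth) { $problems += 'Server Authentication EKU is missing' }

# Chain and revocation check against this machine's trusted roots.
if (-not $cert.Verify()) { $problems += 'certificate chain does not validate on this server' }

if ($problems) {
    throw "Certificate $($cert.Thumbprint) is not usable: $($problems -join '; ')"
}

# Ensure the Default Web Site has an HTTPS binding on 443, then attach the certificate.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (Test-Path IIS:\SslBindings\0.0.0.0!443) { Remove-Item IIS:\SslBindings\0.0.0.0!443 }
$cert | New-Item IIS:\SslBindings\0.0.0.0!443 | Out-Null

"Bound $($cert.Subject) ($($cert.Thumbprint)) to https://0.0.0.0:443; issuer: $($cert.Issuer)"
```

Every federation server in the farm must carry the same certificate, so run this on each node after importing the certificate with its private key; the thumbprint printed at the end should be identical everywhere, and it is the certificate the AD FS 2.0 Federation Server Configuration Wizard will present.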
2. Preparing the Network for AD FS
After the NLB cluster has been created,
several DNS records need to be manually created, and several firewall
ports might need to be opened, depending on whether AD FS will be
available externally.
If a dedicated service account will
be used for AD FS, as required for a multiple-server deployment, the
account must be created before the initial configuration of AD FS. The
service account does not require any particular rights to the AD
domain; however, it must be a member of the local Administrators group
on each federation server.
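The DNS record and the dedicated service account described in this section, created from an administrative workstation. This is an added example, not from the book; it uses `dnscmd` and the ActiveDirectory module available with the Windows Server 2008 R2 RSAT tools. The domain (contoso.com), DNS server (DC01), cluster address (10.0.1.50), OU, account name (svc_adfs) and server names (FS01, FS02) are assumptions, and external DNS and firewall changes are left to the publishing design.

```powershell
# Added example (not from the book): create the internal DNS record for the
# federation service and the dedicated AD FS service account, then grant it
# local Administrators membership on each federation server as the text requires.
# Assumed values: domain contoso.com, DNS server DC01, federation service
# sts.contoso.com -> NLB VIP 10.0.1.50, account svc_adfs, servers FS01/FS02.
# Run as a domain administrator on a workstation with RSAT (AD DS and DNS tools).

Import-Module ActiveDirectory

$domain  = 'contoso.com'
$dnsHost = 'DC01'
$vip     = '10.0.1.50'
$account = 'svc_adfs'
$servers = 'FS01', 'FS02'

# 1. Internal DNS: the federation service name must resolve to the NLB cluster VIP.
#    (If AD FS is published externally, external DNS points the same name at the proxy.)
dnscmd $dnsHost /RecordAdd $domain ($account -replace '.*', 'sts') A $vip

# 2. Dedicated service account with no domain privileges. Non-expiring password and
#    no interactive use are assumed policy choices, not requirements from the page.
$password = Read-Host -AsSecureString "Password for $account"
New-ADUser -Name $account -SamAccountName $account `
    -UserPrincipalName "$account@$domain" `
    -Path "OU=Service Accounts,DC=contoso,DC=com" `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -Description 'AD FS 2.0 federation service account'

# 3. Local Administrators membership on every federation server (not on the proxies).
foreach ($server in $servers) {
    $group = [ADSI]"WinNT://$server/Administrators,group"
    $group.Add("WinNT://$($domain.Split('.')[0])/$account,user")
}

# 4. Verify: the name resolves to the VIP, and the account holds no privileged domain roles.
$resolved = [System.Net.Dns]::GetHostAddresses("sts.$domain") | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $vip) { Write-Warning "sts.$domain resolves to $resolved, expected $vip" }
Get-ADPrincipalGroupMembership $account | Select-Object -ExpandProperty Name
```

The final line should list only Domain Users; if it shows Domain Admins or similar, the account has more rights than AD FS needs and the wizard will still run, so this is the point to correct it.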
3. Installing AD FS Software
The AD FS 2.0 software can be downloaded from
the Microsoft download site, and is used for both the federation server
and the federation server proxy systems. Installation of the AD FS 2.0
software can be performed either via the setup wizard or via the
command line. Use the following procedure to install the AD FS 2.0
software using the setup wizard:
1. Log on to the server using an account with local administrator rights.
2. Use Windows Explorer to navigate to the location where the AD FS 2.0 installation file was saved, and double-click on the AdfsSetup.exe setup file.
3. At the Welcome to the AD FS 2.0 Setup Wizard page, click Next.
4. At the End User
License Agreement page, read the license terms; then, if you agree to
the license terms, select the I Accept the Terms in the License
Agreement check box, and click Next.
5. At the Server Role
page, select the role that this system will be used for, either
Federation Server or Federation Server Proxy. Click Next.
6. At the Install Prerequisite Software page, click Next to begin the software installation.
7. After all software
prerequisites have been installed, the Completed the AD FS 2.0 Setup
Wizard page appears. Verify that the Restart Now check box is selected,
and then click Finish to restart the computer and complete the
installation.
After the system is back online, the
Federation Server Configuration Wizard automatically starts, as
described in the next section. The latest hotfixes for AD FS should
also be downloaded and installed at this point. Similar to other
Microsoft products, update rollups are periodically released to
consolidate a number of individual hotfixes into one installation
package. The most recent update rollup for AD FS 2.0 should be
installed on each system.
4. Configuring the First Federation Server in the Farm
By default, when a system restarts after
being targeted as a federation server during the AD FS 2.0 software
installation, the AD FS 2.0 Federation Server Configuration Wizard
automatically starts. The wizard can then be used to configure the
first federation server in a farm, using the following procedure:
1. At the Welcome page, verify that Create a New Federation Service is selected, and then click Next.
2. At the Select Stand-Alone or Farm Deployment page, select New Federation Server Farm, and then click Next.
3. At the Specify the
Federation Service Name page, verify that the SSL certificate displayed
matches the name of the certificate that was previously imported into
the Default Web Site in IIS. If the certificate displayed is incorrect,
select the appropriate certificate from the SSL certificate list.
4. At the Specify a
Service Account page, click Browse. In the Browse dialog box, locate
the domain account that will be used as the dedicated service account
for the federation server farm, and then click OK. Enter the password
for this account, confirm it, and click Next.
5. At the Ready to
Apply Settings page, review the details. If the settings appear
correct, click Next to begin configuring the AD FS instance with these
settings.
6. At the
Configuration Results page, review the results. After all the
configuration steps have completed, click Close to exit the wizard and
complete the configuration.
Tip
After the configuration of the first
federation server is complete, the AD FS 2.0 Management snap-in
automatically opens and a message appears, indicating that the
configuration is incomplete and that a trusted relying party should be
added. This message can safely be disregarded, since the relying party
trust for Lync Online/Office 365 will be added during a later step.
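The command-line route mentioned in section 3, followed by the equivalent of the wizard steps in section 4 and a few checks on the result. This is an added example, not from the book; `FsConfig.exe` is the AD FS 2.0 command-line configuration tool installed with the product, and `Microsoft.Adfs.PowerShell` is its snap-in. The installer path, federation service name (sts.contoso.com) and service account (contoso\svc_adfs) are assumptions, and the switches shown should be confirmed with `FsConfig.exe /?` and `AdfsSetup.exe /?` on your media before use.

```powershell
# Added example (not from the book): unattended AD FS 2.0 install, first-server farm
# configuration, and post-configuration checks on Windows Server 2008 R2.
# Assumed values: installer at C:\Install\AdfsSetup.exe, federation service name
# sts.contoso.com, service account contoso\svc_adfs, certificate already bound to
# the Default Web Site. Run as a local administrator with domain rights to set SPNs.

$fsName  = 'sts.contoso.com'
$svcAcct = 'contoso\svc_adfs'

# ---- Part 1: software installation (ends with the reboot the wizard would request) ----
Start-Process -FilePath 'C:\Install\AdfsSetup.exe' -ArgumentList '/quiet' -Wait
# Restart the server, install the latest AD FS 2.0 update rollup, then run Part 2.

# ---- Part 2: create the farm (wizard: Create a New Federation Service > New Farm) ----
Import-Module WebAdministration
$thumbprint = (Get-Item IIS:\SslBindings\0.0.0.0!443).Thumbprint   # certificate bound in IIS
$svcPwd = Read-Host "Password for $svcAcct"   # FsConfig.exe accepts the password only as text

$fsConfig = Join-Path $env:ProgramFiles 'Active Directory Federation Services 2.0\FsConfig.exe'
& $fsConfig CreateFarm /ServiceAccount $svcAcct /ServiceAccountPassword $svcPwd `
    /CertThumbprint $thumbprint /FederationServiceName $fsName
if ($LASTEXITCODE -ne 0) { throw "FsConfig.exe CreateFarm failed with exit code $LASTEXITCODE" }

# ---- Part 3: checks the wizard's Configuration Results page does not spell out ----
Add-PSSnapin Microsoft.Adfs.PowerShell

# The service should run under the dedicated account and report the expected name.
Get-WmiObject Win32_Service -Filter "Name='adfssrv'" | Select-Object State, StartName
Get-ADFSProperties | Select-Object HostName, Identifier

# The HOST/<federation service name> SPN must be registered on the service account;
# without it, Windows Integrated Authentication to the farm fails.
setspn -L $svcAcct.Split('\')[1]

# The federation metadata endpoint is the first thing the Office 365 trust needs.
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$xml = [xml](New-Object System.Net.WebClient).DownloadString($metadataUrl)
"Federation metadata served for entityID: $($xml.EntityDescriptor.entityID)"
```

If the metadata download fails with a TLS error while the service is running, the name in the URL is not the subject of the bound certificate or the client does not trust its chain, which is the certificate requirement from section 1 surfacing again.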