Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & FIM (It Is Just Like An Addiction, The More You Have, The More You Want To Have!)

(2014-04-05) Azure Active Directory Services – It’s Getting Cooler By The Day!

Posted by Jorge on 2014-04-05


Azure Active Directory has reached general availability. It is packed with very cool features for all the stuff you want, or need, to do in the cloud.

Azure Active Directory Premium is a service targeted at large enterprises and is available through volume licensing and/or an enterprise agreement. So if you are interested in a demo, a trial or purchasing, contact your Microsoft account rep (OR ME!). It is also available as part of our new Enterprise Mobility Suite (EMS) which includes Intune and Azure RMS as well. We are offering some incredible deals on EMS for the next 90 days so if you are considering purchasing subscriptions any of these services, now is a great time to act!

As always, we’d love to hear any feedback or suggestions you have. And for those of you with enterprise class identity needs, I hope you’ll find Azure AD Premium useful!

-

It is a combined offering for:

  • Directory Services
  • Federation Services
  • Rights Management Services
  • Multi-Factor AuthN
  • Identity Management
  • Monitoring and Reporting
  • and much more!

….in the cloud.

-

WOW!

-

Read more about it through the following links:

-

Have fun!

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in App Access Management, Branding, Monitoring/Reporting, Multi-Factor AuthN, Rights Management, Self-Service Group Management, Self-Service Password Reset, Windows Azure Active Directory | Leave a Comment »

(2014-04-04) Domain Join through an RODC instead of an RWDC (Update 1)

Posted by Jorge on 2014-04-04


In the blog post (2009-01-01) Domain Join through an RODC instead of an RWDC I explained the so called read-only domain join against an RODC. In that blog post you will find a VBS script that helps you achieve that goal. Prior to the VBS script you see multiple ways of pre-creating the computer and having the password of the computer account replicate to the RODC.

-

In this blog post I provide a PowerShell script (don’t forget the execution policy on the server!) that performs the read-only domain join. You can get the PowerShell script through this link, or you can copy it from below.

-

Param( [string]$fqdnADdomain, # The FQDN Of the AD domain [string]$fqdnRODC, # The FQDN of the RODC to use [string]$computerAccountPWD # The password for the computer account ) Clear-Host Write-Host "*******************************************************************" -ForeGroundColor Yellow Write-Host "* --> Performing Read-Only Domain Join Against RODC <-- *" -ForeGroundColor Yellow Write-Host "* Written By: Jorge de Almeida Pinto [MVP-DS] *" -ForeGroundColor Yellow Write-Host "* http://jorgequestforknowledge.wordpress.com/ *" -ForeGroundColor Yellow Write-Host "*******************************************************************" -ForeGroundColor Yellow # Checking If All Parameters Are Available And Correct If (!($fqdnADdomain)) { Write-Host "" Write-Host "No FQDN Of An AD Domain Has Been Specified" -ForeGroundColor Red Write-Host "The FQDN Of An AD Domain Is Required!" -ForeGroundColor Red Write-Host "Aborting Script..." -ForeGroundColor Red Write-Host "" BREAK } If (!($fqdnRODC)) { Write-Host "" Write-Host "No FQDN Of An RODC Has Been Specified" -ForeGroundColor Red Write-Host "The FQDN Of An RODC Is Required!" -ForeGroundColor Red Write-Host "Aborting Script..." -ForeGroundColor Red Write-Host "" BREAK } If (!($computerAccountPWD)) { Write-Host "" Write-Host "No Computer Account Password Has Been Specified" -ForeGroundColor Red Write-Host "The Computer Account Password Specified During Pre-Creation Is Required!" -ForeGroundColor Red Write-Host "Aborting Script..." -ForeGroundColor Red Write-Host "" BREAK } # Defining Required Constants Set-Variable JOIN_DOMAIN -option Constant -value 1 # Joins a computer to a domain. If this value is not specified, the join is a computer to a workgroup Set-Variable MACHINE_PASSWORD_PASSED -option Constant -value 128 # The machine, not the user, password passed. This option is only valid for unsecure joins Set-Variable NETSETUP_JOIN_READONLY -option Constant -value 2048 # Use an RODC to perform the domain join against # Cumulative Value To Use $readOnlyDomainJoinOption = $JOIN_DOMAIN + $MACHINE_PASSWORD_PASSED + $NETSETUP_JOIN_READONLY # Getting Info From The Local Computer $localComputerSystem = Get-WMIObject Win32_ComputerSystem $computerName = $localComputerSystem.Name # Present The Gathered Information Write-Host "" Write-Host "" Write-Host "Trying To Perform A Read-Only Domain Join Using The Following Information..." -ForeGroundColor Yellow Write-Host "" Write-Host "FQDN AD Domain............: "$fqdnADdomain -ForeGroundColor Yellow Write-Host "FQDN RODC.................: "$fqdnRODC -ForeGroundColor Yellow Write-Host "Computer Name.............: "$computerName -ForeGroundColor Yellow Write-Host "Computer Account Password.: "$computerAccountPWD -ForeGroundColor Yellow Write-Host "" # Performing The Read-Only Domain Join $errorCode = $localComputerSystem.JoinDomainOrWorkGroup($fqdnADdomain+"\"+$fqdnRODC,$computerAccountPWD,$null,$null,$readOnlyDomainJoinOption) # Error Handling # List of 'system error codes' (http://msdn.microsoft.com/en-us/library/ms681381.aspx) and # List of 'network management error codes' (http://msdn.microsoft.com/en-us/library/aa370674(VS.85).aspx) $errorDescription = switch ($($errorCode.ReturnValue)) { 0 {"SUCCESS: The Operation Completed Successfully."} 5 {"FAILURE: Access Is Denied."} 53 {"FAILURE: The Network Path Was Not Found."} 64 {"FAILURE: The Specified Network Name Is No Longer Available."} 87 {"FAILURE: The Parameter Is Incorrect."} 1326 {"FAILURE: Logon failure: Unknown Username Or Bad Password."} 1355 {"FAILURE: The Specified Domain Either Does Not Exist Or Could Not Be Contacted."} 2691 {"FAILURE: The Machine Is Already Joined To The Domain."} default {"FAILURE: Unknown Error!"} } If ($($errorCode.ReturnValue) -eq "0") { Write-Host "Domain Join Result Code...: "$($errorCode.ReturnValue) -ForeGroundColor Green Write-Host "Domain Join Result Text...: "$errorDescription -ForeGroundColor Green } Else { Write-Host "Domain Join Result Code...: "$($errorCode.ReturnValue) -ForeGroundColor Red Write-Host "Domain Join Result Text...: "$errorDescription -ForeGroundColor Red } # Finishing Up Write-Host "" Write-Host "REMARK:" -ForeGroundColor Cyan Write-Host "The Computer Account Password Will Be Reset Shortly After The Domain Join!" -ForeGroundColor Cyan Write-Host "" Write-Host "###### FINISHED ######" Write-Host "-----------------------------------------------------" If ($($errorCode.ReturnValue) -eq "0") { Write-Host "" Write-Host "!!! THE COMPUTER WILL REBOOT AUTOMATICALLY IN 2 MINUTES !!!" -ForeGroundColor Cyan Write-Host "" Write-Host "!!! TO STOP THE REBOOT USE THE COMMAND: SHUTDOWN /A !!!" -ForeGroundColor Cyan SHUTDOWN /R /T 120 }

-

Have fun!

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Domain Join, PowerShell, Read-Only Domain Controller, Tooling/Scripting | Leave a Comment »

(2014-04-02) Building An ADFS Lab In W2K12(R2)

Posted by Jorge on 2014-04-02


The guys from AskPFE have written an interesting series of building an ADFS lab on W2K12 and then upgrade that to ADFS on W2K12R2 .

-

How to Build Your ADFS Lab on Server 2012 Part 1

How to Build Your ADFS Lab on Server 2012, Part2: Web SSO

How to Build Your ADFS Lab on Server 2012 Part 3: ADFS Proxy

How to Build Your ADFS Lab Part4: Upgrading to Server 2012 R2

-

With regards to migrating ADFS v2.x to ADFS v3.0, also have a look at (2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Claims Based Apps, Migration, Proxy Service, Security Token Service (STS), Web Application Proxy | Leave a Comment »

(2014-03-27) Determining Users Configured With "Trusted For Delegation"

Posted by Jorge on 2014-03-27


You may need to be able to query AD and find all users accounts that have been configure with any of the three following delegation options:

  1. Trust This User For Delegation To Any Service (Kerberos Only) – A.K.A. "Open Delegation"
  2. Trust This User For Delegation To Specified Services Only – Use Any Authenticaton Protocol – A.K.A. "Constrained Delegation"
  3. Trust This User For Delegation To Specified Services Only – Use Kerberos Only – A.K.A. "Constrained Delegation"

-

[AD.1] Querying ALL Users with "Trusted For Delegation To Any Service (Kerberos Only)"

"Trusted For Delegation To Any Service (Kerberos Only)" translates to the "TRUSTED_FOR_DELEGATION" bit on the userAccountControl attribute, which in its turn translates to decimal value "524288".

Import-Module ActiveDirectory Get-ADUser -Server "<FQDN of DC>" -SearchBase "<DN of Domain NC>" -LdapFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" | %{$_.DistinguishedName}

-

[AD.2a] Querying ALL Users with "Trusted For Delegation To Specific Services – Any AuthN (At Least One Service Specified)"

"Trusted For Delegation To Specific Services – Any AuthN" translates to the "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" bit on the userAccountControl attribute, which in its turn translates to decimal value "16777216".

Import-Module ActiveDirectory Get-ADUser -Server "<FQDN of DC>" -SearchBase "<DN of Domain NC>" -LdapFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=16777216)(msDS-AllowedToDelegateTo=*))" | %{$_.DistinguishedName}

-

[AD.2b] Querying ALL Users with "Trusted For Delegation To Specific Services – Any AuthN (No Service Specified, Empty List)"

"Trusted For Delegation To Specific Services – Any AuthN" translates to the "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" bit on the userAccountControl attribute, which in its turn translates to decimal value "16777216".

Import-Module ActiveDirectory Get-ADUser -Server "<FQDN of DC>" -SearchBase "<DN of Domain NC>" -LdapFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=16777216)(!(msDS-AllowedToDelegateTo=*)))" | %{$_.DistinguishedName}

REMARK: Some systems/applications/appliances may use this scenario to for any protocol and still use open delegation. One example is a Riverbed Steelhead Appliance which is able to optimize network traffic for different protocols. For the WHY I refer to the documentation of the systems/applications/appliances.

-

[AD.3a] Querying ALL Users with "Trusted For Delegation To Specific Services – Kerberos AuthN (At Least One Service Specified)"

"Trusted For Delegation To Specific Services – Kerberos AuthN" DOES NOT translates to any bit on the userAccountControl attribute.

Import-Module ActiveDirectory Get-ADUser -Server "<FQDN of DC>" -SearchBase "<DN of Domain NC>" -LdapFilter "(&(!(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(userAccountControl:1.2.840.113556.1.4.803:=16777216)))(msDS-AllowedToDelegateTo=*))" | %{$_.DistinguishedName}

-

[AD.3b] Querying ALL Users with "Trusted For Delegation To Specific Services – Kerberos AuthN (No Service Specified, Empty List)"

It is not possible to query this as "Trusted For Delegation To Specific Services" expects a list of at least one service for which delegation is allowed and in this case it does not translate to any bit on the userAccountControl attribute. Because of that it would return any computer account which basically is a false result!

-

REMARK: I used PowerShell here, but of course you can use the same LDAP filter with any other LDAP Querying tool such as ADFIND. Remember that you may need to amend the LDAP filter to target the correct object type!

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation, Kerberos AuthN, NTLM AuthN | Leave a Comment »

(2014-03-26) Determining Computers Configured With "Trusted For Delegation"

Posted by Jorge on 2014-03-26


You may need to be able to query AD and find all computer accounts that have been configure with any of the three following delegation options:

  1. Trust This User For Delegation To Any Service (Kerberos Only) – A.K.A. "Open Delegation"
  2. Trust This User For Delegation To Specified Services Only – Use Any Authenticaton Protocol – A.K.A. "Constrained Delegation"
  3. Trust This User For Delegation To Specified Services Only – Use Kerberos Only – A.K.A. "Constrained Delegation"

-

[AD.1] Querying ALL Computers with "Trusted For Delegation To Any Service (Kerberos Only)"

"Trusted For Delegation To Any Service (Kerberos Only)" translates to the "TRUSTED_FOR_DELEGATION" bit on the userAccountControl attribute, which in its turn translates to decimal value "524288".

Import-Module ActiveDirectory Get-ADComputer -Server "<FQDN of DC>" -SearchBase "<DN of Domain NC>" -LdapFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" | %{$_.DistinguishedName}

-

[AD.2a] Querying ALL Computers with "Trusted For Delegation To Specific Services – Any AuthN (At Least One Service Specified)"

"Trusted For Delegation To Specific Services – Any AuthN" translates to the "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" bit on the userAccountControl attribute, which in its turn translates to decimal value "16777216".

Import-Module ActiveDirectory Get-ADComputer -Server "<FQDN of DC>" -SearchBase "<DN of Domain NC>" -LdapFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=16777216)(msDS-AllowedToDelegateTo=*))" | %{$_.DistinguishedName}

-

[AD.2b] Querying ALL Computers with "Trusted For Delegation To Specific Services – Any AuthN (No Service Specified, Empty List)"

"Trusted For Delegation To Specific Services – Any AuthN" translates to the "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" bit on the userAccountControl attribute, which in its turn translates to decimal value "16777216".

Import-Module ActiveDirectory Get-ADComputer -Server "<FQDN of DC>" -SearchBase "<DN of Domain NC>" -LdapFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=16777216)(!(msDS-AllowedToDelegateTo=*)))" | %{$_.DistinguishedName}

REMARK: Some systems/applications/appliances may use this scenario to for any protocol and still use open delegation. One example is a Riverbed Steelhead Appliance which is able to optimize network traffic for different protocols. For the WHY I refer to the documentation of the systems/applications/appliances.

-

[AD.3a] Querying ALL Computers with "Trusted For Delegation To Specific Services – Kerberos AuthN (At Least One Service Specified)"

"Trusted For Delegation To Specific Services – Kerberos AuthN" DOES NOT translates to any bit on the userAccountControl attribute.

Import-Module ActiveDirectory Get-ADComputer -Server "<FQDN of DC>" -SearchBase "<DN of Domain NC>" -LdapFilter "(&(!(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(userAccountControl:1.2.840.113556.1.4.803:=16777216)))(msDS-AllowedToDelegateTo=*))" | %{$_.DistinguishedName}

-

[AD.3b] Querying ALL Computers with "Trusted For Delegation To Specific Services – Kerberos AuthN (No Service Specified, Empty List)"

It is not possible to query this as "Trusted For Delegation To Specific Services" expects a list of at least one service for which delegation is allowed and in this case it does not translate to any bit on the userAccountControl attribute. Because of that it would return any computer account which basically is a false result!

-

REMARK: I used PowerShell here, but of course you can use the same LDAP filter with any other LDAP Querying tool such as ADFIND. Remember that you may need to amend the LDAP filter to target the correct object type!

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Kerberos AuthN, NTLM AuthN | Leave a Comment »

(2014-03-25) An Account With "Trusted For Delegation" – What Are The Risks?

Posted by Jorge on 2014-03-25


Sometimes when implementing some system/application/appliance that needs a service account, that service account may need to be configured with "Trusted For Delegation". The latter has three flavors as shown in figure 1 below.

Figure 1: The Delegation TAB After Configuring A Service Principal Name

-

As you can see in figure 1, you have 4 options you can configure, being:

  1. Trust This User For Delegation To Any Service (Kerberos Only) – A.K.A. "Open Delegation"
  2. Trust This User For Delegation To Specified Services Only – Use Kerberos Only – A.K.A. "Constrained Delegation"
  3. Trust This User For Delegation To Specified Services Only – Use Any Authenticaton Protocol – A.K.A. "Constrained Delegation"
  4. Do Not Trusted This User For Delegation – (this is obvious, isn’t it?!)

-

Now, you may wonder: "what are the risks?". Keep reading! Smile

-

An AD user account or computer account with such powers is worthless on its own. You need to have a system/application/appliance using such an account that is being targeted by end users and that is providing some kind of service.

With regards to the system/application/appliance that has that account configured you are fully trusting the code of the system/application/appliance to act on a user’s behalf for any OR specific services it is performing delegation for. With that in mind you should also think about how likely is it for the system/application/appliance to be "misused" during an attack? As risk mitigations you can think of measures such as physical access controls (secure rooms) and network access controls (firewalls) access controls, but also having the latest patches/hotfixes applied that are recommended by the vendor.
It also comes down to the question if you trust the administrators and/or vendor of the system/application/appliance to not misuse those high privileges. Having trusted administrators with the correct delegation of control supported (pro-active measure) with the correct auditing measures (re-active measure) helps to "secure" the system/application/appliance in a proactive and re-active way.

In addition, if even possible AND after testing, you may be able to configure the following user rights for the service account on different Windows systems to mitigate risks:
(
User Rights)

  • Deny Access To This Computer From The Network
  • Deny Log On As A Batch Job
  • Deny Log On As A Service
  • Deny Log On Locally
  • Deny Log On Through Terminal Services

-

Again in addition, you can configure the account with a very secure password and if needed/possible use the (at least) four-eyes principle to make sure nobody ever knows the complete password but just part of it.

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation, Kerberos AuthN, NTLM AuthN | Leave a Comment »

(2014-03-24) ADFS v3.0 In W2K12R2 And Related Features In Summary With Details

Posted by Jorge on 2014-03-24


Mylo has written a number of blog posts focusing on his first impressions regarding ADFS v3.0 in W2K12R2 and related features (e.g. Workplace Join, Device Registration, Web Application Proxy, etc). The blog posts are a perfect summary with lots of interesting details. Wow, my compliments!

-

First Impressions – AD FS and Windows Server 2012 R2 – Part I

First Impressions – AD FS and Windows Server 2012 R2 – Part II

First Impressions – AD FS and Windows Server 2012 R2 – Part III (to be published by Mylo)

-

In addition to this Ramiro Calderon has written great blog posts focusing on MFA in ADFS v3.0. Again, my compliments!

Under the hood tour on Multi-Factor Authentication in ADFS – Part 1: Policy

Under the hood tour on Multi-Factor Authentication in ADFS – Part 2: MFA aware Relying Parties

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Device Registration, Security Token Service (STS), Web Application Proxy, Workplace Join | Leave a Comment »

(2014-03-21) GALSync, DIRSync And SSO With Office 365 Blog Posts From MSResource.NET

Posted by Jorge on 2014-03-21


Paul Williams from MSResource.net has done an excellent job on writing about several topics regarding FIM and ADFS related to Office 365. Find those interesting blog posts below

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in DirSync, DirSync, Forefront Identity Manager (FIM) Sync, GAL Sync, Office 365, SSO, Windows Azure Active Directory | Leave a Comment »

(2014-03-19) Top 6 (Independent) Microsoft Active Directory Integration Experts To Follow Now

Posted by Jorge on 2014-03-19


The guys from OneLogin have written a blog post about the 6 independent Microsoft AD Integration Experts to follow.

-

active-directory-experts

Figure 1: Independent Microsoft AD Experts

-

In any particular order:

  • Brian Desmond
  • Sean Deuby
  • Joe Richards
  • Mark Parris
  • John Policelli
  • et moi (Jorge de Almeida Pinto)

-

For more details see the following blog post: Top 6 (Independent) Microsoft Active Directory Integration Experts to Follow Now

-

So how can you follow me?:

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Day-To-Day Stuff, IT News, MVP | Leave a Comment »

(2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer Or Not

Posted by Jorge on 2014-03-19


If ADFS was installed in the past by someone else and there is little to no documentation, how do you know, when using WID, which ADFS STS instance is the primary federation server or any other federation server? Keep reading to find out how to determine that!

-

How To Find The Primary Federation Server When Using WID?

The concept of a primary federation server and secondary federation servers only exists when leveraging WID. When using SQL all federation servers are equal. In the case of WID, the primary federation server has a read/write copy of the ADFS configuration database.

-

The primary federation server is always created when you use the ADFS Federation Server Configuration Wizard and select the option to create a new Federation Service and make that computer the first federation server in the farm. All other federation servers in this farm, also known as secondary federation servers, must synchronize changes that are made on the primary federation server to a copy of the AD FS configuration database that is stored locally.

image_thumb[13]

Figure 1: ADFS Leveraging WID – The ADFS MMC On The Primary Federation Server

-

image_thumb[15]

Figure 2: The PowerShell CMDlet That Shows Whether Or Not The Federation Server Is The Primary Federation Server – In This Case It Is The Primary Federation Server

-

The secondary federation servers store a read-only copy of the ADFS configuration database from the primary federation server. Secondary federation servers connect to and synchronize the data with the primary federation server in the farm by polling it at regular intervals (5 minutes) to check whether data has changed. It is also possible to force synchronization. The secondary federation servers exist to provide fault tolerance for the primary federation server while acting to load-balance access requests that are made in different sites throughout your network environment. If a primary federation server crashes and is offline, all secondary federation servers continue to process requests as normal. However, no new changes can be made to the Federation Service until the primary federation server has been brought back online OR you have nominated an existing secondary federation server as the new primary federation server.

image_thumb[11]

Figure 3: ADFS Leveraging WID – The ADFS MMC On Any Secondary Federation Server

-

image_thumb[19]

Figure 4: The PowerShell CMDlet That Shows Whether Or Not The Federation Server Is The Primary Federation Server – In This Case It Is NOT The Primary Federation Server

-

How to transfer the primary computer role to another ADFS STS when using WID?

Unfortunately, it is not like the olf NT4 PDC/BDC model that by moving the primary computer role to another ADFS STS, the other ADFS STSes become aware of that.

  • On the ADFS STS becoming the new primary computer execute: Set-AdfsSyncProperties -Role PrimaryComputer
  • On all other ADFS STS execute: Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN new ADFS STS With Primary Computer Role>

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On WID, Security Token Service (STS) | Leave a Comment »

 
%d bloggers like this: