Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2016-11-27) Issues With Popup Screens In IE On The MIM Portal Server After Installing/Applying SP1

Posted by Jorge on 2016-11-27


After installing MIM 2016 with SP1 or applying the SP1 update package you may experience issues with popup windows in the MIM Portal. An example is when you for example get a popup window because you click on an MPR object.

When doing this remotely from another server, other than the server with the MIM Portal, you will see the following, which is the expected behaviour in any browser.

Figure 1: MIM Portal On A Remote Server With A Working Popup Window

However, doing exactly the same on the server running the MIM Portal, you may experience the following when using IE, which is NOT expected! It keeps loading, and loading, and loading….

Figure 2: MIM Portal On The MIM Portal Server With A Non-Working Popup Window

The solution for this problem is quite easy!

On the MIM Portal server, open Internet Explorer and then open its internet options. On the “General” tab click the “Settings” button. Then click the “View Files” button.

Figure 3: MIM Portal On The MIM Portal Server With A Non-Working Popup Window

After clicking the “View Files” button, a Windows Explorer window opens. Click somewhere in the file list, press [CTRL]+[A] and then press [DEL]. Close all the windows by either closing them or clicking [OK].

After doing this, popup windows with IE on the MIM Portal server should work OK again as expected!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Microsoft Identity Manager (MIM), Portal, Updates

(2016-11-23) Microsoft Identity Manager (MIM) 2016 Service Pack 1 Packages

Posted by Jorge on 2016-11-23


Somewhere in September Microsoft released SP1 for MIM 2016, as you can read here. The first package was MIM 2016 with SP1 already included. If you wanted to install SP1 on your current deployment, you had to uninstall first and then reinstall with MIM 2016 with SP1 included, reusing all DBs. This procedure is described here. However, for some customers uninstalling everything and reinstalling is a bit too much: the impact and downtime are not acceptable. Because of that Microsoft has also released an SP1 update package that can be deployed on existing MIM 2016 deployments.

There is a subtle difference of which you must be aware:

  • MIM 2016 with SP1: build 4.4.1237.0
  • SP1 update package: 4.4.1302.0

As you can see the builds are different! Please be aware you cannot apply the SP1 update package to a deployment already running MIM 2016 with SP1. You can only apply it when running MIM 2016 RTM.
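A quick check before you download anything, as an added example that is not from the original post: it reads the installed MIM 2016 build from the Windows uninstall registry keys and, using the two build numbers above, tells you which SP1 package applies. It assumes the MIM components register with display names starting with "Microsoft Identity Manager"; adjust the pattern if yours differ.

```powershell
# Added example, not from the original post: decide which SP1 package applies to this server
# by reading the installed MIM build from the uninstall registry keys.
# Assumption: MIM components register with display names starting with "Microsoft Identity Manager".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$slipstreamedSp1 = [version]'4.4.1237.0'   # MIM 2016 with SP1 included (from the post)
$sp1UpdateBuild  = [version]'4.4.1302.0'   # SP1 update package (from the post)

$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Identity Manager*' -and $_.DisplayVersion }

if (-not $products) {
    Write-Warning 'No MIM component found under the uninstall registry keys.'
}

foreach ($product in $products) {
    $build = [version]$product.DisplayVersion
    if ($build -eq $slipstreamedSp1) {
        $verdict = 'MIM 2016 with SP1 already included: do NOT apply the SP1 update package'
    } elseif ($build -ge $sp1UpdateBuild) {
        $verdict = 'SP1 update package (or later) already applied'
    } elseif ($build -lt $slipstreamedSp1) {
        $verdict = 'Pre-SP1 build (MIM 2016 RTM): the SP1 update package can be applied'
    } else {
        $verdict = 'Build between the two SP1 builds; check the release notes'
    }
    [pscustomobject]@{ Component = $product.DisplayName; Build = $build; Verdict = $verdict }
}
```

Run it on every MIM server (Sync Service and Service/Portal are separate products) before touching a production box.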

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) PCNS, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Microsoft Identity Manager (MIM), Updates

(2016-11-20) Azure AD Connect v1.1.343.0 Has Been Released

Posted by Jorge on 2016-11-20


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.1.343.0

Released: 2016 November

New features:

  • N.A.

Fixed issues:

  • Sometimes, installing Azure AD Connect fails because it is unable to create a local service account whose password meets the level of complexity specified by the organization’s password policy.
  • Fixed an issue where join rules are not re-evaluated when an object in the connector space simultaneously becomes out-of-scope for one join rule and in-scope for another. This can happen if you have two or more join rules whose join conditions are mutually exclusive.
  • Fixed an issue where inbound synchronization rules (from Azure AD) which do not contain join rules are not processed if they have lower precedence values than those containing join rules.

Improvements:

  • Added support for installing Azure AD Connect on Windows Server 2016 standard or better.
  • Added support for using SQL Server 2016 as the remote database for Azure AD Connect.
  • Added support for managing AD FS 2016 using Azure AD Connect.

I ran the MSI and upgraded from the previous version without any issues!

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory

(2016-11-16) New Replica Of ADLDS Fails When Functional Level Is Too High (Error 0x80072177)

Posted by Jorge on 2016-11-16


On one of my DCs I also have one instance of ADLDS running. As I have a second DC running, I wanted to also install an ADLDS replica instance of the configuration set running on the first DC. The servers are running W2K12R2 and the FFL of the configuration set is W2K12R2 (level 6).

I used a scripted installation of the replica instance and it ended up with the following error

Figure 1: Error Message About The Level Of The Operating System Not Matching The Level Of The Configuration Set

To see if there would be any different or additional information I tried the manual setup, but it ended with the following error

Figure 2: Error Message About The Level Of The Operating System Not Matching The Level Of The Configuration Set

Looking at the error it might even look like a permission error as it mentions not being able to create the NTDS Settings object. However, when you look at the ADLDS Instance Event Log of the existing ADLDS instance that is being used as the replication source, you will see that apparently the new ADLDS replica instance running W2K12R2 presents itself as a W2K8R2 server (level 4).

Figure 3: Error About OS Level Not Matching The Required Level Of The Configuration Set

This looks like a bug!

The solution (make sure to provide the ADLDS host and LDAP port!):

  • View the current level of the Configuration Set

Get-ADObject -Server <ADLDS Host>:<ADLDS LDAP Port> -SearchBase $("CN=Partitions," + (Get-ADRootDse -Server <ADLDS Host>:<ADLDS LDAP Port>).ConfigurationNamingContext) -SearchScope Base -Filter * -Properties "msDS-Behavior-Version" | FL

  • Lower the Configuration Set Level to level 4

Set-ADObject -Server <ADLDS Host>:<ADLDS LDAP Port> -Identity $("CN=Partitions," + (Get-ADRootDse -Server <ADLDS Host>:<ADLDS LDAP Port>).ConfigurationNamingContext) -Replace @{"msDS-Behavior-Version"=4}

  • Add the new replica instance

Figure 4: Installing The New ADLDS Replica Instance While The Level Is Set To 4

  • If you try to increase the Configuration Set Level to level 6 again, you will see….

Set-ADObject -Server <ADLDS Host>:<ADLDS LDAP Port> -Identity $("CN=Partitions," + (Get-ADRootDse -Server <ADLDS Host>:<ADLDS LDAP Port>).ConfigurationNamingContext) -Replace @{"msDS-Behavior-Version"=6}

Figure 5: Error When Trying To Increase The Level Again After Installing The New ADLDS Replica Instance

UPDATE 2016-12-03: This issue does not exist in Windows Server 2016, where you will be able to increase the configuration set level to level 7.
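The three PowerShell steps above as one script, added here as an example (it is not from the original post): the ADLDS host and LDAP port become parameters, the current level is read and shown before anything is changed, and the level is only lowered when it is actually higher than the target. It assumes the ActiveDirectory module is available and that the account used may modify the Partitions container of the configuration set; the host and port values are placeholders.

```powershell
# Added example, not from the original post: view and lower the ADLDS configuration set level.
# Assumptions: ActiveDirectory module present; account may write msDS-Behavior-Version on CN=Partitions.
param(
    [Parameter(Mandatory)] [string] $AdldsHost,   # e.g. 'dc1.contoso.local' (constructed placeholder)
    [Parameter(Mandatory)] [int]    $AdldsPort,   # LDAP port of the existing (source) instance
    [int] $TargetLevel = 4                        # W2K8R2 level, the value the post lowers it to
)
Import-Module ActiveDirectory

# Build "host:port" with -f; "$AdldsHost:$AdldsPort" would be parsed as a drive-qualified variable.
$server       = '{0}:{1}' -f $AdldsHost, $AdldsPort
$rootDse      = Get-ADRootDSE -Server $server
$partitionsDn = 'CN=Partitions,' + $rootDse.configurationNamingContext

function Get-ConfigSetLevel {
    # msDS-Behavior-Version on the Partitions container is the configuration set level
    (Get-ADObject -Server $server -Identity $partitionsDn -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'
}

function Set-ConfigSetLevel([int] $Level) {
    Set-ADObject -Server $server -Identity $partitionsDn -Replace @{ 'msDS-Behavior-Version' = $Level }
}

$current = Get-ConfigSetLevel
'Configuration set level on {0}: {1}' -f $server, $current

if ($current -le $TargetLevel) {
    "Level is already $current; nothing to lower."
} else {
    Set-ConfigSetLevel -Level $TargetLevel
    "Level lowered from $current to $(Get-ConfigSetLevel); now add the replica instance."
}

# Raising the level again after the replica is installed: on W2K12R2 the post shows this fails
# (Figure 5); per the 2016-12-03 update it works on Windows Server 2016. The failure is caught
# and reported instead of aborting the script.
function Restore-ConfigSetLevel([int] $Level) {
    try {
        Set-ConfigSetLevel -Level $Level
        "Level raised to $(Get-ConfigSetLevel)."
    } catch {
        Write-Warning "Raising the level to $Level failed: $($_.Exception.Message)"
    }
}
```

Note that the first output line records the level before the change; keep it, because the level is a setting you may not be able to put back on this OS version.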

Cheers,
Jorge

Posted in Active Directory Lightweight Directory Services (ADLDS), Functional Level

(2016-10-16) Azure AD PowerShell v2.0 CMDlets Are In Public Preview

Posted by Jorge on 2016-10-16


Since a few days the new Azure AD PowerShell v2.0 CMDlets are in public preview!

Eventually the new Azure AD CMDlets will replace the existing MSOnline CMDlets. So, if you have tasks, scripts, whatever running that use the old CMDlets, make sure to start transitioning to the new CMDlets! Did you know you require at least PowerShell v5.0 to use this new PowerShell module? Well, now you do, and you can get PowerShell v5.0 from here!

Assuming your server has internet connectivity, execute (also see the PowerShell Gallery: http://www.powershellgallery.com/packages/AzureADPreview):

Install-Module -Name AzureADPreview

One of the key features of the new module is a close alignment of the PowerShell functionality with the Graph API capabilities. We are also moving towards a faster and more agile release process for new or updated functionality of these CMDlets. The new PowerShell CMDlets already provide more functionality in several areas, most notably for Modern Authentication and MFA (nice!), and include new management capabilities for Applications and Certificate Authority through PowerShell. For a full list of all available CMDlets and how to use them, see the Azure AD PowerShell reference documentation.

The PowerShell module has changed from MSONLINE to AZUREADPREVIEW. With GA, it will probably be called AZUREAD. The noun part of the PowerShell CMDlet names has changed from MSOL to AzureAD. So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser”. The parameters of the new CMDlets sometimes changed as well. As the CMDlets are in close alignment with the Graph API functionality, the names of objects and parameters are as close as possible to what is used in Graph API. An overview of Azure AD Graph API functionality can be found here: Getting started with Graph API

New functionality in Azure AD PowerShell

  • Using the -SearchString parameter. This parameter allows you to search for data in your directory based on a matching string value. The SearchString search scope for users currently covers the attributes “City”, “Country”, “Department”, “DisplayName”, “JobTitle”, “Mail”, “mailNickName”, “State”, and “UserPrincipalName”. This is similar to an ANR (Ambiguous Name Resolution) search in ADDS.

  • Managing Token Lifetime policy settings. You can now manage Token Lifetime settings in your directory and that will support operations on Policy, ServicePrincipalPolicy and PolicyAppliedObject objects. More information and examples for this functionality can be found here.

  • Managing Certificate Authority using PowerShell for Azure AD. New CMDlets have been made available. For that see this.

  • Managing Applications, Application Extension Properties, Application Owners and Application Key Credentials in Azure AD using PowerShell. New CMDlets have been made available. For that see this.
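A small transition script, added here as an example and not from the original post or from Microsoft: it checks the PowerShell 5.0 requirement, installs and loads AzureADPreview, and then runs the same "find users by name" task with the old Get-MsolUser and the new Get-AzureADUser (both have a -SearchString parameter), so you can compare results while migrating scripts. It assumes internet connectivity for Install-Module and an account that may read the directory; the search string is a constructed sample.

```powershell
# Added example, not from the original post: MSOnline -> AzureADPreview side-by-side search.
# Assumptions: internet access for Install-Module; account may read users in the tenant.
if ($PSVersionTable.PSVersion -lt [version]'5.0') {
    throw "Azure AD PowerShell v2.0 needs PowerShell 5.0 or later (found $($PSVersionTable.PSVersion))"
}

if (-not (Get-Module -ListAvailable -Name AzureADPreview)) {
    Install-Module -Name AzureADPreview -Scope CurrentUser
}
Import-Module AzureADPreview

# Interactive sign-in; this path supports Modern Authentication and MFA, one of the points of the new module.
Connect-AzureAD | Out-Null

$name = 'Jorge'   # constructed sample value; matches the ANR-like attribute set listed in the post

# New module
$newResults = Get-AzureADUser -SearchString $name |
    Select-Object DisplayName, UserPrincipalName, ObjectId

# Old module, only if it is still installed, so both result sets can be compared during the migration
if (Get-Module -ListAvailable -Name MSOnline) {
    Import-Module MSOnline
    Connect-MsolService
    $oldResults = Get-MsolUser -SearchString $name |
        Select-Object DisplayName, UserPrincipalName, ObjectId

    if ($oldResults -and $newResults) {
        # Anything listed here is returned by one module but not the other
        Compare-Object -ReferenceObject $oldResults -DifferenceObject $newResults -Property UserPrincipalName
    }
}

$newResults
```

Keep both modules installed until every scheduled task has been converted; the comparison output is empty when the two cmdlets agree.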

More Information:

Cheers,
Jorge

Posted in PowerShell, Windows Azure Active Directory

(2016-10-15) Azure AD Domain Services Has Reached GA

Posted by Jorge on 2016-10-15


Since a few days Azure AD Domain Services is Generally Available!

There are quite a few enhancements and features since the service first went into preview late last year.

  • Support for secure LDAP: You can access your managed domain using LDAPS (secure LDAP), including over the internet.
  • Custom OU support: Users in the ‘AAD DC Administrators’ delegated group can create and administer a custom organizational unit on your managed domain.
  • Configure managed DNS for your domain: Users in the ‘AAD DC Administrators’ delegated group can administer DNS on your managed domain using Windows Server DNS administration tools.
  • Domain join for Linux: We’ve worked with RedHat to document how you can join a RedHat Linux VM to your managed domain.
  • New and improved synchronization with your Azure AD tenant: We have re-designed the synchronization between your Azure AD tenant and your managed domain. For existing domains, this new improved synchronization has been rolled out automatically in a phased manner.
  • The ‘password does not expire’ attribute: Some accounts had the ‘password-does-not-expire’ attribute set on them, for example, service accounts. The password policy was being enforced for these accounts in managed domains, resulting in their passwords expiring. Passwords for such accounts will not expire.
  • Incorrect group display name for accounts created in Azure AD: The samAccountName attribute for groups created in Azure AD was not being set correctly in the managed domain. These were being set to GUIDs instead of valid samAccountName.
  • SID history sync: The on-premises primary user and group SIDs will now be synchronized to your managed domain and set as the SidHistory attribute on corresponding users and groups. This cool feature helps you lift-and-shift your workloads to Azure without having to worry about re-ACLing them.
  • Virtual network peering: The Azure networking team recently announced GA for virtual network peering. This awesome feature makes it easy to connect Domain Services to other virtual networks. You can connect a classic virtual network in which your managed domain is available to workloads deployed in resource manager virtual networks using network peering.

More information:

Cheers,
Jorge

Posted in Azure AD Domain Services (DCaaS), Windows Azure Active Directory

(2016-10-14) Windows Server 2016 Now Available On MSDN

Posted by Jorge on 2016-10-14


Microsoft released Windows Server 2016 about three weeks ago. Read about it here.

Yesterday Microsoft also made the Windows Server 2016 ISOs available on MSDN. Use this link to get to those ISOs. You do need to have an MSDN account and you need to be eligible to download the ISOs.

Cheers,
Jorge

Posted in Windows Server

(2016-10-13) Namespace Already Defined As The Target Namespace For Another File In The Policy Store

Posted by Jorge on 2016-10-13


My AD is running W2K12R2 DCs with the corresponding ADMX/ADML files. While preparing it for an updated Windows 10 client (Version 1607, OS build 14393.22) (this was installed ages ago and updated to the latest and greatest using Windows Update), I also decided to update the policy definitions on the central policy store. So I copied the files in the folder “C:\Windows\PolicyDefinitions” on the updated Windows 10 computer to the folder representing the central policy store on a DC (<Drive>:\<folder>\domain\Policies\PolicyDefinitions). SYSVOL replication should take care of the rest.

Now, after starting the GPMC and targeting any of the GPOs you have, for either viewing or editing, and clicking on the Settings tab followed by clicking “Show All”, you may see something similar to the following

Figure 1: Error Message About An Already Defined Namespace In Some Other ADMX File

…or opening a GPO, you may see something similar to the following

Figure 2: Error Message About An Already Defined Namespace In Some Other ADMX File

Figure 3: Error Message About An Already Defined Namespace In Some Other ADMX File

Looking at my Windows 10 client, its PolicyDefinitions folder contained the following files:

  • LocationProviderAdm.admx (en-US folder contained LocationProviderAdm.adml)
  • Microsoft-Windows-Geolocation-WLPAdm.admx (en-US folder contained Microsoft-Windows-Geolocation-WLPAdm.adml)
  • WindowsStore.admx (en-US folder contained WindowsStore.adml)

After this I also checked my Windows Server 2016 TP5 machine, and its PolicyDefinitions folder contained the following files:

  • LocationProviderAdm.admx (en-US folder contained LocationProviderAdm.adml)
  • WindowsStore.admx (en-US folder contained WindowsStore.adml)

My W2K12R2 DC had initially the following files in the central policy store:

  • LocationProviderAdm.admx (en-US folder contained LocationProviderAdm.adml)
  • WinStoreUI.admx (en-US folder contained WinStoreUI.adml)

After copying the files from the Windows 10 client to the central policy store on the W2K12R2 DC it ended up with the following files:

  • LocationProviderAdm.admx (en-US folder contained LocationProviderAdm.adml)
  • Microsoft-Windows-Geolocation-WLPAdm.admx (en-US folder contained Microsoft-Windows-Geolocation-WLPAdm.adml)
  • WindowsStore.admx (en-US folder contained WindowsStore.adml)
  • WinStoreUI.admx (en-US folder contained WinStoreUI.adml)

Looking at the end result of the files, it explained the error messages in Figure 1, 2 and 3.

The solution to this one in my case:

  • Using Notepad++, I compared “LocationProviderAdm.admx” and “Microsoft-Windows-Geolocation-WLPAdm.admx” and found no differences
    • I deleted:
      • Microsoft-Windows-Geolocation-WLPAdm.admx
      • en-US\Microsoft-Windows-Geolocation-WLPAdm.adml
  • Using Notepad++, I compared “WindowsStore.admx” and “WinStoreUI.admx” and found differences
    • I deleted:
      • WinStoreUI.admx (this file was older and contained less data than the other file)
      • en-US\WinStoreUI.adml

You can also read more about this in the following KB article: MS-KBQ3077013 – "'Microsoft.Policies.Sensors.WindowsLocationProvider' is already defined" error when you edit a policy in Windows
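The comparison above was done by hand with Notepad++. As an added example (not from the original post), the script below does the detection part for you: it opens every ADMX file in a PolicyDefinitions folder, reads the target namespace each file declares, and lists the namespaces that are declared by more than one file, together with each file's date and size so you can see which copy is the older, smaller one. The path is a placeholder; point it at the central store or at a local PolicyDefinitions folder.

```powershell
# Added example, not from the original post: find ADMX files that declare the same target namespace.
# Assumption: $Path is a PolicyDefinitions folder (central store path below is a constructed placeholder).
param(
    [string] $Path = '\\contoso.local\SYSVOL\contoso.local\Policies\PolicyDefinitions'
)

$declarations = foreach ($file in Get-ChildItem -Path $Path -Filter '*.admx' -File) {
    $admx = New-Object System.Xml.XmlDocument
    try {
        $admx.Load($file.FullName)
    } catch {
        Write-Warning "Could not parse $($file.Name): $($_.Exception.Message)"
        continue
    }
    # An ADMX declares its own namespace in policyNamespaces/target; 'using' elements only reference others.
    $target = $admx.policyDefinitions.policyNamespaces.target
    if ($null -eq $target) { continue }
    [pscustomobject]@{
        Namespace = $target.namespace
        File      = $file.Name
        Modified  = $file.LastWriteTime
        SizeBytes = $file.Length
    }
}

$duplicates = $declarations | Group-Object -Property Namespace | Where-Object { $_.Count -gt 1 }

if (-not $duplicates) {
    "No duplicate target namespaces found in $Path."
} else {
    foreach ($group in $duplicates) {
        "Namespace '$($group.Name)' is defined in $($group.Count) files:"
        $group.Group | Sort-Object Modified -Descending | Format-Table File, Modified, SizeBytes -AutoSize
    }
}
```

Whichever .admx you decide to remove, remove its .adml from every language subfolder as well, as done in the solution above; a stray .adml on its own is harmless but confusing.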

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Group Policy Objects

(2016-10-09) How To Clear A Value (NULLing It) From An Attribute On An Object In The FIM/MIM Portal?

Posted by Jorge on 2016-10-09


It might be the case you want to flow a NULL value into some attribute, or in other words clearing an attribute value, when meeting some condition.

In the sync rules a "Null()" function exists, which might give you the idea that it flows a NULL value. Au contraire, mon ami! The "Null()" function basically means "do nothing". One of the examples of using that function is in combination with the "IIF()" function. The "IIF()" function translates into "If…Then…Else". Sometimes, you just want to have "If…Then" and you do not care about the “Else”, and that’s when you use the "Null()" function when using the “IIF()” function.

For example:

IIF(Eq(X,"1"),Y,Null()) ==> Z

means…..

If X=1 then Z=Y

So, how do you clear a value in the FIM/MIM Portal? It is not possible by default, therefore you need a custom workflow activity to do that for you.

On CodePlex you will find Soren Granfeldt’s "FIM 2010 Granfeldt Workflow Activity Library". This Activity Library is a collection of generic custom workflows for use with FIM 2010 R1/R2 and MIM 2016. The purpose of this collection of workflow activities is to have activities that can solve the most common tasks in a traditional FIM installation – in one library.

As you can read in the documentation, it now supports an activity to clear an attribute value from the specified attribute. However, when downloading the activity, the old version of the activity, which does not support this, is still the one targeted for download. A workaround for this is to use the Code Run activity.

After adding the “Code Run” activity to the workflow:

  • Enter something in the “Title” field explaining what it does
  • In the “References (DLL’s)” field enter: System.dll
  • No need to specify anything in the “Parameters” field
  • In the “Code” field specify the following code:

using System;
public class FIMDynamicClass
{
    public static object FIMDynamicFunction()
    {
        // Returning null clears the attribute named in the "Destination" field
        return null;
    }
}

  • In the “Destination” field specify the targeted attribute for which its value must be cleared using the format: [//Target/<Attribute>] where <Attribute> is replaced with the attribute you need to be cleared

Figure 1: Clearing An Attribute Using The Code Run Activity In Soren Granfeldt’s "FIM 2010 Granfeldt Workflow Activity Library"

You can also use the MIM WAL activity to do the same, which is available on GitHub. The MIMWAL is a Workflow Activity Library (WAL) solution for configuring complex Workflows in the Microsoft Identity Manager (MIM) 2016 and Forefront Identity Manager (FIM) 2010 R2 solution.

After adding the “Update Resources” activity to the workflow:

  • Enter something in the “Activity Display Name” field explaining what it does
  • No need to use the advanced features of the activity
  • In the “Value Expression” field specify 2 quotes ""
  • In the “Target” field specify the targeted attribute for which its value must be cleared using the format: [//Target/<Attribute>] where <Attribute> is replaced with the attribute you need to be cleared
  • Make sure to check “Allow Null”

Figure 2: Clearing An Attribute Using The Update Resources Activity In The MIMWAL (MIM Workflow Activity Library)

Have fun!

Cheers,
Jorge

Posted in Activities, Forefront Identity Manager (FIM) Portal, Workflow

(2016-10-05) Exporting And Importing ADFS Configuration For Cloning Or Recovery Purposes

Posted by Jorge on 2016-10-05


Microsoft has released a tool to export and import the complete ADFS configuration to/from a file on either the local file system or in Azure.

With this tool the assumption is made that your complete ADFS farm is dead and the only thing you have is a backup or the exported configuration, OR you want to rebuild the ADFS farm in another environment. As it is mandatory to encrypt the backup/export, make sure to store the password in a safe location with controlled access. You don’t want to end up with a backup/export and no longer knowing the password to decrypt it! When you want to rebuild the ADFS farm in another environment (e.g. production environment to test environment), please be very careful where that backup/export ends up. Remember it contains all the certificates in use by the ADFS farm, and especially the Token Signing certificate and the Token Encryption certificate are very important.

With the backup, it exports everything in the ADFS configuration database. The ADFS configuration is stored in the files “config.xml”, “db.xml”, “installParams.xml” and “metadata.xml”. Except for that last file, the other files are encrypted with the password specified during the backup/export.

It also exports all ADFS related certificates and corresponding private keys from the local machine certificate store if those private keys are exportable. To find out which certificates to export to a PFX file, the tool looks in ADFS to find all the primary and secondary configured certificates for the service communication certificate, the token signing certificate and the token encryption certificate. It also looks which certificate is configured for the binding “<FQDN Federation Service>:443” as the SSL certificate (viewable with NETSH HTTP SHOW SSLCERT). The SSL certificate is stored in the file “SSLCert-<Thumbprint>.pfx”. The primary and secondary certificates for the service communication certificate, the token signing certificate and the token encryption certificate are exported to a file “OtherCert-<Thumbprint>.pfx”. All PFX files are protected with the password specified during the backup/export.

Figure 1: Backup/Export Created By The ADFS Rapid Creation Tool

As mentioned earlier, the main use of the tool is to either recreate a dead ADFS farm or clone an ADFS farm in another environment. When used for backup, the tool backs up everything in ADFS. When used for restore, it restores everything from the export. It is not possible to select individual components from the backup and only restore those. Maybe in a next version. In theory it would be possible to also restore one or more ADFS configuration components after an admin mistake (e.g. deletion of one or more RP trusts). However, if the backup/export used to restore a missing component still contains that missing component but is outdated, you will restore that missing component, but it will also bring your ADFS farm back in time.

In a WID based ADFS farm I restored the backup/export that was created on the primary ADFS server on that same primary ADFS server. The other secondary WID based ADFS servers were still running happily with no issues. After the restore you may still need to install software/DLLs to support any configured MFA provider or attribute store. This is especially important when cloning the ADFS farm. After that you need to start the ADFS service on the primary ADFS server. After restarting the ADFS service on the other, already existing secondary ADFS servers, those secondary ADFS servers started to replicate again from the primary ADFS server. Although I did not test it, I assume it would behave similarly when using a SQL based ADFS farm. Please be aware I did not check everything, and I do not know if this is a supported scenario or not. My advice is to not use this to restore individual components. To restore individual components (e.g. CP and/or RP trusts) use PowerShell scripting (see future blog post).

Now, let’s install this tool. After executing the MSI, the following screen is displayed

Figure 2: Welcome Screen

Figure 3: License Agreement Screen

The default installation folder is “C:\Program Files (x86)\ADFS Rapid Recreation Tool\”

Figure 4: Installation Folder And Who Will Be Using The Tool Screen

Figure 5: Install Confirmation Screen

Figure 6: Install Completed Screen

Afterwards to load the module execute the following command:

Import-Module "C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll"

To find out all the available CMDlets, execute the following command:

Get-Command -Module ADFSRapidRecreationTool

Figure 7: Importing PowerShell Module And Listing All Available CMDlets

For example, to create a backup/export to some folder on the file system, execute the following command, and make sure to replace the values with your own values:

Backup-ADFS -StorageType FileSystem -BackupComment "2016-10-02 16:30:00" -StoragePath "C:\ADFS-Support\Config-Export\2016-10-02_16.30.00_FedSvcConfig_MSFT-Tool" -EncryptionPassword ‘Pa$$w0rd’

Figure 8: Creating A Backup/Export To The File System

For example, to restore a backup/export from some folder on the file system, execute the following command, and make sure to replace the values with your own values:

Restore-ADFS -StorageType FileSystem -StoragePath "C:\ADFS-Support\Config-Export\2016-10-02_16.30.00_FedSvcConfig_MSFT-Tool" -DecryptionPassword ‘Pa$$w0rd’

Figure 9: Restoring A Backup/Export From The File System – Entering The Credentials Of The ADFS Service Account

Figure 10: Restoring A Backup/Export From The File System

After the restore the ADFS service is not running! Also pay attention to the text file mentioned.

Figure 11: Text File With Additional Steps To Execute Before Starting The ADFS Service

After installing the additional software or placing the DLLs in the ADFS folder to support additional MFA providers or attribute stores, restart the ADFS service.
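The backup command above takes the encryption password as a plain parameter, and the post rightly warns about where the export (certificates and private keys included) ends up. As an added example that is neither from the original post nor from the tool's own documentation, the wrapper below prompts for the password instead of putting it on the command line, names the export folder by timestamp as in the post, restricts the folder's ACL to SYSTEM and local Administrators before the tool writes into it, runs Backup-ADFS, and then checks for the four XML files and the PFX files the post says an export contains. It assumes the module is installed at its default path, that it runs elevated on the primary ADFS server, and that the export root path is a placeholder to replace with your own.

```powershell
# Added example, not from the original post or the tool's docs: Backup-ADFS with a prompted
# password, a locked-down export folder and a sanity check of the produced files.
# Assumptions: default module path; run elevated on the primary ADFS server; $exportRoot is a placeholder.
$exportRoot = 'C:\ADFS-Support\Config-Export'
Import-Module "C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll"

# Prompt rather than hard-code; the same password later decrypts the XML files and the PFX files.
$securePassword = Read-Host -Prompt 'Encryption password for the export' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
try {
    $plainPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

$stamp  = Get-Date -Format 'yyyy-MM-dd_HH.mm.ss'
$target = Join-Path $exportRoot "${stamp}_FedSvcConfig_MSFT-Tool"
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Lock the folder down before anything is written: inheritance off, SYSTEM and Administrators only.
$acl = Get-Acl -Path $target
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $target -AclObject $acl

Backup-ADFS -StorageType FileSystem -StoragePath $target -BackupComment "$stamp export" -EncryptionPassword $plainPassword
$plainPassword = $null

# Sanity check against the file list described in the post (searched recursively in case the
# tool nests the files in a subfolder).
$expected = 'config.xml', 'db.xml', 'installParams.xml', 'metadata.xml'
$produced = Get-ChildItem -Path $target -Recurse -File
$missing  = $expected | Where-Object { $_ -notin $produced.Name }
$pfx      = $produced | Where-Object { $_.Extension -eq '.pfx' }

if ($missing) {
    Write-Warning "Export looks incomplete, missing: $($missing -join ', ')"
}
"Exported to $target with $($pfx.Count) PFX file(s): $($pfx.Name -join ', ')"
```

The password is only decoded to a plain string for the duration of the Backup-ADFS call, because that is what the cmdlet's -EncryptionPassword parameter takes as shown above; if you later need it in a scheduled task, store it with a credential manager rather than in the script.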

Also have a look at the following links for additional information and the download location of the tool:

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Export/Import

 