Install and Setup ADFS 2.0 on a Windows Server

ADFS, Blog, Information Technology, Microsoft, Servers, Software, Windows

Note: This guide assumes you have a Windows server that is joined to a domain, and that you have an account that is a member of the Domain Admins group.



First we need to install ADFS 2.0

  1. To install version 2.0, it first needs to be downloaded. Click this link to download the installation file: https://www.microsoft.com/en-au/download/details.aspx?id=10909
  2. Choose the type of installation file based on your OS (I am running Server 2008 R2, so I will choose RTW\W2K8R2\amd64\AdfsSetup.exe). Save the installation file to your Desktop.
  3. Run the exe located on your Desktop.
  4. On the Welcome screen, click Next.
  5. Accept the License Agreement.
  6. I will be setting this ADFS server up as a Federation server, so I will leave the default of Federation Server selected and click Next. Note: you would select Federation server proxy if you were running your ADFS server in a network segment such as a DMZ.
  7. Click Next on the prerequisite software screen. The install wizard will install these components automatically if they are not already present on the system. If there are no errors, the software will be installed and the ADFS 2.0 management window will open.

The next task is to create a certificate template to use with our SSL certificate

  1. The first thing you need to do is open the Server Manager (Start > Administrative Tools > Server Manager)
  2. Select Roles
  3. Click Add Roles
  4. Click Next to get past the Welcome Screen
  5. Check off Active Directory Certificate Services and click Next
  6. Click Next to get past the Welcome Screen
  7. Click Next on the Role Services page
  8. Leave the default of Enterprise selected and click Next. Note: if Enterprise is not an option, you must log out of the server and log back in using an account that is a member of the Domain Admins group.
  9. On the next page you need to decide between a Root CA and a Subordinate CA. Select Root CA if you are OK with using a self-signed certificate for your ADFS instance. Select Subordinate CA if you would like to purchase a certificate from a 3rd party certificate authority. I will be using a self-signed certificate, so I will select Root CA and click Next.
  10. Click Next on the Private Key page to create a new private key.
  11. Choose the type of cryptography you would like to use on the next page. I will leave the default of SHA1 with a 2048-bit key length, but you can choose whatever you want. Then click Next
  12. Click Next on the CA Name page
  13. Choose how long you want the certificate to be valid. I will leave the default of 5 years set. Click Next
  14. Click Next on the Certificate Database page
  15. Click Install to finish and then close the wizard when complete
  16. Next open up the Certificate Authority (Start > Administrative Tools > Certificate Authority)
  17. Expand your server in the left column, right click Certificate Templates and click Manage
  18. Scroll down to the end of the list, right click Web Server and click Duplicate Template
  19. Select Windows Server 2008 Enterprise and click OK. Note: you would select Windows Server 2003 only if you had 2003 servers on your network that needed to access the ADFS services.
  20. Give the template a name (ex: ADFS SSL Certificate)
  21. Next click on the Subject Name tab at the top.
  22. Click the Build from this Active Directory information radio button, select Common name from the Subject name format dropdown, uncheck User principal name (UPN) and check DNS name
  23. In order for the ADFS server to obtain a certificate, it needs to have the correct permissions set up to do so. To do this, select the Security tab at the top.
  24. To add the required permissions, click the Add… button
  25. Click the Object Types… button, check Computers in the newly opened window and click OK.
  26. Enter the name of the server that you previously installed ADFS on and click OK. The server will be added to the permission list.
  27. Next we need to grant the Enroll permission to this particular server. Check Allow next to Enroll and click OK
  28. Now we need to make this certificate template available to be used to issue certificates. To do this, open up the Certificate Authority window again (Start > Administrative Tools > Certificate Authority)
  29. Right click the Certificate Templates icon in the left column, hover over New and click Certificate Template to Issue
  30. Select the name of the template you made previously (in my example I named it ADFS SSL Certificate) and click OK.

The next task is to create an SSL certificate on the server that is compatible with ADFS

  1. Open up a management console window on your server (Start, type in mmc.exe and hit Enter)
  2. Click File and click Add or Remove Snap-ins
  3. Highlight Certificates and click Add
  4. Select Computer account, click Next and then click Finish
  5. Now that the options are configured, click OK
  6. In the Console window, click View and then select Options
  7. Select Certificate purpose and then click OK. This will allow us to view the computer's certificates by their purpose.
  8. In the Intended Purposes view, right click Server Authentication, hover over All Tasks and click Request New Certificate
  9. Click Next on the welcome screen.
  10. Click Next on the Select Certificate Enrollment Policy page
  11. Select the template you created before (ex: ADFS SSL Certificate) by checking it and clicking Enroll.
  12. Click Finish and close all of the open windows.
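
An added check, not part of the original post, for the certificate just enrolled: it confirms a private key, the Server Authentication purpose and a DNS name matching the federation service name, and flags the SHA1 signature that the CA wizard default above produces (clients have since stopped trusting SHA1-signed certificates). The service name is a placeholder, and the script sticks to PowerShell 2.0 / .NET 3.5 members available on Server 2008 R2 rather than newer Cert: drive properties.

```powershell
# Added example, not from the original post. Reports whether each certificate with a
# private key in the computer's Personal store is suitable as the ADFS SSL certificate.
# $ServiceName is a placeholder: use the DNS name your federation service will answer on.
function Test-AdfsSslCertificate {
    param([Parameter(Mandatory = $true)][string]$ServiceName)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage OID for Server Authentication

    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_

        # DNS names: the Subject CN plus any Subject Alternative Name (2.5.29.17) entries.
        # .NET 3.5 has no typed SAN class, so parse the "DNS Name=host" text that Format() emits.
        $names = @($cert.GetNameInfo('DnsName', $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += $san.Format($false) -split ',\s*' |
                Where-Object { $_ -like 'DNS Name=*' } |
                ForEach-Object { $_ -replace '^DNS Name=', '' }
        }

        # Enhanced Key Usage (2.5.29.37) must include Server Authentication for an SSL cert.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $serverAuth = $false
        if ($eku) {
            $serverAuth = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
        }

        $sigAlg = $cert.SignatureAlgorithm.FriendlyName
        New-Object PSObject -Property @{
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            DnsNames        = ($names | Sort-Object -Unique) -join ', '
            NameMatches     = [bool]($names -contains $ServiceName)
            ServerAuth      = $serverAuth
            KeySize         = $cert.PublicKey.Key.KeySize
            SignatureAlg    = $sigAlg
            WeakSignature   = ($sigAlg -match 'sha1|md5')   # SHA1 is the CA wizard default above
            DaysUntilExpiry = [int](($cert.NotAfter - (Get-Date)).TotalDays)
            Usable          = ($serverAuth -and ($names -contains $ServiceName) -and ($cert.NotAfter -gt (Get-Date)))
        }
    }
}

Test-AdfsSslCertificate -ServiceName 'adfs.example.local' | Format-List
```

Because the template builds the subject from the computer's DNS name, the name ADFS will use must be the server's own FQDN; a certificate with WeakSignature true should be re-issued from a CA configured for SHA256 before it is exposed to clients.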


The next task will be to configure ADFS

  1. Open up ADFS management (Start > Administrative Tools > AD FS 2.0 Management)
  2. In the ADFS 2.0 management window, click AD FS 2.0 Federation Server Configuration Wizard
  3. Leave the default of Create a new Federation Service selected and click Next
  4. On the Select Deployment Type page, select Stand-alone federation server and click Next
  5. Make sure your SSL certificate is selected on the Federation Service Name page and click Next
  6. Click Next on the summary screen and wait for the wizard to complete.
  7. Once the wizard is finished, click Close. ADFS is now installed and ready to be used.
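
An added post-configuration check, not part of the original post, for the stand-alone federation service: it reads the ADFS 2.0 snap-in's view of the service, compares the service-communications certificate with the HTTPS binding registered in HTTP.sys, and fetches the federation metadata over HTTPS. It assumes ADFS 2.0 on Server 2008 R2 with the default binding on port 443.

```powershell
# Added example, not from the original post. Verifies the federation service configured
# above: service state, certificate consistency between ADFS and the HTTPS binding, and
# that the metadata document is actually served. Assumes ADFS 2.0 (PowerShell snap-in).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

function Test-AdfsDeployment {
    $props  = Get-ADFSProperties
    $fsHost = $props.HostName
    $comm   = Get-ADFSCertificate -CertificateType Service-Communications

    # ADFS 2.0 runs under IIS, so the HTTPS binding lives in HTTP.sys. Read its hash so a
    # certificate replaced in IIS but not in ADFS (or the other way round) is caught.
    $line = netsh http show sslcert ipport=0.0.0.0:443 | Select-String 'Certificate Hash'
    $boundHash = $null
    if ($line) { $boundHash = ($line.Line -split ':', 2)[1].Trim() }

    # Fetching the metadata exercises DNS, the binding, trust in the enterprise root CA and
    # the federation service itself; its entityID must equal the service identifier.
    $url = "https://$fsHost/FederationMetadata/2007-06/FederationMetadata.xml"
    $metadataOk = $false
    try {
        $xml = [xml](New-Object System.Net.WebClient).DownloadString($url)
        $metadataOk = ("$($xml.EntityDescriptor.entityID)" -eq "$($props.Identifier)")
    } catch {
        Write-Warning "Could not fetch $url : $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        ServiceRunning            = ((Get-Service adfssrv).Status -eq 'Running')
        FederationServiceHost     = $fsHost
        Identifier                = "$($props.Identifier)"
        CommCertThumbprint        = $comm.Thumbprint
        CommCertMatchesSslBinding = (($boundHash -ne $null) -and ($comm.Thumbprint -eq $boundHash))
        TokenSigningCerts         = @(Get-ADFSCertificate -CertificateType Token-Signing).Count
        MetadataOk                = $metadataOk
    }
}

Test-AdfsDeployment | Format-List
```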


Add SAN storage to Microsoft Failover Cluster Fileserver

Blog, Information Technology, Servers

This post assumes that you already created a failover cluster between at least two servers and have already created the file server role.

Note: In my example I am adding 2 disks, one 10 GB and the other 5 GB at the same time.

After you have created the volume on your SAN, you need to connect to it on both servers via the iSCSI Initiator. Open the iSCSI Initiator on both servers by clicking Start > All Programs > Administrative Tools > iSCSI Initiator. Find the volume you created on the SAN and connect to it.

Now that we have presented the new disk to all nodes of the cluster, the newly connected disk shows up in Disk Manager as offline.

The next step is to bring our new disk online. This only needs to be done on one of the servers in the cluster; it does not matter which server. In Disk Manager, right click the new disk and select “Online”.

Now we want to create the new volume as a “New Simple Volume”. Right click the disk and select “New Simple Volume…”

Go through the “New Simple Volume Wizard” like you normally would when you are formatting a disk (drive letter, file system, volume label etc.) and click Finish. Now Disk Manager should show your newly created drives.

Now open the Failover Cluster Manager and select “Storage”. In the top right corner select “Add a disk”.

Check your new disks and click “OK”.

Now we have to add the available storage to our file server. In the Failover Cluster Manager, expand Services and applications and select your file server service.

On the right hand side of the service under Actions, click “Add Storage”. Check off the new drives and click “OK”.

And that is it.
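
The “Add a disk” and “Add Storage” steps above as a script, added here and not part of the original post; it refuses to continue when fewer disks than expected are visible to every node, which is the usual sign of a missing iSCSI session on one of them. It assumes the FailoverClusters module on Server 2008 R2, and FileServer1 is a placeholder for the name of your file server group.

```powershell
# Added example, not from the original post. Claims the SAN volumes every node can see
# for the cluster and moves them into the file server group. Assumes Server 2008 R2's
# FailoverClusters module; the group name passed in is a placeholder.
Import-Module FailoverClusters

function Add-SanDisksToFileServer {
    param(
        [Parameter(Mandatory = $true)][string]$FileServerGroup,
        [int]$ExpectedDiskCount = 2     # the post adds a 10 GB and a 5 GB disk together
    )

    # Only disks visible to all nodes and not yet claimed by the cluster are listed.
    # Fewer than expected usually means the iSCSI session is missing on one node.
    $available = @(Get-ClusterAvailableDisk)
    if ($available.Count -lt $ExpectedDiskCount) {
        throw "Expected $ExpectedDiskCount unclaimed disk(s) visible to all nodes, found $($available.Count). Check the iSCSI Initiator on each node."
    }

    # Fail early on a mistyped group name instead of leaving disks in Available Storage.
    $group = Get-ClusterGroup -Name $FileServerGroup -ErrorAction Stop

    foreach ($disk in $available) {
        Write-Host ("Adding disk {0} ({1:N1} GB)" -f $disk.Number, ($disk.Size / 1GB))
        # Add-ClusterDisk places the disk in Available Storage as "Cluster Disk N" ...
        $resource = $disk | Add-ClusterDisk
        # ... and Move-ClusterResource is what "Add Storage" on the file server does.
        Move-ClusterResource -Name $resource.Name -Group $group.Name | Out-Null
    }

    # Report every Physical Disk resource now owned by the file server group, with its state.
    Get-ClusterResource | Where-Object {
        "$($_.ResourceType)" -eq 'Physical Disk' -and "$($_.OwnerGroup)" -eq $group.Name
    } | Select-Object Name, State, OwnerGroup, OwnerNode
}

Add-SanDisksToFileServer -FileServerGroup 'FileServer1'
```

Any disk reported with a State other than Online after this should be investigated on its OwnerNode before clients are pointed at it.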

Server 2008 R2 Failover Clustering

Blog, Information Technology, Servers

One of the neat things about Windows Server 2008 R2 Enterprise is the ability to cluster servers together so that if one server were to fail, the other could pick up the load without the user ever knowing. This means your company has little downtime when disaster strikes or during scheduled maintenance. Some of the services that failover clustering can provide are DHCP Server, File Server, Print Server or a Virtual Machine.

To test out the failover cluster I first made 2 volumes in the Dell EqualLogic PS4000 SAN (Storage Area Network). One volume is the Quorum disk and the other is the actual volume we wish to store data on. The quorum, in a failover cluster environment, is designed to handle the scenario where there is a problem with communication between the cluster nodes, so that two servers do not simultaneously try to write to the same disk. If two servers were writing to the same disk at the same time it would result in disk corruption. By having this concept of quorum, the cluster will force the cluster service to stop in one of the subsets of nodes to ensure that there is only one true owner of a particular resource group.

Next, I opened up the iSCSI Initiator in Server 2008 R2 and connected the two volumes on both of my servers.

After creating a new volume in disk management, I opened the Failover Cluster Manager. From there I right clicked “Failover Cluster Manager” and clicked “Create a Cluster.” I went through the setup, added the two servers, made sure they were on the same domain and made sure they passed the validation test. I actually ran into a problem when running the validation. It seems that having both of these 2008 R2 servers on a Windows Server 2003 domain will not pass the validation. I only had 2 servers running server 2008 so I had to make one of the servers run active directory, DHCP and DNS server roles. After I set that up I added the other server to the new test domain and voila, it validated!

The next step I had to do was add the two volumes to the cluster by clicking storage in the left-hand column and right clicking “Add a Disk.”

Once the drives were set up I was able to add a service to the cluster. Right click “Services and Applications” in the left-hand column and select “Configure a Service or Application.” I selected “File Server” and the drive I wanted to use. I then gave the service an IP and a Client Access Name.

Now I can configure all the servers that need access to this volume by mapping a network drive and entering the client access name I gave the service before. Now if I need to upgrade RAM or install updates on one of the nodes I can do so without disrupting any of the machines. No longer will I have to wait until Sunday or late at night (when most users are not using the servers) to update/upgrade machines.

This service is such a great utility for systems administrators. I can’t wait to dive more into its capabilities.
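
The same build as a script, added here and not taken from the post: validate both nodes, create the cluster, claim the two SAN volumes, set Node and Disk Majority with the small volume as witness, and publish the file server role. Node and resource names and the 192.0.2.x addresses are placeholders, and it assumes the smaller of the two volumes is the one intended as the quorum disk.

```powershell
# Added example, not from the original post. Two-node cluster with a disk witness and a
# file server role, using the Server 2008 R2 FailoverClusters module. All names and
# addresses below are placeholders.
Import-Module FailoverClusters

$nodes          = 'NODE1', 'NODE2'
$clusterName    = 'TESTCLUSTER';  $clusterIP    = '192.0.2.10'
$fileServerName = 'FILESERVER1';  $fileServerIP = '192.0.2.11'

# 1. Validation, the same report the wizard produces. The post notes it fails while the
#    2008 R2 nodes still sit in a Windows Server 2003 domain, so read the HTML report
#    before going on rather than assuming a pass.
$report = Test-Cluster -Node $nodes
Write-Host "Validation report written to $($report.FullName); review it before continuing."

# 2. Create the cluster with a static client access address.
New-Cluster -Name $clusterName -Node $nodes -StaticAddress $clusterIP | Out-Null

# 3. Claim the volumes every node can see. Sorting by size makes the small volume the
#    witness and the large one the data disk (an assumption about your SAN layout).
$disks   = @(Get-ClusterAvailableDisk | Sort-Object Size)
$witness = $disks[0] | Add-ClusterDisk
$data    = $disks[1] | Add-ClusterDisk

# 4. Node and Disk Majority: with two nodes the witness disk breaks the tie, so after a
#    network split only one side keeps running and owning the storage.
Set-ClusterQuorum -NodeAndDiskMajority $witness.Name | Out-Null

# 5. File server role with its own IP and client access name, the name clients map to.
Add-ClusterFileServerRole -Name $fileServerName -Storage $data.Name -StaticAddress $fileServerIP | Out-Null

Get-ClusterQuorum
Get-ClusterGroup -Name $fileServerName | Get-ClusterResource | Select-Object Name, ResourceType, State
```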