Step-By-Step: Migrating AD FS 2.0 to AD FS 3.0 for Office365 Single Sign-On


AD FS 3.0, included in Windows Server 2012 R2, provides a great deal of advancement over its predecessor. There are a couple of different paths for migrating from AD FS 2.0 to AD FS 3.0. The one detailed below performs a parallel install, exporting the AD FS 2.0 configuration and importing it into AD FS 3.0. There are other methods of completing this task, but this method is preferred because you can build the whole AD FS 3.0 solution, test it end to end, and then cut over to it by updating DNS, without user impact.

Prerequisites

  1. Build a new AD FS 3.0 server on Windows Server 2012 R2

  2. Add the server to the local domain

  3. Export the SSL certificate from the AD FS 2.0 server (with private key)

  4. The AD FS service account and password that were used to deploy AD FS 2.0

  5. Directory Sync is running

Step 1: Importing the SSL Certificate

NOTE: It’s very important to use the same SSL certificate as you used in your AD FS 2.0 deployment.

NOTE: Microsoft recommends that you go to the AD FS 2.0 server and export the SSL certificate (with private key) to be sure that it’s the same one.

  1. Open the Start Screen

  2. Type MMC

  3. Click the MMC app

  4. Once MMC opens, click File > Add/Remove Snap-in

  5. Select Certificates > Click Add

  6. Select Computer Account

  7. Click Next

  8. Select Local Computer

  9. Click Finish

  10. Click OK

  11. Expand Certificates > Personal

  12. Right-click Certificates

  13. Select Import

  14. Select Local Machine and click Next

  15. Browse to the exported certificate and click Next

  16. Enter the password, select Mark the key as exportable, and click Next

  17. Place in the Personal certificate store and click Next

  18. Click Finish

  19. Click OK
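The wizard steps above as a PowerShell equivalent, added here as an example and not taken from the original post. It assumes placeholder parameters for the PFX path, the expected thumbprint (read from the AD FS 2.0 server) and the federation service name, and fails closed if the imported certificate is not the AD FS 2.0 one:

```powershell
# Added example, not part of the original post: the MMC import from Step 1 as a script, with the
# checks worth doing before AD FS 3.0 is pointed at the certificate. Placeholders: $PfxPath,
# $ExpectedThumbprint (read on the AD FS 2.0 server with
# Get-ADFSCertificate -CertificateType Service-Communications) and $ServiceFqdn.
function Import-AdfsSslCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][string]$ExpectedThumbprint,
        [Parameter(Mandatory=$true)][string]$ServiceFqdn
    )
    $password = Read-Host -Prompt 'PFX password' -AsSecureString

    # Same outcome as the wizard: Local Machine store, Personal folder, key marked exportable.
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                                  -Password $password -Exportable

    $problems = @()
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        $problems += "Thumbprint $($cert.Thumbprint) is not the AD FS 2.0 service certificate $expected"
    }
    if (-not $cert.HasPrivateKey) {
        $problems += 'No private key was imported; re-export the PFX from AD FS 2.0 with the private key'
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $problems += "Certificate expired on $($cert.NotAfter)"
    }

    # The federation service name must be covered by the subject CN or a SAN entry,
    # either literally or by a wildcard for its parent domain.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = $cert.Subject
    if ($sanExt) { $names += ' ' + $sanExt.Format($false) }
    $wildcard = '*' + $ServiceFqdn.Substring($ServiceFqdn.IndexOf('.'))
    if ($names -notmatch [regex]::Escape($ServiceFqdn) -and $names -notmatch [regex]::Escape($wildcard)) {
        $problems += "Neither subject nor SAN covers $ServiceFqdn"
    }

    if ($problems.Count -gt 0) { throw ($problems -join "`n") }
    return $cert
}

# Example call (placeholder values):
# Import-AdfsSslCertificate -PfxPath 'C:\adfs\sts.pfx' -ExpectedThumbprint '<thumbprint from AD FS 2.0>' -ServiceFqdn 'sts.DOMAIN.com'
```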

Step 2: Install the AD FS Role on Windows Server 2012 R2

  1. Log in to the AD FS 3.0 server

  2. Open Server Manager and navigate to Local Server > Manage > Add Roles and Features

  3. Click Next

  4. Click Next

  5. Click Next

  6. Select Active Directory Federation Services and click Next

  7. Click Next

  8. Click Next

  9. Click Install

  10. The install completes. Do not click Close; continue to the next step.
     

Step 3: Configure AD FS 3.0

  1. Click Configure the federation service on this server

  2. Select Create the first federation server in a federation farm and click Next

  3. Use an account with Domain Admin rights to perform the install. Please note that this is not the service account; that comes later in the setup.

  4. Click Next

  5. Select the certificate that was imported in Step 1

     WARNING – This MUST be the same SSL certificate used in the AD FS 2.0 farm

  6. Enter the Federation Service Display Name

     WARNING – This MUST match the AD FS 2.0 farm name

  7. Click Next

  8. Specify the AD FS service account.

     WARNING – This has to be the same AD FS service account that is used in the AD FS 2.0 farm. No exceptions.

  9. Enter the password and click Next

  10. Select the default (Windows Internal Database) – unless you want to use SQL, but don’t use the same database as the AD FS 2.0 farm – and click Next

  11. Click Next

  12. Click Configure

  13. Configuration started

  14. Configuration finished

  15. If you navigate to AD FS Management, you will notice that the Relying Party Trusts do not include Office365.
     

Step 4: Export the AD FS 2.0 Configuration

  1. Log in to the AD FS 2.0 server

  2. Insert or mount the Windows Server 2012 R2 DVD on the server

  3. Run PowerShell as Administrator

  4. Navigate to \support\adfs on the Windows Server 2012 R2 DVD

  5. Execute the script:

     .\export-federationconfiguration.ps1 -path c:\adfs_export

     This exports the AD FS 2.0 configuration to a folder called adfs_export in the root of the C: drive.

  6. With the export completed, copy the adfs_export folder to the Windows Server 2012 R2 AD FS server
     

Step 5: Import the AD FS Configuration to AD FS 3.0

  1. Log in to the AD FS 3.0 server

  2. Open PowerShell as an Administrator

  3. Navigate to \support\adfs on the Windows Server 2012 R2 DVD

  4. Execute the Import-FederationConfiguration.ps1 script with the path parameter pointing at the exported AD FS 2.0 configuration:

     .\import-federationconfiguration.ps1 -path C:\ADFS_Export

  5. Once the import has started, take note of the warning that this will remove all existing claims providers and relying party trusts on the target server, so make sure that you are on the right server

  6. Once it has been imported successfully, verify the import in AD FS Management
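A way to verify the import beyond a glance at AD FS Management, added here as an example and not part of the original post. It assumes placeholder file paths and an account that can run the AD FS cmdlets on both servers; it snapshots the values the WARNINGs in Step 3 say must match (display name, service certificate), plus the token-signing certificates and relying party trusts, and diffs the two farms:

```powershell
# Added example, not part of the original post: records the settings that must be identical on
# the AD FS 2.0 farm and the new AD FS 3.0 farm, so the two can be diffed after the import.
# Run Get-AdfsSnapshot on each server (file names are placeholders), then Compare-AdfsSnapshot.
# Kept PowerShell 2.0 compatible because the AD FS 2.0 server may still run that version.
function Get-AdfsSnapshot {
    param([Parameter(Mandatory=$true)][string]$OutFile)

    # AD FS 2.0 ships its cmdlets as a snap-in; on AD FS 3.0 the ADFS module auto-loads.
    if (-not (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
    }
    $props = Get-ADFSProperties
    $snapshot = New-Object PSObject -Property @{
        DisplayName  = $props.DisplayName                 # must match the 2.0 farm name (Step 3)
        HostName     = $props.HostName                    # federation service FQDN
        Identifier   = [string]$props.Identifier          # entityID that Office 365 trusts
        ServiceComms = (Get-ADFSCertificate -CertificateType Service-Communications).Thumbprint
        TokenSigning = @(Get-ADFSCertificate -CertificateType Token-Signing | ForEach-Object { $_.Thumbprint })
        RelyingParty = @(Get-ADFSRelyingPartyTrust | ForEach-Object { $_.Name + ' <' + ($_.Identifier -join ',') + '>' })
    }
    $snapshot | Export-Clixml -Path $OutFile
    return $snapshot
}

function Compare-AdfsSnapshot {
    param([Parameter(Mandatory=$true)][string]$OldFile, [Parameter(Mandatory=$true)][string]$NewFile)
    $old = Import-Clixml -Path $OldFile
    $new = Import-Clixml -Path $NewFile
    $mismatches = @()
    foreach ($name in 'DisplayName', 'HostName', 'Identifier', 'ServiceComms') {
        if ($old.$name -ne $new.$name) {
            $mismatches += "${name}: AD FS 2.0 = '$($old.$name)', AD FS 3.0 = '$($new.$name)'"
        }
    }
    # Sets rather than scalars. Office 365 validates tokens with the signing certificate it already
    # knows, so a different Token-Signing thumbprint means SSO breaks until Office 365 is updated.
    foreach ($name in 'TokenSigning', 'RelyingParty') {
        $diff = Compare-Object -ReferenceObject @($old.$name) -DifferenceObject @($new.$name)
        if ($diff) {
            $detail = ($diff | ForEach-Object { $_.SideIndicator + ' ' + $_.InputObject }) -join '; '
            $mismatches += "${name} differs: $detail"
        }
    }
    return $mismatches   # empty when the farms match; anything listed must be resolved before cut-over
}

# Example (placeholder paths):  Get-AdfsSnapshot -OutFile C:\adfs_export\adfs20.xml   # on the AD FS 2.0 server
#                               Get-AdfsSnapshot -OutFile C:\adfs_export\adfs30.xml   # on the AD FS 3.0 server
#                               Compare-AdfsSnapshot -OldFile C:\adfs_export\adfs20.xml -NewFile C:\adfs_export\adfs30.xml
```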
     

Step 6: Testing Single Sign-On

  1. From a PC joined to the domain, edit the hosts file and add an entry mapping the federation service name to the IP address of the AD FS 3.0 server, so that the name resolves to the AD FS 3.0 federation farm instead of the AD FS 2.0 farm

  2. Navigate to the IdP-initiated sign-on page, https://sts.DOMAIN.com/adfs/ls/IdpInitiatedSignon.aspx. You can tell right away that this is the AD FS 3.0 server by the way the web page looks.

  3. Test signing in

  4. Once this is completed, you can test logging into the Microsoft Office365 Portal.
     

Step 7: Adding Redundancy and WAP Servers

Keep in mind that when you add more AD FS servers to the farm, or add the Web Application Proxy (WAP) servers (the AD FS proxy role) to this new farm, you add those servers directly to the new farm. There is no need to repeat the process above once you have the first AD FS 3.0 server set up in the new farm. Also note that if you have not changed DNS to point at the new farm, you will most likely need hosts file entries on the new servers to make sure that you are adding them to the new farm, because internal DNS still points to the AD FS 2.0 farm.
 

Step 8: Production Cut Over

When the AD FS 3.0 solution has been completed, update internal and external DNS to point at the new AD FS 3.0 farm.

Comments (6)

  1. Mark says:

    Great article! I ran into one stumbling block trying to get ADFS 3.0 installed on a Server 2012r2 DC with Windows Internal Database. When setup tries to configure WID, the following error is generated. "Cannot start service MSSQL$MICROSOFT##WID on computer ‘.’."
    You have to edit your GPO for the DC to allow logon as service rights to "NT SERVICE\MSSQL$MICROSOFT##WID". Reboot the server and go to Server Manager. There should be a warning message you need to complete the ADFS setup. Run through the configuration again and the WID will install correctly. You can then import the config and complete the setup.

  2. ck67 says:

    Very helpful post, thank you.
    One question about certificates: is it OK not to replace the token-signing & token-decrypting certificates on O365 with the new ADFS server's self-signed certs?

  3. Ad says:

    Great Write up.

    I have followed these instructions and everything seems to work fine.
    We are using an NLB and once configured to the VIP it seems to fail. I'm assuming it's because it tries to auth with the current (OLD) ADFS server, as the farm name is the same.
    Can I assume that once I cutover to the 3.0 servers (disable/remove the ADFS 2.0 servers AND proxies) it will be OK?

  4. Kay F says:

    When you said "There is no need to repeat the process above once you have the first AD FS 3.0 server setup in the new farm" what do you mean exactly? Which steps exactly should be skipped when setting up the second ADFS server? Do we skip the part about exporting and importing old cert? Do we export and import the old ADFS configuration?

  5. SachinTOM says:

    Excellent Article.. Helped me a lot !!!

  6. CharlesE says:

    Very very useful !
    Regarding the WAP server, we have just changed the NAT to target the new farm instead of editing the DNS record, because it is an easier/quicker solution than DNS: changing the NAT publication is done instantly, DNS is not because of the replication process and client cache feature...
