In Part 2 we will continue configuring the Identity server starting with installing the Active Directory Domain Services role.
Active Directory Domain Services
Begin by opening the Server Manager panel if it is not already. Click on Manage -> Add Roles and Features.
Continue through the wizard until you get to the role selection window and select the Active Directory Domain Services role shown below.
Add the additional features that automatically pop up and click “Next”. Continue clicking next until you reach the “Install” page, select the “Restart the Destination server automatically if required” check box, and click “Install”.
Before continuing configure your Identity Server with a static IPv4 address, and disable IPv6. Since I am on a local network, my static IP is an internal IP only, but this is sufficient for this tutorial.
DNS Server and Domain Controller
The next things we are going to do are to, promote the identity server to a domain controller, install the DNS Server role onto the identity server, and to create a forest on the DNS Server with forward and reverse lookup zones for our local domain that we will be using for this tutorial. This next step is one good reason to use Virtual Machines if you are performing these configurations strictly as a learning exercise since you would have to have a dedicated domain if the machines were not on a private network.
Start by clicking the notification icon that has appeared since ADDS was added, shown below.
Next click the “Promote this server to a domain controller” link in the notifications drop down.
In the wizard that comes up select the “Add a new forest” radio button shown below. Then type in the domain that you will be using.
Click next, then select the forest functional levels you want. I leave these at Server 2012 since I don’t plan on interacting with older DNS servers. Then enter a password for the DSRM, I use the admin password for this so it’s easy to remember for the demo but you will likely want a unique password for a production system.
Click “Next”. You will be warned about DNS Delegation options. For this demo on a local network this is not important, for a production environment, creating this delegation should be your next step.
Click OK and Next. Then on the next page click Install. Wait till the installation has finished to proceed.
Once the Identity server has completed it will then be a Domain Controller for martialdeveloper.local, and have the DNS Server role installed and integrated with Active Directory for the domain we created.
Application server IIS
While you are waiting for the Identity server to finish this installation you can start installing IIS on the Application server. Refer back to Part 1 of this series of articles if you forgot how to do this.
Configure Active Directory
We will continue by creating Organizational Units in Active Directory. We will be doing this in PowerShell. Please see Stefan Severin’s blog in the references section for the source of these commands. I am very happy to have found them on his blog!
Start by running Powershell ISE in administrative mode, and setting the execution policy to RemoteSigned.
Now run the following script to set the Organizational Units. Making sure to replace the first line with one appropriate for the domain you are using.
$domain = "dc=martialdeveloper,dc=local"; $ouAdmin = "ou=Adfs Administration"; $ouServiceAccounts = "ou=Service Accounts"; $ldapConnection = [ADSI] "LDAP://$domain"; $newAdminOu = $ldapConnection.Create("OrganizationalUnit", $ouAdmin); $newAdminOu.SetInfo(); Set-ADOrganizationalUnit "$ouAdmin,$domain" -ProtectedFromAccidentalDeletion $True; $ouAdminPath = [ADSI]($newAdminOu.path) $newAccountOu = $ouAdminPath.Create("OrganizationalUnit", $ouServiceAccounts); $newAccountOu.SetInfo(); Set-ADOrganizationalUnit "$ouServiceAccounts,$ouAdmin,$domain" -ProtectedFromAccidentalDeletion $True;
Now create the service account for the ADFS farm. Make sure to enter your domain specifics on line 4. Also, since this is a domain controller the strong password requirements are enabled, so get creative unless you want to have to recreate the account a few times when it fails on the password strength.
$dnsRoot = (Get-ADDomain).dnsroot $pwd = read-host "Enter strong password" -AsSecureString $upn = "SVC-ADFS" + "@" + $dnsRoot New-ADUser –Name "SVC-ADFS" –SamAccountName SVC-ADFS –DisplayName SVC-ADFS -Description "Service account for ADFS farm" -userprincipalname $upn -Path "OU=Service Accounts,OU=ADFS Administration,DC=martialdeveloper,DC=local" –Enabled $true –ChangePasswordAtLogon $False -PasswordNeverExpires $true -AccountPassword $pwd
Configure the SPN (Service Principle Name) for the ADFS service account. Making sure to remember to replace the hostname, and domain information for your environment.
setspn -S host/WIN-924FNOTSB0B.martialdeveloper.local martialdeveloper.local\svc-adfs
Now we install the ADFS Feature onto our identity server machine.
We now have ADFS installed, our domain is configured, and we have Active Directory setup. When we continue in Part 3, we will begin by configuring our security certificates for ADFS and IIS.
As always, please have a look at my references for further information on the topics discussed above.