
Step 1: Preinstallation Tasks

Updated: January 8, 2009

Applies To: Windows Server 2008 R2

Before you install Active Directory Federation Services (AD FS), you set up the four primary virtual machine (VM) computers that you will use to evaluate the AD FS technology.

Preinstallation tasks include the following:

Security Note
In a production environment, use the least privileged user account necessary to perform the required tasks. Because this guide is written for use in a test environment, in many procedures you are instructed to use the local and domain Administrator accounts to reduce the number of required steps.

Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

Administrative credentials

To perform all of the tasks in this step, log on to each of the four computers with the local Administrator account. To create accounts in Active Directory Domain Services (AD DS), log on with the Administrator account for the domain.

Use the following table to set up the appropriate computer names, operating systems, and network settings that are required to complete the steps in this guide.

Important
Before you configure your computers with static IP addresses, we recommend that you first:

  • Configure three new VMs with at least 512 megabytes (MB) of available memory.

  • Complete product activation for Windows 7 and Windows Server 2008 R2 while each of your computers still has Internet connectivity.

  • Make sure that all of the clocks on each of the computers are set to the same time or within five minutes of each other. This is important to ensure that token time stamps are always valid.

Computer name: adfsclient
AD FS client/server role: Client
Operating system requirement: Windows 7
IPv4 settings: IP address 192.168.1.1, subnet mask 255.255.255.0
DNS settings: preferred 192.168.1.3, alternate 192.168.1.4

Computer name: adfsweb
AD FS client/server role: Web server
Operating system requirement: Windows Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise
IPv4 settings: IP address 192.168.1.2, subnet mask 255.255.255.0
DNS settings: preferred 192.168.1.4

Computer name: adfsaccount
AD FS client/server role: Federation server and domain controller
Operating system requirement: Windows Server 2008 R2 Enterprise
IPv4 settings: IP address 192.168.1.3, subnet mask 255.255.255.0
DNS settings: preferred 192.168.1.3

Computer name: adfsresource
AD FS client/server role: Federation server and domain controller
Operating system requirement: Windows Server 2008 R2 Enterprise
IPv4 settings: IP address 192.168.1.4, subnet mask 255.255.255.0
DNS settings: preferred 192.168.1.4

Be sure to set both the preferred and alternate Domain Name System (DNS) server settings on the client. If both types of values are not configured as specified, the AD FS scenario will not function correctly.
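The following script is an added example and is not part of the Microsoft guide. It applies the static IPv4 and DNS values from the table above on Windows 7 and Windows Server 2008 R2 using netsh (the NetTCPIP cmdlets such as New-NetIPAddress and Set-DnsClientServerAddress did not ship until Windows Server 2012), then checks the two points this step calls out: that the client really has both DNS entries, and that the clock is within five minutes of the account-partner domain controller. The interface name "Local Area Connection", the choice of 192.168.1.3 as the time reference, and the use of `validate=no` (the DNS role is not installed yet at this stage) are assumptions.

```powershell
# Added example, not from the Microsoft guide. Run in an elevated PowerShell
# session on each of the four lab computers; it picks its row from $Settings
# by computer name.
#
# Assumption: the adapter is called "Local Area Connection". List the real
# name with:  netsh interface ipv4 show interfaces
$Nic  = "Local Area Connection"
$Mask = "255.255.255.0"

# Per-computer values copied from the table in this step. Only adfsclient has
# an alternate DNS server; each federation server points at itself and adfsweb
# points at adfsresource.
$Settings = @{
    "adfsclient"   = @{ Ip = "192.168.1.1"; Dns = @("192.168.1.3", "192.168.1.4") }
    "adfsweb"      = @{ Ip = "192.168.1.2"; Dns = @("192.168.1.4") }
    "adfsaccount"  = @{ Ip = "192.168.1.3"; Dns = @("192.168.1.3") }
    "adfsresource" = @{ Ip = "192.168.1.4"; Dns = @("192.168.1.4") }
}

$me = $env:COMPUTERNAME.ToLower()
if (-not $Settings.ContainsKey($me)) {
    throw "'$me' is not one of the four lab computers; rename it first."
}
$ip  = $Settings[$me].Ip
$dns = $Settings[$me].Dns

# Static address on an isolated lab subnet, so no default gateway is given.
netsh interface ipv4 set address name="$Nic" source=static address=$ip mask=$Mask

# The first DNS server replaces whatever DHCP supplied; further entries are
# appended in order. validate=no because no DNS server exists yet (DNS is
# installed later, during AD DS setup), so validation would only warn.
netsh interface ipv4 set dnsservers name="$Nic" source=static address=$($dns[0]) register=primary validate=no
for ($i = 1; $i -lt $dns.Count; $i++) {
    netsh interface ipv4 add dnsservers name="$Nic" address=$($dns[$i]) index=$($i + 1) validate=no
}

# Check 1: the applied DNS list contains every server from the table. The
# guide warns that the client needs both preferred and alternate entries.
$applied = (netsh interface ipv4 show dnsservers name="$Nic") -join "`n"
foreach ($server in $dns) {
    if ($applied -notmatch [regex]::Escape($server)) { throw "DNS server $server was not applied." }
}

# Check 2: clock offset against the account-partner DC must stay under 300 s,
# otherwise token time stamps will not validate. w32tm /stripchart /dataonly
# prints one "<time>, <+/-offset>s" line per sample.
$reference = "192.168.1.3"   # assumption: adfsaccount is the time reference
if ($ip -ne $reference) {
    $samples = w32tm /stripchart /computer:$reference /samples:3 /dataonly
    $offsets = @($samples | ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s') { [double]$matches[1] } })
    if ($offsets.Count -eq 0) {
        Write-Warning "No time samples from $reference; is adfsaccount up and reachable?"
    } else {
        $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Sort-Object -Descending)[0]
        if ($worst -gt 300) { throw "Clock is $worst s off from $reference; fix the time before continuing." }
        "Clock offset from $reference is within tolerance ($worst s)."
    }
}
```

The netsh calls are the same operations the Network Connections dialog performs; running them from a script makes the four configurations reviewable side by side and lets the DNS check catch a missed alternate entry before it surfaces as a failed federation sign-in later in the guide.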

This section includes the following procedures:

You can use the Add Roles Wizard to create two new AD DS forests on both of the federation servers. When you type values into the wizard pages, use the company names and AD DS domain names in the following table. To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.

Important
Configure the IP addresses as specified in the previous table before you attempt to install AD DS. This helps ensure that DNS records are configured appropriately.

As a security best practice, do not run the same computer as both a federation server and a domain controller in a production environment.

Computer name: adfsaccount
Company name: A. Datum Corporation
AD DS domain name (new forest): adatum.com
DNS configuration: Install DNS when you are prompted.

Computer name: adfsresource
Company name: Trey Research
AD DS domain name (new forest): treyresearch.net
DNS configuration: Install DNS when you are prompted.

In this guide, A. Datum represents the account partner organization and Trey Research represents the resource partner organization.
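As an added example (not part of the Microsoft guide), the forest creation above can also be done unattended: on Windows Server 2008 R2 the scriptable equivalent of the Add Roles Wizard is dcpromo with an answer file (Install-ADDSForest exists only from Windows Server 2012 onward). The domain names are the guide's; the NetBIOS names ADATUM and TREYRESEARCH, the answer-file path, the database and SYSVOL paths, and the check that the static address from the previous table is already in place are assumptions.

```powershell
# Added example, not from the Microsoft guide. Run elevated on adfsaccount or
# adfsresource after the static IP address has been configured.
$Forests = @{
    "adfsaccount"  = @{ Dns = "adatum.com";       NetBios = "ADATUM";       Ip = "192.168.1.3" }
    "adfsresource" = @{ Dns = "treyresearch.net"; NetBios = "TREYRESEARCH"; Ip = "192.168.1.4" }
}
$me = $env:COMPUTERNAME.ToLower()
if (-not $Forests.ContainsKey($me)) { throw "'$me' is not one of the two federation servers." }
$f = $Forests[$me]

# Pre-check for the Important note above: the address must already be static
# and match the table, or the DNS records registered during promotion are wrong.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
       Where-Object { $_.IPAddress -contains $f.Ip }
if (-not $nic)        { throw "No interface carries $($f.Ip); set the static address first." }
if ($nic.DHCPEnabled) { throw "The interface still uses DHCP; switch it to a static address first." }

# The Directory Services Restore Mode password is read as a SecureString and
# converted to clear text only for the answer file, which dcpromo needs in
# plain form; the BSTR copy is zeroed as soon as the string has been taken.
$secure = Read-Host -AsSecureString "Directory Services Restore Mode password"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# ForestLevel/DomainLevel 4 = Windows Server 2008 R2. InstallDNS=Yes matches
# "Install DNS when you are prompted" in the table.
$answer = "$env:TEMP\dcpromo-$me.txt"   # assumed location
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$($f.Dns)
DomainNetbiosName=$($f.NetBios)
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $answer -Encoding ASCII

try {
    dcpromo /unattend:$answer
} finally {
    # dcpromo clears the password line after reading the file; delete the file
    # anyway so no trace of the answer file is left on the DC.
    Remove-Item $answer -Force -ErrorAction SilentlyContinue
    $dsrm = $null
}

Restart-Computer -Force
```

Keeping RebootOnCompletion=No and restarting from the script means the answer file is removed before the server goes down; with RebootOnCompletion=Yes the cleanup would race the reboot.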

After you set up two forests, you start the Active Directory Users and Computers snap-in to create some accounts that you can use to test and verify federated access across both forests. Configure the values in the following table on the adfsaccount computer.

Object to create: Security global group
Name: TreyClaimAppUsers
User name: Not applicable
Action: Not applicable

Object to create: User
Name: Alan Shen
User name: alansh (alansh acts as the federated user who will be accessing the claims-aware application.)
Action: Make alansh a member of the TreyClaimAppUsers global group.
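The same objects can be created from PowerShell with the ActiveDirectory module that Windows Server 2008 R2 installs alongside AD DS. This is an added example and not part of the Microsoft guide; the group, user and account names are the guide's, while the UPN suffix (taken from the adatum.com forest), the password prompt, and the idempotent re-run checks are assumptions.

```powershell
# Added example, not from the Microsoft guide. Run on adfsaccount as the
# domain Administrator after the adatum.com forest exists.
Import-Module ActiveDirectory

$GroupName = "TreyClaimAppUsers"
$SamName   = "alansh"
$Domain    = "adatum.com"   # UPN suffix; assumed from the forest name

# Idempotent: re-running on an existing lab must not throw on duplicates.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}

$user = Get-ADUser -Filter "SamAccountName -eq '$SamName'"
if (-not $user) {
    $user = New-ADUser -Name "Alan Shen" -GivenName "Alan" -Surname "Shen" `
        -SamAccountName $SamName -UserPrincipalName "$SamName@$Domain" `
        -AccountPassword (Read-Host -AsSecureString "Password for $SamName") `
        -Enabled $true -PassThru
}

# alansh is the federated user; the claims-aware application later authorizes
# on a group claim, so membership in TreyClaimAppUsers is the part that matters.
$members = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
if ($members -notcontains $SamName) {
    Add-ADGroupMember -Identity $group -Members $user
}

# Verify the membership that the table's Action column requires.
$members = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
if ($members -notcontains $SamName) { throw "$SamName is not a member of $GroupName." }
"OK: $SamName is a member of $GroupName"
```

Checking membership with Get-ADGroupMember rather than trusting the add call is the habit worth keeping: a group claim that is silently missing shows up later as an access-denied at the web application, far from where the mistake was made.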

Use the values in the following table to specify which computers are joined to which domain. Perform this operation on the adfsclient and adfsweb computers.

Note
You may have to disable the firewalls on both domain controllers before you can join the following computers to the appropriate domains.

Computer name: adfsclient
Join to: adatum.com

Computer name: adfsweb
Join to: treyresearch.net
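The domain joins in the table can be scripted with Add-Computer, which in the PowerShell 2.0 that ships with Windows 7 and Windows Server 2008 R2 accepts -DomainName and -Credential (its -Restart switch arrived later, hence the separate Restart-Computer). This is an added example, not part of the Microsoft guide; the two preflight checks and the assumption that each domain name resolves to the domain controller address from the earlier table are mine.

```powershell
# Added example, not from the Microsoft guide. Run elevated on adfsclient or
# adfsweb once the matching forest has been created.
$Joins = @{
    "adfsclient" = @{ Domain = "adatum.com";       Dc = "192.168.1.3" }
    "adfsweb"    = @{ Domain = "treyresearch.net"; Dc = "192.168.1.4" }
}
$me = $env:COMPUTERNAME.ToLower()
if (-not $Joins.ContainsKey($me)) { throw "'$me' is not adfsclient or adfsweb." }
$j = $Joins[$me]

# Preflight 1: the DNS servers configured earlier must resolve the domain name
# to its domain controller. A join that cannot locate a DC fails before it
# ever asks for credentials, which is the usual symptom of a wrong DNS entry.
$resolved = @([System.Net.Dns]::GetHostAddresses($j.Domain) | ForEach-Object { $_.IPAddressToString })
if ($resolved -notcontains $j.Dc) {
    throw "$($j.Domain) resolves to '$resolved', expected $($j.Dc); check the preferred/alternate DNS settings."
}

# Preflight 2: reachability. A reply rules out the DC firewall dropping ICMP,
# but says nothing about the LDAP, Kerberos and SMB ports the join also needs,
# which is what the Note above about the DC firewalls is pointing at.
if (-not (Test-Connection -ComputerName $j.Dc -Count 2 -Quiet)) {
    throw "$($j.Dc) does not answer; check that the DC is up and its firewall."
}

# Join with the domain's Administrator account, as the guide does for the lab.
$cred   = Get-Credential -Credential "$($j.Domain)\Administrator"
$result = Add-Computer -DomainName $j.Domain -Credential $cred -PassThru
if (-not $result.HasSucceeded) { throw "Join of $me to $($j.Domain) failed." }

"Joined $me to $($j.Domain); restarting."
Restart-Computer -Force
```

Running the name-resolution check first separates the two failure modes that look identical in the Computer Name dialog: DNS pointing at the wrong server, and the right server being unreachable.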

© 2014 Microsoft. All rights reserved.