Share via

Step 1: Preinstallation Tasks

  • Article

Applies To: Windows Server 2008

Before you install Active Directory Federation Services (AD FS), you set up the four primary virtual machine (VM) computers that you will use to evaluate the AD FS technology.

Preinstallation tasks include the following:

  • Configure computer operating systems and network settings

  • Install and configure AD DS

Administrative credentials

To perform all of the tasks in this step, log on to each of the four computers with the local Administrator account. To create accounts in Active Directory Domain Services (AD DS), log on with the Administrator account for the domain.

Configure computer operating systems and network settings

Use the following table to set up the appropriate computer names, operating systems, and network settings that are required to complete the steps in this guide.

Important

Before you configure your computers with static IP addresses, we recommend that you first:

  • Configure three new VMs with at least 512 megabytes (MB) of available memory.

  • Complete product activation for Windows XP or Windows Vista and Windows Server 2008 while each of your computers still has Internet connectivity.

  • Make sure that all of the clocks on each of the computers are set to the same time or within five minutes of each other. This is important to ensure that token times tamps are always valid.

Computer name AD FS client/server role Operating system requirement IPv4 settings DNS settings

adfsclient

Client

Windows XP with Service Pack 2 (SP2) or Windows Vista

IP address:

192.168.1.1

Subnet mask:

255.255.255.0

Preferred:

192.168.1.3

Alternate:

192.168.1.4

adfsweb

Web server

Windows Server 2008 Standard, or Windows Server 2008 Enterprise

IP address:

192.168.1.2

Subnet mask:

255.255.255.0

Preferred:

192.168.1.4

adfsaccount

Federation server and domain controller

Windows Server 2008 Enterprise

IP address:

192.168.1.3

Subnet mask:

255.255.255.0

Preferred:

192.168.1.3

adfsresource

Federation server and domain controller

Windows Server 2008 Enterprise

IP address

192.168.1.4

Subnet mask:

255.255.255.0

Preferred:

192.168.1.4

Note

Be sure to set both the preferred and alternate Domain Name System (DNS) server settings on the client. If both types of values are not configured as specified, the AD FS scenario will not function.

Install and configure AD DS

This section includes the following procedures:

  • Install AD DS

  • Create accounts

  • Join test computers to the appropriate domains

Install AD DS

You can use the Add Roles Wizard to create two new Active Directory forests on both of the federation servers. When you type values into the wizard pages, use the company names and Active Directory domain names in the following table. To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.

Important

Configure the IP addresses as specified in the previous table before you attempt to install AD DS. This helps ensure that DNS records are configured appropriately.

Note

As a security best practice, do not run domain controllers as both federation servers and domain controllers in a production environment.

Computer name Company name Active Directory domain name (new forest) DNS configuration

adfsaccount

A. Datum Corporation

adatum.com

Install DNS when you are prompted.

adfsresource

Trey Research

treyresearch.net

Install DNS when you are prompted.

Note

In this guide, A. Datum represents the account partner organization and Trey Research represents the resource partner organization.

Create accounts

After you set up two forests, you start the Active Directory Users and Computers snap-in to create some accounts that you can use to test and verify federated access across both forests. Configure the values in the following table on the adfsaccount computer.

Object to create Name User name Action

Security global group

TreyClaimAppUsers

Not applicable

Not applicable

User

Alan Shen

alansh

(alansh acts as the federated user who will be accessing the claims-aware application.)

Make alansh a member of the TreyClaimAppUsers global group

Join test computers to the appropriate domains

Use the values in the following table to specify which computers are joined to which domain. Perform this operation on the adfsclient and adfsweb computers.

Note

You may have to disable the firewalls on both domain controllers before you can join the following computers to the appropriate domains.

Computer name Join to

adfsclient

adatum.com

adfsweb

treyresearch.net