Step 1: Preinstallation Tasks

Applies To: Windows Server 2008

Before you install Active Directory Federation Services (AD FS), you set up the four primary virtual machine (VM) computers that you will use to evaluate the AD FS technology.

Preinstallation tasks include the following:

  • Configure computer operating systems and network settings

  • Install and configure AD DS

Administrative credentials

To perform all of the tasks in this step, log on to each of the four computers with the local Administrator account. To create accounts in Active Directory Domain Services (AD DS), log on with the Administrator account for the domain.

Configure computer operating systems and network settings

Use the following table to set up the appropriate computer names, operating systems, and network settings that are required to complete the steps in this guide.

Important

Before you configure your computers with static IP addresses, we recommend that you first:

  • Configure the four VMs with at least 512 megabytes (MB) of available memory each.

  • Complete product activation for Windows XP or Windows Vista (the client) and for Windows Server 2008 (the three servers) while each computer still has Internet connectivity; once the static addresses below are applied, the lab subnet is isolated.

  • Make sure that the clocks on all of the computers are set to the same time or within five minutes of each other. This is important to ensure that token timestamps are always valid; Kerberos authentication between the computers also rejects tickets when clocks differ by more than five minutes (the default tolerance).

Computer name  AD FS client/server role                 Operating system requirement                            IPv4 address / subnet mask   DNS servers (preferred; alternate)
adfsclient     Client                                   Windows XP with Service Pack 2 (SP2) or Windows Vista   192.168.1.1 / 255.255.255.0  192.168.1.3; 192.168.1.4
adfsweb        Web server                               Windows Server 2008 Standard or Enterprise              192.168.1.2 / 255.255.255.0  192.168.1.4
adfsaccount    Federation server and domain controller  Windows Server 2008 Enterprise                          192.168.1.3 / 255.255.255.0  192.168.1.3
adfsresource   Federation server and domain controller  Windows Server 2008 Enterprise                          192.168.1.4 / 255.255.255.0  192.168.1.4

Note

Be sure to set both the preferred and alternate Domain Name System (DNS) server settings on the client. If both types of values are not configured as specified, the AD FS scenario will not function.
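The following script is an added example, not part of the original guide. It applies the static IPv4 and DNS settings from the table to whichever of the four lab computers it runs on and then measures clock skew against the two domain controllers, which is the five-minute check from the Important note above. It assumes Windows PowerShell is installed and the script runs elevated, that the adapter is named "Local Area Connection" (the default on Windows Vista and Windows Server 2008), and that NTP (UDP 123) to the domain controllers is reachable; the host names, addresses and DNS servers are transcribed from the table.

```powershell
# Added example (not from the original guide): apply the static IPv4 and DNS
# settings from the table to this lab computer, then check clock skew to the DCs.
# Assumptions: Windows PowerShell, elevated session, adapter named
# "Local Area Connection", UDP/123 open to the DCs. The Windows XP client uses
# the older "netsh interface ip" syntax instead of "interface ipv4".

$nic = 'Local Area Connection'   # assumption: default adapter name on Vista/2008

# Settings transcribed from the table in this step.
$lab = @{
    'adfsclient'   = @{ Address = '192.168.1.1'; Dns = @('192.168.1.3', '192.168.1.4') }
    'adfsweb'      = @{ Address = '192.168.1.2'; Dns = @('192.168.1.4') }
    'adfsaccount'  = @{ Address = '192.168.1.3'; Dns = @('192.168.1.3') }
    'adfsresource' = @{ Address = '192.168.1.4'; Dns = @('192.168.1.4') }
}

$me = $env:COMPUTERNAME.ToLower()
if (-not $lab.ContainsKey($me)) { throw "Unknown lab computer: $me" }
$cfg = $lab[$me]

# Static address with a /24 mask and no default gateway: the lab subnet is isolated.
& netsh interface ipv4 set address "name=$nic" source=static "address=$($cfg.Address)" mask=255.255.255.0 gateway=none
if ($LASTEXITCODE -ne 0) { throw 'netsh set address failed' }

# Preferred DNS server first, then the alternate (if any) at index 2.
& netsh interface ipv4 set dns "name=$nic" source=static "address=$($cfg.Dns[0])"
if ($LASTEXITCODE -ne 0) { throw 'netsh set dns failed' }
for ($i = 1; $i -lt $cfg.Dns.Count; $i++) {
    & netsh interface ipv4 add dns "name=$nic" "address=$($cfg.Dns[$i])" "index=$($i + 1)"
    if ($LASTEXITCODE -ne 0) { throw 'netsh add dns failed' }
}

# Clock check: token timestamps and Kerberos tolerate about five minutes of skew.
# "w32tm /stripchart" prints the offset to the remote clock as e.g. "+00.0123456s".
foreach ($dc in '192.168.1.3', '192.168.1.4') {
    $out = & w32tm /stripchart "/computer:$dc" /samples:1 /dataonly 2>&1 | Out-String
    if ($out -match '([+-]\d+\.\d+)s') {
        $skew = [math]::Abs([double]$matches[1])
        if ($skew -gt 300) { Write-Warning "Clock skew to $dc is $skew s; fix the time before installing AD FS" }
        else { Write-Host "Clock skew to $dc is $skew s (OK)" }
    } else {
        Write-Warning "Could not measure skew to ${dc}: $out"
    }
}
```

Run the script on each computer after it has been renamed to the name in the table. The skew check is most meaningful once adfsaccount and adfsresource have been promoted to domain controllers, because the Windows Time service on a member server does not answer NTP requests by default; before that point the script reports that it could not measure the skew rather than failing.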

Install and configure AD DS

This section includes the following procedures:

  • Install AD DS

  • Create accounts

  • Join test computers to the appropriate domains

Install AD DS

Use the Add Roles Wizard to install the AD DS role on each federation server, and then run the Active Directory Domain Services Installation Wizard (dcpromo.exe) to create a new forest on each of them, so that you end up with two separate forests. When you type values into the wizard pages, use the company names and Active Directory domain names in the following table. To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.

Important

Configure the IP addresses as specified in the previous table before you attempt to install AD DS. This helps ensure that DNS records are configured appropriately.

Note

As a security best practice, do not run a single computer as both a federation server and a domain controller in a production environment. The combined role is used here only to keep the number of test computers small; in production a federation server should be a member server, so that compromising the Internet-facing federation service does not directly expose the directory.

Computer name  Company name          Active Directory domain name (new forest)  DNS configuration
adfsaccount    A. Datum Corporation  adatum.com                                 Install DNS when you are prompted.
adfsresource   Trey Research         treyresearch.net                           Install DNS when you are prompted.

Note

In this guide, A. Datum represents the account partner organization and Trey Research represents the resource partner organization.
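The following script is an added example, not part of the original guide, which uses the wizards. It shows the command-line equivalent of the two wizards for the federation servers: ServerManagerCmd installs the AD DS role binaries (what the Add Roles Wizard does) and dcpromo with an answer file creates the new forest with DNS installed, as the table specifies. It assumes an elevated Windows PowerShell session on adfsaccount or adfsresource after the static IP addresses have been set; the NetBIOS names, the Windows Server 2008 functional levels and the database paths are this example's choices rather than values from the guide.

```powershell
# Added example (not from the original guide): unattended equivalent of the
# Add Roles Wizard plus the AD DS Installation Wizard for the two federation
# servers. Assumptions: elevated Windows PowerShell on adfsaccount or
# adfsresource; NetBIOS names, functional levels and paths are example choices.

$forests = @{
    'adfsaccount'  = @{ Dns = 'adatum.com';       NetBios = 'ADATUM' }
    'adfsresource' = @{ Dns = 'treyresearch.net'; NetBios = 'TREYRESEARCH' }
}
$me = $env:COMPUTERNAME.ToLower()
if (-not $forests.ContainsKey($me)) { throw "Not a federation server: $me" }
$f = $forests[$me]

# The static address must already be in place so that DNS registers the right
# records for the new domain (the Important note above).
$addr = @{ 'adfsaccount' = '192.168.1.3'; 'adfsresource' = '192.168.1.4' }
$expected = $addr[$me]
$ipconfig = & ipconfig | Out-String
if ($ipconfig -notmatch [regex]::Escape($expected)) { throw "Set the static IP $expected before running dcpromo" }

# 1. Install the AD DS role binaries (what the Add Roles Wizard does).
& servermanagercmd -install ADDS-Domain-Controller
if ($LASTEXITCODE -ne 0) { Write-Warning "servermanagercmd exited with $LASTEXITCODE; check that the AD DS role is installed" }

# 2. Directory Services Restore Mode password: prompt for it rather than
#    hard-coding it in the script. dcpromo needs it in the answer file.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password'

# 3. Answer file. InstallDNS=Yes matches "Install DNS when you are prompted".
#    ForestLevel/DomainLevel 3 = Windows Server 2008 (example choice).
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$($f.Dns)
DomainNetbiosName=$($f.NetBios)
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
$path = Join-Path $env:TEMP 'dcpromo-answer.txt'
Set-Content -Path $path -Value $answer -Encoding ASCII

# 4. Promote, then remove the answer file (it holds the DSRM password) and reboot.
& dcpromo "/unattend:$path"
$rc = $LASTEXITCODE
Remove-Item $path -ErrorAction SilentlyContinue
if ($rc -ne 0) { throw "dcpromo exited with $rc; review %SystemRoot%\debug\dcpromo.log" }
& shutdown /r /t 0
```

After the reboot, confirm that the forest root zone was created and that the server registered itself by resolving the domain name against the new DNS server (for example with nslookup against 192.168.1.3 for adatum.com); if the zone is missing, the static address was most likely applied after the promotion rather than before.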

Create accounts

After you set up two forests, you start the Active Directory Users and Computers snap-in to create some accounts that you can use to test and verify federated access across both forests. Configure the values in the following table on the adfsaccount computer.

Object to create        Name               User name       Action
Security global group   TreyClaimAppUsers  Not applicable  Not applicable
User                    Alan Shen          alansh          Make alansh a member of the TreyClaimAppUsers global group

(alansh acts as the federated user who will be accessing the claims-aware application.)
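The following script is an added example, not part of the original guide, which uses the Active Directory Users and Computers snap-in. It creates the group and user from the table with the dsadd and dsget tools that are present on a Windows Server 2008 domain controller, and then verifies the group membership from both sides. It assumes the script runs as the adatum.com domain Administrator on adfsaccount and places the objects in the default Users container; the user principal name, the given-name/surname split and the group description are this example's choices.

```powershell
# Added example (not from the original guide): create TreyClaimAppUsers and
# alansh on adfsaccount with dsadd, then verify with dsget.
# Assumptions: run as the adatum.com Administrator on the adfsaccount DC;
# objects go in CN=Users; UPN, name split and description are example choices.

$usersDn = 'CN=Users,DC=adatum,DC=com'
$groupDn = "CN=TreyClaimAppUsers,$usersDn"
$userDn  = "CN=Alan Shen,$usersDn"

# Security group with global scope (the table's "Security global group").
& dsadd group $groupDn -secgrp yes -scope g -desc 'Federated users of the Trey Research claims-aware application'
if ($LASTEXITCODE -ne 0) { throw "dsadd group failed for $groupDn" }

# User alansh. "-pwd *" prompts for the password so that it does not end up in
# the command line, shell history or a process listing. "-memberof" performs
# the "make alansh a member of TreyClaimAppUsers" step from the table.
& dsadd user $userDn -samid alansh -upn 'alansh@adatum.com' -fn Alan -ln Shen -display 'Alan Shen' -pwd '*' -mustchpwd no -disabled no -memberof $groupDn
if ($LASTEXITCODE -ne 0) { throw "dsadd user failed for $userDn" }

# Verify the membership from the group side and show the user's attributes.
$members = & dsget group $groupDn -members | Out-String
if ($members -notmatch 'CN=Alan Shen') { throw 'alansh is not a member of TreyClaimAppUsers' }
& dsget user $userDn -samid -upn -memberof
```

The check at the end matters later in the guide: the federation server issues a group claim for alansh based on this membership, so a typo in the group's distinguished name here surfaces only as an access denial at the claims-aware application.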

Join test computers to the appropriate domains

Use the values in the following table to specify which computers are joined to which domain. Perform this operation on the adfsclient and adfsweb computers.

Note

You may have to disable the firewalls on both domain controllers before you can join the following computers to the appropriate domains. If you do, turn the firewalls back on as soon as the joins have completed; the setting is a temporary workaround for the lab, not part of the configuration.

Computer name  Join to
adfsclient     adatum.com
adfsweb        treyresearch.net
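The following script is an added example, not part of the original guide, which performs the join through the System Properties dialog box. It joins adfsclient or adfsweb to the domain in the table, after first checking the two things that most often make a join fail in this lab: that the domain name resolves through the DNS servers configured in the first table, and that the domain controller accepts SMB connections (the firewall case from the note above). It assumes Windows PowerShell 2.0 (for Add-Computer, try/catch and Restart-Computer) is installed on the computer being joined, that the script runs elevated, and that the domain Administrator password is typed at the credential prompt rather than stored in the script.

```powershell
# Added example (not from the original guide): join adfsclient or adfsweb to
# its domain from the table, with DNS and firewall pre-checks.
# Assumptions: Windows PowerShell 2.0 on the computer being joined, elevated
# session, domain Administrator password entered at the prompt.

$joins = @{
    'adfsclient' = @{ Domain = 'adatum.com';       Admin = 'ADATUM\Administrator' }
    'adfsweb'    = @{ Domain = 'treyresearch.net'; Admin = 'TREYRESEARCH\Administrator' }
}
$me = $env:COMPUTERNAME.ToLower()
if (-not $joins.ContainsKey($me)) { throw "No join entry for $me" }
$j = $joins[$me]

# The domain name must resolve to its domain controller before a join can work.
# A failure here points at the preferred/alternate DNS settings, not at the join.
try {
    $dcs = [System.Net.Dns]::GetHostAddresses($j.Domain) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$($j.Domain) resolves to: $($dcs -join ', ')"
} catch {
    throw "Cannot resolve $($j.Domain); check the preferred and alternate DNS servers"
}

# Joining needs SMB (TCP 445) and RPC to the DC. Probe SMB; if it is filtered,
# the DC firewall is the likely cause and must be adjusted before the join.
$dc = $dcs | Select-Object -First 1
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($dc, 445) } catch { throw "TCP 445 to $dc is blocked; adjust the firewall on the DC before joining" }
$tcp.Close()

# Prompt for the domain Administrator credential and join. Add-Computer creates
# the computer account in the default Computers container.
$cred = Get-Credential -Credential $j.Admin
Add-Computer -DomainName $j.Domain -Credential $cred -ErrorAction Stop
Write-Host "Joined $me to $($j.Domain); restarting to complete the join"
Restart-Computer -Force
```

If the SMB probe fails and you follow the note above by disabling the domain controller's firewall (netsh advfirewall set allprofiles state off on Windows Server 2008), run the join, and then restore it with netsh advfirewall set allprofiles state on before continuing to the next step; the AD FS traffic that follows uses HTTPS and does not need the firewall to stay off.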