Step 1: Preinstallation Tasks
Applies To: Windows Server 2008 R2
Before you install Active Directory Federation Services (AD FS), you set up the four primary virtual machine (VM) computers that you will use to evaluate the AD FS technology.
Preinstallation tasks include the following:
Configure computer operating systems and network settings
Install and configure AD DS
Security Note
In a production environment, use the least privileged user account necessary to perform the required tasks. Because this guide is written for use in a test environment, in many procedures you are instructed to use the local and domain Administrator accounts to reduce the number of required steps.
Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Administrative credentials
To perform all of the tasks in this step, log on to each of the four computers with the local Administrator account. To create accounts in Active Directory Domain Services (AD DS), log on with the Administrator account for the domain.
Configure computer operating systems and network settings
Use the following table to set up the appropriate computer names, operating systems, and network settings that are required to complete the steps in this guide.
Important
Before you configure your computers with static IP addresses, we recommend that you first:
- Configure three new VMs with at least 512 megabytes (MB) of available memory.
- Complete product activation for Windows 7 and Windows Server 2008 R2 while each of your computers still has Internet connectivity.
- Make sure that all of the clocks on each of the computers are set to the same time or within five minutes of each other. This is important to ensure that token time stamps are always valid.
Computer name | AD FS client/server role | Operating system requirement | IPv4 settings | DNS settings |
---|---|---|---|---|
adfsclient | Client | Windows 7 | IP address: 192.168.1.1; subnet mask: 255.255.255.0 | Preferred: 192.168.1.3; alternate: 192.168.1.4 |
adfsweb | Web server | Windows Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise | IP address: 192.168.1.2; subnet mask: 255.255.255.0 | Preferred: 192.168.1.4 |
adfsaccount | Federation server and domain controller | Windows Server 2008 R2 Enterprise | IP address: 192.168.1.3; subnet mask: 255.255.255.0 | Preferred: 192.168.1.3 |
adfsresource | Federation server and domain controller | Windows Server 2008 R2 Enterprise | IP address: 192.168.1.4; subnet mask: 255.255.255.0 | Preferred: 192.168.1.4 |
Be sure to set both the preferred and alternate Domain Name System (DNS) server settings on the client. If both values are not configured exactly as specified, the AD FS scenario will not function correctly, because the client must be able to resolve names in both forests.
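The following PowerShell script is an added example, not part of the original guide. It applies the static IPv4 and DNS settings from the table above to whichever of the four computers it is run on (using the table's own addresses), and then uses w32tm to compare the local clock against adfsaccount, since the guide requires the clocks to stay within five minutes of each other for token time stamps to validate. It assumes the network adapter is named "Local Area Connection" (the Windows 7 and Windows Server 2008 R2 default); change $Nic if yours differs.

```powershell
# Added example (not from the original guide): apply the static IPv4/DNS
# settings from the table with netsh, then check clock skew against adfsaccount.
# Run in an elevated PowerShell prompt on each of the four computers.
$Nic = "Local Area Connection"   # assumption: default adapter name

# Settings keyed by computer name, copied from the table in the guide.
$Settings = @{
    "adfsclient"   = @{ IP = "192.168.1.1"; DNS = @("192.168.1.3", "192.168.1.4") }
    "adfsweb"      = @{ IP = "192.168.1.2"; DNS = @("192.168.1.4") }
    "adfsaccount"  = @{ IP = "192.168.1.3"; DNS = @("192.168.1.3") }
    "adfsresource" = @{ IP = "192.168.1.4"; DNS = @("192.168.1.4") }
}

$Me = $env:COMPUTERNAME.ToLower()
if (-not $Settings.ContainsKey($Me)) {
    throw "No settings for '$Me'; this script only knows the four guide computers."
}
$Cfg = $Settings[$Me]

# Static address and subnet mask (all four computers share 255.255.255.0).
netsh interface ipv4 set address "name=$Nic" source=static "address=$($Cfg.IP)" mask=255.255.255.0

# Preferred DNS server; validate=no skips netsh's reachability probe, which
# fails until the DC at that address has DNS installed.
netsh interface ipv4 set dnsservers "name=$Nic" source=static "address=$($Cfg.DNS[0])" validate=no

# Alternate DNS server: only adfsclient has one in the table, and the guide
# states the scenario breaks if it is missing.
if ($Cfg.DNS.Count -gt 1) {
    netsh interface ipv4 add dnsservers "name=$Nic" "address=$($Cfg.DNS[1])" index=2
}

# Show what was actually applied.
ipconfig /all | Select-String "IPv4 Address", "DNS Servers"

# Clock check: a DC answers NTP, so query adfsaccount by its address from the
# table and read the offset column; anything near 300 s will invalidate tokens.
w32tm /stripchart /computer:192.168.1.3 /samples:3 /dataonly
```

Run the clock check on adfsaccount itself only after AD DS is installed there; until then w32tm will report that the target is unreachable. The preferred DNS entry is written with validate=no for the same reason: on adfsaccount the DNS server it points at (itself) does not exist until the Install AD DS step below has run.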
Install and configure AD DS
This section includes the following procedures:
Install AD DS
Create accounts
Join test computers to the appropriate domains
Install AD DS
You can use the Add Roles Wizard to create two new AD DS forests on both of the federation servers. When you type values into the wizard pages, use the company names and AD DS domain names in the following table. To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.
Important
Configure the IP addresses as specified in the previous table before you attempt to install AD DS. This helps ensure that DNS records are configured appropriately.
As a security best practice, do not run a single server as both a federation server and a domain controller in a production environment; this guide combines the two roles only to reduce the number of test computers.
Computer name | Company name | AD DS domain name (new forest) | DNS configuration |
---|---|---|---|
adfsaccount | A. Datum Corporation | adatum.com | Install DNS when you are prompted. |
adfsresource | Trey Research | treyresearch.net | Install DNS when you are prompted. |
In this guide, A. Datum represents the account partner organization and Trey Research represents the resource partner organization.
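As an added example that is not part of the guide, the script below reaches the same result as the Add Roles Wizard by writing a dcpromo answer file and running dcpromo unattended, which is the scripted route available on Windows Server 2008 R2 (the Install-ADDSForest cmdlet did not exist until Windows Server 2012). It first enforces the guide's Important note by refusing to run while the adapter is still on DHCP. The NetBIOS names ADATUM and TREYRESEARCH, the Directory Services Restore Mode password prompt, and functional level 4 (Windows Server 2008 R2) are assumptions; the forest names come from the table.

```powershell
# Added example (not from the original guide): create the new forest from the
# table with an unattended dcpromo run. Run on adfsaccount as shown; on
# adfsresource set $DomainDns = "treyresearch.net" and $NetBios = "TREYRESEARCH".
$DomainDns = "adatum.com"
$NetBios   = "ADATUM"          # assumption: NetBIOS name is not given in the guide

# Guard from the guide's Important note: the static IP must be in place first so
# that the DNS records the installer registers point at the right address.
$Adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE"
if ($Adapters | Where-Object { $_.DHCPEnabled }) {
    throw "An adapter is still using DHCP. Configure the static IP from the table first."
}

# The DSRM password is not specified in the guide; prompt rather than hard-code it.
$DsrmPwd = Read-Host "Directory Services Restore Mode password"

# Keys are the documented [DCInstall] answer-file parameters for Windows Server 2008 R2.
$Answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DomainDns
DomainNetbiosName=$NetBios
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$DsrmPwd
RebootOnCompletion=No
"@

$Path = Join-Path $env:TEMP "dcpromo-$NetBios.txt"
Set-Content -Path $Path -Value $Answer -Encoding ASCII

dcpromo /unattend:$Path

# The answer file holds the DSRM password in clear text: remove it before rebooting.
Remove-Item -Path $Path -Force
Restart-Computer
```

InstallDNS=Yes corresponds to the "Install DNS when you are prompted" column of the table, and CreateDNSDelegation=No suppresses the delegation warning that appears because neither forest has a parent zone in this lab. After the reboot, confirm the zone exists with dnscmd /enumzones before moving on to the Create accounts procedure.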
Create accounts
After you set up two forests, you start the Active Directory Users and Computers snap-in to create some accounts that you can use to test and verify federated access across both forests. Configure the values in the following table on the adfsaccount computer.
Object to create | Name | User name | Action |
---|---|---|---|
Security global group | TreyClaimAppUsers | Not applicable | Not applicable |
User | Alan Shen | alansh (alansh acts as the federated user who will be accessing the claims-aware application.) | Make alansh a member of the TreyClaimAppUsers global group. |
Join test computers to the appropriate domains
Use the values in the following table to specify which computers are joined to which domain. Perform this operation on the adfsclient and adfsweb computers.
Note
You may have to disable the firewalls on both domain controllers before you can join the following computers to the appropriate domains.
Computer name | Join to |
---|---|
adfsclient | adatum.com |
adfsweb | treyresearch.net |