Next steps for completing your AD FS installation
Updated: June 21, 2013
Applies To: Windows Server 2012 R2
This topic covers additional steps to configure AD FS after you install the first federation server, including:
Opening the ADFS Management Snap-in
Configuring Name Resolution for AD FS Services
Adding nodes to the farm
Adding a Web Application Proxy
Enabling Device Registration Service
For more information about how to deploy AD FS, see How to deploy AD FS in Windows Server 2012 R2.
Opening the ADFS Management Snap-in
The ADFS Management Snap-in is used to configure AD FS settings, including Relying Party Trusts, Multifactor authentication, and multifactor access control. To open AD FS Management, in Server Manager, click Tools, and then click AD FS Management.
Configuring Name Resolution for AD FS Services
In order for AD FS to function, clients must be able to resolve the federation service name, such as fs.contoso.com, to the correct IP address: either the IP address of a federation server or farm (for clients on the internal corporate network), or to the IP address of a web application proxy or proxy farm (for external clients).
The steps in this section describe how to configure DNS to resolve the federation service name and how to validate name resolution.
Create A or AAAA (Host) records for the Federation Service Name
After you install a federation server or farm, and after you install a Web Application Proxy server or farm, create A Host records so DNS clients can locate the servers by their friendly names.
If you deploy only one AD FS server, create a record that points to the IP address of the federation server. If you deploy a federation server farm, create a record that points to the IP address of a load balancer for the federation server farm.
If you deploy only one AD FS server, create an A record that points to the name of the federation server. If you deploy a federation server farm, create an A record that points to the IP address of a load balancer for the federation server farm. The same holds true if you deploy a Web Application Proxy server or farm – create an A record that points to the IP address of the Web Application Proxy server or to the external IP address of the load balancer for the Web Application Proxy server farm.
To create an A or AAAA (Host) record for the AD FS federation service name
Log on to a DNS server using an account that has permission to create resource records in the DNS zone, such as DNS administrator or if you have deployed Active Directory-integrated DNS, a Domain Admin.
In Server Manager, click Tools, and then click DNS.
Expand the name of the DNS server, expand Forward Lookup Zones, right-click the name of the zone (for example, contoso.com) where you want to create the record, and click New Host (A or AAAA).
In Name, type the single-label name of the AD FS services. For example, if the service is named FS.contoso.com, type FS1.
In IP address, type the IP address for the federation server or load balancer, for example, 192.168.1.4.
Click Add Host.
Create CNAME record for the Device Registration Service
A CNAME record is required in order to enable name resolution for the Device Registration Service (DRS). A CNAME record is used as an alias for another type of record in DNS. The CNAME record helps DNS clients query for a service by its friendly name rather than by the fully qualified domain name of the host. The CNAME record for the DRS should use enterpriseregistration for the alias name and point to the name of the Host A or AAAA record created above for the federation service.
To create a CNAME record for DRS
Log on to a DNS server using an account that has permission to create resource records in the DNS zone, such as DNS administrator or if you have deployed Active Directory-integrated DNS, a Domain Admin.
In Server Manager, click Tools, and then click DNS.
Expand the name of the DNS server, expand Forward Lookup Zones, right-click the name of the zone (for example, contoso.com) where you want to create the record, and click New Alias (CNAME).
Under Alias name:, type enterpriseregistration.
Under Fully qualified domain name (FQDN) for target host:, type the FQDN of the Host A or AAAA record that you created for the federation server or service. For example, type fs.contoso.com.
Click OK.
Verify federation service name resolution
After you create the DNS records, at a standard command line, type ipconfig /flushdns to clear the DNS cache on each server and client. Then validate name resolution for the federation service and the IP address by using the following procedure.
To verify federation service name resolution
Open a browser window and in the address bar, type the federation service name, and then append it with federationmetadata/2007-06/federationmetadata.xml to browse to the federation service metadata endpoint. For example:
https://fs.contoso.com/federationmetadata/2007-06/federationmetadata.xmlYou should see the federation server metadata. If you have not imported the root CA certificate of your SSL certificate into the local computer trusted root certificates store on your client computer, you may see an SSL error or warning.
You can also browse to the AD FS sign-in page (your federation service name appended with adfs/ls/idpinitiatedsignon.htm. For example:
https://fs.contoso.com/adfs/ls/idpinitiatedsignon.htmThis displays the AD FS sign-in page where you can sign in with domain administrator credentials.
Important
Make sure to configure your browser settings to trust the federation server role by adding your federation service name (for example, https://fs.contoso.com) to the browser’s local intranet zone. This will enable seamless sign-in using Windows Integrated Authentication.
Adding nodes to the farm
You can add nodes to the AD FS farm by installing AD FS on additional servers in the domain. Adding nodes to the farm provides redundancy and fault tolerance to the AD FS deployment, and allows for load balancing client service requests.
To add nodes to an existing farm, choose Add a federation server to a federation server farm on the Welcome page of the Active Directory Federation Services Configuration Wizard, or use the Add-AdfsFarmNode Windows PowerShell cmdlet.
After you add nodes to a farm, you should install a load balancer such as Network Load Balancing in Windows Server and create a Host record that maps the name of the load balancer to its IP address.
For more information about adding nodes to the farm, see How to deploy AD FS in Windows Server 2012 R2.
Adding a Web Application Proxy
The Web Application Proxy can provide access to web applications from extranet clients using AD FS claims-based authentication or Windows Integrated Authentication. The Web Application Proxy can be used in conjunction with Active Directory workplace join, multifactor authentication, or multifactor access control in order to enable more flexible and manageable resource access by users and devices outside of a company firewall.
For more information about adding a Web Application Proxy, see How to deploy AD FS in Windows Server 2012 R2.
For a feature overview and more information about installing and configuring Web Application proxy, see the following topics:
Plan connecting to apps and services
Configure connecting to apps and services
Enabling Device Registration Service
To enable the Device Registration Service in the local forest, the following prerequisites must be met:
The Active Directory schema must be at Windows Server® 2012 R2 level.
You need to run Windows PowerShell cmdlets as a member of the Enterprise Admins group in order to enable DRS.
The group managed service account that was specified for the AD FS configuration must be specified for the value of the –ServiceAccountName parameter in the format domain\account_name.
For specific information about how to enable DRS after deploying AD FS in a forest, see How to deploy AD FS in Windows Server 2012 R2.
For a feature overview and more information about installing and configuring DRS, see the following topics:
Walkthrough: Configure Device Registration Service