Prepare your network infrastructure for federation servers
Applies To: Azure, Office 365, Power BI, Windows Intune
The following checklist includes the preparation tasks that you must perform in order to deploy a federation server farm.
Note
- Complete the tasks in these checklists in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
- Unless otherwise noted, to complete all of the tasks using the procedures in this section you must first be logged into the computers as a member of the Administrators group, or have been delegated equivalent permissions.
Checklist: Prepare your network infrastructure for federation servers
| Deployment task | Links to topics in this section | Completed |
|---|---|---|
| 1. Join the computers that will become federation servers to a domain where Active Directory users will be authenticated. Note: You can ignore this step if you will use existing domain controllers as federation servers. | | |
| 2. Create and configure a new NLB cluster DNS name, or use an existing NLB cluster in the corporate network, for the new federation server farm. Then add the federation server computers to the NLB cluster. If you are using Windows Server technology for your current NLB hosts, choose the appropriate link in the next column based on your operating system version. Note: This step is optional in a test deployment of this SSO solution with a single AD FS federation server. | To create and configure NLB clusters on Windows Server 2003 and Windows Server 2003 R2, see Checklist: Enabling and configuring Network Load Balancing. To create and configure NLB clusters on Windows Server 2008, see Creating Network Load Balancing Clusters. To create and configure NLB clusters on Windows Server 2008 R2, see Creating Network Load Balancing Clusters. | |
| 3. Create a new resource record for the cluster DNS name in the corporate network DNS that points the FQDN of the NLB cluster to its cluster IP address. | | |
| 4. Import the server authentication certificate to the Default Web Site on each federation server in the farm. Note: Installing this certificate on the Default Web Site is a requirement before you can use the AD FS Federation Server Configuration Wizard. | Import a Server Authentication Certificate to the Default Web Site | |
| 5. Create and configure a dedicated service account in the Active Directory domain where the federation server farm will reside, and configure each federation server in the farm to use this account. | Manually Configure a Service Account for a Federation Server Farm | |
Join the computer to a domain
For AD FS to function, each computer that functions as a federation server must be joined to a domain. Federation server proxies may be joined to a domain, but it is not a requirement.
If you want to use AD FS in Windows Server 2012 R2, your Active Directory domain must run one of the following:
- Windows Server
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
To join the computer to a domain
1. On the computer that you want to join to a domain, click Start, click Control Panel, and then double-click System.
2. Under Computer name, domain, and workgroup settings, click Change settings.
3. On the Computer Name tab, click Change.
4. Under Member of, click Domain, type the name of the domain that this computer will join, and then click OK.
5. Click OK, and then restart the computer.
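The same join from PowerShell, with the check a practitioner wants before committing to it: that DNS on this server can actually locate a domain controller for the target domain, since a server joined against the wrong DNS view cannot authenticate users later. This is an added example, not code from the original article; it assumes Windows Server 2012 R2 (where Resolve-DnsName and Add-Computer are built in) and the hypothetical domain name fabrikam.com.

```powershell
# Added example, not part of the original article. Assumes Windows Server 2012 R2
# and the hypothetical domain fabrikam.com; change the domain to match yours.
$Domain = 'fabrikam.com'

# Before joining, confirm that DNS advertises at least one domain controller for
# the domain. A join that cannot find a DC fails; a join against a stale DNS view
# leaves a server that AD FS cannot use to authenticate Active Directory users.
$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $dcRecords) { throw "No domain controller SRV records found for $Domain" }
Write-Host "Domain controllers advertised in DNS: $($dcRecords.NameTarget -join ', ')"

# Join with an account that is allowed to add computers to the domain, then restart
# (the restart is the same one the wizard-based procedure above requires).
$cred = Get-Credential -Message "Account allowed to join computers to $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Restart

# After the restart, run this on the server to confirm that its secure channel to
# a domain controller works; a successful join alone does not prove that:
#   Test-ComputerSecureChannel -Verbose
```

Run the script in an elevated PowerShell session on the future federation server. The SRV lookup is the useful part: if it returns nothing, fix the server's DNS client settings before joining rather than after.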
Add a resource record to the corporate DNS for the cluster DNS name configured on the corporate NLB host
For clients on the corporate network to successfully access the Federation Service, a host (A) resource record must first be created in the corporate Domain Name System (DNS) that resolves the cluster DNS name of the Federation Service (for example, fs.fabrikam.com) to the cluster IP address in the corporate network (for example, 172.16.1.3). You can use the following procedure to add a host (A) resource record to the corporate DNS for the NLB cluster.
To add a resource record to corporate DNS for the cluster DNS name configured on the corporate NLB host
1. On a DNS server for the corporate network, open the DNS snap-in.
2. In the console tree, right-click the applicable forward lookup zone (for example, fabrikam.com), and then click New Host (A or AAAA).
3. In Name, type only the host name of the federation server or federation server cluster; for example, for the fully qualified domain name (FQDN) fs.fabrikam.com, type fs.
4. In IP address, type the IP address of the federation server or federation server cluster; for example, 172.16.1.3.
5. Click Add Host.
Important
It is assumed that you are using a DNS server, running Windows 2000 Server, Windows Server 2003, or Windows Server 2008 with the DNS Server service, to control the DNS zone.
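The same record created with the DnsServer module, plus two things the snap-in procedure does not do for you: refusing to overwrite a name that already resolves elsewhere, and verifying the result the way a client will see it. This is an added example, not code from the original article; it assumes a DNS server running Windows Server 2012 or later (the DnsServer module is not available on the older DNS servers the note above lists) and the article's hypothetical values: zone fabrikam.com, host name fs, cluster IP 172.16.1.3.

```powershell
# Added example, not part of the original article. Assumes the DnsServer module
# (Windows Server 2012 or later) on a corporate DNS server hosting the zone, and
# the hypothetical values used in the article.
$Zone      = 'fabrikam.com'
$HostName  = 'fs'           # host name only; the FQDN becomes fs.fabrikam.com
$ClusterIp = '172.16.1.3'   # the NLB cluster IP, not the address of one node

# Do not silently overwrite an existing record: if fs already points somewhere
# else, clients would be sent to a host that is not the federation farm.
$existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostName -RRType A -ErrorAction SilentlyContinue
if ($existing) {
    $current = $existing.RecordData.IPv4Address -join ', '
    throw "$HostName.$Zone already has A record(s): $current. Remove or reuse it deliberately."
}

Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostName -IPv4Address $ClusterIp

# Verify by resolving the FQDN, as a client would, rather than by reading the zone.
$answer = Resolve-DnsName -Name "$HostName.$Zone" -Type A -ErrorAction Stop
if ($answer.IPAddress -notcontains $ClusterIp) {
    throw "$HostName.$Zone resolved to $($answer.IPAddress -join ', ') instead of $ClusterIp"
}
Write-Host "$HostName.$Zone -> $ClusterIp"
```

Run it on a DNS server that hosts the zone (or against one with `-ComputerName` on the DnsServer cmdlets). The final lookup may briefly return nothing on a secondary server until the zone transfers; re-run the check against the server that holds the primary zone if so.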
Import a server authentication certificate to the Default Web Site
After you obtain a server authentication certificate from a certification authority (CA), you must manually install that certificate on the Default Web Site for each federation server in your farm.
Because this certificate must be trusted by clients of AD FS and Microsoft cloud services, use an SSL certificate that is issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign or Thawte. For information about installing a certificate from a public CA, see IIS 7.0: Request an Internet Server Certificate.
Note
The subject name of this server authentication certificate (or one of its DNS subject alternative names) must match the FQDN of the cluster DNS name (for example, fs.fabrikam.com) that you created earlier for the NLB host; a certificate issued to an individual node name will cause a name mismatch for clients that connect to the farm name. If Internet Information Services (IIS) has not been installed, you must install IIS first in order to complete this task. When installing IIS for the first time, we recommend that you use the default feature options when prompted during the installation of the server role.
To import a server authentication certificate to the Default Web Site
1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, click ComputerName.
3. In the center pane, double-click Server Certificates.
4. In the Actions pane, click Import.
5. In the Import Certificate dialog box, click the … button.
6. Browse to the location of the .pfx certificate file, select it, and then click Open.
7. Type the password that protects the .pfx file, and then click OK.
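The same import done from PowerShell, followed by the checks worth running before the AD FS wizard relies on the certificate: that the private key came with it, that the farm name is in the subject or a DNS subject alternative name, and that the chain builds to a root this server trusts. It also creates the HTTPS binding on the Default Web Site, which the IIS Manager import alone does not do. This is an added example, not code from the original article; it assumes Windows Server 2012 R2 with IIS and its WebAdministration module installed, and the hypothetical farm name fs.fabrikam.com and file path C:\certs\fs.fabrikam.com.pfx.

```powershell
# Added example, not part of the original article. Assumes Windows Server 2012 R2
# with IIS (WebAdministration module) installed; the farm name and PFX path are
# hypothetical placeholders.
$Fqdn        = 'fs.fabrikam.com'
$PfxPath     = 'C:\certs\fs.fabrikam.com.pfx'
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password protecting the PFX file'

# Import into the machine store, which is where IIS Manager's Server Certificates
# view and the AD FS Federation Server Configuration Wizard look for it.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# 1. The private key must be present; a .cer export alone cannot terminate TLS.
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# 2. The name clients will use must appear as the subject CN or as a DNS SAN.
$cn   = $cert.GetNameInfo('SimpleName', $false)
$sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not ($cn -eq $Fqdn -or $sans -contains $Fqdn)) {
    throw "Certificate is for CN '$cn' / SANs [$($sans -join ', ')], not $Fqdn"
}

# 3. The chain must build to a trusted root and the certificate must be valid for
#    TLS server use. Test-Certificate writes the failing reason as a warning.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn -ErrorAction SilentlyContinue)) {
    throw "Chain or SSL policy check failed for $Fqdn; is the issuing CA trusted on this server?"
}

# Bind the certificate to the Default Web Site on 443, the state the wizard expects.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol 'https')) {
    New-WebBinding -Name 'Default Web Site' -Protocol 'https' -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item 'IIS:\SslBindings\0.0.0.0!443'
Get-WebBinding -Name 'Default Web Site' -Protocol 'https'
```

Repeat on every federation server in the farm with the same PFX: the farm members must all present the same certificate for the cluster name. The Test-Certificate step is the one that catches a certificate from an internal CA whose root is not trusted by the cloud services this article covers.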
Create a dedicated service account for the federation server farm
To configure a federation server farm environment in AD FS, you must create and configure a dedicated service account in the Active Directory domain where the farm will reside. Every federation server in the farm runs the Federation Service under this one account, so the resources the farm shares are reachable from each member in the same way and clients can authenticate to any member as the same service identity.
You then configure each federation server in the farm to use this same service account. For example, if the service account that was created is fabrikam\ADFS2SVC, each computer that you configure for the federation server role and that will participate in the same farm must specify fabrikam\ADFS2SVC at this step in the AD FS Federation Server Configuration Wizard for the farm to be operational.
Note
You have to perform the tasks in this procedure only one time for the entire federation server farm. Later, when you create a federation server by using the AD FS Federation Server Configuration Wizard, you must specify this same account on the Service Account wizard page on each federation server in the farm.
To create a dedicated service account for the federation server farm
1. Create a dedicated user/service account in the Active Directory forest you will use in your organization.
2. Edit the user account properties, and select the Password never expires check box. This ensures that the service account's function is not interrupted by domain password change requirements.
Note
- If you need to change your password for the service account on a regular basis, see Configuring Advanced Options for AD FS 2.0.
- Do not use the built-in Network Service account as this dedicated account. Network Service authenticates on the network as each server's own computer account, so a Kerberos service ticket obtained for one federation server does not validate on another; behind the NLB cluster this shows up as random failures when access is attempted through Integrated Windows authentication.
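The account creation from PowerShell, with the settings the farm depends on set explicitly and verified afterwards, plus a check that the account carries no group memberships it does not need: it only has to run the Federation Service, and it will be typed into the wizard on every farm member, so it should be a plain, unprivileged user. This is an added example, not code from the original article; it assumes the ActiveDirectory module on a domain-joined management host, the account name ADFS2SVC used in the article, and hypothetical values for the domain (fabrikam.com) and the target OU.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory
# module; the domain and OU are hypothetical placeholders, ADFS2SVC is the
# example name the article uses.
Import-Module ActiveDirectory
$Sam    = 'ADFS2SVC'
$Domain = 'fabrikam.com'
$OuPath = 'OU=Service Accounts,DC=fabrikam,DC=com'

# Take the password from the operator (store it in your secrets vault first); it is
# entered into the AD FS wizard on each server and never used interactively.
$password = Read-Host -AsSecureString -Prompt "Password for $Domain\$Sam"

New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName "$Sam@$Domain" -Path $OuPath `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'AD FS federation server farm service account (not for interactive use)'

# Verify what the farm relies on, and flag privilege the account does not need.
$u = Get-ADUser -Identity $Sam -Properties PasswordNeverExpires, Enabled, MemberOf
if (-not $u.Enabled)              { throw "$Sam is disabled" }
if (-not $u.PasswordNeverExpires) { throw "$Sam's password will expire and the farm would stop when it does" }
if ($u.MemberOf.Count -gt 0)      { Write-Warning "$Sam is a member of: $($u.MemberOf -join '; ')" }
Write-Host "Specify $Domain\$Sam on the Service Account page of the wizard on every federation server in the farm."
```

Run it once for the whole farm, as the note above says. If the membership warning fires, remove the account from those groups before configuring the first federation server; nothing in the procedure on this page requires the service account to be in any group beyond its primary group.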
Next step
Now that you have reviewed the requirements for deploying AD FS, the next step is to complete the tasks in one of the following checklists, depending on which version of AD FS you want to use:
Checklist: Deploy your federation server farm on Windows Server 2012 R2
Checklist: Deploy your federation server farm on legacy versions of Windows Server