Udostępnij za pośrednictwem


Restore your AD FS farm the easy way!

Howdy folks!

Today, I wanted to talk about a new way to easily backup and restore your ADFS farm. As you know, ADFS usage continues to grow actively connecting users to their on-premises applications (such as SharePoint, Skype for Business Servers) as well as connecting them to Office 365 and other Azure AD applications. In fact, ADFS is the #1 federation provider connecting users to Azure AD and signs-in  over 42.2 million unique users to Azure AD every week and growing. That’s a whopping number!

Well, as we talked to customers we saw a few needs from our customers and this shaped our approach and design for the “AD FS Rapid Restore Tool”. These were:

  • While we’ve always been upfront to our customers to run in a High Availability environment (at least 2 ADFS servers and 2 WAP servers), we see customers using just a single ADFS server and a single WAP server. Note that we see some of our competitors “tout” a simpler solution but conveniently avoid talking about high availability requirements and bury it fairly deep in their documentation. Recently we saw cosmic karma hit one of our customers which took them some time to restore login functionality to Office 365. So, we really wanted to enable our customers to restore login functionality in a shorter time. Note that we still recommend customers to run in a HA configuration as you can then be in a zero-impact situation even if a server goes down.
  • For most mid to large organizations, IT admins always want a quick way to go back in case there is some ‘catastrophe’ due to a configuration change gone wrong. The rapid restore tool enables this use case as well.
  • Larger IT organizations typically tend to minimize risk by mimicking their production environment in a parallel setup and validate any change prior to rolling it into production. We do this in our own IT organization in Microsoft as well (we have 2 ADFS farms handling millions of login transactions per day). The Rapid Restore tool enables this use case as well where it easy to take a “snapshot” of the existing ADFS farm configuration and clone it to a new machine that is isolated, perform configuration changes and validate them (let's say by using a HOSTS file or private DNS server).

Well, now you understand our motivation for releasing this tool, you can get started by downloading it from this link.

For detailed documentation, see our TechNet documentation here.

What cool features do we have for this release?

The tool supports the following capabilities:

  • Supports ADFS 2012R2 and ADFS 2016 (does not support ADFS 2.0 or ADFS 2012)
  • Supports both SQL and WID configurations of ADFS
  • Supports both self-generated token signing certificates (the default configuration in ADFS) or custom token signing certificates. In the case of custom token signing certificates, we will attempt to export these as well if it exportable. If they are not exportable, then you have to install these on the target machine prior to the restore process.
  • Supports export and restore of SSL certificates if the certificate is exportable. Otherwise, you will have to install these on the target machine prior to the restore process.
  • Supports storage of the exported backup in a networked folder or better still offers support to store in Azure storage.
  • All exported backups are strongly encrypted using the password provided.
  • Backups can be done on-demand or can be integrated within a scheduled task on the machine
  • Any custom attribute stores, additional authentication providers (for MFA) or local claims provider trusts (ADFS 2016 feature) are also backed up and restored.
  • All page customizations are backed up and restored.

How does it work?

It’s super simple.

#1. Get Ready

Download the tool from this link and install in on your ADFS server. If you are running using a WID configuration (default), then run this on your primary ADFS server.

From an elevated PowerShell windows, run

 import-module ADFSRapidRecreationTool.dll

#2. Create a backup

The command for it is

 Backup-ADFS -StorageType "FileSystem" -StoragePath "C:\Users\administrator\testExport\" -EncryptionPassword "password" -BackupComment "Clean Install of ADFS (FS)" -BackupDKM

In this case, we are opting to store it on local disk. We are encrypting the content by using “password” as the pass phrase. Simple huh! As I mentioned above, you can automate and run this periodically by including this as a scheduled task on your ADFS server.

#3. Restore from backup

First you need to have a machine handy. We also need to be domain joined prior to restoring the backup.

Then run the following command

 Restore-ADFS -StorageType "FileSystem" -StoragePath "C:\uSERS\administrator\testExport\" -DecryptionPassword "password"

That’s it!

There are more examples and knobs that are describe on our TechNet documentation. Check it out and give us feedback.

Related Links

That concludes my post. As always, we are open to getting feedback. Feel free to post a comment or tweet me (@MrADFS).

Thanks

//Sam (Twitter: @MrADFS)

Comments

  • Anonymous
    September 20, 2016
    The comment has been removed
    • Anonymous
      September 20, 2016
      After restarting the backup completed successfully.
      • Anonymous
        September 22, 2016
        @Shawn, glad it worked out the next time. Let us know if you see more issues. Thanks!
  • Anonymous
    November 08, 2016
    PS C:\Windows> C:\Scripts\backup.ps1Backup-ADFS : No ADFS SSL Certificates Found.At C:\Scripts\backup.ps1:5 char:1+ Backup-ADFS -StorageType "FileSystem" -StoragePath "C:\BackupADFS" -EncryptionP ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Backup-ADFS], Exception + FullyQualifiedErrorId : System.Exception,Microsoft.ADFSRapidRecreationTool.BackupADFSI get the following error when running the backup of ADFS. Any ideas?
    • Anonymous
      November 17, 2016
      The tool seems to think that you don't have an SSL certificate for ADFS on the machine or the account used cannot access it. Can you check this?
  • Anonymous
    May 16, 2017
    Sam, Great blog! would this tool be run on all the ADFS nodes? or should it be run on just one server, and then add the rest of the servers to the Farm ?
    • Anonymous
      July 10, 2017
      Just one server.