Tuesday, 4 March 2014

Installing ADFS 2.0 on Windows 2008 R2



In this article, I will explain how to install Active Directory Federation Services 2.0 (ADFS 2.0) on Windows 2008 R2.
We need to download ADFS 2.0 from the Microsoft site (http://technet.microsoft.com/en-us/evalcenter/ee476597.aspx). Once it is downloaded, place the setup file on the server where you want to install ADFS 2.0.
According to Microsoft, Active Directory Federation Services 2.0 helps IT enable users to collaborate across organizational boundaries and easily access applications on-premises and in the cloud, while maintaining application security. Through a claims-based infrastructure, IT can enable a single sign-on experience for end-users to applications without requiring a separate account or password, whether applications are located in partner organizations or hosted in the cloud.


The first step to integrate with Office 365 is to install and configure Active Directory Federation Services 2.0. The federation trust allows the two directories to trust each other and share information.

  • The name of the domain to be federated has to exist as a public DNS domain, e.g. contoso.co.in

  • This domain (contoso.co.in) must be validated in Office 365


Let's start the work now.
We’ll begin by verifying that all Active Directory users have a User Principal Name (UPN) that matches the domain to be federated. In typical scenarios, an easy rule of thumb is to use the email address as the UPN. There are two methods to verify the user account UPN settings. The first is through the GUI.

  1. Logon to a Domain Controller using an account with administrative privileges.
  2. Open Active Directory Users and Computers.
  3. Navigate to a user, right-click and select Properties.
  4. Click the Account tab; in the space next to the User Logon Name, verify the UPN suffix is correct. The UPN suffix will begin with @. Verify all users have the correct UPN configured.
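The same check, scripted, as an added example that is not part of the original post: it audits every enabled user's UPN against the federated suffix and the rule of thumb above (UPN equals email address). It assumes the Active Directory PowerShell module from the Windows Server 2008 R2 RSAT and uses the post's contoso.co.in domain.

```powershell
# Added example (not from the original post): audit UPN suffixes before federation.
# Assumes the Active Directory module (Windows Server 2008 R2 RSAT) and that the
# domain to be federated is contoso.co.in, as in the post.
Import-Module ActiveDirectory

$FederatedSuffix = 'contoso.co.in'   # the public, Office 365-validated domain

# Every enabled user, with the two attributes that matter for federated sign-in.
$users = Get-ADUser -Filter { Enabled -eq $true } -Properties UserPrincipalName, mail

$report = foreach ($u in $users) {
    $upn    = $u.UserPrincipalName
    $suffix = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[1] } else { $null }

    # Three conditions: a UPN exists, its suffix is the federated public domain,
    # and (rule of thumb from the post) it matches the user's email address.
    $problem = $null
    if (-not $upn)                            { $problem = 'No UPN set' }
    elseif ($suffix -ne $FederatedSuffix)     { $problem = "UPN suffix '$suffix' is not $FederatedSuffix" }
    elseif ($u.mail -and ($u.mail -ne $upn))  { $problem = "UPN does not match mail ($($u.mail))" }

    if ($problem) {
        New-Object PSObject -Property @{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $upn
            Mail              = $u.mail
            Problem           = $problem
        }
    }
}

if ($report) {
    $report | Sort-Object Problem |
        Select-Object SamAccountName, UserPrincipalName, Mail, Problem | Format-Table -AutoSize
    "{0} user(s) need attention before federation." -f @($report).Count
} else {
    "All enabled users carry the $FederatedSuffix UPN suffix."
}

# Bulk fix for the suffix problem only, to be run after reviewing the report:
# $report | Where-Object { $_.Problem -like 'UPN suffix*' } | ForEach-Object {
#     Set-ADUser $_.SamAccountName -UserPrincipalName "$($_.SamAccountName)@$FederatedSuffix"
# }
```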
 

The next step is to create a Security Token Service (STS) DNS record for Active Directory Federation Services.

 
  • Logon to a DNS server 
  • Open DNS Manager from Administrative Tools.
  • Expand Forward Lookup Zones, then right-click the domain name to be federated.
  • Click New Host (A or AAAA).
  • In the Name field enter sts.
  • For IP Address enter the externally accessible IP address assigned for Federation Services.
 
 
My Federation Service’s name is sts.domainname.co.in
 
It’s time to install Active Directory Federation Services 2.0.
Logon to the Windows Server 2008 R2 server where you’ll be installing AD FS 2.0 using an account with Domain Admin privileges.
  • Open Windows Explorer, navigate to the folder where the file is stored, right-click the AdfsSetup.exe file, and click Run As Administrator.



The AD FS 2.0 Setup Wizard will start. Click Next





On the EULA screen, accept the License Agreement and press Next





Then select Federation server and press Next


 
  
Press Next and it will also install the other required software 

 
 
Installing the ADFS 2.0 components
 
 
We have now completed the ADFS 2.0 installation successfully. This is the foundation for achieving single sign-on and integrating local Active Directory accounts with Office 365 cloud-based services.

Sunday, 2 March 2014

Outlook Anywhere / Exchange proxy settings disappearing automatically in Outlook



Recently, I came across an issue at one of my client sites where the Exchange proxy settings in Outlook for multiple users were disappearing automatically, even after being entered manually.


After searching a lot on Bing/Google, I did not find any answer.


Then I started to check the Exchange configuration for the users and found that there was a scheduler configured on the server which was responsible for disabling Outlook RPC over HTTP / Outlook Anywhere.


Below is the sample configuration of the scheduler responsible for disabling Outlook RPC over HTTP / Outlook Anywhere for the users:



Set-CASMailbox -Identity tony@contoso.com -MAPIBlockOutlookRpcHttp:$true



So, the solution is to take the users out of the scheduler and enable Outlook RPC over HTTP / Outlook Anywhere for them using the following command:


Set-CASMailbox -Identity tony@contoso.com -MAPIBlockOutlookRpcHttp:$False
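An added example (not from the original post) that turns the two commands above into an audit: list every mailbox currently blocked, look for the scheduled task that re-applies the block, re-enable Outlook Anywhere only for a reviewed list of users, and confirm the result. It runs in the Exchange Management Shell; the user list is constructed from the post's sample address.

```powershell
# Added example, not from the original post: audit who is affected by
# MAPIBlockOutlookRpcHttp, locate the job that keeps re-applying it, and
# re-enable Outlook Anywhere only for a reviewed list of users.
# Run from the Exchange Management Shell. The list below is constructed from
# the post's sample user; replace it with the users you have confirmed.
$UsersToFix = @('tony@contoso.com')

# 1. Which mailboxes are currently blocked from RPC over HTTP?
$blocked = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.MAPIBlockOutlookRpcHttp -eq $true }
"Mailboxes with Outlook Anywhere blocked: $(@($blocked).Count)"
$blocked | Select-Object Name, PrimarySmtpAddress | Format-Table -AutoSize

# 2. Look for a scheduled task on this server whose action runs PowerShell or a
#    script; the author found such a job calling Set-CASMailbox. Review the
#    matches by hand before editing or deleting the task.
schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'powershell|\.ps1|\.bat|\.cmd' } |
    Select-Object TaskName, 'Task To Run', 'Next Run Time' | Format-Table -AutoSize

# 3. Re-enable Outlook Anywhere, but only for users on the reviewed list: a
#    block on some other mailbox may be intentional, so do not clear it blindly.
foreach ($m in $blocked) {
    if ($UsersToFix -contains $m.PrimarySmtpAddress.ToString()) {
        Set-CASMailbox -Identity $m.Identity -MAPIBlockOutlookRpcHttp:$false
        "Re-enabled Outlook Anywhere for $($m.PrimarySmtpAddress)"
    }
}

# 4. Confirm the listed users are no longer blocked. If one is blocked again
#    after the next scheduled run, that user is still in the task's input list.
foreach ($addr in $UsersToFix) {
    $state = (Get-CASMailbox -Identity $addr).MAPIBlockOutlookRpcHttp
    "{0,-30} MAPIBlockOutlookRpcHttp = {1}" -f $addr, $state
}
```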





 

Wednesday, 5 September 2012

Exchange Server 2013 Preview Installation


Install the prerequisites for the Mailbox server role only, or for the combined Mailbox and Client Access server roles
  1. Open Windows PowerShell.
  2. Run the following command to load the Server Manager module.

  3. Run the following command to install the required Windows components.

Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI


You will have to restart the server after installing all the above required Windows components.
4. After you've installed the operating system roles and features, install the following software in the order shown:
   a) Microsoft .NET Framework 4.5
   b) Windows Management Framework 3.0
   c) Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
   d) Knowledge Base article KB974405 (Windows Identity Foundation)
   e) Knowledge Base article KB2619234 (Enable the Association Cookie/GUID that is used by RPC over HTTP to also be used at the RPC layer in Windows 7 and in Windows Server 2008 R2)
   f) Knowledge Base article KB2533623 (Insecure library loading could allow remote code execution)

5. For Exchange 2013 Preview, you must also do the following in the order shown:

   a. Uninstall Microsoft Visual C++ 11 Beta Redistributable (x64). This task must be done after you've installed UCMA, but before you run Exchange 2013 Preview Setup. To uninstall Microsoft Visual C++ 11 Beta Redistributable (x64), do the following:
      I. Open Control Panel > Programs and Features.
      II. Select Visual C++ 11 Beta Redistributable (x64) - 11.0.50531 and then click Uninstall.
      III. In Microsoft Visual C++ 11 Beta setup, click Uninstall.
      IV. When Microsoft Visual C++ 11 Beta is uninstalled, click Close.

   b. Register ASP.NET with .NET Framework 4.5 in IIS. This task must be done after you've completed the process described earlier in “Uninstall Microsoft Visual C++ 11 Beta Redistributable (x64)”, but before you run Exchange 2013 Preview Setup. To register ASP.NET with .NET Framework 4.5 in IIS, do the following:
      i. Open a Windows Command Prompt.
      ii. Run the following command (note the plain hyphen before enable; an en-dash will not be accepted).
         %SystemDrive%\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -ir -enable
      iii. Run the following command to restart the IIS services.
         IISReset

6. After you've installed the software listed above, complete the following steps to install the Remote Tools Administration Pack. After you've installed the Remote Tools Administration Pack you'll be able to use the computer to prepare Active Directory.

   a) Open Windows PowerShell.
   b) On a Windows Server 2008 R2 SP1 computer, run the following command.
      Add-WindowsFeature RSAT-ADDS

Preparation of Active Directory

Please run the below commands to prepare the Active Directory to introduce Exchange 2013 preview:
1. setup /PrepareSchema /IAcceptExchangeServerLicenseTerms

2. setup /PrepareAD /OrganizationName:<organization name> /IAcceptExchangeServerLicenseTerms



Now run one of the following (every unattended Setup command needs the /IAcceptExchangeServerLicenseTerms switch):
• Run setup /PrepareDomain /IAcceptExchangeServerLicenseTerms to prepare the local domain. You don't need to run this in the domain where you ran Step 2, because running setup /PrepareAD already prepares the local domain;
• Run setup /PrepareDomain:<FQDN of domain you want to prepare> /IAcceptExchangeServerLicenseTerms to prepare a specific domain;
• Run setup /PrepareAllDomains /IAcceptExchangeServerLicenseTerms (or setup /pad /IAcceptExchangeServerLicenseTerms) to prepare all domains in your organization.


 
Installation of Exchange 2013 Client Access Server Role using the Setup Wizard

1.       Start Exchange 2013 Preview Setup by double-clicking Setup.exe

2.       On the Check for Updates page, choose whether you want Setup to connect to the Internet and download product and security updates for Exchange 2013 Preview. Click next to continue






On the Copying File page, Setup copies files required for setup. When Setup is finished copying files and is ready to begin, click next;


 
The Introduction page begins the process of installing Exchange. Click next to continue;

  

Select “I accept the terms in the license agreement” and press the Next button.
 
As it is being installed in a test environment, we can select the option “No” and press Next.

  


This screen shows that the required software is installed. Press Next.


Select the Mailbox role and the Client Access role and press Next.


Select the installation location where you want to install the Exchange binaries and press Next.


If you're installing the Mailbox role, on the Malware Protection Settings page, choose whether you want to enable or disable malware scanning. If you disable malware scanning, it can be enabled in the future. Click Next to continue;




If you're installing the Client Access server role, on the Configure Client Access Server external domain page, click This Client Access server will be Internet-facing if the Client Access server you're installing will be accessible from the Internet. Then, enter a domain name to use to configure your Client Access servers. If the Client Access server won't be Internet-facing, you can click next without configuring a domain name. Click next to continue;



On the Customer Experience Improvement Program page, choose the appropriate option for your organization, and then click next to continue;




On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If all readiness checks have completed successfully, click next to install Exchange 2013 Preview;




On the Completion page, click Finish and Restart the computer after Exchange 2013 Preview has completed;


Exchange Administration Center

The Exchange Administration Center (EAC) is the web-based management console in Microsoft Exchange Server 2013 Preview that allows for ease of use and is optimized for on-premises, online, or hybrid Exchange deployments. The EAC replaces the Exchange Management Console (EMC) and the Exchange Control Panel (ECP), which were the two interfaces that were used to manage Exchange Server 2010.
One of the advantages of having the web-based EAC is that you can partition access from the Internet/Intranet from within the ECP IIS virtual directory to allow or disallow management features. This allows you to permit or deny access to users trying to access the EAC from the Internet outside of your organizational environment, while still allowing access to an end-user’s Outlook Web App Options.



Sunday, 12 August 2012

Upgrade your Active Directory from Windows 2003 to Windows 2008

Upgrade the Active Directory schema from Windows 2003 to Windows 2008
Adprep.exe is a command-line tool that is included on the installation disk of each version of Windows Server. Adprep.exe performs operations that must be completed in an existing Active Directory environment before you can add a domain controller that runs that version of Windows Server that is later than the latest version that is running in your current environment. In Windows Server 2008, Adprep.exe is available in the /sources/adprep folder of the installation DVD. In Windows Server 2008 R2, Adprep.exe is located in the /support/adprep folder.
When you run Adprep.exe, various operations will be performed to prepare the domain for the newer version of Windows Server that will run on your domain controllers. Some of the operations include:
• Upgrade the Active Directory schema
• Upgrade security descriptors
• Upgrade access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
• Create new objects, as needed
• Create new containers, as needed
To complete the required operations, you must run the Adprep.exe commands that are listed in the following table. You must run adprep /forestprep before you run other commands. Some commands must be run on specific domain controllers, as indicated in the table. The remaining sections in this topic contain more details about each command.
Command: adprep /forestprep
Domain controller: Must be run on the schema operations master for the forest.
Number of times to run the command: Once for the entire forest.

Command: adprep /domainprep
Domain controller: Must be run on the infrastructure operations master for the domain.
Number of times to run the command: Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain.
Note: Domains where you will not add a new domain controller will be affected by adprep /forestprep, but they do not require you to run adprep /domainprep.

Command: adprep /domainprep /gpprep
Domain controller: Must be run on the infrastructure operations master for the domain. If you already ran the /gpprep parameter for Windows Server 2003, you do not have to run it again for Windows Server 2008 or Windows Server 2008 R2.
Number of times to run the command: Once in each domain within the forest.

Command: adprep /rodcprep
Note: This command is optional. Run it only if you want to install a read-only domain controller (RODC).
Domain controller: Can be run from any computer. This command performs operations remotely. For the operations to complete successfully, the domain naming operations master for the forest and the infrastructure operations master for each application directory partition and each domain partition must be accessible. If you already ran this command for Windows Server 2008, you do not have to run it again for Windows Server 2008 R2.
Number of times to run the command: Once for the entire forest.


Note
If you plan to add an RODC to the forest, you can run adprep /rodcprep right after you run adprep /forestprep and then verify that both operations have replicated throughout the forest. Both commands require Enterprise Admin credentials; therefore, you might prefer to run them consecutively.

If you are not sure which computer holds the operations master (also known as flexible single master operations or FSMO) role that you need, type the following command at a command prompt on a computer on which you have Netdom.exe installed, and then press ENTER:
netdom query FSMO

Preparing to run adprep /forestprep
1. Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.
2. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4).
3. Antivirus software can sometimes interfere with this command. You may want to temporarily stop the antivirus service on the schema master until the process has been completed.
Start your upgrade process
Details of my existing LAB setup
Operating System: Windows 2003 with SP 2
Computer Name: DC-Win-2003
Domain Name: LABTEST.in
Role: FSMO role owner and Global Catalog server

1. Log in to the Domain Controller you are upgrading. First we are going to prepare the Domain Controller database for the upgrade.
2. Insert the Server 2008 CD in your CD/DVD-ROM drive.
3. Open a command prompt and change the drive to your CD/DVD-ROM drive.

When in Command Prompt, type in cd\ and hit Enter



Now enter the drive letter (d: and hit Enter) pointing to your CD/DVD-ROM drive. On the D drive, type DIR to list the content of the CD/DVD.

Now go to folder (D:\Sources\adprep) that contains the adprep.exe command.

On the D drive, type cd sources\adprep and hit Enter. This will take you to the adprep folder.

To verify the content of the adprep folder, type dir and hit Enter.

The first command you should type is adprep /forestprep, then hit Enter.

Once the adprep /forestprep process is finished you are going to see the information as shown below.

To ensure that the adprep /domainprep command runs successfully, complete these steps before you run the command on the infrastructure operations master role holder in each domain:
  1. Make sure that the schema updates that adprep /forestprep performs replicated throughout the forest or that they at least replicated to the infrastructure master for the domain where you plan to run adprep /domainprep. For more information, see Verifying that adprep /forestprep completed successfully.
  2. Make sure that you can log on to the infrastructure master with an account that is a member of the Domain Admins group.
  3. Verify that the domain functional level is at least Windows 2000 native.
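Step 1 above (confirm the schema update has replicated) can be checked directly rather than by waiting, as in this added example that is not part of the original post: it reads the schema objectVersion from each named DC and compares it with the value for the target release. It uses plain ADSI, so it runs on Windows Server 2008 without the Active Directory module; the DC name follows the post's LAB setup.

```powershell
# Added example, not from the original post: confirm that adprep /forestprep has
# been applied and has replicated to the DC you will run adprep /domainprep on,
# by reading the schema objectVersion from each DC. Plain ADSI, so it works on
# Windows Server 2008 without the Active Directory module. The DC names follow
# the post's LAB; add the infrastructure master of each domain you will prepare.

# Schema objectVersion values Microsoft publishes for each Windows Server release.
$knownVersions = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
}
$Required = 44   # this upgrade targets Windows Server 2008

function Get-SchemaVersion {
    param([string]$Server)
    # Bind to the named DC specifically, so replication lag shows up per DC.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $schema  = [ADSI]"LDAP://$Server/$($rootDse.schemaNamingContext.Value)"
    [int]$schema.objectVersion.Value
}

function Test-ForestPrep {
    param([string[]]$DomainControllers, [int]$Required)
    $allOk = $true
    foreach ($dc in $DomainControllers) {
        try {
            $v = Get-SchemaVersion -Server $dc
        } catch {
            Write-Host ("{0,-15} unreachable: {1}" -f $dc, $_.Exception.Message)
            $allOk = $false
            continue
        }
        $release = if ($knownVersions.ContainsKey($v)) { $knownVersions[$v] } else { 'unknown' }
        $state   = if ($v -ge $Required) { 'OK' } else { 'forestprep missing or not yet replicated' }
        if ($v -lt $Required) { $allOk = $false }
        Write-Host ("{0,-15} objectVersion={1,-3} ({2}) {3}" -f $dc, $v, $release, $state)
    }
    $allOk
}

# Schema master first, then every infrastructure master you will run /domainprep on.
$dcs = @('DC-Win-2003')
if (Test-ForestPrep -DomainControllers $dcs -Required $Required) {
    'Safe to proceed with adprep /domainprep.'
} else {
    'Wait for replication (or run adprep /forestprep) before adprep /domainprep.'
}
```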
Raising the domain functional level to Windows 2000 native or higher
Open Active Directory Users and Computers.
Select the domain LABTEST.in and right-click on it. Click on “Raise Domain Functional Level”.

This is my LAB environment and it has no Windows 2000 domain controllers, so I am raising the level to Windows Server 2003. Use the drop-down just below “Select an available domain functional level” to list the available levels, select the desired one and click Raise.

Once you click the Raise button, it asks for a final confirmation; click OK.

Once you have finished the above steps, it confirms that the domain functional level has been raised successfully.

When you have completed the above steps, to run adprep /domainprep insert the Windows Server operating system DVD into the DVD drive of the infrastructure master. Then change directories to the folder that contains Adprep.exe and run the command as mentioned above.
If you ran the version of the adprep /domainprep command that is included in Windows Server 2008 or Windows Server 2008 R2, the adprep /domainprep /gpprep command adds only the inheritable access control entries (ACEs) on Group Policy objects (GPOs) in the SYSVOL shared folder. The additional ACEs give enterprise domain controllers read access permissions on GPOs. These permissions are required to support Resultant Set of Policy (RSOP) functionality for site-based policy.
Running adprep /domainprep /gpprep can create a lot of replication traffic because every GPO is updated. Therefore, you might want to run this command during off-peak hours to minimize the impact of the additional replication.
If you run adprep /domainprep /gpprep before you run adprep /domainprep, Adprep.exe runs both commands sequentially. First, it performs the /domainprep operations, and then it performs the /gpprep operations.


 
Now you have to wait till the changes replicate throughout the forest before preparing any domains for a domain controller that runs Windows Server 2008. Once replication is completed then you are finally ready for the upgrade.
Adding Windows 2008 machine into domain
I have prepared my new virtual machine with the details below and joined it to the domain.
Operating System: Windows 2008 with SP 1 installed
Computer Name: DC-EXCH-2013
Domain Name: LABTEST.in



After joining the server to the domain, we need to restart the server.
As this is my LAB environment, I am disabling IPv6 on the member server.


 
Now make sure your Server 2008 CD is in the CD/DVD-ROM drive. Open the Run dialog, type dcpromo and hit Enter.

Active Directory Domain Services (AD DS) binaries will start installing.

Once AD DS binaries have been installed successfully, the AD DS installation wizard will open. Click on the check box “Use advanced mode installation” and hit Next.


 
Click Next on the Operating System Compatibility window


You are promoting a member server to an additional Domain Controller, therefore select the radio buttons “Existing forest” and “Add a domain controller to an existing domain” and hit Next.


 
Type the domain name here; you also have the option to use “Alternate credentials” to promote the server to an additional Domain Controller. Then hit Next.


Select the domain in which you are going to install the additional domain controller and hit Next.



Select the AD site in which you want to install the additional domain controller. In our test LAB setup only the default AD site is available, therefore we choose the default site and hit Next.


 
The additional Domain Controller will also work as a DNS server and Global Catalog, therefore leave the default settings and hit Next.



Press Yes on the DNS Server Delegation window


 
Select the replication method this additional domain controller will use to obtain its initial copy of the directory.


 
Select the source domain controller to use as the replication partner. We have only one domain controller in our LAB environment, therefore we go with the default settings and hit Next.


 
You can change the AD DS database, log files and SYSVOL locations from the defaults. Here we go with the defaults and hit Next.



 
Enter the Directory Services Restore Mode (AD DS restore) administrator password and hit Next.



On the Summary page, we have the option to review all the settings we applied to promote the server as an additional domain controller. Hit Next.


AD DS is now being configured.



Once the AD DS configuration is completed you will see the completion page. Press Finish and restart the server.



Moving FSMO Roles on to Additional Domain Controller
To list the current owner of each FSMO role and transfer the roles:

Open the command prompt, type ntdsutil and hit Enter.


 
Once you are in the NTDSUTIL menu, type roles and hit Enter.


Now you are in the FSMO maintenance menu; type connections to connect to the domain and server.


In connections menu, type in connect to domain LABTEST.in (connect to domain <your domain name>)


You are now connected to your domain LABTEST.in


Type connect to server DC-EXCH-2013 and hit Enter (the server to which you want to transfer the FSMO roles).


Once you are done with connections, type quit to return to the FSMO maintenance menu.


On the FSMO maintenance menu, type transfer PDC and hit enter. It will prompt you to confirm the transfer, please hit yes to continue


Once the above step is done, FSMO maintenance confirms that the PDC role has been transferred to the connected server (i.e. DC-EXCH-2013).


On the FSMO maintenance menu, type transfer RID Master and hit enter. It will prompt you to confirm the transfer, please hit yes to continue


Once the above step is done, FSMO maintenance confirms that the RID Master role has been transferred to the connected server (i.e. DC-EXCH-2013).


On the FSMO maintenance menu, type transfer Infrastructure Master and hit enter. It will prompt you to confirm the transfer, please hit yes to continue


Once the above step is done, FSMO maintenance confirms that the Infrastructure Master role has been transferred to the connected server (i.e. DC-EXCH-2013).


On the FSMO maintenance menu, type transfer Naming Master and hit enter. It will prompt you to confirm the transfer, please hit yes to continue


Once the above step is done, FSMO maintenance confirms that the Naming Master role has been transferred to the connected server (i.e. DC-EXCH-2013).



On the FSMO maintenance menu, type transfer Schema Master and hit enter. It will prompt you to confirm the transfer, please hit yes to continue



Once the above step is done, FSMO maintenance confirms that the Schema Master role has been transferred to the connected server (i.e. DC-EXCH-2013).

You have now completed the FSMO transfer successfully; type quit twice to exit ntdsutil.


 
To verify that the FSMO roles have been transferred successfully, type netdom query fsmo and hit Enter.


You have successfully transferred all the FSMO roles from the server DC-WIN-2003 to the server DC-Exch-2013.
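As an added example that is not part of the original post, the same verification done against the directory itself: instead of trusting only the netdom output, it reads the fSMORoleOwner attribute of the object that holds each of the five roles and checks that every one points at the new server, flagging any role whose holder was deleted rather than transferred. Plain ADSI, so it runs on the Windows Server 2008 DC without the Active Directory module; the server name follows the post's LAB.

```powershell
# Added example, not from the original post: verify the FSMO transfer by reading
# fSMORoleOwner on each role-holding object, as a cross-check of "netdom query
# fsmo". Plain ADSI, so it runs on Windows Server 2008 without the AD module.
$ExpectedOwner = 'DC-EXCH-2013'   # the server the post transferred the roles to

function Get-FsmoRoleOwners {
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = $root.defaultNamingContext.Value
    $config = $root.configurationNamingContext.Value
    $schema = $root.schemaNamingContext.Value

    # The object that carries fSMORoleOwner for each of the five roles.
    $roleObjects = @{
        'PDC Emulator'          = $domain
        'RID Master'            = "CN=RID Manager`$,CN=System,$domain"
        'Infrastructure Master' = "CN=Infrastructure,$domain"
        'Domain Naming Master'  = "CN=Partitions,$config"
        'Schema Master'         = $schema
    }

    foreach ($role in $roleObjects.Keys) {
        $entry = [ADSI]"LDAP://$($roleObjects[$role])"
        $ntds  = $entry.fSMORoleOwner.Value
        # The value is the NTDS Settings DN: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
        $server = if ($ntds -match '^CN=NTDS Settings,CN=([^,]+),') { $matches[1] } else { '<unresolved>' }
        New-Object PSObject -Property @{
            Role   = $role
            Owner  = $server
            # A DN containing "0ADEL:" points at a deleted object: the role is orphaned,
            # meaning its holder was removed instead of the role being transferred.
            Orphan = ($ntds -like '*0ADEL:*')
        }
    }
}

$owners = Get-FsmoRoleOwners
$owners | Select-Object Role, Owner, Orphan | Format-Table -AutoSize

$wrong = $owners | Where-Object { $_.Owner -ne $ExpectedOwner -or $_.Orphan }
if ($wrong) {
    'Transfer incomplete: ' + (($wrong | ForEach-Object { "$($_.Role) on $($_.Owner)" }) -join '; ')
} else {
    "All five FSMO roles are held by $ExpectedOwner."
}
```

Run it on more than one DC (or bind RootDSE to a named server) to confirm the new ownership has replicated, not just been written on the server you transferred from.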


(Note: - It is being done in my LAB environment however can be referred to upgrade the production environment.)