Although you deploy AD FS first to support SSO and decrease administrative overhead, you might need to perform management tasks periodically after you have deployed it. This lesson describes two of the most common tasks.

The first task is managing the certificate lifecycle to prevent issues that are caused by certificate expiration. The self-signed, self-generated certificates that AD FS generates support automatic rollover, which renews the AD FS certificates once a year without manual intervention. Automatic certificate rollover is the AD FS process that generates two new token-signing certificates every year. If Office 365 is not updated with the new token-signing certificate, no user can sign in and use Office 365, because this certificate signs all assertions from the federation server. If an internal CA is used to issue the token-signing certificate, AD FS does not provide automatic certificate rollover, and you must therefore manually renew the certificates and update them in Office 365.

You can use the AD FS Management console to view certificate expiration dates for the service communications, token-decrypting, and token-signing certificates. In the console tree, expand Service and then click Certificates.
You also can use the Azure AD Module for Windows PowerShell to view certificate details when you use the Windows PowerShell cmdlet Get-AdfsCertificate. If you prefer to use automatic certificate rollover for managing the lifecycle of your certificates, you need to enable the feature in AD FS, and then install the Office 365 federation metadata update automation installation tool. You enable this feature in AD FS by using the Set-AdfsProperties Windows PowerShell cmdlet. After installing the tool, you can use the Update-MsolFederatedDomain Windows PowerShell cmdlet to update the Office 365 service automatically when the AD FS token-signing certificate renews annually. You should run this tool as a daily scheduled task on the AD FS server. If you do not do this, you must monitor token-signing certificate renewal manually on the AD FS server. You should run the update tool's scheduled task only on the AD FS federation server.

Another task is changing the primary and secondary AD FS federation servers. If you use WID (Windows Internal Database) as the AD FS data store, you can change the primary and secondary federation servers by using the Azure AD Module for Windows PowerShell. This method allows you to change the database settings for the AD FS server and then change the role.
For example, if you want to change the primary federation server, AD FS server 1, to a secondary federation server, AD FS server 2, use the following procedure. First, identify the secondary federation server, AD FS server 2, that will become the primary federation server. Second, on the secondary federation server, AD FS server 2, at the Microsoft Azure AD Module for Windows PowerShell prompt, type the following command: Set-AdfsSyncProperties -Role PrimaryComputer. Third, on the primary federation server, AD FS server 1, at the Microsoft Azure AD Module for Windows PowerShell prompt, type the following: Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <AD FS server 2>.

The primary federation server becomes a secondary federation server with a read-only WID database, and the secondary federation server becomes the primary federation server with a read-write WID database, from which all the secondary federation servers retrieve their database copies. Please note that switching the AD FS federation server role does not apply if you use SQL Server as the AD FS configuration database store. This is because all the AD FS federation servers have read-write access to the SQL Server database.
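The following PowerShell is an added example written for this lesson, not the lesson's own script or Microsoft's tooling: it wraps the checks and cmdlets discussed above (expiry reporting, enabling rollover, the daily Update-MsolFederatedDomain task, and the WID role switch) in helper functions whose names, placeholder server and domain names, and credential path are my own assumptions. The WID detection is a heuristic based on the named pipe that appears in the WID connection string.

```powershell
# Added example, not the lesson's own script. Runs on an AD FS federation server with the
# ADFS module (and MSOnline for the scheduled task); names and paths are placeholders.
Import-Module ADFS

# Token-signing / token-decrypting certificates expiring within $WarnDays: catch expiry
# before Office 365 sign-in fails.
function Get-ExpiringAdfsCertificate {
    param([int]$WarnDays = 30)
    $cutoff = (Get-Date).AddDays($WarnDays)
    Get-AdfsCertificate |
        Where-Object { $_.CertificateType -in 'Token-Signing','Token-Decrypting' -and
                       $_.Certificate.NotAfter -le $cutoff } |
        Select-Object CertificateType, IsPrimary, Thumbprint, @{n='NotAfter'; e={$_.Certificate.NotAfter}}
}

# Enable automatic rollover if it is off; returns the effective setting.
function Enable-AdfsAutoRollover {
    if (-not (Get-AdfsProperties).AutoCertificateRollover) { Set-AdfsProperties -AutoCertificateRollover $true }
    return (Get-AdfsProperties).AutoCertificateRollover
}

# Daily task that pushes the renewed token-signing certificate to Office 365.
# Assumes a credential saved with Export-Clixml at the placeholder path.
function Register-FederationMetadataUpdateTask {
    param([Parameter(Mandatory)][string]$DomainName)   # e.g. 'contoso.example' (placeholder)
    $cmd = "Import-Module MSOnline; Connect-MsolService -Credential (Import-Clixml C:\adfs\cred.xml); " +
           "Update-MsolFederatedDomain -DomainName $DomainName"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$cmd`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 3am
    Register-ScheduledTask -TaskName 'Update-MsolFederatedDomain' -Action $action -Trigger $trigger
}

# The role switch only applies to WID farms; with SQL Server every federation server
# already has read-write access. Heuristic: the WID connection string names its named pipe.
function Test-AdfsUsesWid { return (Get-AdfsProperties).ArtifactDbConnection -like '*MICROSOFT##WID*' }

# Step 2: run ON the secondary that becomes primary (e.g. ADFS2).
function Set-AdfsRolePrimary {
    if (-not (Test-AdfsUsesWid)) { throw 'SQL-backed farm: role switch does not apply.' }
    Set-AdfsSyncProperties -Role PrimaryComputer
    return (Get-AdfsSyncProperties).Role
}

# Step 3: run ON the old primary (e.g. ADFS1), pointing it at the new primary.
function Set-AdfsRoleSecondary {
    param([Parameter(Mandatory)][string]$NewPrimary)   # e.g. 'ADFS2.contoso.example' (placeholder)
    if (-not (Test-AdfsUsesWid)) { throw 'SQL-backed farm: role switch does not apply.' }
    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $NewPrimary
    return Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName
}
```

Run Set-AdfsRolePrimary on the server that is taking over before running Set-AdfsRoleSecondary on the old primary, so that there is never a moment without a writable WID copy.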