1
00:00:04,220 --> 00:00:10,310
You can set up AD FS in a farm configuration with multiple servers for redundancy and either use the

2
00:00:10,310 --> 00:00:16,850
Windows internal database to store the AD FS data or configure AD FS to use SQL Server or a SQL

3
00:00:16,850 --> 00:00:17,660
Server farm.

4
00:00:18,530 --> 00:00:23,600
Some organisations want a simpler deployment though, with only a single AD FS server.

5
00:00:23,660 --> 00:00:28,370
But they still want some assurance that the service could be restored quickly if there is any kind of

6
00:00:28,370 --> 00:00:28,880
problem.

7
00:00:29,750 --> 00:00:35,630
The AD FS Rapid Restore Tool provides a way to back up your AD FS data and restore the state of the

8
00:00:35,630 --> 00:00:37,790
server, all using PowerShell commands.

9
00:00:38,690 --> 00:00:44,030
You can back up the data to a folder on the computer or on the network, or there is built-in support

10
00:00:44,030 --> 00:00:48,050
to send the data to a blob storage container in an Azure storage account.

11
00:00:48,950 --> 00:00:54,220
This lets you restore your AD FS after a problem onto another server or even the same server.

12
00:00:54,230 --> 00:00:59,900
Or you can use the tool to create a copy of your production AD FS server and deploy it to another environment

13
00:00:59,900 --> 00:01:00,620
for testing.

14
00:01:01,490 --> 00:01:07,220
You can also use the tool to migrate from using the Windows internal database to using SQL Server and

15
00:01:07,220 --> 00:01:07,970
vice versa.

16
00:01:08,880 --> 00:01:12,120
The tool backs up the AD FS configuration database,

17
00:01:12,150 --> 00:01:13,770
all configuration files,

18
00:01:13,890 --> 00:01:19,500
the SSL certificate used by the service as well as any externally enrolled certificates like those used

19
00:01:19,500 --> 00:01:24,120
for token signing, decryption and communication with another AD FS service,

20
00:01:24,360 --> 00:01:29,640
the automatically generated token signing and decrypting certificates and private keys that are stored

21
00:01:29,640 --> 00:01:31,640
in the container in Active Directory.

22
00:01:31,650 --> 00:01:38,430
And it also backs up the list of custom authentication providers, attribute stores and local claims

23
00:01:38,430 --> 00:01:43,500
provider trusts that are installed. In order to run the PowerShell commands,

24
00:01:43,680 --> 00:01:47,640
the user needs to be at least a local admin on the AD FS server.

25
00:01:48,520 --> 00:01:54,160
If you plan to back up the DKM container in Active Directory that stores the token encrypting and signing

26
00:01:54,160 --> 00:01:59,410
certificates, you need to be a domain admin or pass in the AD FS service account credentials.

27
00:02:00,280 --> 00:02:05,620
If the AD FS service account is using a group managed service account, as we are in our deployment,

28
00:02:05,830 --> 00:02:08,110
then the user needs to be a domain admin.

29
00:02:08,980 --> 00:02:10,630
Now let's see how to do this.

30
00:02:11,550 --> 00:02:16,350
I'm on the AD FS server and I've created a local folder here to store the backup.

31
00:02:17,240 --> 00:02:21,710
You should store the backup on a network share though, in case the server goes down.

32
00:02:21,800 --> 00:02:24,860
Or even better, store them in an Azure storage account.

33
00:02:25,760 --> 00:02:27,830
We'll just put them here for the demo.

34
00:02:28,670 --> 00:02:31,280
Let's open up a browser and download the tool.

35
00:02:32,190 --> 00:02:37,590
We can get it by going to the AD FS Help website at adfshelp.microsoft.com.

36
00:02:38,460 --> 00:02:41,730
Let's open up Offline Tools and scroll down to the bottom.

37
00:02:42,570 --> 00:02:47,580
Click on AD FS Rapid Restore Tool and that brings us to the documentation.

38
00:02:48,450 --> 00:02:53,580
A little further down, there is a link to download the tool that brings us to the download center.

39
00:02:54,470 --> 00:02:57,170
Let's click download and get the MSI file.

40
00:02:58,070 --> 00:03:00,110
Once that downloads, I'll run it.

41
00:03:00,110 --> 00:03:02,420
And this is a standard click next to install.

42
00:03:02,540 --> 00:03:04,250
So we'll just go through this quickly.

43
00:03:05,120 --> 00:03:10,670
Okay, let's close this and let's go down to the start menu and open up PowerShell and I'll open it

44
00:03:10,670 --> 00:03:11,810
as an administrator.

45
00:03:12,680 --> 00:03:14,780
And let's just create some space here.

46
00:03:15,680 --> 00:03:20,150
Now, the first thing we need to do is import the module in the DLL that was installed.

47
00:03:20,300 --> 00:03:26,870
So let's run Import-Module, and the path to the DLL is in the Program Files (x86) folder, AD FS Rapid

48
00:03:26,870 --> 00:03:30,320
Recreation Tool, and the DLL has the same name as the folder.

49
00:03:31,190 --> 00:03:33,920
Now let's run the command Backup-ADFS.

50
00:03:34,840 --> 00:03:38,920
The storage type will be file system, but we could back this up to Azure.

51
00:03:39,800 --> 00:03:42,950
The storage path will be the local folder I created.

52
00:03:43,820 --> 00:03:49,130
The encryption password is just a string, so I'll just use this and you can add a backup comment and

53
00:03:49,130 --> 00:03:50,900
I'll show you how that's used shortly.

54
00:03:51,770 --> 00:03:55,610
And finally there is an optional switch to back up the DKM.

55
00:03:56,510 --> 00:04:01,370
This is a container in Active Directory I mentioned that contains the token signing and decrypting

56
00:04:01,370 --> 00:04:04,520
certificates generated during AD FS install.

57
00:04:05,420 --> 00:04:07,430
Because I'm running this for the first time,

58
00:04:07,580 --> 00:04:12,710
PowerShell is installing the AD tools on this computer, and then the backup command is running.

59
00:04:13,550 --> 00:04:16,490
It says successfully backed up AD FS node.

60
00:04:17,360 --> 00:04:21,950
Let's just go over to the local folder and here is the backup that was created.

61
00:04:22,870 --> 00:04:26,080
You can see it has a date and time stamp in the folder name.

62
00:04:26,980 --> 00:04:28,870
There are XML documents.

63
00:04:29,760 --> 00:04:35,010
The live file is the Active Directory container and the service certificate is backed up also.

64
00:04:35,850 --> 00:04:40,890
Now let's actually run this command again to create another backup and let's just change the backup

65
00:04:40,890 --> 00:04:41,420
comment.

66
00:04:42,320 --> 00:04:46,820
The configuration is backed up again and let's go back to the folder and navigate up.

67
00:04:47,750 --> 00:04:49,970
So now there are two folders created.

68
00:04:50,840 --> 00:04:55,880
Next, let's restore one of these configurations. That's done with the command Restore-ADFS.

69
00:04:56,000 --> 00:04:57,740
The storage type is file system.

70
00:04:57,860 --> 00:05:01,250
The path is the master folder that contains all our backups.

71
00:05:02,150 --> 00:05:05,600
Notice that we don't have to scope this to a particular backup.

72
00:05:06,490 --> 00:05:11,740
We need to enter a decryption password, so I'll make sure that's the same password we used to encrypt

73
00:05:11,740 --> 00:05:17,260
the contents and we want to restore the DKM container in Active Directory.

74
00:05:18,100 --> 00:05:20,410
And now we get the option to choose a backup.

75
00:05:20,650 --> 00:05:23,350
This is where the backup comments are really helpful.

76
00:05:24,220 --> 00:05:27,940
You can choose your backup based on some description rather than just a date.

77
00:05:29,230 --> 00:05:32,680
So I'll choose the initial install by typing the ID number.

78
00:05:33,630 --> 00:05:36,930
I'm actually going to slow this down so you can see what's happening.

79
00:05:37,020 --> 00:05:42,570
It says validating backed up files and decrypting them, then copying over relevant certificates.

80
00:05:43,470 --> 00:05:46,530
Next, it's adding the AD FS role to the server.

81
00:05:46,620 --> 00:05:49,050
But we already have that installed on the server.

82
00:05:49,980 --> 00:05:55,770
Now it's installing and configuring the AD FS farm, importing data into the AD FS database,

83
00:05:55,950 --> 00:06:00,660
copying over configuration file and finally going over some minor details.

84
00:06:01,540 --> 00:06:05,500
And the message says we've successfully restored the AD FS node.

85
00:06:06,400 --> 00:06:12,460
Let's go to Server Manager and up to Tools and open up the AD FS management console and the service

86
00:06:12,460 --> 00:06:13,030
is running.

87
00:06:13,900 --> 00:06:20,620
In this module you've got an overview of AD FS and learned about the new features in AD FS 2019.

88
00:06:21,550 --> 00:06:26,560
I went through the configuration of my lab environment and then you learned about the different certificates

89
00:06:26,560 --> 00:06:28,090
used by AD FS.

90
00:06:29,050 --> 00:06:35,920
Next we installed AD FS into a fresh Windows Server 2019 environment and then you learned how to upgrade

91
00:06:35,920 --> 00:06:39,550
from earlier versions of AD FS and you saw that in the demo.

92
00:06:40,420 --> 00:06:45,160
Next we talked about the AD FS Help website and the tools and utilities there.

93
00:06:46,030 --> 00:06:51,130
And then you saw the Diagnostics Analyzer tool and the AD FS Rapid Restore Tool.

94
00:06:52,010 --> 00:06:57,230
In the next module, we're going to dig into claims based authentication and how the claims engine in

95
00:06:57,230 --> 00:06:58,490
AD FS works.