Now let's install AD FS on Server 2019.

I have a Server 2019 environment created in Hyper-V, and I'm on a domain-joined Windows 10 VM that has the Remote Server Administration Tools installed as well as the Windows Admin Center. I'm logged in with my domain administrator account. So let's open up the Windows Admin Center. This is a browser-based app for managing Windows servers and other infrastructure, and it comes as part of your Windows Server licensing.

There's already a connection to one machine in the environment, and that's the Windows 10 VM that I'm on right now. So let's add a connection to the domain controller. We do this by clicking Add and then Windows Server. From here we just enter the server name and then click Add. Now let's do the same thing and add the AD FS server as a connection. That server is called ADF 41, and let's add that as well.

Now let's connect to the domain controller by selecting it in the list. That brings us to the overview page for the server. Let's scroll down the list and click on PowerShell. This creates a remote session to the server, where we're authenticated with the account of the logged-in user on my local machine. Let me just create some space and zoom in by holding down Control and pressing the plus sign on my keyboard.

The reason I'm on the domain controller first is that we're going to be creating a group managed service account to use as the identity for the AD FS service running on the AD FS server. But before you can create a group managed service account, you need to generate a root key for the Key Distribution Service, and that's done on the domain controller. You only need to do this once in your environment to make it ready for use.

The PowerShell command is Add-KdsRootKey, and by default, domain controllers will wait up to 10 hours before allowing the creation of group managed service accounts using the root key. That's so all the domain controllers have time to converge their replication. So in a test environment, in order to use this right away, we'll add the parameter -EffectiveTime, and the value will be the current time using Get-Date, and we'll use the AddHours method to subtract 10 hours from the current time. So we're making this root key fully available for use right now.

We're going to let the AD FS configuration wizard create the group managed service account that AD FS will run as. But first we're going to add a DNS entry for the AD FS service that we're about to create. So let's open up Server Manager next and add the domain controller to the All Servers list. And let's do the same thing for the AD FS server. From the Tools menu, go to DNS.

You may need to retarget the interface to the domain controller unless you've already done that. Now let's expand Forward Lookup Zones and go to the company.pri zone. Here are the computers that are already registered on the domain, and that includes the AD FS server. Because we're only installing a single AD FS server and not a farm, we're going to point the AD FS service URL to that single AD FS server. So let's right-click and create a new A record. It will use the same parent domain of company.pri, so I just need to type the host name, and the IP address will be the IP address of the AD FS server. Remember, if we had a farm, we could point this to the load balancer's virtual IP address.

Now let's go back to the Windows Admin Center, and let's click the dropdown for Server Manager and click on Server Manager to return to the home page. Now let's start configuring the AD FS server. Let's scroll down to Roles and Features, and in the list on the right, select Active Directory Federation Services. Now let's click Install at the top. I'll speed things up a bit while this installs.

Now, before we can configure AD FS on this server, we need to import the certificate we created earlier that will be used by the AD FS service. We copied that certificate over to the AD FS server in the previous clip.

We'll import the certificate using PowerShell. So scroll up to the PowerShell menu item, and let's create some space on the screen and zoom in a bit. Now, because the private key is protected with a password, we need to get a reference to that password as a credential. So I'll type this command, Get-Credential. The username doesn't matter; it's just the password that we need. This prompts me for the password used to export the certificate, so I'll enter that.

Now let's run the command Import-PfxCertificate. The file path is the shared folder I created on the C drive and copied the certificate file into. The cert store location is the local machine Personal store. The password is the variable we just set up, and the property we want to use is Password. And let's add the parameter -Exportable so we can export the key later, when we do a backup of the AD FS settings using a utility I'll show you later in this module. Okay, the certificate was successfully imported.

Let's go to Server Manager, and there's a notification at the top. There's a link here to configure the federation service on the AD FS server. Let's click that. Leave the default to create the first federation server in a federation server farm, and click Next.

We need domain administrator permissions to perform the configuration, so let's enter the credentials of an account that has those permissions. Now we specify the service properties. First, let's select the certificate we just imported to the local machine Personal store, and that fills in the federation service name. You can change it if you need to, for example, if you selected a wildcard certificate as the SSL certificate. Now we give the service a display name. When we have forms-based authentication enabled, this name will show up on the AD FS login page. Now click Next.

Here we can select an existing service account for the AD FS service to run under, or we can let the wizard create a new group managed service account for us. Let's do that. I'll just give the service account a name, and let's click Next.

Here we choose whether we want to create a database on this server for storing configuration information. AD FS can use the Windows Internal Database, or you can specify a SQL Server somewhere on the network. With the Windows Internal Database, AD FS will replicate the data to each federation server in the farm. But if you use a SQL Server, you have benefits like support for a larger number of trust relationships, support for token replay detection, and typical SQL Server features like database mirroring, failover clustering, reporting, and the management tools. For this test environment, the Windows Internal Database is fine, so let's click Next.

Now we get a summary of the changes, and we can generate a PowerShell script at this point to automate the installation on additional servers. Let's click Next, and there are some prerequisite checks running. There's just this warning about the root key we just created, but that just has to do with it being created recently, so that's fine. Let's go ahead and configure AD FS. I'm going to speed things up a bit because this takes about a minute to complete. Okay, now let's close this, and we need to restart the AD FS server. Since we're already inside Server Manager, I'll click on All Servers and right-click on the AD FS server, and let's restart the server. I'll speed this up as well.

The next thing we need to do is to test the installation. The easiest way to do that is to enable the IdP-initiated sign-on page for the AD FS service. For that, we need to run some PowerShell. Now let's run the command Set-AdfsProperties, and the parameter we want to use is -EnableIdpInitiatedSignonPage, and set that value to true. There are no errors, so it completed successfully.

Now we can test the installation by navigating to the page that just got enabled, and that's https:// followed by the name of the AD FS service in the company.pri zone, and then the path to the sign-on page, which is /adfs/ls/IdpInitiatedSignon.aspx. Let's zoom back out a bit here and let's click Sign In. By default, Windows Authentication is enabled as the default authentication method for the intranet, and we haven't added the service URL to the intranet sites for the browser yet, so we get this pop-up to enter our Windows credentials, and now it says we're signed in.

We've successfully installed a fresh copy of AD FS in this Windows Server 2019 environment. Next, let's look at updating an existing 2016 environment.
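The whole build the clip walks through by hand (KDS root key, DNS record, role install, PFX import, farm configuration, IdP-initiated sign-on test) as one PowerShell script. This is an added example for the editor's notes, not the course's own script and not the one the wizard generates. The zone company.pri comes from the clip; everything else is assumed: the AD FS host address 10.0.0.20, the federation service name adfs.company.pri, the gMSA COMPANY\svc_adfs$, the PFX path C:\Share\adfs.pfx and the domain admin account COMPANY\Administrator. Section 1 runs on the domain controller, sections 2 and 3 on the AD FS server (locally, so that Install-AdfsFarm's own -Credential handles the directory writes and there is no remoting double-hop to worry about).

```powershell
# Added example (not from the course): AD FS 2019 single-server build in PowerShell.
# Assumed names: zone company.pri (from the clip); AD FS host 10.0.0.20; federation service
# name adfs.company.pri; gMSA COMPANY\svc_adfs$; PFX at C:\Share\adfs.pfx; admin COMPANY\Administrator.

#region 1. Domain controller: KDS root key and the service A record
# Back-dating -EffectiveTime by 10 hours skips the replication safety window the clip describes.
# Test labs only; in production use Add-KdsRootKey -EffectiveImmediately and wait the 10 hours.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}
Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime

# A record for the single-server farm; for a real farm this would be the load balancer VIP.
Add-DnsServerResourceRecordA -ZoneName 'company.pri' -Name 'adfs' -IPv4Address '10.0.0.20'
Resolve-DnsName 'adfs.company.pri' -Type A
#endregion

#region 2. AD FS server: role, certificate, farm
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Only the password half of the credential is used, exactly as in the clip.
$pfxPassword = (Get-Credential -UserName 'pfx' -Message 'PFX export password').Password

# -Exportable is there only because the clip later backs the settings up with the key.
# Leave it off for a production service certificate: a non-exportable private key cannot be
# lifted from the store by anyone who later gets admin on the box.
$cert = Import-PfxCertificate -FilePath 'C:\Share\adfs.pfx' `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword -Exportable

# Sanity check before binding: subject/SAN must cover the service name, and it must not be expired.
$cert | Select-Object Subject, NotAfter, Thumbprint

$domainAdmin = Get-Credential -UserName 'COMPANY\Administrator' -Message 'Domain admin for farm setup'

# Install-AdfsFarm creates the gMSA itself when given -GroupServiceAccountIdentifier; the
# -Credential must be a domain admin because it writes the gMSA and the SPNs.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName 'adfs.company.pri' `
                 -FederationServiceDisplayName 'Company' `
                 -GroupServiceAccountIdentifier 'COMPANY\svc_adfs$' `
                 -Credential $domainAdmin

Restart-Computer -Force
#endregion

#region 3. After the reboot: verify the identity, test the endpoints, then re-lock
# The service should now run as the gMSA, not as a regular domain user.
Get-CimInstance Win32_Service -Filter "Name='adfssrv'" | Select-Object Name, StartName, State

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

$base     = 'https://adfs.company.pri'
$metadata = Invoke-WebRequest -Uri "$base/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
$signon   = Invoke-WebRequest -Uri "$base/adfs/ls/IdpInitiatedSignon.aspx" -UseBasicParsing -UseDefaultCredentials

# Both should be $true: metadata is served with the expected entityID, and the sign-on page answers.
($metadata.StatusCode -eq 200) -and ($metadata.Content -match 'entityID="http://adfs\.company\.pri/adfs/services/trust"')
$signon.StatusCode -eq 200

# The IdP-initiated page is off by default on AD FS 2016 and later; put it back once the test passes.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
#endregion
```

Two things worth keeping from this beyond what the wizard shows: the federation metadata URL is a test that needs no browser and no Windows Authentication prompt, so it is the better probe for a monitoring check, and the StartName column of the adfssrv service is the quickest way to confirm the farm really ended up on the gMSA rather than on whatever account was typed into the wizard.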