Prepare to migrate a SQL Server farm

To prepare to migrate AD FS 2.0 federation servers that belong to a SQL Server farm to Windows Server 2012, you must export and back up the AD FS configuration data from these servers.

To export the AD FS configuration data, perform the following tasks:

Step 1: Export service settings

To export service settings, perform the following procedure:

To export service settings

  1. Record the certificate subject name and thumbprint value of the SSL certificate used by the federation service. To find the SSL certificate, open the Internet Information Services (IIS) management console, select Default Web Site in the left pane, click Bindings… in the Action pane, find and select the https binding, click Edit, and then click View.

Note

Optionally, you can also export the SSL certificate and its private key to a .pfx file. For more information, see Export the Private Key Portion of a Server Authentication Certificate.

This step is optional because this certificate is stored in the local computer Personal certificates store and will be preserved in the operating system upgrade.

  2. Export any other token-signing, token-encryption, or service-communications certificates and keys that are not internally generated by AD FS.

You can view all certificates that are in use by AD FS on your server by using Windows PowerShell. Open Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell session:

    PSH:>Add-PSSnapin "Microsoft.Adfs.PowerShell"

Then run the following command to view all certificates that are in use on your server:

    PSH:>Get-ADFSCertificate

The output of this command includes StoreLocation and StoreName values that specify the store location of each certificate.

Note

Optionally, you can then use the guidance in Export the Private Key Portion of a Server Authentication Certificate to export each certificate and its private key to a .pfx file. This step is optional, because all external certificates are preserved during the operating system upgrade.

  3. Back up the application configuration file. Among other settings, this file contains the policy database connection string.

To back up the application configuration file, you must manually copy the %programfiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config file to a secure location on a backup server.

Note

Record the SQL Server connection string after “policystore connectionstring=” in the following file: %programfiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config. You need this string when you restore the original AD FS configuration on the federation server.

  4. Record the identity of the AD FS 2.0 federation service account and the password of this account.

To find the identity value, examine the Log On As column of AD FS 2.0 Windows Service in the Services console and manually record the value.

Step 2: Back up custom attribute stores

You can find information about custom attribute stores in use by AD FS by using Windows PowerShell. Open Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell session:

    PSH:>Add-PSSnapin "Microsoft.Adfs.PowerShell"

Then run the following command to find information about the custom attribute stores:

    PSH:>Get-ADFSAttributeStore

The steps to upgrade or migrate custom attribute stores vary.

Step 3: Back up webpage customizations

To back up any webpage customizations, copy the AD FS webpages and the web.config file from the directory that is mapped to the virtual path “/adfs/ls” in IIS. By default, it is in the %systemdrive%\inetpub\adfs\ls directory.
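The following script is an added example, not part of the original procedure or of Microsoft's tooling, that collects what Steps 1 through 3 ask you to record into one folder. The backup folder path and the output file names are assumptions; the SSL certificate bound in IIS and the service account password still have to be recorded by hand.

```powershell
# Added example, not part of the original procedure.
# $BackupRoot is a hypothetical path; use an access-restricted location.
$BackupRoot = 'D:\adfs-migration-backup'
$AdfsDir    = Join-Path $env:ProgramFiles 'Active Directory Federation Services 2.0'
$ConfigFile = Join-Path $AdfsDir 'Microsoft.IdentityServer.Servicehost.exe.config'
$WebDir     = "$env:SystemDrive\inetpub\adfs\ls"   # default mapping of /adfs/ls

if (-not (Get-PSSnapin 'Microsoft.Adfs.PowerShell' -ErrorAction SilentlyContinue)) {
    Add-PSSnapin 'Microsoft.Adfs.PowerShell' -ErrorAction Stop
}
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Step 1: certificates in use by AD FS and the store that holds each one.
Get-ADFSCertificate |
    Select-Object CertificateType, IsPrimary, Thumbprint, StoreLocation, StoreName,
        @{ Name = 'Subject'; Expression = { $_.Certificate.Subject } } |
    Export-Csv (Join-Path $BackupRoot 'adfs-certificates.csv') -NoTypeInformation

# Step 1: back up the configuration file and record the connection string.
# Assumes the attribute follows the element name, as the Note in Step 1 quotes it.
Copy-Item $ConfigFile -Destination $BackupRoot
$configText = [IO.File]::ReadAllText($ConfigFile)
if ($configText -match 'policystore\s+connectionstring\s*=\s*"([^"]*)"') {
    $Matches[1] | Set-Content (Join-Path $BackupRoot 'policystore-connectionstring.txt')
} else {
    Write-Warning "No policy store connection string found in $ConfigFile"
}

# Step 1: service account identity (Log On As). The password is not readable
# from the system and must be recorded by hand.
Get-WmiObject Win32_Service |
    Where-Object { $_.DisplayName -eq 'AD FS 2.0 Windows Service' } |
    Select-Object Name, DisplayName, StartName |
    Export-Csv (Join-Path $BackupRoot 'adfs-service-account.csv') -NoTypeInformation

# Step 2: custom attribute stores.
Get-ADFSAttributeStore | Format-List * |
    Out-File (Join-Path $BackupRoot 'adfs-attribute-stores.txt')

# Step 3: webpage customizations, including web.config.
Copy-Item $WebDir -Destination (Join-Path $BackupRoot 'ls') -Recurse
```

The resulting folder holds the policy database connection string and the service configuration, so move it to the secure backup location and remove the local copy once the migration is complete.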

Next Steps

Prepare to Migrate the AD FS 2.0 Federation Server

Prepare to Migrate the AD FS 2.0 Federation Server Proxy

Migrate the AD FS 2.0 Federation Server

Migrate the AD FS 2.0 Federation Server Proxy

Migrate the AD FS 1.1 Web Agents