Migrate the AD FS 2.0 federation server to AD FS on Windows Server 2012 R2

To migrate an AD FS federation server that belongs to a single-node AD FS farm, a WIF farm, or a SQL Server farm to Windows Server 2012 R2, you must perform the following tasks:

  1. Export and back up the AD FS configuration data

  2. Create a Windows Server 2012 R2 federation server farm

  3. Import the original configuration data into the Windows Server 2012 R2 AD FS farm

Export and back up the AD FS configuration data

To export the AD FS configuration settings, perform the following procedures:

To export service settings

  1. Make sure that you have access to the following certificates and their private keys in a .pfx file:

    • The SSL certificate that is used by the federation server farm that you want to migrate

    • The service communication certificate (if it is different from the SSL certificate) that is used by the federation server farm that you want to migrate

    • All third-party token-signing or token-encryption/decryption certificates that are used by the federation server farm that you want to migrate

To find the SSL certificate, open the Internet Information Services (IIS) management console, select Default Web Site in the left pane, click Bindings… in the Action pane, find and select the https binding, click Edit, and then click View.

You must export the SSL certificate used by the federation service and its private key to a .pfx file. For more information, see Export the Private Key Portion of a Server Authentication Certificate.

Note

If you plan to deploy the Device Registration Service as part of running AD FS in Windows Server 2012 R2, you must obtain a new SSL certificate. For more information, see Enroll an SSL Certificate for AD FS and Configure a federation server with Device Registration Service.

To view the token-signing, token-decryption and service communication certificates that are in use, run the following Windows PowerShell command to write a list of all certificates in use to a file:

```
Get-ADFSCertificate | Out-File ".\certificates.txt"
```

  2. Export the AD FS federation service properties, such as the federation service name, federation service display name, and federation server identifier, to a file.

To export the federation service properties, open Windows PowerShell and run the following command:

```
Get-ADFSProperties | Out-File ".\properties.txt"
```

The output file will contain the following important configuration values:

| Federation Service property name as reported by Get-ADFSProperties | Federation Service property name in the AD FS management console |
|---|---|
| HostName | Federation Service name |
| Identifier | Federation Service identifier |
| DisplayName | Federation Service display name |

  3. Back up the application configuration file. Among other settings, this file contains the policy database connection string.

To back up the application configuration file, you must manually copy the %programfiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config file to a secure location on a backup server.

Note

Make a note of the database connection string in this file, located immediately after "policystore connectionstring=". If the connection string specifies a SQL Server database, the value is needed when restoring the original AD FS configuration on the federation server.

The following is an example of a WID connection string: "Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True". The following is an example of a SQL Server connection string: "Data Source=databasehostname;Integrated Security=True".

  4. Record the identity of the AD FS federation service account and the password of this account.

To find the identity value, examine the Log On As column of AD FS 2.0 Windows Service in the Services console and manually record this value.

Note

For a stand-alone federation service, the built-in NETWORK SERVICE account is used. In this case, you do not need a password.

  5. Export the list of enabled AD FS endpoints to a file.

To do this, open Windows PowerShell and run the following command:

```
Get-ADFSEndpoint | Out-File ".\endpoints.txt"
```

  6. Export any custom claim descriptions to a file.

To do this, open Windows PowerShell and run the following command:

```
Get-ADFSClaimDescription | Out-File ".\claimtypes.txt"
```

  7. If you have custom settings such as useRelayStateForIdpInitiatedSignOn configured in the web.config file, ensure that you back up the web.config file for reference. You can copy the file from the directory that is mapped to the virtual path "/adfs/ls" in IIS. By default, it is in the %systemdrive%\inetpub\adfs\ls directory.
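The script below is an added example (not part of the original article) that gathers the artefacts from steps 2 to 7 above into one time-stamped backup folder on the AD FS 2.0 server. The backup root path is an assumption; the service name adfssrv is the name of the AD FS 2.0 Windows Service, and the .pfx files from step 1 still have to be exported by hand.

```powershell
# Added example, not from the original article: collects the export artefacts described
# above into one backup folder. Assumption: $BackupRoot is a location of our choosing.
param(
    [string]$BackupRoot = "C:\ADFSBackup"   # assumed location; change as required
)

# AD FS 2.0 exposes its cmdlets through a snap-in rather than a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$folder = Join-Path $BackupRoot "adfs-export-$stamp"
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Steps 2, 5 and 6: the text files the procedure asks for.
Get-ADFSCertificate      | Out-File (Join-Path $folder "certificates.txt")
Get-ADFSProperties       | Out-File (Join-Path $folder "properties.txt")
Get-ADFSEndpoint         | Out-File (Join-Path $folder "endpoints.txt")
Get-ADFSClaimDescription | Out-File (Join-Path $folder "claimtypes.txt")

# Machine-readable copies as well, so the new farm can be checked with Compare-Object later.
Get-ADFSEndpoint | Where-Object { $_.Enabled } |
    Export-Clixml (Join-Path $folder "endpoints-enabled.xml")
Get-ADFSClaimDescription | Export-Clixml (Join-Path $folder "claimtypes.xml")

# The three values from the table above that must match in the new farm.
$props = Get-ADFSProperties
[pscustomobject]@{
    FederationServiceName        = $props.HostName
    FederationServiceIdentifier  = $props.Identifier
    FederationServiceDisplayName = $props.DisplayName
} | Format-List | Out-File (Join-Path $folder "service-identity.txt")

# Step 3: the application configuration file and the policy store connection string in it.
$svcConfig = Join-Path $env:ProgramFiles "Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config"
Copy-Item -Path $svcConfig -Destination $folder
$connString = Select-String -Path $svcConfig -Pattern 'policystore\s+connectionstring="([^"]+)"' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
"policy store connection string: $connString" | Out-File (Join-Path $folder "connection-string.txt")

# Step 4: the service account identity (adfssrv is the AD FS 2.0 Windows Service name).
$svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
"service account: $($svc.StartName)" | Out-File (Join-Path $folder "service-account.txt")
if ($svc.StartName -notmatch 'NetworkService') {
    Write-Warning "A domain service account is in use; its password is needed when the new farm is configured."
}

# Step 7: the web.config that holds useRelayStateForIdpInitiatedSignOn and similar settings.
$webConfig = Join-Path $env:SystemDrive "inetpub\adfs\ls\web.config"
if (Test-Path $webConfig) {
    Copy-Item -Path $webConfig -Destination (Join-Path $folder "ls-web.config")
}

Write-Host "Export written to $folder. Add the .pfx files for the SSL, service communication and third-party certificates by hand."
```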

To export claims provider trusts and relying party trusts

  1. To export AD FS claims provider trusts and relying party trusts, you must log in as Administrator (however, not as the Domain Administrator) on your federation server and run the following Windows PowerShell script, which is located in the media/server_support/adfs folder of the Windows Server 2012 R2 installation CD: export-federationconfiguration.ps1.

Important

The export script takes the following parameters:

```
Export-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-CertificatePassword <securestring>]

Export-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-CertificatePassword <securestring>] [-RelyingPartyTrustIdentifier <string[]>] [-ClaimsProviderTrustIdentifier <string[]>]

Export-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-CertificatePassword <securestring>] [-RelyingPartyTrustName <string[]>] [-ClaimsProviderTrustName <string[]>]
```

    -RelyingPartyTrustIdentifier <string[]> - the cmdlet only exports relying party trusts whose identifiers are specified in the string array. The default is to export NONE of the relying party trusts. If none of RelyingPartyTrustIdentifier, ClaimsProviderTrustIdentifier, RelyingPartyTrustName, and ClaimsProviderTrustName is specified, the script exports all relying party trusts and claims provider trusts.

    -ClaimsProviderTrustIdentifier <string[]> - the cmdlet only exports claims provider trusts whose identifiers are specified in the string array. The default is to export NONE of the claims provider trusts.

    -RelyingPartyTrustName <string[]> - the cmdlet only exports relying party trusts whose names are specified in the string array. The default is to export NONE of the relying party trusts.

    -ClaimsProviderTrustName <string[]> - the cmdlet only exports claims provider trusts whose names are specified in the string array. The default is to export NONE of the claims provider trusts.

    -Path <string> - the path to a folder that will contain the exported files.

    -ComputerName <string> - specifies the STS server host name. The default is the local computer. If you are migrating AD FS 2.0 or AD FS in Windows Server 2012 to AD FS in Windows Server 2012 R2, this is the host name of the legacy AD FS server.

    -Credential <PSCredential> - specifies a user account that has permission to perform this action. The default is the current user.

    -Force - specifies not to prompt for user confirmation.

    -CertificatePassword <SecureString> - specifies a password for exporting the AD FS certificates' private keys. If not specified, the script prompts for a password if an AD FS certificate with a private key needs to be exported.

    Inputs: None

    Outputs: string - this cmdlet returns the export folder path. You can pipe the returned object to Import-FederationConfiguration.

To back up custom attribute stores

  1. You must manually export all custom attribute stores that you want to keep in your new AD FS farm in Windows Server 2012 R2.

Note

In Windows Server 2012 R2, AD FS requires custom attribute stores that are based on .NET Framework 4.0 or above. Follow the instructions in Microsoft .NET Framework 4.5 to install and set up .NET Framework 4.5.

You can find information about the custom attribute stores in use by AD FS by running the following Windows PowerShell command:

```
Get-ADFSAttributeStore
```

The steps to upgrade or migrate custom attribute stores vary.

  2. You must also manually export all .dll files of the custom attribute stores that you want to keep in your new AD FS farm in Windows Server 2012 R2. The steps to upgrade or migrate the .dll files of custom attribute stores vary.

Create a Windows Server 2012 R2 federation server farm

  1. Install the Windows Server 2012 R2 operating system on a computer that you want to function as a federation server, and then add the AD FS server role. For more information, see Install the AD FS Role Service. Then configure your new federation service either through the Active Directory Federation Service Configuration Wizard or via Windows PowerShell. For more information, see "Configure the first federation server in a new federation server farm" in Configure a Federation Server.

While completing this step, you must follow these instructions:

  • You must have Domain Administrator privileges in order to configure your federation service.

  • You must use the same federation service name (farm name) as was used in AD FS 2.0 or AD FS in Windows Server 2012. If you do not use the same federation service name, the certificates that you backed up will not function in the Windows Server 2012 R2 federation service that you are trying to configure.

  • Specify whether this is a WID or SQL Server federation server farm. If it is a SQL farm, specify the SQL Server database location and instance name.

  • You must provide a .pfx file containing the SSL server authentication certificate that you backed up as part of preparing for the AD FS migration process.

  • You must specify the same service account identity that was used in the AD FS 2.0 or AD FS in Windows Server 2012 farm.

  2. Once the initial node is configured, you can add additional nodes to your new farm. For more information, see "Add a federation server to an existing federation server farm" in Configure a Federation Server.

Import the original configuration data into the Windows Server 2012 R2 AD FS farm

Now that you have an AD FS federation server farm running in Windows Server 2012 R2, you can import the original AD FS configuration data into it.

  1. Import and configure other custom AD FS certificates, including externally enrolled token-signing and token-decryption/encryption certificates, and the service communication certificate if it is different from the SSL certificate.

In the AD FS management console, select Certificates. Verify the service communications, token-encryption/decryption, and token-signing certificates by checking each against the values you exported into the certificates.txt file while preparing for the migration.

To change the token-decrypting or token-signing certificates from the default self-signed certificates to external certificates, you must first disable the automatic certificate rollover feature, which is enabled by default. To do this, you can use the following Windows PowerShell command:

```
Set-ADFSProperties -AutoCertificateRollover $false
```

  2. Configure any custom AD FS service settings, such as AutoCertificateRollover or the SSO lifetime, using the Set-AdfsProperties cmdlet.

  3. To import AD FS relying party trusts and claims provider trusts, you must be logged in as Administrator (however, not as the Domain Administrator) on your federation server and run the following Windows PowerShell script, which is located in the \support\adfs folder of the Windows Server 2012 R2 installation CD:

```
import-federationconfiguration.ps1
```

Important

The import script takes the following parameters:

```
Import-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-LogPath <string>] [-CertificatePassword <securestring>]

Import-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-LogPath <string>] [-CertificatePassword <securestring>] [-RelyingPartyTrustIdentifier <string[]>] [-ClaimsProviderTrustIdentifier <string[]>]

Import-FederationConfiguration.ps1 -Path <string> [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-LogPath <string>] [-CertificatePassword <securestring>] [-RelyingPartyTrustName <string[]>] [-ClaimsProviderTrustName <string[]>]
```

    -RelyingPartyTrustIdentifier <string[]> - the cmdlet only imports relying party trusts whose identifiers are specified in the string array. The default is to import NONE of the relying party trusts. If none of RelyingPartyTrustIdentifier, ClaimsProviderTrustIdentifier, RelyingPartyTrustName, and ClaimsProviderTrustName is specified, the script imports all relying party trusts and claims provider trusts.

    -ClaimsProviderTrustIdentifier <string[]> - the cmdlet only imports claims provider trusts whose identifiers are specified in the string array. The default is to import NONE of the claims provider trusts.

    -RelyingPartyTrustName <string[]> - the cmdlet only imports relying party trusts whose names are specified in the string array. The default is to import NONE of the relying party trusts.

    -ClaimsProviderTrustName <string[]> - the cmdlet only imports claims provider trusts whose names are specified in the string array. The default is to import NONE of the claims provider trusts.

    -Path <string> - the path to a folder that contains the configuration files to be imported.

    -LogPath <string> - the path to a folder that will contain the import log file. A log file named "import.log" is created in this folder.

    -ComputerName <string> - specifies the host name of the STS server. The default is the local computer. If you are migrating AD FS 2.0 or AD FS in Windows Server 2012 to AD FS in Windows Server 2012 R2, this parameter should be set to the host name of the legacy AD FS server.

    -Credential <PSCredential> - specifies a user account that has permission to perform this action. The default is the current user.

    -Force - specifies not to prompt for user confirmation.

    -CertificatePassword <SecureString> - specifies a password for importing the AD FS certificates' private keys. If not specified, the script prompts for a password if an AD FS certificate with a private key needs to be imported.

    Inputs: string - this command takes the import folder path as input. You can pipe Export-FederationConfiguration to this command.

    Outputs: None.

Any trailing spaces in the WSFedEndpoint property of a relying party trust may cause the import script to error. In this case, manually remove the spaces from the file prior to import. For example, these entries cause errors:

```
<URI N="WSFedEndpoint">https://127.0.0.1:444 /</URI>
```

```
<URI N="WSFedEndpoint">https://myapp.cloudapp.net:83 /</URI>
```

They must be edited to:

```
<URI N="WSFedEndpoint">https://127.0.0.1:444/</URI>
```

```
<URI N="WSFedEndpoint">https://myapp.cloudapp.net:83/</URI>
```
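The following PowerShell is an added example, not part of the original article or of the import script: it finds WSFedEndpoint values that contain whitespace in the files written by Export-FederationConfiguration.ps1 and removes it before the import is run. The export folder path is an assumption, and because the file names inside the export are not stated, every .xml file under the folder is checked.

```powershell
# Added example, not from the original article. Assumption: all .xml files under the export
# folder are candidates; the exact file names produced by the export script are not assumed.

function Remove-WSFedEndpointWhitespace {
    # Returns the corrected XML text and reports each change; the input is not modified.
    param([Parameter(Mandatory)] [string]$Xml, [string]$Label = "<string>")

    $pattern = '<URI N="WSFedEndpoint">(.*?)</URI>'
    $fixed   = $Xml
    foreach ($hit in [regex]::Matches($Xml, $pattern)) {
        $value = $hit.Groups[1].Value
        if ($value -notmatch '\s') { continue }              # already clean

        $clean = $value -replace '\s', ''
        # Refuse to rewrite a value that is still not a URL once the whitespace is gone.
        $uri = $null
        if (-not [System.Uri]::TryCreate($clean, [System.UriKind]::Absolute, [ref]$uri)) {
            Write-Warning "${Label}: '$value' is not an absolute URI even without whitespace; left as is"
            continue
        }
        Write-Host "${Label}: '$value' -> '$clean'"
        $fixed = $fixed.Replace($hit.Value, "<URI N=`"WSFedEndpoint`">$clean</URI>")
    }
    return $fixed
}

function Repair-ExportedWSFedEndpoints {
    # Applies the fix to every .xml file under the export folder, keeping a .bak of each changed file.
    param([Parameter(Mandatory)] [string]$ExportPath, [switch]$WhatIf)

    foreach ($file in Get-ChildItem -Path $ExportPath -Recurse -Filter *.xml) {
        # StreamReader detects the byte-order mark, so the file is written back in its own encoding.
        $reader  = New-Object System.IO.StreamReader($file.FullName, $true)
        $content = $reader.ReadToEnd()
        $enc     = $reader.CurrentEncoding
        $reader.Close()

        $fixed = Remove-WSFedEndpointWhitespace -Xml $content -Label $file.Name
        if ($fixed -eq $content) { continue }
        if ($WhatIf) { Write-Host "$($file.Name) would be rewritten"; continue }

        Copy-Item -Path $file.FullName -Destination "$($file.FullName).bak"
        [System.IO.File]::WriteAllText($file.FullName, $fixed, $enc)
    }
}

# Constructed sample with the two entries quoted above plus one clean entry, to show the function at work.
$sample = @"
<URI N="WSFedEndpoint">https://127.0.0.1:444 /</URI>
<URI N="WSFedEndpoint">https://myapp.cloudapp.net:83 /</URI>
<URI N="WSFedEndpoint">https://sts.example.test/adfs/ls/</URI>
"@
Remove-WSFedEndpointWhitespace -Xml $sample -Label "sample"

# Against a real export folder (path assumed), first as a dry run:
# Repair-ExportedWSFedEndpoints -ExportPath C:\ADFSExport -WhatIf
```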

Important

If you have any custom claim rules (rules other than the AD FS default rules) on the Active Directory claims provider trust in the source system, these will not be migrated by the scripts. This is because Windows Server 2012 R2 has new defaults. Any custom rules must be merged by adding them manually to the Active Directory claims provider trust in the new Windows Server 2012 R2 farm.

  4. Configure all custom AD FS endpoint settings. In the AD FS Management console, select Endpoints. Check the enabled AD FS endpoints against the list of enabled AD FS endpoints that you exported to a file while preparing for the AD FS migration.

    - And -

    Configure any custom claim descriptions. In the AD FS Management console, select Claim Descriptions. Check the list of AD FS claim descriptions against the list of claim descriptions that you exported to a file while preparing for the AD FS migration. Add any custom claim descriptions included in your file but not included in the default list in AD FS. Note that the Claim identifier in the management console maps to the ClaimType in the file.

  5. Install and configure all backed-up custom attribute stores. As an administrator, ensure that any custom attribute store binaries are upgraded to .NET Framework 4.0 or higher before updating the AD FS configuration to point to them.

  6. Configure the service properties that map to the legacy web.config file parameters.

    • If useRelayStateForIdpInitiatedSignOn was added to the web.config file in your AD FS 2.0 or AD FS in Windows Server 2012 farm, then you must configure the following service properties in your AD FS in Windows Server 2012 R2 farm:

      • AD FS in Windows Server 2012 R2 includes a %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config file. Create an element with the same syntax as the web.config file element: <useRelayStateForIdpInitiatedSignOn enabled="true" />. Include this element as part of the <microsoft.identityserver.web> section of the Microsoft.IdentityServer.Servicehost.exe.config file.

    • If <persistIdentityProviderInformation enabled="true|false" lifetimeInDays="90" enablewhrPersistence="true|false" /> was added to the web.config file in your AD FS 2.0 or AD FS in Windows Server 2012 farm, then you must configure the following service properties in your AD FS in Windows Server 2012 R2 farm:

      1. In AD FS in Windows Server 2012 R2, run the following Windows PowerShell command: Set-AdfsWebConfig -HRDCookieEnabled -HRDCookieLifetime.

    • If <singleSignOn enabled="true|false" /> was added to the web.config file in your AD FS 2.0 or AD FS in Windows Server 2012 farm, you do not need to set any additional service properties in your AD FS in Windows Server 2012 R2 farm. Single sign-on is enabled by default in an AD FS in Windows Server 2012 R2 farm.

    • If localAuthenticationTypes settings were added to the web.config file in your AD FS 2.0 or AD FS in Windows Server 2012 farm, then you must configure the following service properties in your AD FS in Windows Server 2012 R2 farm:

      • Integrated, Forms, TlsClient, Basic: transform this list into the equivalent settings. AD FS in Windows Server 2012 R2 has global authentication policy settings that support both federation service and proxy authentication types. These settings can be configured in the AD FS Management snap-in under Authentication Policies.

    After you import the original configuration data, you can customize the AD FS sign-in pages as needed. For more information, see Customizing the AD FS Sign-in Pages.
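As an added example (not part of the original article), the script below reads the legacy web.config backed up from the /adfs/ls directory and applies the mappings listed in step 6 to the new farm. The file paths, the -Apply switch, the case-insensitive lookup of the <microsoft.identityServer.web> section, and the `<add name="..."/>` shape of the localAuthenticationTypes entries are assumptions; the element and attribute names come from the text above.

```powershell
# Added example, not from the original article: maps legacy web.config settings to the
# Windows Server 2012 R2 farm. Without -Apply it only reports what it would change.
param(
    [Parameter(Mandatory)] [string]$LegacyWebConfig,      # backed-up AD FS 2.0 /adfs/ls/web.config
    [string]$NewServiceConfig = (Join-Path $env:SystemRoot "ADFS\Microsoft.IdentityServer.Servicehost.exe.config"),
    [switch]$Apply
)

# Locate the <microsoft.identityServer.web> section without depending on its exact casing (assumption).
function Get-IdentityServerWebSection([xml]$Doc) {
    return $Doc.configuration.ChildNodes | Where-Object { $_.LocalName -ieq 'microsoft.identityServer.web' }
}

[xml]$legacy = Get-Content -Path $LegacyWebConfig
$web = Get-IdentityServerWebSection $legacy
if (-not $web) { throw "No <microsoft.identityServer.web> section found in $LegacyWebConfig" }

# 1. useRelayStateForIdpInitiatedSignOn -> the same element in the new service host config.
$relay = $web.useRelayStateForIdpInitiatedSignOn
if ($relay -and $relay.enabled -eq 'true') {
    Write-Host "useRelayStateForIdpInitiatedSignOn is enabled; it belongs in $NewServiceConfig"
    if ($Apply) {
        [xml]$svc = Get-Content -Path $NewServiceConfig
        $section = Get-IdentityServerWebSection $svc
        if (-not $section) { throw "No <microsoft.identityserver.web> section found in $NewServiceConfig" }
        if (-not $section.useRelayStateForIdpInitiatedSignOn) {
            $el = $svc.CreateElement('useRelayStateForIdpInitiatedSignOn')
            $el.SetAttribute('enabled', 'true')
            $section.AppendChild($el) | Out-Null
            Copy-Item -Path $NewServiceConfig -Destination "$NewServiceConfig.bak"
            $svc.Save($NewServiceConfig)
        }
    }
}

# 2. persistIdentityProviderInformation -> the HRD cookie settings of Set-AdfsWebConfig.
$persist = $web.persistIdentityProviderInformation
if ($persist) {
    $params = @{ HRDCookieEnabled = ($persist.enabled -eq 'true') }
    if ($persist.lifetimeInDays) { $params.HRDCookieLifetime = [int]$persist.lifetimeInDays }
    Write-Host "persistIdentityProviderInformation -> Set-AdfsWebConfig $(($params.GetEnumerator() | ForEach-Object { "-$($_.Key) $($_.Value)" }) -join ' ')"
    if ($Apply) { Set-AdfsWebConfig @params }
}

# 3. singleSignOn needs nothing: single sign-on is on by default in Windows Server 2012 R2.
if ($web.singleSignOn) { Write-Host "singleSignOn found; no action needed in the new farm" }

# 4. localAuthenticationTypes has no cmdlet mapping in the text; list the entries so they can be
#    reproduced under Authentication Policies in the AD FS Management snap-in.
$localAuth = $web.localAuthenticationTypes
if ($localAuth) {
    $names = $localAuth.ChildNodes | ForEach-Object { if ($_.name) { $_.name } else { $_.LocalName } }
    Write-Host "localAuthenticationTypes in legacy config: $($names -join ', ') -> set under Authentication Policies"
}
```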

Next Steps

Migrate Active Directory Federation Services Role Services to Windows Server 2012 R2
Preparing to Migrate the AD FS Federation Server
Migrating the AD FS Federation Server Proxy
Verifying the AD FS Migration to Windows Server 2012 R2