Migrate a stand-alone AD FS federation server or a single-node AD FS farm

This document provides detailed information on migrating an AD FS 2.0 stand-alone federation server or single-node AD FS farm to Windows Server 2012.

Migrate a stand-alone AD FS 2.0 server

Use the following procedure to migrate the AD FS 2.0 server to Windows Server 2012.

  1. Review and perform the procedures in Prepare to migrate a stand-alone AD FS federation server or a single-node AD FS farm.

  2. Perform an in-place upgrade of the operating system on your server from Windows Server 2008 R2 or Windows Server 2008 to Windows Server 2012. For more information, see Installing Windows Server 2012.

Important

As a result of the operating system upgrade, the AD FS configuration on this server is lost and the AD FS 2.0 server role is removed. The Windows Server 2012 AD FS server role is installed instead, but it is not configured. You must manually re-create the original AD FS configuration and restore the remaining AD FS settings to complete the federation server migration.

  3. Create the original AD FS configuration. You can create the original AD FS configuration by using either of the following methods:

  • Use the AD FS Federation Server Configuration Wizard

As you go through the wizard, use the information you gathered while preparing to migrate your AD FS federation server, as follows:

Federation Server Configuration Wizard input option | Use the following value
SSL Certificate on the Specify the Federation Service Name page | Select the SSL certificate whose subject name and thumbprint you recorded while preparing for the AD FS federation server migration.
Service account and Password on the Specify a Service Account page | Enter the service account information that you recorded while preparing for the AD FS federation server migration. Note: If you select Stand-alone federation server on the second page of the wizard, NETWORK SERVICE is used automatically as the service account.

Important

You can use this method only if you are using Windows Internal Database (WID) to store the AD FS configuration database for your stand-alone federation server or single-node AD FS farm.

If you are using SQL Server to store the AD FS configuration database for your single-node AD FS farm, you must use Windows PowerShell to create the original AD FS configuration on your federation server.

  • Use Windows PowerShell

Important

You must use Windows PowerShell if you are using SQL Server to store the AD FS configuration database for your stand-alone federation server or single-node AD FS farm.

The following is an example of how to use Windows PowerShell to create the original AD FS configuration on a federation server in a single-node SQL Server farm. Open Windows PowerShell and run the following command:

    $fscredential = Get-Credential

Enter the name and the password of the service account that you recorded while preparing your SQL Server farm for migration. Then run the following command:

    Add-AdfsFarmNode -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source=<Data Source>;Integrated Security=True"

where <Data Source> is the Data Source value of the policy store connection string in the following file: %programfiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config. Record this value before the in-place upgrade, because the upgrade removes the AD FS 2.0 server role and its files.
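The SQL Server path above, worked through as an added example that is not part of the original article. It assumes that Microsoft.IdentityServer.Servicehost.exe.config was copied off the server before the in-place upgrade (the upgrade removes the AD FS 2.0 role and its files) to the hypothetical folder C:\adfs-migration, and that the service account recorded during preparation is the hypothetical CONTOSO\svc-adfs. The script reads the policy store connection string from that copy, extracts the Data Source with the .NET connection string builder, refuses to continue if the source was WID (the wizard path applies in that case), and only then calls Add-AdfsFarmNode with the connection string in the form the article gives.

```powershell
# Added example, not from the original article: derive the -SQLConnectionString value for
# Add-AdfsFarmNode from a saved copy of the AD FS 2.0 service configuration file.
# Assumptions (not stated on the page): the file was copied off the server before the
# in-place upgrade, because the upgrade removes the AD FS 2.0 role and its files; the copy
# is at $ConfigBackup; $ServiceAccount is the service account recorded during preparation.
param(
    [string]$ConfigBackup   = 'C:\adfs-migration\Microsoft.IdentityServer.Servicehost.exe.config',
    [string]$ServiceAccount = 'CONTOSO\svc-adfs'
)

# The AD FS 2.0 policy store connection string is the connectionString attribute of
# <configuration><microsoft.identityServer.service><policyStore .../>.
[xml]$cfg = Get-Content -Path $ConfigBackup -Raw
$policyStore = $cfg.configuration.'microsoft.identityServer.service'.policyStore
if (-not $policyStore -or -not $policyStore.connectionString) {
    throw "No policyStore connectionString found in $ConfigBackup"
}

# Parse the connection string with the .NET builder rather than splitting on ';', so the
# order of the key/value pairs and any quoting do not matter.
$builder    = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $policyStore.connectionString
$dataSource = $builder.DataSource
if (-not $dataSource) { throw 'Policy store connection string has no Data Source' }

# WID is reached through a fixed named pipe. If that is the data source, this server was a
# WID farm and the Federation Server Configuration Wizard is the right path, not
# Add-AdfsFarmNode against SQL Server.
if ($dataSource -match 'MICROSOFT##(SSEE|WID)') {
    throw "Policy store is Windows Internal Database ($dataSource); use the wizard instead."
}

# Rebuild the string exactly in the form the article gives: Data Source plus
# Integrated Security=True. The service account must already be a login on that SQL
# Server, as it was before the upgrade.
$sqlConnectionString = "Data Source=$dataSource;Integrated Security=True"
Write-Host "Policy store data source : $dataSource"
Write-Host "SQL connection string    : $sqlConnectionString"

# Prompt for the password only; the user name is pre-filled from the recorded value.
$fscredential = Get-Credential -UserName $ServiceAccount -Message 'AD FS service account password'

# Join this server to the existing single-node SQL Server farm after an explicit confirmation.
if ((Read-Host 'Run Add-AdfsFarmNode with this connection string? (y/N)') -eq 'y') {
    Add-AdfsFarmNode -ServiceAccountCredential $fscredential -SQLConnectionString $sqlConnectionString
}
```

Run the script in an elevated Windows PowerShell session on the upgraded server after the AD FS role has been installed but before it is configured. The WID check matters because a node that was a WID farm has no SQL Server to join; the wizard re-creates its configuration instead.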

  4. Restore the remaining AD FS service settings and trust relationships. This is a manual step, during which you use the files that you exported and the values that you collected while preparing for the AD FS migration. For detailed instructions, see Restoring the Remaining AD FS Farm Configuration.

Note

This step is required only if you are migrating a stand-alone federation server or a single-node WID farm. If the federation server uses a SQL Server database as the configuration store, the service settings and trust relationships are preserved in the database.

  5. Update your AD FS webpages. This is a manual step. If you backed up your customized AD FS webpages while preparing for the migration, use your backup to overwrite the default AD FS webpages that were created in the %systemdrive%\inetpub\adfs\ls directory when AD FS was configured on Windows Server 2012.

  6. Restore any remaining AD FS customizations, such as custom attribute stores.

Restoring the Remaining AD FS Farm Configuration

  • Restore the following AD FS service settings to a single-node WID farm or stand-alone federation service as follows:

    • In the AD FS Management console, select Service and click Edit Federation Service.... Verify the federation service settings by checking each value against the values you exported into the properties.txt file while preparing for the migration:

      Federation Service property name as reported by Get-ADFSProperties | Federation Service property name in the AD FS Management console
      DisplayName | Federation Service display name
      HostName    | Federation Service name
      Identifier  | Federation Service identifier
  • In the AD FS Management console, select Certificates. Verify the service communications, token-decrypting, and token-signing certificates by checking each against the values you exported into the certificates.txt file while preparing for the migration.

To change the token-decrypting or token-signing certificates from the default self-signed certificates to external certificates, you must first disable the automatic certificate rollover feature, which is enabled by default. To do this, run the following Windows PowerShell command:

    Set-ADFSProperties -AutoCertificateRollover $false

  • In the AD FS Management console, select Endpoints. Check the enabled AD FS endpoints against the list of enabled AD FS endpoints that you exported to a file while preparing for the AD FS migration.

  • In the AD FS Management console, select Claim Descriptions. Check the list of AD FS claim descriptions against the list of claim descriptions that you exported to a file while preparing for the AD FS migration. Add any custom claim descriptions that are included in your file but not in the default AD FS list. Note that the Claim identifier in the management console maps to the ClaimType in the file. For more information on adding claim descriptions, see Add a Claim Description. For more information on the exported file, see the "Step 1 - Export Service Settings" section in Prepare to Migrate the AD FS 2.0 Federation Server.

  • In the AD FS Management console, select Claims Provider Trusts. You must re-create each claims provider trust manually by using the Add Claims Provider Trust Wizard. Use the list of claims provider trusts that you exported and recorded while preparing for the AD FS migration. You can disregard the claims provider trust with the identifier "AD AUTHORITY" in the file, because this is the "Active Directory" claims provider trust that is part of the default AD FS configuration. However, check for any custom claim rules that you may have added to the Active Directory trust before the migration. For more information on creating claims provider trusts, see Create a Claims Provider Trust Using Federation Metadata or Create a Claims Provider Trust Manually.

  • In the AD FS Management console, select Relying Party Trusts. You must re-create each relying party trust manually by using the Add Relying Party Trust Wizard. Use the list of relying party trusts that you exported and recorded while preparing for the AD FS migration. For more information on creating relying party trusts, see Create a Relying Party Trust Using Federation Metadata or Create a Relying Party Trust Manually.
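The checks in this section, turned into a script as an added example that is not part of the original article. It assumes that the files exported during preparation were written with Out-File from the default list-style ("Name : Value") output of Get-ADFSProperties, Get-ADFSCertificate, Get-ADFSEndpoint and Get-ADFSClaimDescription, that they live in the hypothetical folder C:\adfs-migration, and that the endpoint and claim description exports are named endpoints.txt and claimdescriptions.txt (only properties.txt and certificates.txt are named on the page). It reports every property, certificate thumbprint, enabled endpoint and claim description that is present in the export but not in the restored configuration.

```powershell
# Added example, not from the original article: compare the Windows Server 2012 AD FS
# configuration with the values exported before migration, so the manual checks in this
# section produce a list of differences instead of relying on reading the console.
# Assumptions (not stated on the page): the export files were written with Out-File from
# the default list-style ("Name : Value") output of Get-ADFSProperties, Get-ADFSCertificate,
# Get-ADFSEndpoint and Get-ADFSClaimDescription; endpoints.txt and claimdescriptions.txt
# are assumed file names, properties.txt and certificates.txt are the ones the page uses.
param([string]$ExportDir = 'C:\adfs-migration')

Import-Module ADFS

# Parse list-style cmdlet output back into hashtables. Records are separated by blank
# lines; a line that starts with whitespace continues the previous (wrapped) value.
function ConvertFrom-ListOutput([string]$Path) {
    $records = @(); $current = $null; $lastKey = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line.Trim() -eq '') {
            if ($current) { $records += $current; $current = $null }
            continue
        }
        if ($line -match '^(\S[^:]*?)\s*:\s?(.*)$') {
            if (-not $current) { $current = @{} }
            $lastKey = $Matches[1].Trim()
            $current[$lastKey] = $Matches[2].Trim()
        } elseif ($current -and $lastKey) {
            $current[$lastKey] += $line.Trim()
        }
    }
    if ($current) { $records += $current }
    return $records
}

$findings = @()

# 1. Values shown under Service > Edit Federation Service...
$old = @(ConvertFrom-ListOutput (Join-Path $ExportDir 'properties.txt'))[0]
$new = Get-AdfsProperties
foreach ($p in 'DisplayName', 'HostName', 'Identifier') {
    if ("$($new.$p)" -ne "$($old[$p])") {
        $findings += "Property ${p}: exported '$($old[$p])', current '$($new.$p)'"
    }
}

# 2. Certificates, by role and thumbprint. A freshly configured AD FS has new self-signed
#    token certificates, so these differ until the recorded certificates are configured,
#    which for token certificates first requires disabling AutoCertificateRollover.
$oldCerts = @(ConvertFrom-ListOutput (Join-Path $ExportDir 'certificates.txt'))
$newCerts = @(Get-AdfsCertificate)
foreach ($type in 'Service-Communications', 'Token-Decrypting', 'Token-Signing') {
    $expected = @($oldCerts | Where-Object { $_['CertificateType'] -eq $type } |
                 ForEach-Object { "$($_['Thumbprint'])".ToUpper() })
    $present  = @($newCerts | Where-Object { "$($_.CertificateType)" -eq $type } |
                 ForEach-Object { $_.Thumbprint.ToUpper() })
    foreach ($t in $expected) {
        if ($present -notcontains $t) { $findings += "Certificate ${type}: exported thumbprint $t is not configured" }
    }
}

# 3. Enabled endpoints, compared on FullUrl.
$oldEndpoints = @(ConvertFrom-ListOutput (Join-Path $ExportDir 'endpoints.txt') | ForEach-Object { $_['FullUrl'] })
$newEndpoints = @(Get-AdfsEndpoint | Where-Object { $_.Enabled } | ForEach-Object { "$($_.FullUrl)" })
foreach ($u in $oldEndpoints) {
    if ($u -and $newEndpoints -notcontains $u) { $findings += "Endpoint not enabled: $u" }
}

# 4. Claim descriptions; ClaimType in the file is the "Claim identifier" column in the console.
$oldClaims = @(ConvertFrom-ListOutput (Join-Path $ExportDir 'claimdescriptions.txt'))
$newTypes  = @(Get-AdfsClaimDescription | ForEach-Object { "$($_.ClaimType)" })
foreach ($c in $oldClaims) {
    if ($c['ClaimType'] -and $newTypes -notcontains $c['ClaimType']) {
        $findings += "Claim description missing (Add-AdfsClaimDescription): $($c['Name']) [$($c['ClaimType'])]"
    }
}

if ($findings.Count -eq 0) { Write-Host 'Restored configuration matches the exported values.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it on the migrated server after working through the checks above; an empty result means every recorded value is present. Certificate findings for the token-signing and token-decrypting roles are expected until the original certificates have been configured, which the note above on AutoCertificateRollover covers. Trust relationships are not compared here because the page has them re-created by hand from the recorded lists.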

Next Steps

Prepare to Migrate the AD FS 2.0 Federation Server
Prepare to Migrate the AD FS 2.0 Federation Server Proxy
Migrate the AD FS 2.0 Federation Server
Migrate the AD FS 2.0 Federation Server Proxy
Migrate the AD FS 1.1 Web Agents