Prepare to Migrate the AD FS 2.0 Federation Server to AD FS on Windows Server 2012 R2

This document describes how to migrate an AD FS 2.0 or Windows Server 2012 federation server farm to a Windows Server 2012 R2 AD FS farm. The steps can be used with AD FS farms that use either WID or SQL Server as the underlying database.

Migration Process Outline

To complete the migration of your AD FS federation server farm to Windows Server 2012 R2, you must complete the following tasks:

  1. Export, record, and back up the following configuration data in your existing AD FS farm. For detailed instructions on how to complete these tasks, see Migrating the AD FS Federation Server.

The following settings are migrated with the scripts located in the \support\adfs folder on the Windows Server 2012 R2 installation CD:

  • Claims provider trusts, with the exception of custom claim rules on the Active Directory claims provider trust. For more information, see Migrating the AD FS Federation Server.

  • Relying party trusts.

  • AD FS internally generated, self-signed token-signing and token-decryption certificates.

Any of the following custom settings must be migrated manually:

  • Service settings:

    • Non-default token-signing and token-decryption certificates that were issued by an enterprise or public certification authority.

    • The SSL server authentication certificate used by AD FS.

    • The service communications certificate used by AD FS (by default, this is the same certificate as the SSL certificate).

    • Non-default values for any federation service properties, such as AutoCertificateRollover or SSO lifetime.

    • Non-default AD FS endpoint settings and claim descriptions.

  • Custom claim rules on the Active Directory claims provider trust.

  • AD FS sign-in page customizations.

For more information, see Migrating the AD FS Federation Server.

  2. Create a Windows Server 2012 R2 federation server farm.

  3. Import the original configuration data into this new Windows Server 2012 R2 AD FS farm.

  4. Configure and customize the AD FS sign-in pages.

New AD FS functionality in Windows Server 2012 R2

The following AD FS functionality changes in Windows Server 2012 R2 affect a migration from AD FS 2.0 or AD FS in Windows Server 2012:

IIS dependency

  • AD FS in Windows Server 2012 R2 is self-hosted and does not require IIS to be installed. Make sure you note the following as a result of this change:
    • SSL certificate management for both federation servers and proxy computers in your AD FS farm must now be performed via Windows PowerShell.
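Because there is no IIS binding to edit, the SSL certificate on a Windows Server 2012 R2 federation server is bound with the AD FS module's Set-AdfsSslCertificate and Set-AdfsCertificate cmdlets. The script below is an added example, not part of the original page; the certificate subject $SubjectName is an assumed value, and the script is meant for a federation server (a proxy uses the Web Application Proxy cmdlets instead).

```powershell
# Added example (not from the original page): bind a CA-issued certificate from the
# computer store to self-hosted AD FS on Windows Server 2012 R2.
# $SubjectName is an assumed value; replace it with your federation service name.
$SubjectName = 'CN=fs.contoso.com'

# Pick the longest-lived certificate for that subject that still has a private key
# and has not expired; a certificate without a private key cannot serve TLS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No unexpired certificate with a private key found for $SubjectName in Cert:\LocalMachine\My"
}

Write-Host "Using certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Bind the certificate to the HTTP.SYS listener that AD FS hosts itself (replaces the
# IIS SSL binding used by AD FS 2.0 / Windows Server 2012).
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint

# By default the service communications certificate is the same as the SSL certificate,
# so keep the two in step when migrating a non-default certificate manually.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint

# Restart the federation service so the new binding is used, then show the result.
Restart-Service adfssrv
Get-AdfsSslCertificate
```

Run it in an elevated PowerShell session on each federation server in the new farm; the certificate must already be imported into the computer store with its private key.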

Changes to AD FS sign-in pages' settings and customizations

  • In AD FS in Windows Server 2012 R2, there are several changes intended to improve the sign-in experience for both administrators and users. The IIS-hosted web pages that existed in the previous version of AD FS are now removed. The AD FS sign-in web pages are self-hosted in AD FS, and their look and feel can now be customized to tailor the user experience. The changes include:
    • Customizing the AD FS sign-in experience, including the customization of the company name, logo, illustration, and sign-in description.
    • Customizing the error messages.
    • Customizing the AD FS Home Realm Discovery experience, which includes the following:
      • Configuring your identity provider to use certain email suffixes.
      • Configuring an identity provider list per relying party.
      • Bypassing Home Realm Discovery for the intranet.
      • Creating custom web themes.

For detailed instructions on configuring the look and feel of the AD FS sign-in pages, see Customizing the AD FS Sign-in Pages.

If you have web page customizations in your existing AD FS farm that you want to migrate to Windows Server 2012 R2, you can recreate them as part of the migration process using the new customization features in Windows Server 2012 R2.

Other changes

  • AD FS in Windows Server 2012 R2 is based on Windows Identity Foundation (WIF) 3.5, not WIF 4.5. Therefore, some specific features of WIF 4.5 (for example, Kerberos claims and dynamic access control) are not supported in AD FS in Windows Server 2012 R2.

  • Device Registration Service (DRS) in Windows Server 2012 R2 operates on port 443; ClientTLS for user certificate authentication operates on port 49443.

    • For active, non-browser clients using certificate transport mode authentication that are specifically hard-coded to point to port 443, a code change is required to continue to use user certificate authentication on port 49443.

    • For passive applications no change is required, because AD FS redirects to the correct port for user certificate authentication.

    • Firewall rules between the client and the proxy must allow port 49443 traffic to pass through for user certificate authentication.

AD FS Requirements in Windows Server 2012 R2

In order to successfully migrate your AD FS farm to Windows Server 2012 R2, you must meet the following requirements:

For AD FS to function, each computer that you want to be a federation server must be joined to a domain.

For AD FS running on Windows Server 2012 R2 to function, your Active Directory domain must run one of the following:

  • Windows Server 2012 R2

  • Windows Server 2012

  • Windows Server 2008 R2

  • Windows Server 2008

    If you plan to use a group Managed Service Account (gMSA) as the service account for AD FS, you must have at least one domain controller in your environment that is running on the Windows Server 2012 or Windows Server 2012 R2 operating system.

    If you plan to deploy Device Registration Service (DRS) for AD Workplace Join as a part of your AD FS deployment, the AD DS schema needs to be updated to the Windows Server 2012 R2 level. There are three ways to update the schema:

  1. In an existing Active Directory forest, run adprep /forestprep from the \support\adprep folder of the Windows Server 2012 R2 operating system DVD on any 64-bit server that runs Windows Server 2008 or later. In this case, no additional domain controller needs to be installed, and no existing domain controllers need to be upgraded.

To run adprep /forestprep, you must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master.

  2. In an existing Active Directory forest, install a domain controller that runs Windows Server 2012 R2. In this case, adprep /forestprep runs automatically as part of the domain controller installation.

During the domain controller installation, you may need to specify additional credentials in order to run adprep /forestprep.

  3. Create a new Active Directory forest by installing AD DS on a server that runs Windows Server 2012 R2. In this case, adprep /forestprep does not need to be run, because the schema will initially be created with all the containers and objects necessary to support DRS.

SQL Server support for AD FS in Windows Server 2012 R2

If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and newer versions, including SQL Server 2012.

Increasing your Windows PowerShell limits

If you have more than 1000 claims provider trusts and relying party trusts in your AD FS farm, or if you see the following error while trying to run the AD FS migration export/import tool, you must increase your Windows PowerShell limits:

'Exception of type 'System.OutOfMemoryException' was thrown. At E:\dev\ds\security\ADFSv2\Product\Migration\Export-FederationConfiguration.ps1:176 char:21 + $configData = Invoke-Command -ScriptBlock $GetConfig -Argume ...  

This error is thrown because the Windows PowerShell session default memory limit is too low. In Windows PowerShell 2.0, the session default memory is 150 MB. In Windows PowerShell 3.0, the session default memory is 1024 MB. You can verify the Windows PowerShell remote session memory limit using the following command: Get-Item wsman:localhost\Shell\MaxMemoryPerShellMB. You can increase the limit by running the following command: Set-Item wsman:localhost\Shell\MaxMemoryPerShellMB 512.
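The export script builds its configuration data inside an Invoke-Command session (as the error text above shows), so the WinRM shell quota is what must be raised. The script below is an added example, not part of the original page or its migration tools: it counts the trusts in the legacy farm, reads the current quota, and raises it only when the farm exceeds the threshold the page gives. The names $TrustThreshold and $TargetMemoryMB are assumed, set to the page's 1000 trusts and 512 MB.

```powershell
# Added example (not from the original page): decide whether MaxMemoryPerShellMB must be
# raised on the legacy AD FS server before running Export-FederationConfiguration.ps1.
# $TrustThreshold and $TargetMemoryMB are assumed names holding the values the page gives.
$TrustThreshold = 1000
$TargetMemoryMB = 512
$QuotaPath      = 'WSMan:\localhost\Shell\MaxMemoryPerShellMB'

# AD FS 2.0 ships its cmdlets as a snap-in; on Windows Server 2012 the ADFS module
# loads automatically, so a missing snap-in is not an error here.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Count both trust types; the page's 1000-trust guidance is for their sum.
$cpCount = @(Get-ADFSClaimsProviderTrust).Count
$rpCount = @(Get-ADFSRelyingPartyTrust).Count
$total   = $cpCount + $rpCount
Write-Host "Claims provider trusts: $cpCount, relying party trusts: $rpCount (total $total)"

# Read the current per-shell memory quota (150 MB on PowerShell 2.0, 1024 MB on 3.0).
$current = [int](Get-Item $QuotaPath).Value
Write-Host "Current MaxMemoryPerShellMB: $current (PowerShell $($PSVersionTable.PSVersion))"

if ($total -gt $TrustThreshold -and $current -lt $TargetMemoryMB) {
    Set-Item $QuotaPath $TargetMemoryMB
    # The quota is read when a shell is created, so restart WinRM before exporting again.
    Restart-Service WinRM
    Write-Host "Raised MaxMemoryPerShellMB to $TargetMemoryMB; re-run the export script"
} else {
    Write-Host "No quota change needed for this farm size"
}
```

If the OutOfMemoryException still appears with a smaller farm, run the same Set-Item command regardless of the trust count, since the error itself is the page's second trigger for raising the limit.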

Other migration tasks and considerations

In order to successfully migrate your AD FS farm to Windows Server 2012 R2, make sure you are aware of the following:

  • The migration scripts located in the \support\adfs folder on the Windows Server 2012 R2 installation CD require that you retain the same federation server farm name and service account identity name that you used in your legacy AD FS farm when you migrate it to Windows Server 2012 R2.

  • If you want to migrate a SQL Server AD FS farm, note that the migration process involves creating a new SQL database instance into which you must import the original configuration data.

Next Steps

Migrate Active Directory Federation Services Role Services to Windows Server 2012 R2
Migrating the AD FS Federation Server
Migrating the AD FS Federation Server Proxy
Verifying the AD FS Migration to Windows Server 2012 R2