Prepare to migrate a stand-alone AD FS federation server or a single-node AD FS farm

To prepare to migrate (same-server migration) a stand-alone AD FS 2.0 federation server or a single-node AD FS farm to Windows Server 2012, you must export and back up the AD FS configuration data from this server.

To export the AD FS configuration data, perform the following tasks:

Step 1: Export service settings

To export service settings, perform the following procedure:

To export service settings

  1. Record the certificate subject name and thumbprint value of the SSL certificate used by the federation service. To find the SSL certificate, open the Internet Information Services (IIS) management console, select Default Web Site in the left pane, click Bindings… in the Action pane, find and select the https binding, click Edit, and then click View.

Note

Optionally, you can also export the SSL certificate used by the federation service and its private key to a .pfx file. For more information, see Export the Private Key Portion of a Server Authentication Certificate.

Exporting the SSL certificate is optional because this certificate is stored in the local computer Personal certificate store and is preserved during the operating system upgrade.

  2. Record the configuration of the AD FS service communications, token-decrypting, and token-signing certificates. To view all the certificates that are in use, open Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell session: PSH:>add-pssnapin "Microsoft.adfs.powershell". Then run the following command to write a list of all certificates in use to a file: PSH:>Get-ADFSCertificate | Out-File ".\certificates.txt".

Note

Optionally, you can also export any token-signing, token-encryption, or service-communications certificates and keys that are not internally generated, in addition to all self-signed certificates. You can view all the certificates that are in use on your server by using Windows PowerShell. Open Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell session: PSH:>add-pssnapin "Microsoft.adfs.powershell". Then run the following command to view all certificates that are in use on your server: PSH:>Get-ADFSCertificate. The output of this command includes StoreLocation and StoreName values that specify the store location of each certificate. You can then use the guidance in Export the Private Key Portion of a Server Authentication Certificate to export each certificate and its private key to a .pfx file.

Exporting these certificates is optional because all external certificates are preserved during the operating system upgrade.

  3. Export the AD FS 2.0 federation service properties, such as the federation service name, federation service display name, and federation server identifier, to a file.

To export the federation service properties, open Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell session: PSH:>add-pssnapin "Microsoft.adfs.powershell". Then run the following command to export the federation service properties: PSH:>Get-ADFSProperties | Out-File ".\properties.txt".

The output file will contain the following important configuration values:

Property name as reported by Get-ADFSProperties    Federation Service property name in the AD FS management console
HostName                                            Federation Service name
Identifier                                          Federation Service identifier
DisplayName                                         Federation Service display name

  4. Back up the application configuration file. Among other settings, this file contains the policy database connection string.

To back up the application configuration file, you must manually copy the %programfiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config file to a secure location on a backup server.

Note

Make note of the database connection string in this file, located immediately after "policystore connectionstring=". If the connection string specifies a SQL Server database, the value is needed when restoring the original AD FS configuration on the federation server.

The following is an example of a WID connection string: "Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True". The following is an example of a SQL Server connection string: "Data Source=databasehostname;Integrated Security=True".

  5. Record the identity of the AD FS 2.0 federation service account and the password of this account.

To find the identity value, examine the Log On As column of the AD FS 2.0 Windows Service in the Services console and manually record this value.

Note

For a stand-alone federation service, the built-in NETWORK SERVICE account is used. In this case, you do not need to have a password.

  6. Export the list of enabled AD FS endpoints to a file.

To do this, open Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell session: PSH:>add-pssnapin "Microsoft.adfs.powershell". Then run the following command to export the list of enabled AD FS endpoints to a file: PSH:>Get-ADFSEndpoint | Out-File ".\endpoints.txt".

  7. Export any custom claim descriptions to a file.

To do this, open Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell session: PSH:>add-pssnapin "Microsoft.adfs.powershell". Then run the following command to export any custom claim descriptions to a file: PSH:>Get-ADFSClaimDescription | Out-File ".\claimtypes.txt".

Step 2: Export claims provider trusts

To export the claims provider trusts, perform the following procedure:

To export claims provider trusts

  1. You can use Windows PowerShell to export all claims provider trusts. Open Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell session: PSH:>add-pssnapin "Microsoft.adfs.powershell". Then run the following command to export all claims provider trusts: PSH:>Get-ADFSClaimsProviderTrust | Out-File ".\cptrusts.txt".

Step 3: Export relying party trusts

To export relying party trusts, perform the following procedure:

To export relying party trusts

  1. To export all relying party trusts, open Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell session: PSH:>add-pssnapin "Microsoft.adfs.powershell". Then run the following command to export all relying party trusts: PSH:>Get-ADFSRelyingPartyTrust | Out-File ".\rptrusts.txt".

Step 4: Back up custom attribute stores

You can find information about the custom attribute stores in use by AD FS by using Windows PowerShell. Open Windows PowerShell and run the following command to add the AD FS cmdlets to your Windows PowerShell session: PSH:>add-pssnapin "Microsoft.adfs.powershell". Then run the following command to find information about the custom attribute stores: PSH:>Get-ADFSAttributeStore. The steps to upgrade or migrate custom attribute stores vary.

Step 5: Back up webpage customizations

To back up any webpage customizations, copy the AD FS webpages and the web.config file from the directory that is mapped to the virtual path "/adfs/ls" in IIS. By default, this is the %systemdrive%\inetpub\adfs\ls directory.
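The following script is an added example, not part of the original page, that carries out Steps 1 through 5 above in one pass and writes every export to a single timestamped backup folder, including a summary with the SSL thumbprint, policy store connection string, and service account. It assumes an elevated Windows PowerShell session on the AD FS 2.0 server, that the AD FS Windows service is named adfssrv, and that the IIS WebAdministration module is available; none of these are stated on the page.

```powershell
# Added example (not from the original page). Assumptions: elevated session on
# the AD FS 2.0 server; service name 'adfssrv'; WebAdministration module present.
param([string]$BackupRoot = 'C:\ADFSBackup')

$ErrorActionPreference = 'Stop'
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest | Out-Null

# Step 1 (items 2, 3, 6, 7) and Steps 2-4: the AD FS cmdlets, one file each.
# Format-List * keeps every property instead of the truncated table view.
Add-PSSnapin Microsoft.Adfs.PowerShell
$exports = @{
    'certificates.txt'    = { Get-ADFSCertificate }
    'properties.txt'      = { Get-ADFSProperties }
    'endpoints.txt'       = { Get-ADFSEndpoint }
    'claimtypes.txt'      = { Get-ADFSClaimDescription }
    'cptrusts.txt'        = { Get-ADFSClaimsProviderTrust }
    'rptrusts.txt'        = { Get-ADFSRelyingPartyTrust }
    'attributestores.txt' = { Get-ADFSAttributeStore }
}
foreach ($file in $exports.Keys) {
    & $exports[$file] | Format-List * | Out-File (Join-Path $dest $file)
}

# Step 1 item 1: subject and thumbprint of the certificate on the https binding.
Import-Module WebAdministration
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
$ssl = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $binding.certificateHash }
$summary = @("SSL subject: $($ssl.Subject)", "SSL thumbprint: $($ssl.Thumbprint)")

# Step 1 item 4: copy the service host config and extract the policy store
# connection string; a SQL Server value is required again at restore time.
$cfg = Join-Path $env:ProgramFiles `
    'Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config'
Copy-Item $cfg $dest
$m = [regex]::Match([IO.File]::ReadAllText($cfg),
                    'policystore\s+connectionstring="([^"]*)"', 'IgnoreCase')
$conn = $m.Groups[1].Value
$summary += "Policy store connection string: $conn"
if ($conn -notlike '*\\.\pipe\*') {   # WID uses the local named pipe shown on the page
    $summary += 'WARNING: SQL Server policy store; keep this connection string for the restore.'
}

# Step 1 item 5: the service account (its password must be recorded separately).
$svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"   # assumed service name
$summary += "Service account: $($svc.StartName)"
$summary | Out-File (Join-Path $dest 'summary.txt')

# Step 5: webpage customizations from the default /adfs/ls physical path.
Copy-Item (Join-Path $env:SystemDrive 'inetpub\adfs\ls') (Join-Path $dest 'adfs-ls') -Recurse
```

The backup folder holds the policy store connection string and trust configuration, so move it to the secure backup location the page calls for rather than leaving it on the server.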

Next Steps

Prepare to Migrate the AD FS 2.0 Federation Server
Prepare to Migrate the AD FS 2.0 Federation Server Proxy
Migrate the AD FS 2.0 Federation Server
Migrate the AD FS 2.0 Federation Server Proxy
Migrate the AD FS 1.1 Web Agents