AD FS Rapid Restore Tool

Applies To: Windows Server 2016, Windows Server 2012 R2

Overview

Today AD FS is made highly available by setting up an AD FS farm. Some organizations would like a way to run a single-server AD FS deployment, eliminating the need for multiple AD FS servers and network load balancing infrastructure, while still having some assurance that service can be restored quickly if there is a problem. The new AD FS Rapid Restore tool provides a way to restore AD FS data without requiring a full backup and restore of the operating system or system state. You can use the tool to export the AD FS configuration either to Azure or to an on-premises location. You can then apply the exported data to a fresh AD FS installation, re-creating or duplicating the AD FS environment.

Scenarios

The AD FS Rapid Restore tool can be used in the following scenarios:

  1. Quickly restore AD FS functionality after a problem
    • Use the tool to create a cold standby installation of AD FS that can be quickly deployed in place of the online AD FS server
  2. Deploy identical test and production environments
    • Use the tool to quickly create an accurate copy of the production AD FS in a test environment, or to quickly deploy a validated test configuration to production

What is backed up

The tool backs up the following AD FS configuration:

  • AD FS configuration database (SQL or WID)
  • Configuration file (located in the AD FS folder)
  • Automatically generated token signing and decrypting certificates and private keys (from the Active Directory DKM container)
  • SSL certificate and any externally enrolled certificates (token signing, token decryption and service communication) and corresponding private keys (note: the private keys must be exportable and the user running the script must have permission to access them)
  • A list of the custom authentication providers, attribute stores, and local claims provider trusts that are installed

How to use the tool

First, download and install the MSI on your AD FS server.

Run the following command from a PowerShell prompt:

import-module 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'

Note

If you are using the Windows Internal Database (WID), then this tool needs to be run on the primary AD FS server. You can use the Get-SyncProperties PowerShell cmdlet to determine whether or not the server you are on is the primary server.

System Requirements

  • This tool works for AD FS in Windows Server 2012 R2 and later.
  • The required .NET Framework version is at least 4.0.
  • The restore must be done on an AD FS server of the same version as the backup, using the same Active Directory account as the AD FS service account.

Create a backup

To create a backup, use the Backup-ADFS cmdlet. This cmdlet backs up the AD FS configuration, database, SSL certificates, etc.

The user has to be at least a local admin to run this cmdlet. To back up the Active Directory DKM container (required in the default AD FS configuration), the user either has to be a domain admin as well, or needs to pass in the AD FS service account credentials.

The backup will be named according to the pattern "adfsBackup_ID_Date-Time". It will contain the version number, date and time that the backup was taken. The cmdlet takes the following parameters:

Parameter Sets and Detailed Descriptions

  • BackupDKM - Backs up the Active Directory DKM container that contains the AD FS keys in the default configuration (the automatically generated token signing and decrypting certificates). This uses the AD tool 'ldifde' to export the AD container and all its subtrees.

  • StorageType <string> - The type of storage the user wants to use. "FileSystem" indicates that the user wants to store the backup in a folder locally or on the network; "Azure" indicates the user wants to store it in an Azure Storage Container. When the user performs the backup, they select the backup location, either the file system or the cloud. For Azure to be used, Azure Storage credentials should be passed to the cmdlet. The storage credentials contain the account name and key. In addition to this, a container name must also be passed in. If the container doesn't exist, it is created during the backup. For the file system to be used, a storage path must be given. In that directory, a new directory will be created for each backup. Each directory created will contain the backed up files.

  • EncryptionPassword <string> - The password that is going to be used to encrypt all the backed up files before storing them

  • AzureConnectionCredentials <pscredential> - The account name and key for the Azure storage account

  • AzureStorageContainer <string> - The storage container where the backup will be stored in Azure

  • StoragePath <string> - The location the backups will be stored in

  • ServiceAccountCredential <pscredential> - Specifies the service account being used by the currently running AD FS service. This parameter is only needed if the user would like to back up the DKM and is not a domain admin.

  • BackupComment <string[]> - An informational string about the backup that will be displayed during the restore, similar to the concept of Hyper-V checkpoint naming. The default is an empty string

Examples

  1. Back up the AD FS configuration, with the DKM, to the file system, while running as a domain admin
Backup-ADFS -StorageType "FileSystem" -StoragePath "C:\Users\administrator\testExport\" -EncryptionPassword "password" -BackupComment "Clean Install of ADFS (FS)" -BackupDKM
  2. Back up the AD FS configuration, with the DKM, to the file system using the service account credential, while running as a local admin
Backup-ADFS -StorageType "FileSystem" -StoragePath "C:\Users\administrator\testExport\" -EncryptionPassword "password" -BackupComment "Clean Install of ADFS (FS)" -BackupDKM -ServiceAccountCredential $cred
  3. Back up the AD FS configuration without the DKM to the Azure Storage Container
Backup-ADFS -StorageType "Azure" -AzureConnectionCredentials $cred -AzureStorageContainer "adfsbackups"  -EncryptionPassword "password" -BackupComment "Clean Install of ADFS"
  4. Back up the AD FS configuration without the DKM to the file system
Backup-ADFS -StorageType "FileSystem" -StoragePath "C:\Users\administrator\testExport\" -EncryptionPassword "password" -BackupComment "Clean Install of ADFS (FS)"
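The following wrapper is an added example, not code from the tool or from this page: it checks the prerequisites listed above (elevated session, primary server when using WID) before calling Backup-ADFS, keeps the encryption password out of the command line, and confirms that a new adfsBackup_* directory was created. It assumes the default MSI path from this page and the ADFS module's Get-AdfsSyncProperties cmdlet; the storage path and comment are placeholders.

```powershell
# Added example (not the tool's own code): pre-flight checks, Backup-ADFS, then a sanity check.
Import-Module 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'
Import-Module ADFS   # for Get-AdfsSyncProperties (assumed available on the AD FS server)

function Test-AdfsBackupPrerequisites {
    # Local admin is the minimum the page states for Backup-ADFS.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session (local admin).'
    }
    # With WID the tool must run on the primary server; the sync role tells us which one we are on.
    $sync = Get-AdfsSyncProperties
    if ($sync.Role -eq 'SecondaryComputer') {
        throw 'This is a secondary AD FS server; run the backup on the primary server.'
    }
}

function Invoke-AdfsBackup {
    param(
        [Parameter(Mandatory)][string]$StoragePath,
        [string]$Comment = 'Scheduled backup'
    )
    Test-AdfsBackupPrerequisites

    # Prompt for the encryption password rather than typing it on the command line,
    # where it would be kept in the PowerShell history and any transcript.
    $secure = Read-Host -Prompt 'Backup encryption password' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # A service account credential lets a local admin (not a domain admin) include the DKM container.
    $svc = Get-Credential -Message 'AD FS service account (needed for the DKM export)'
    Backup-ADFS -StorageType 'FileSystem' -StoragePath $StoragePath -EncryptionPassword $plain `
                -BackupComment $Comment -BackupDKM -ServiceAccountCredential $svc

    # Backups are named adfsBackup_ID_Date-Time; confirm a fresh directory appeared.
    $latest = Get-ChildItem -Path $StoragePath -Directory -Filter 'adfsBackup_*' |
              Sort-Object LastWriteTime | Select-Object -Last 1
    if (-not $latest -or $latest.LastWriteTime -lt (Get-Date).AddMinutes(-5)) {
        throw 'No new backup directory found; check the logs under %localappdata%\ADFSRapidRecreationTool.'
    }
    return $latest.FullName
}

# Placeholder path and comment; adjust for your environment.
Invoke-AdfsBackup -StoragePath 'D:\AdfsBackups\' -Comment 'Pre-patch baseline'
```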

Restore from backup

To apply a configuration created using Backup-ADFS to a new AD FS installation, use the Restore-ADFS cmdlet.

This cmdlet creates a new AD FS farm using the Install-AdfsFarm cmdlet and restores the AD FS configuration, database, certificates, etc. If the AD FS role has not been installed on the server, the cmdlet will install it. The cmdlet checks the restore location for existing backups and prompts the user to choose an appropriate backup based on the date/time it was taken and any backup comment that the user might have attached to it. If there are multiple AD FS configurations with different federation service names, the user is first prompted to choose the appropriate AD FS configuration. The user has to be both a local and a domain admin to run this cmdlet.

Note

Before using the AD FS Rapid Recovery Tool, ensure that the server is joined to the domain prior to restoring the backup.

The cmdlet takes the following parameters:

Parameter Sets and Detailed Descriptions

  • StorageType <string> - The type of storage the user wants to use. "FileSystem" indicates that the backup is stored in a folder locally or on the network; "Azure" indicates that it is stored in an Azure Storage Container

  • DecryptionPassword <string> - The password that was used to encrypt all the backed up files

  • AzureConnectionCredentials <pscredential> - The account name and key for the Azure storage account

  • AzureStorageContainer <string> - The storage container where the backup is stored in Azure

  • StoragePath <string> - The location the backups are stored in

  • ADFSName <string> - The name of the federation service that was backed up and is going to be restored. If this is not provided and there is only one federation service name, then that one will be used. If there is more than one federation service backed up to the location, then the user is prompted to choose one of the backed up federation services.

  • ServiceAccountCredential <pscredential> - Specifies the service account that will be used for the new AD FS service being restored

  • GroupServiceAccountIdentifier <string> - The GMSA that the user wants to use for the new AD FS service being restored. By default, if neither is provided, the backed up account name is used if it was a GMSA; otherwise the user is prompted to enter a service account

  • DBConnectionString <string> - If the user would like to use a different DB for the restore, they should pass the SQL connection string, or type in WID for WID.

  • Force <bool> - Skip the prompts that the tool might show once the backup is chosen

  • RestoreDKM <bool> - Restore the DKM container to AD; should be set if restoring into a new AD and the DKM was backed up initially.

Examples

  1. This restores the AD FS configuration without the DKM from the Azure Storage Container
Restore-ADFS -StorageType "Azure" -AzureConnectionCredential $cred -DecryptionPassword "password" -AzureStorageContainer "adfsbackups"
  2. This restores the AD FS configuration without the DKM from the file system
Restore-ADFS -StorageType "FileSystem" -StoragePath "C:\uSERS\administrator\testExport\" -DecryptionPassword "password"
  3. This restores the AD FS configuration with the DKM from the file system
Restore-ADFS -StorageType "FileSystem" -StoragePath "C:\uSERS\administrator\testExport\" -DecryptionPassword "password" -RestoreDKM
  4. This restores the AD FS configuration to WID
Restore-ADFS -StorageType "FileSystem" -StoragePath "C:\uSERS\administrator\testExport\" -DecryptionPassword "password" -DBConnectionString "WID"
  5. This restores the AD FS configuration to SQL
Restore-ADFS -StorageType "FileSystem" -StoragePath "C:\uSERS\administrator\testExport\" -DecryptionPassword "password" -DBConnectionString "Data Source=TESTMACHINE\SQLEXPRESS; Integrated Security=True"
  6. This restores the AD FS configuration with the specified GMSA
Restore-ADFS -StorageType "FileSystem" -StoragePath "C:\uSERS\administrator\testExport\" -DecryptionPassword "password" -GroupServiceAccountIdentifier "mangupd1\adfsgmsa$"
  7. This restores the AD FS configuration with the specified service account credentials
Restore-ADFS -StorageType "FileSystem" -StoragePath "C:\uSERS\administrator\testExport\" -DecryptionPassword "password" -ServiceAccountCredential $cred

Appendix: Encryption information

All backup data is encrypted before it is pushed to the cloud or stored in the file system.

Each document that is created as part of the backup is encrypted using AES-256. The password passed into the tool is used as a pass phrase to derive a new key using the Rfc2898DeriveBytes class.

RngCryptoServiceProvider is used to generate the salt used by AES and the Rfc2898DeriveBytes class.
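The script below is an added illustration of the primitives the appendix names (Rfc2898DeriveBytes, RNGCryptoServiceProvider and AES-256); it is not the tool's own code and does not reproduce its file format. The iteration count, the salt and IV sizes, and the salt | IV | ciphertext layout are assumptions, since the page does not state them.

```powershell
# Added example: PBKDF2 key derivation + AES-256-CBC as the appendix describes.
# Assumed (not from the page): 100000 iterations, 16-byte salt/IV, salt|IV|ciphertext layout.
function New-RandomBytes([int]$Length) {
    $bytes = New-Object byte[] $Length
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ,$bytes   # leading comma keeps PowerShell from unrolling the array
}

function Get-AesKey([string]$Passphrase, [byte[]]$Salt) {
    # Rfc2898DeriveBytes is PBKDF2; a fresh random salt per document means the same
    # passphrase never yields the same AES key twice.
    $kdf = New-Object -TypeName System.Security.Cryptography.Rfc2898DeriveBytes `
                      -ArgumentList $Passphrase, $Salt, 100000
    return ,$kdf.GetBytes(32)   # 32 bytes = AES-256
}

function Protect-Document([byte[]]$Plaintext, [string]$Passphrase) {
    $salt = New-RandomBytes 16
    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC + PKCS7 padding by default
    $aes.KeySize = 256
    $aes.Key = Get-AesKey $Passphrase $salt
    $aes.GenerateIV()
    $iv = $aes.IV
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $aes.Dispose()
    return [byte[]]($salt + $iv + $cipher)
}

function Unprotect-Document([byte[]]$Blob, [string]$Passphrase) {
    $salt   = [byte[]]$Blob[0..15]
    $iv     = [byte[]]$Blob[16..31]
    $cipher = [byte[]]$Blob[32..($Blob.Length - 1)]
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Key = Get-AesKey $Passphrase $salt   # same salt from the blob -> same key
    $aes.IV = $iv
    try { return ,$aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length) }
    finally { $aes.Dispose() }
}

# Constructed sample input; not a real AD FS export.
$doc  = [Text.Encoding]::UTF8.GetBytes('constructed sample document')
$blob = Protect-Document $doc 'correct-passphrase'
[Text.Encoding]::UTF8.GetString((Unprotect-Document $blob 'correct-passphrase'))
# A wrong passphrase derives a different key; with CBC this usually surfaces as a padding error.
# This illustration carries no integrity tag, so a wrong key is not always detected cleanly.
try { Unprotect-Document $blob 'wrong-passphrase' | Out-Null }
catch { "Wrong passphrase: $($_.Exception.Message)" }
```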

Appendix: Log Files

Every time a backup or restore is performed, a log file is created. These can be found at the following location:

  • %localappdata%\ADFSRapidRecreationTool

Note

When performing a restore, a PostRestore_Instructions file might be created containing an overview of the additional authentication providers, attribute stores and local claims provider trusts to be installed manually before starting the AD FS service.