Prerequisites
- Ensure that the deployment is planned fir the correct capacity using the ADFS capacity and planning sizing spreadsheet.
- Every user in active directory must have a UPN set.
- For Single Sign On (SSO) to work usernames can only contain letters, numbers, periods, dashes and underscores.
- A service account for ADFS with log on as service and log on as batch rights.
- An A record in DNS ( adfs.domain.com ) and a service principal name (SPN) for the service account.
- SSL Certificate – (Must use RC4 cypher to support XP machines).
- Port 443 open
- SQL Server 2005 or later or WID.
Installing
If your installing ADFS on an OS older than 2012 R2, then you need to install ADFS with ADFSSetup.exe which can be downloaded from here.
If your ADFS server is on 2012 R2, the install ADFS from the server manager.
Once ADFS is installed, we need to run FSConfigWizard.exe from c:Program FilesActive Directory Federation Services 2.0.
Converting Domains for use with Federated Services
$msolcred = get-credential
connect-msolservice -credential $msolcred
connect-msolservice -credential $msolcred
Convert-MsolDomainToFederated -DomainName “Techshizz”
(If there are multiple domains add “-SupportMultipleDomain”)
How do we know this worked?
Get-MsolDomain OR
Get-MsolFederationProperty -Domainname “Techshizz”
Converting back to Standard Domain
In converting back all users will have to have their passwords changed.
$msolcred = get-credential
connect-msolservice -credential $msolcred
connect-msolservice -credential $msolcred
Convert-MsolDomaintoStandard -DomainName “Techshizz” -SkipUserConversion $false -PasswordFile “C:passwords”
This command sets the user attribute “Force change password on logon” to on!
Finally you must run this command for every user:
Convert-MsolFederateduser -PrincipalName