Slipping out of the Microsoft stable recently with little fanfare, the AD FS Rapid Restore Tool. As the name suggests, this is a tool geared at aiding in the recovery of your AD FS configuration / environment in the event of server failure or disaster.

To date, effectively backing up key material and/or relying parties has been a proverbial thorn-in-the-side for AD FS administrators, so the release of this utility is very interesting.

Does this tool do the trick? Let’s give it a whirl…

Download the MSI and install the tool. Supported versions are AD FS 2012 R2 and AD FS 2016. The tool is installed directly on the farm node and the installation process is very straightforward (à la Next, Next, Next). With the tool installed we can launch an administrative PowerShell prompt and then import the module. Let’s look at some of the command options via Get-Help Backup-ADFS -full.

As can be seen from the graphic above, when we call the Backup-ADFS cmdlet, backup of the AD FS configuration is possible to either the filesystem or to Azure. In these test scenarios, the local file system is used.

A backup folder (e.g. C:\ADFSExport) is created manually as the backup/restore location. Here’s the syntax used for testing.

Backup-ADFS -StorageType “FileSystem” -StoragePath “C:\ADFSExport\” -EncryptionPassword “12345678” -BackupComment “Clean Install of ADFS (FS)” -BackupDKM

A warning. As the Microsoft documentation points out, your AD FS SSL/TLS certificate will only be backed up during the export if the private keys are marked as exportable and the associated Manage Private Keys permission is given to the user running the script. A simple way to check beforehand is to attempt to export the SSL certificate via the Certificate Export Wizard. If “Yes, export the private key” is greyed out, it’s not exportable. In the above example, my certificate does not meet those criteria. Where the script can’t handle the service communication certificate migration, the PFX should be manually imported on the replacement server before the restore script is run.

By the way, the token signing and decryption certificates (incl. private keys) used by AD FS are stored in the AD FS configuration database itself. These certificates are then encrypted using something called the Distributed Key Manager (DKM). A container is created in the local Active Directory of your AD FS during installation of the first AD FS node in the farm. The DKM master key is then stored in this container. The recovery tool provides for backup of the DKM facility, and in the export command line above the -BackupDKM switch is used. I’m no expert on DKM, so if you require more detailed information, I suggest you go hunting here.

For this simple test, we elected to remove the AD FS farm (primary) role in each case and cleaned out the AD FS container in Active Directory (CN=ADFS,CN=Microsoft,CN=Program Data). Any existing configuration database was overwritten. A fresh installation of AD FS was then made, the tool installed and then the restore operation begun. Here I wanted to test a number of changes.
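As an added example (not from the original post or from the Rapid Restore Tool itself), the following script turns the manual “try the Certificate Export Wizard” check for the SSL/TLS certificate into a pre-flight step and then runs the same Backup-ADFS command as above with -BackupDKM. It assumes an elevated PowerShell prompt on the farm node with the tool’s module already imported; Get-AdfsSslCertificate and Backup-ADFS are real cmdlets, while Test-AdfsSslKeyExportable is a helper name defined here.

```powershell
# Pre-flight check for the AD FS SSL/TLS certificate before Backup-ADFS.
# Instead of opening the Certificate Export Wizard and looking for a greyed-out
# "Yes, export the private key", attempt an in-memory PFX export of the cert
# bound to the AD FS HTTPS endpoint. A non-exportable key (or a missing
# Manage Private Keys permission for the current account) makes the export throw.
function Test-AdfsSslKeyExportable {
    # Get-AdfsSslCertificate lists the HTTPS bindings; CertificateHash is the thumbprint.
    $thumbprint = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
    $cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"

    if (-not $cert.HasPrivateKey) {
        Write-Warning "SSL cert $thumbprint has no private key in LocalMachine\My"
        return $false
    }
    try {
        # The exported bytes are discarded; only success or failure matters here,
        # so the password is a throw-away value.
        $null = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
            'preflight-only')
        return $true
    } catch {
        # Same condition that greys out "Yes, export the private key" in the wizard.
        Write-Warning "SSL cert $thumbprint private key is not exportable: $($_.Exception.Message)"
        return $false
    }
}

# Backup/restore location, created manually in the post; -Force makes this idempotent.
$backupPath = 'C:\ADFSExport\'
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

if (-not (Test-AdfsSslKeyExportable)) {
    Write-Warning 'Backup-ADFS will not capture the SSL certificate; export its PFX by other means and import it on the replacement node before running the restore.'
}

# Prompt for the encryption password rather than embedding it in the script
# or leaving it in the shell history, as the "12345678" test value above does.
$password = Read-Host -Prompt 'Backup encryption password'

# Same invocation as the post's test syntax, with -BackupDKM so the DKM
# master key needed to decrypt the token signing/decryption certs is included.
Backup-ADFS -StorageType 'FileSystem' -StoragePath $backupPath `
    -EncryptionPassword $password `
    -BackupComment 'Clean Install of ADFS (FS)' `
    -BackupDKM
```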