On a Domain Controller you will get Group Policy Management listed (by default) under Administrative Tools. But if you have a ‘Management Server‘ or a ‘Jump Box‘ that you want to install the tool onto (without making it a domain controller!), then do the following;
Option 1: Install GPMC with Powershell
This is the quickest and simplest option! Open a PowerShell window and execute the following command;
[box]
Install-WindowsFeature -Name GPMC
[/box]
Note: For older servers (Windows Server 2012 and older) use the following commands instead.
Life was simpler when we had DVD drives and a wallet full of CD/DVDs! I was building an HP DL360 this morning and needed to install Windows. I created a bootable USB with Unetbootin and selected a Windows Server ISO, but it wouldn’t boot. So I thought ‘Fine, I’ll play the game’ and pressed F10 for Intelligent Provisioning.
After selecting USB media, the system could not see my USB drive?
After a couple of seconds of head scratching the penny dropped: it wants the ISO, not a bootable drive (doofus!). So I used a FAT formatted USB and that didn’t work either?
Option 1: Use iLO
Before you all start emailing me, you can install an operating system from virtual media WITHOUT an advanced iLO licence! Annoyingly I was building the server on the bench, so I had to connect my laptop into the iLO with a crossover cable, but here’s me proving it works.
Option 2: Use exFAT
Format your USB drive using exFAT; luckily I use macOS and Disk Utility will format a drive using exFAT for me.
Note: Windows will also format as exFAT 🙂
Then simply put your install .ISO file(s) on the media.
Now you can see your install media.
Option 3: Use the HP Media Creator
I didn’t try this option, but feel free to download it and give it a try, comment below to let me know how you get on.
The actual configuration of ADFS depends largely on what you intend to do with it. Here I’m using it to broker connections from my Microsoft Web Application Proxy. This article is just to ‘join the dots’ and covers just the installation of the role itself.
Solution
Before you Start: Make sure you have a certificate ready to use for ADFS. I typically use a wildcard cert for this, it’s better if you have purchased one, or if you use certificate services, here’s how to create a wildcard certificate.
Note: You can add adfs.{your-domain} to your wildcard as a SAN, (Subject Alternative Name), Also add certauth.adfs.{your-domain}. Yes, even on a wildcard certificate!
For example: adfs.petenetlive.com and certauth.adfs.petenetlive.com.
You can either create a service account for ADFS to run under, or use a GROUP MANAGED SERVICE ACCOUNT.
What’s a Group Managed Service Account?
It’s an AD object that acts as a service account, and you don’t need to worry about entering a password for it.
Create a Group Managed Service Account
Before you can have a gMSA you need a KDS Root Key in Active Directory; to set that up, execute the following command;
[box]
If you have only one domain controller;
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
If you have more than one domain controller;
Add-KdsRootKey -EffectiveImmediately
If you use the second option you must then WAIT 10 HOURS!
[/box]
Then go to a Domain Controller, and issue the following command;
In case you are interested, you will then see it appear in Active Directory.
Then ON the ADFS Server, run the following command;
[box]
setspn -a host/localhost {gMSA-Account-Name}
[/box]
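The whole gMSA procedure above, end to end, as an added example (this is not the article’s own command, which is not shown on the page). It assumes the gMSA is called svc-adfs, the ADFS host is ADFS01, the domain is corp.example.com, and RSAT AD PowerShell is present on the ADFS server:

```powershell
# Added example, not from the original article. Assumed names: gMSA 'svc-adfs',
# ADFS computer 'ADFS01', domain 'corp.example.com'.
Import-Module ActiveDirectory

# --- Run on a domain controller ---
# Only create a KDS root key if the domain has none; a second key is unnecessary.
if (-not (Get-KdsRootKey)) {
    # Single-DC lab: back-date the key so it is usable straight away.
    # Multi-DC domain: use -EffectiveImmediately and wait 10 hours for replication.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Least privilege: only the ADFS computer account(s) may retrieve the managed
# password. Do not grant this to 'Domain Computers'.
New-ADServiceAccount -Name 'svc-adfs' `
    -DNSHostName 'adfs.corp.example.com' `
    -ServicePrincipalNames 'http/adfs.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer -Identity 'ADFS01') `
    -KerberosEncryptionType AES256

# --- Run on the ADFS server (needs the RSAT-AD-PowerShell feature) ---
Install-ADServiceAccount -Identity 'svc-adfs'
# Returns $true only if this host is allowed to, and can, fetch the gMSA password.
Test-ADServiceAccount -Identity 'svc-adfs'
```

If Test-ADServiceAccount returns $false, the ADFS computer is not in the allowed-principals list or the KDS key has not replicated yet; fix that before running the ADFS configuration wizard.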
Deploying Active Directory Federation Services
Server Manager > Manage > Add Roles and Features > Next > Next > Select the server > Next > Server Roles > Select Active Directory Federation Services > Accept all the defaults and install the role.
Launch the configuration wizard > Create the first federation server in a federation farm > Next.
I’m setting this up while logged on as the domain administrator, so I’ll use that account to connect to AD > Next.
WARNING: If you use a wildcard cert like me it will choose the name of *.{domain-name}. THIS IS BAD! Change the federation service name to something sensible, like adfs.domain.com. The ‘Federation Service Display Name‘ is what will be shown to the users as they authenticate. > Next.
Make sure the federation server DNS name can be resolved in DNS! Remember if your Web Application Proxy server is in your DMZ, or outside the firewall, it will also need to be able to resolve this name, (I put them in the ‘hosts‘ file on my DMZ servers for this reason).
Enter your Group Managed Service Account, (created above) > Next.
Create a database. (Note: If you are reinstalling it will discover any existing databases, and ask if you want to overwrite them) > Next.
Next
Configure.
Close. (Note: I’ve got some warnings but all is well, trust me!)
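The same farm deployment done from PowerShell instead of the wizard, as an added example that is not part of the original article. It also performs the check the wildcard WARNING above calls for: the federation service name is set explicitly (never *.domain) and the certificate must carry the adfs and certauth SANs. Assumed names: service adfs.corp.example.com, gMSA CORP\svc-adfs$, certificate already imported into LocalMachine\My:

```powershell
# Added example, not from the original article. Assumptions: federation
# service name adfs.corp.example.com, gMSA CORP\svc-adfs$, cert in LocalMachine\My.
$FsName  = 'adfs.corp.example.com'
$Domain  = $FsName -replace '^[^.]+\.', ''          # corp.example.com

# Pick a valid cert with a private key that covers the service name directly
# or via a wildcard for the parent domain.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { ($_.DnsNameList.Unicode -contains $FsName) -or
                   ($_.DnsNameList.Unicode -contains "*.$Domain") } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No usable certificate for $FsName in LocalMachine\My" }

# certauth.<service name> must be a SAN or certificate-based authentication
# on port 443 will fail, even with a wildcard certificate.
if ($Cert.DnsNameList.Unicode -notcontains "certauth.$FsName") {
    Write-Warning "Certificate lacks SAN certauth.$FsName; client certificate auth will not work."
}

Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# The service name is given explicitly so a wildcard cert never becomes '*.corp.example.com'.
# Run elevated as a domain admin (the wizard's "connect to AD" account).
Install-AdfsFarm -CertificateThumbprint $Cert.Thumbprint `
    -FederationServiceName $FsName `
    -FederationServiceDisplayName 'Corp Sign-In' `
    -GroupServiceAccountIdentifier 'CORP\svc-adfs$'
```

Add -OverwriteConfiguration only on a reinstall; it is the PowerShell equivalent of the wizard’s overwrite-existing-database prompt.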
To test, open a web browser and go to https://{FQDN-Of-FS-Service}/adfs/ls/idpinitiatedsignon and log in.
Note: If using Server 2016 or Server 2019, you have to enable this, or it will error! See the link below.
At this point, how you proceed depends on what you are using Active Directory Federation Services for. You would set up either a relying or a claims provider trust next.
As said above I’m using this for Web Application Proxy. When that article is complete, I’ll put the link at the bottom of this article.
I was setting up ADFS in Server 2019 today, and once I have all the basics set up I like to go to https://{server-fqdn}/adfs/ls/IdpInitiatedSignon to test, but this happened;
The resource you are trying to access is not available. Contact your administrator for more information.
Error details
Activity ID: 3c53140c-cff3-4b59-0900-0080010000d4
Error details: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
Node name: 8d53ee58-2a75-42c1-ac37-88c7bc00ce97
Error time: Thu, 02 May 2019 12:35:56 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko
Solution
At first I thought I’d broken something or forgotten to tick a tick box! But it seems this was turned off in Server 2016. You need to enable it on the ADFS server.
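Enabling the page for the test step in the ADFS install article above, and for this MSIS7012 error, as an added example that is not the article’s own command. It records the previous state, enables the page, probes the URL, and puts the setting back, because the page is a test aid that Server 2016 and later ship disabled. Assumed federation service name: adfs.corp.example.com:

```powershell
# Added example, not from the original article. Assumed service name below.
$FsName = 'adfs.corp.example.com'
$Url    = "https://$FsName/adfs/ls/idpinitiatedsignon"

Import-Module ADFS
# Server 2016/2019 disable this page by default; MSIS7012 on this URL is the symptom.
$WasEnabled = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
if (-not $WasEnabled) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
}

# Probe the page: a 200 with the sign-in form means the farm is answering.
# Invoke-WebRequest throws on non-2xx, which the catch reports.
try {
    $Resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
    'Status {0} from {1}' -f $Resp.StatusCode, $Url
} catch {
    Write-Warning ('Sign-on page not reachable: ' + $_.Exception.Message)
}

# Restore the original state: keep the page off in production unless a
# relying party genuinely needs IdP-initiated sign-on.
if (-not $WasEnabled) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
}
```

Leave out the final block if you want the page to stay enabled; Get-AdfsProperties shows the current value at any time.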