{"id":248,"date":"2016-09-24T02:33:28","date_gmt":"2016-09-24T00:33:28","guid":{"rendered":"http:\/\/hentati.org\/?p=248"},"modified":"2020-12-06T20:41:53","modified_gmt":"2020-12-06T19:41:53","slug":"adfs-rapid-restore-tool-backup-and-restore-your-adfs-farm-easily-in-seconds","status":"publish","type":"post","link":"https:\/\/hentati.org\/index.php\/2016\/09\/24\/adfs-rapid-restore-tool-backup-and-restore-your-adfs-farm-easily-in-seconds\/","title":{"rendered":"ADFS Rapid Restore Tool, backup and restore your ADFS farm easily in seconds\u2026"},"content":{"rendered":"<p><span style=\"color: #000000;\"><strong>SAML authentication<\/strong> with Microsoft Azure \/ O365 hybrid cloud environments (or even Google or AWS) via ADFS services is something that must be taken very seriously. A few months ago, Microsoft released the <strong>ADFS Rapid Restore Tool<\/strong>, which, it seems to me, went somewhat unnoticed. So it\u2019s time to talk about it, because this tool is really useful <strong>to export and rebuild an ADFS farm for recovery, or even to recreate an exported ADFS farm in another environment.<\/strong><\/span><\/p>\n<p><span style=\"color: #000000;\">In short, this tool is much more than just an export \/ import tool, because it also allows you to <strong>reconfigure an existing ADFS farm<\/strong>. 
For example, with this tool it is very easy to switch from the default WID database to a SQL Server instance, if required.<\/span><\/p>\n<ul>\n<li><span style=\"color: #000000;\">First, to discover this powerful Microsoft tool, download it from Microsoft Connect.<\/span><\/li>\n<li><span style=\"color: #000000;\">Second, once it is installed, use the new <strong>Windows PowerShell cmdlets Backup-ADFS and Restore-ADFS<\/strong>.<\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\">Note that the <strong>ADFS Rapid Restore Tool<\/strong> is feature complete and supports the following capabilities:<\/span><\/p>\n<ul>\n<li><span style=\"color: #000000;\">Supports ADFS running on <strong>Windows Server 2012 R2 and 2016<\/strong>. Note that it does not support ADFS 2.0 or ADFS running on Windows Server 2012.<\/span><\/li>\n<li><span style=\"color: #000000;\">Supports both <strong>SQL Server<\/strong> and <strong>WID database<\/strong> configurations of ADFS.<\/span><\/li>\n<li><span style=\"color: #000000;\">Supports both self-generated token signing certificates (the default configuration in ADFS) and custom token signing certificates. In the case of custom token signing certificates, the tool will attempt to export these as well if they are exportable. If the certificates are not exportable, you have to install them on the target machine prior to the restore process.<\/span><\/li>\n<li><span style=\"color: #000000;\">Supports <strong>export and restore of SSL certificates<\/strong> if the certificate is exportable. 
Otherwise, you will have to install these on the target machine prior to the restore process.<\/span><\/li>\n<li><span style=\"color: #000000;\">Supports storing the exported backup in a network folder or, better still, in <strong>Azure storage<\/strong>.<\/span><\/li>\n<li><span style=\"color: #000000;\">All exported backups are <strong>strongly encrypted<\/strong> using the password provided.<\/span><\/li>\n<li><span style=\"color: #000000;\">Backups can be done on demand or integrated into a <strong>scheduled task<\/strong> on the machine.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>Any custom<\/strong> attribute stores, additional authentication providers (for MFA) or local claims provider trusts (a new ADFS feature on Windows Server 2016) <strong>are also backed up and restored<\/strong>.<\/span><\/li>\n<li><span style=\"color: #000000;\">All page customizations are backed up and restored.<\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\"><strong>To back up your ADFS farm, use the command listed below with the following switches:<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"color: #000000;\"><strong>BackupDKM<\/strong> \u2013 Backs up the Active Directory DKM container that contains the AD FS keys in the default configuration (automatically generated token signing and decrypting certificates).<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>StorageType<\/strong> \u2013 The type of storage: <strong>\u201cFileSystem\u201d<\/strong> stores the backup in a local or network folder; <strong>\u201cAzure\u201d<\/strong> stores the backup in an Azure Storage container (the Azure Storage credentials must be passed to the cmdlet). 
The storage credentials contain the account name and key; a container name must also be passed in, and if the container doesn\u2019t exist, it is created during the backup.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>EncryptionPassword<\/strong> \u2013 The password used to encrypt all the backed up files before they are stored.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>AzureConnectionCredentials<\/strong> \u2013 The account name and key for the Azure storage account.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>AzureStorageContainer<\/strong> \u2013 The storage container where the backup will be stored in Azure.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>StoragePath<\/strong> \u2013 The location where the backups will be stored.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>ServiceAccountCredential<\/strong> \u2013 Specifies the service account currently used by the ADFS service. This parameter is only needed if the user wants to back up the DKM and is not a domain admin.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>BackupComment &lt;string[]&gt;<\/strong> \u2013 An informational string about the backup that will be displayed during the restore, similar to the concept of Hyper-V checkpoint naming. 
The default is an empty string.<\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\">Backup-ADFS -StorageType \u201cFileSystem\u201d -StoragePath \u201cC:\\Install\\ADFS_BACKUP\\\u201d -EncryptionPassword \u201cPassw0rd_2016!\u201d -BackupComment \u201cADFS_Farm_O365_WS2016\u201d -BackupDKM<\/span><\/p>\n<p><span style=\"color: #000000;\"><strong>In the same way, the restore process is also very easy to achieve with the following switches:<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"color: #000000;\"><strong>StorageType<\/strong> \u2013 Same as for backup (\u201cFileSystem\u201d or \u201cAzure\u201d).<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>DecryptionPassword<\/strong> \u2013 The password that was used to encrypt all the backed up files.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>AzureConnectionCredentials<\/strong> \u2013 The account name and key for the Azure storage account.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>AzureStorageContainer<\/strong> \u2013 The storage container where the backup is stored in Azure.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>StoragePath<\/strong> \u2013 The location where the backups are stored.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>ADFSName &lt;string&gt;<\/strong> \u2013 The name of the federation that was backed up and is going to be restored.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>ServiceAccountCredential &lt;pscredential&gt;<\/strong> \u2013 Specifies the service account that will be used for the new ADFS service being restored.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>GroupServiceAccountIdentifier<\/strong> \u2013 The GMSA that the user wants to use for the new ADFS service being restored. 
By default, if neither is provided, the backed up account name is used if it was a GMSA; otherwise the user is prompted to enter a service account.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>DBConnectionString<\/strong> \u2013 If the user would like to use a different database for the restore, they should pass the SQL connection string, or WID for WID.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>Force<\/strong> \u2013 Skip the prompts that the tool might show once the backup is chosen.<\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>RestoreDKM<\/strong> \u2013 Restore the DKM container to AD; should be set if restoring into a new AD and the DKM was backed up initially.<\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\">Note that <strong>you must specify the database engine type<\/strong> used with the ADFS farm by using the <strong>-DBConnectionString parameter<\/strong> as follows.<\/span><\/p>\n<p><span style=\"color: #000000;\"><strong>To restore your ADFS farm when using a WID database or SQL Server, use respectively the following parameters:<\/strong><\/span><\/p>\n<p><span style=\"color: #000000;\">Restore-ADFS -StorageType \u201cFileSystem\u201d -StoragePath \u201cC:\\Install\\ADFS_BACKUP\u201d -DecryptionPassword \u201cPassw0rd_2016!\u201d -RestoreDKM <strong>-DBConnectionString \u201cWID\u201d<\/strong><\/span><\/p>\n<p><span style=\"color: #000000;\">Restore-ADFS -StorageType \u201cFileSystem\u201d -StoragePath \u201cC:\\Install\\ADFS_BACKUP\u201d -DecryptionPassword \u201cPassw0rd_2016!\u201d -RestoreDKM <strong>-DBConnectionString \u201cData Source=SQLServer\\SQLINSTANCE; Integrated Security=True\u201d<\/strong><\/span><\/p>\n<p><span style=\"color: #000000;\">During the restore process, note that the <strong>ADFS Rapid Restore Tool<\/strong> prompts the administrator to choose which backup to restore, based on its date and time.<\/span><\/p>\n<p><span style=\"color: 
#000000;\">At this point it is almost, but not quite, done: <strong>after the restore operation, the ADFS service is not yet operational and running!<\/strong><\/span><\/p>\n<p><span style=\"color: #000000;\">The <strong>final step<\/strong> is to read the <strong>Post Restore instructions .TXT file<\/strong> before starting the ADFS service and, if necessary, add additional software or DLLs to the ADFS folder to support additional MFA providers or attribute stores.<\/span><\/p>\n<p><span style=\"color: #000000;\"><strong>In summary,<\/strong> given the success of Office 365, the most important point for a successful migration to the hybrid cloud model is certainly to offer users a <strong>rich logon experience based on SSO (Single Sign On) via ADFS services<\/strong>.<\/span><\/p>\n<p><span style=\"color: #000000;\">Unfortunately, an ADFS solution requires multiple ADFS \/ WAP servers to ensure security and high availability. With the <strong>ADFS Rapid Restore tool<\/strong>, administrators have the ability to export the configuration of a single AD FS server <strong>so as to deploy a new AD FS server quickly in the event of a server failure or a misconfiguration<\/strong>.<\/span><\/p>\n<p><span style=\"color: #000000;\">This approach can be useful for small and medium customers that do not have the ability to deploy n ADFS servers. In addition, the <strong>ADFS Rapid Restore tool<\/strong> can be used to duplicate an existing ADFS server into a test environment.<\/span><\/p>\n<p><span style=\"color: #000000;\">Enjoy,<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SAML authentication with Microsoft Azure \/ O365 hybrid cloud environments (or even Google or AWS) via ADFS services is something that must be taken very seriously. 
A few months ago, &#8230;<\/p>\n","protected":false},"author":1,"featured_media":250,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[7],"tags":[],"_links":{"self":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/248"}],"collection":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/comments?post=248"}],"version-history":[{"count":3,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/248\/revisions"}],"predecessor-version":[{"id":633,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/248\/revisions\/633"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/media\/250"}],"wp:attachment":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/media?parent=248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/categories?post=248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/tags?post=248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}