<h1>How to decommission an AD FS server Correctly</h1>

<p>Published 2024-09-09.</p>

<p>Microsoft Entra ID provides a cloud-based sign-in experience for all your resources and apps, with strong authentication and real-time, risk-based adaptive access policies that decide whether access is granted. Moving sign-in to Entra ID reduces the operational cost of managing and maintaining an AD FS environment and increases IT efficiency.</p>

<p>For more information on <strong>why</strong> you should upgrade from AD FS to Microsoft Entra ID, see <a href="https://aka.ms/adfs2aad">moving from AD FS to Microsoft Entra ID</a>. See <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/migrate-from-federation-to-cloud-authentication">migrate from federation to cloud authentication</a> to understand <strong>how</strong> to upgrade from AD FS.</p>

<p>Video: <a href="https://www.youtube-nocookie.com/embed/D0M-N-RQw0I">https://www.youtube-nocookie.com/embed/D0M-N-RQw0I</a></p>

<p>This document provides the recommended steps for decommissioning your AD FS servers.</p>

<h2 class="wp-block-heading" id="pre-requisites-for-decommissioning-ad-fs-servers">Pre-requisites for decommissioning AD FS servers</h2>

<p>Before you begin decommissioning your AD FS servers, ensure the following items are complete. For more information, see <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/migrate-from-federation-to-cloud-authentication">migrating from federation to cloud authentication</a>.</p>

<ol class="wp-block-list">
<li><a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install#install-the-agent-for-ad-fs">Install Microsoft Entra Connect Health</a> to provide robust monitoring of your on-premises identity infrastructure. Its AD FS usage reports are what you will later use to prove the farm is idle.</li>

<li>Complete the <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/migrate-from-federation-to-cloud-authentication#pre-work-for-sso">pre-work for single sign-on (SSO)</a>.</li>

<li><a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout">Migrate your user authentication to Microsoft Entra ID</a>. With cloud authentication enabled, Microsoft Entra ID handles the users' sign-in process itself, and the federated domain is converted to a managed domain so that Entra ID no longer redirects sign-ins to AD FS. Microsoft Entra ID provides three options for cloud authentication of users:
<ul>
<li><a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs">Microsoft Entra Password Hash Synchronization (PHS)</a>: allows your users to sign in to both on-premises and cloud-based applications using the same passwords. Microsoft Entra Connect synchronizes a <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#detailed-description-of-how-password-hash-synchronization-works">hash of a hash of a user's password</a> (a salted, key-stretched hash of the on-premises NT hash) from the on-premises Active Directory instance to Microsoft Entra ID. Neither the cleartext password nor the raw NT hash is ever transmitted to the cloud.</li>
<li><a href="https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication">Microsoft Entra Certificate Based Authentication (CBA)</a>: lets you adopt a phishing-resistant authentication method and authenticate users with an X.509 certificate issued by your Public Key Infrastructure (PKI).</li>
<li><a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta">Microsoft Entra pass-through authentication (PTA)</a>: allows your users to sign in to both on-premises and cloud-based applications using the same passwords. An agent installed on-premises validates the users' passwords directly against your on-premises Active Directory, so no password material leaves the domain.</li>
</ul>
You can try cloud authentication for your users using <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout">Staged Rollout</a>, which lets you selectively test groups of users with the cloud authentication methods listed above.
<p><strong>Note</strong></p>
<ul class="wp-block-list">
<li>PHS and CBA are the preferred options for cloud-managed authentication. Use PTA only where regulatory requirements forbid synchronizing any password information to the cloud.</li>
<li>User authentication migration and app migration can be done in either order, but it is recommended to complete the user authentication migration first.</li>
<li>Evaluate the <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout#supported-scenarios">supported</a> and <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout#unsupported-scenarios">unsupported</a> scenarios for Staged Rollout before relying on it.</li>
</ul>
</li>

<li><a href="https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure">Migrate all your applications</a> that currently use AD FS for authentication to Microsoft Entra ID, which gives you a single control plane for identity and access management. Make sure you also migrate your Office 365 applications and your domain-joined devices to Microsoft Entra ID.
<ul class="wp-block-list">
<li>The AD FS application migration assistant can be used to migrate applications from AD FS to Microsoft Entra ID.</li>
<li>If you don't find the right SaaS application in the app gallery, it can be requested at <a href="https://aka.ms/AzureADAppRequest">https://aka.ms/AzureADAppRequest</a>.</li>
</ul>
</li>

<li>Run <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install#install-the-agent-for-ad-fs">Microsoft Entra Connect Health</a> for at least one week to observe the usage of apps in Microsoft Entra ID. You should also be able to see the users' sign-ins in the Microsoft Entra ID sign-in logs rather than in AD FS.</li>
</ol>

<h2 class="wp-block-heading" id="steps-to-decommission-your-ad-fs-servers">Steps to decommission your AD FS Servers</h2>

<p>This section provides the step-by-step process to decommission your AD FS servers.</p>

<p>Before reaching this point, you must verify that no relying party trust still present on the AD FS servers is receiving traffic.</p>

<p>Before you begin, check the <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-adfs">AD FS event logs and/or Microsoft Entra Connect Health</a> for any sign-in successes or failures: either means these servers are still being used for something. If you do see sign-in successes or failures, check how to <a href="https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure">migrate your apps</a> from AD FS or <a href="https://learn.microsoft.com/en-us/azure/active-directory/hybrid/migrate-from-federation-to-cloud-authentication">move your authentication</a> to Microsoft Entra ID.</p>

<p>Once the above is verified, you can take the following steps (assuming the AD FS servers aren't used for anything else now).</p>

<p><strong>Note</strong></p>

<p>After you have moved your authentication to Microsoft Entra ID, test your environment for at least one week to verify that cloud authentication is running smoothly without any issues before you remove anything.</p>

<ol class="wp-block-list">
<li>Consider taking an optional <a href="https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool#create-a-backup">final backup</a> before decommissioning the AD FS servers. The backup contains the farm's token-signing and decrypting keys, so store it with the same care as the live keys and destroy it once the retention period is over.</li>

<li>Remove any AD FS entries from all load balancers (internal as well as external) configured in your environment.</li>

<li>Delete the DNS records for the AD FS farm name(s) in your environment.</li>

<li>On the primary AD FS server run <a href="https://learn.microsoft.com/en-us/powershell/module/adfs/get-adfsproperties?view=windowsserver2022-ps&amp;preserve-view=true"><code>Get-AdfsProperties</code></a> and look for <strong>CertificateSharingContainer</strong>. Keep a note of this DN, because you need it to delete the container near the end of the uninstallation (after the reboots, when the AD FS cmdlets are no longer available to look it up).</li>

<li>If your AD FS configuration database uses a SQL Server instance as the store, delete the AD FS configuration and artifact databases before uninstalling the AD FS servers.</li>

<li>Uninstall the WAP (Web Application Proxy) servers.
<ul class="wp-block-list">
<li>Sign in to each WAP server, open the Remote Access Management Console and look for published web applications.</li>
<li>Remove any that relate to the AD FS servers and are no longer used.</li>
<li>When all the published web applications are removed, uninstall WAP with the following command: <a href="https://learn.microsoft.com/en-us/powershell/module/servermanager/uninstall-windowsfeature?view=windowsserver2022-ps&amp;preserve-view=true"><code>Uninstall-WindowsFeature Web-Application-Proxy,CMAK,RSAT-RemoteAccess</code></a>.</li>
</ul>
</li>

<li>Uninstall the AD FS servers.
<ul class="wp-block-list">
<li>Starting with the secondary nodes and finishing with the primary, uninstall AD FS with the <a href="https://learn.microsoft.com/en-us/powershell/module/servermanager/uninstall-windowsfeature?view=windowsserver2022-ps&amp;preserve-view=true"><code>Uninstall-WindowsFeature ADFS-Federation,Windows-Internal-Database</code></a> command. After this, run <code>del C:\Windows\WID\data\adfs*</code> to delete any remaining database files.</li>
</ul>
</li>

<li>Delete the AD FS Secure Sockets Layer (SSL) certificates, together with their private keys, from the certificate store of each server.</li>

<li>Re-image the AD FS servers with a full disk format, so that no copy of the configuration database or private keys survives on the disks.</li>

<li>You can now safely delete the AD FS service account (or group managed service account).</li>

<li>Remove the contents of the <strong>CertificateSharingContainer</strong> DN noted earlier using ADSI Edit after the uninstallation.</li>
</ol>

<p>Ref: <a href="https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/decommission/adfs-decommission-guide">Active Directory Federation Services (AD FS) decommission guide | Microsoft Learn</a></p>
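<p>The following script is an added example, not code from the original post or from Microsoft's decommission guide. It strings the checks and steps above into one guarded PowerShell run: it first proves the farm is idle (remaining relying party trusts, AD FS audit events in the last quiet window, and the domain's authentication type in Entra ID), records the <strong>CertificateSharingContainer</strong> DN, and only with <code>-Confirmed</code> removes the WAP and secondary AD FS nodes, the SSL certificate and its private key, and the sharing container's contents. It assumes the ADFS, ActiveDirectory and (optionally) Microsoft.Graph modules are installed, that AD FS auditing was enabled (<code>Set-AdfsProperties -AuditLevel Basic</code> plus the "Application Generated" audit subcategory), and that the account has local administrator rights on every node. The host names, domain name and quiet-window length are placeholders you must replace.</p>

```powershell
#requires -RunAsAdministrator
# Added example (not from the original page). Run on the PRIMARY AD FS node.
# Placeholders: node names, WAP names, tenant domain. Without -Confirmed it is a dry run.
param(
    [string[]]$SecondaryNodes = @('adfs02.corp.example.com'),   # placeholder
    [string[]]$WapServers     = @('wap01.corp.example.com'),    # placeholder
    [string]  $TenantDomain   = 'corp.example.com',             # placeholder
    [int]     $QuietDays      = 7,
    [switch]  $Confirmed
)
Import-Module ADFS, ActiveDirectory -ErrorAction Stop

# --- Phase 1: prove the farm is idle --------------------------------------------
$rps = Get-AdfsRelyingPartyTrust | Where-Object Enabled
if ($rps) {
    Write-Warning "$($rps.Count) enabled relying party trust(s) remain:"
    $rps | Select-Object Name, @{n='Id';e={$_.Identifier -join ','}} | Format-Table -AutoSize
}

# AD FS audit events (Security log, source 'AD FS Auditing'): 1200 = token issued,
# 1202 = credential validated, 1203 = credential validation failed. Any hit in the
# quiet window means someone still signs in here.
$since  = (Get-Date).AddDays(-$QuietDays)
$events = Get-WinEvent -FilterHashtable @{ LogName='Security'; ProviderName='AD FS Auditing';
                                           Id=1200,1202,1203; StartTime=$since } -ErrorAction SilentlyContinue
if ($events) { Write-Warning "$($events.Count) AD FS sign-in event(s) since $since; farm is NOT idle." }

# Domain must already be 'Managed' in Entra ID (requires Connect-MgGraph -Scopes Domain.Read.All).
if (Get-Command Get-MgDomain -ErrorAction SilentlyContinue) {
    $auth = (Get-MgDomain -DomainId $TenantDomain).AuthenticationType
    if ($auth -ne 'Managed') { Write-Warning "$TenantDomain is still '$auth' in Entra ID." }
}

# --- Phase 2: record what is needed after the AD FS cmdlets are gone -----------------
$props   = Get-AdfsProperties
$cscDn   = $props.CertificateSharingContainer
$sslThumbs = Get-AdfsSslCertificate | Select-Object -ExpandProperty CertificateHash -Unique
$notes   = Join-Path $env:USERPROFILE 'adfs-decommission-notes.txt'
"CertificateSharingContainer=$cscDn`nSslThumbprints=$($sslThumbs -join ',')" | Set-Content $notes
Write-Host "Recorded CertificateSharingContainer and SSL thumbprints in $notes"

if ($rps -or $events) { throw 'Refusing to continue: the farm still shows usage (see warnings).' }
if (-not $Confirmed)  { Write-Host 'Dry run complete. Re-run with -Confirmed to decommission.'; return }

# --- Phase 3: WAP servers first --------------------------------------------------------
foreach ($wap in $WapServers) {
    Invoke-Command -ComputerName $wap -ScriptBlock {
        Get-WebApplicationProxyApplication | Remove-WebApplicationProxyApplication
        Uninstall-WindowsFeature Web-Application-Proxy, CMAK, RSAT-RemoteAccess
    }
}

# --- Phase 4: secondary AD FS nodes, then this (primary) node --------------------------
$uninstallAdfs = {
    param($thumbs)
    Uninstall-WindowsFeature ADFS-Federation, Windows-Internal-Database
    Remove-Item 'C:\Windows\WID\data\adfs*' -Force -ErrorAction SilentlyContinue
    # Remove the SSL cert AND its private key from the machine store.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $thumbs -contains $_.Thumbprint } |
        Remove-Item -DeleteKey
}
foreach ($node in $SecondaryNodes) {
    Invoke-Command -ComputerName $node -ScriptBlock $uninstallAdfs -ArgumentList (,$sslThumbs)
}
& $uninstallAdfs $sslThumbs   # primary last

# --- Phase 5: AD clean-up (the page does this in ADSI Edit; Remove-ADObject is equivalent)
Get-ADObject -SearchBase $cscDn -SearchScope OneLevel -Filter * |
    Remove-ADObject -Recursive -Confirm:$false
Write-Host 'Now re-image the nodes, delete DNS/load-balancer entries and the service account.'
```

<p>The script deliberately stops before touching anything when a relying party trust is still enabled or an AD FS audit event fell inside the quiet window; those are the two signals the page tells you to check, and a decommission that proceeds over them breaks whichever application was still federating. The SSL thumbprints are captured before <code>Uninstall-WindowsFeature</code> removes the ADFS module, for the same reason the page tells you to note the <strong>CertificateSharingContainer</strong> DN up front. The re-image, the DNS and load-balancer removal and the service-account deletion are left as manual steps because they depend on tooling the page does not describe.</p>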