Add a federation server to the federation server farm in Windows Server 2012 R2
Applies To: Azure, Office 365, Power BI, Windows Intune
After you install the Active Directory Federation Service (AD FS) role service on your computer running Windows Server 2012 R2, you are ready to configure this computer to become a federation server.
You can complete the following procedures to add this computer as an additional federation server to an existing federation server farm. (To create a new farm instead, see the procedure for configuring the first federation server in a new farm.)
Add a federation server to an existing federation server farm
Important
Make sure that you have obtained a valid SSL server authentication certificate before you complete this procedure. For more information, see Review the requirements for deploying AD FS.
To add a federation server to an existing federation server farm via the Active Directory Federation Service Configuration Wizard
On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server.
The Active Directory Federation Service Configuration Wizard is launched.
On the Welcome page, select Add a federation server to a federation server farm and click Next.
On the Connect to AD DS page, specify an account with domain administrator permissions for the AD domain that this computer is joined to and then click Next.
On the Specify Farm page, provide the name of the primary federation server in a farm using WID or specify the database host name and the database instance name of an existing federation server farm using SQL.
Warning
The wizard cannot be used to specify the SQL Server default instance. The workaround is to not use the user interface. Instead, use the steps in To add a federation server to an existing federation server farm via Windows PowerShell, which accept a SQLConnectionString for the default instance.
On the Specify SSL Certificate page, import the .pfx file containing the SSL certificate and key that you have obtained earlier. This is the required service authentication certificate. As stated in the ‘Certificate Requirements’ section of Review the requirements for deploying AD FS you must obtain this certificate and copy it onto the computer that you want to configure as a federation server. To import the .pfx file via the wizard, click Import and browse to the file’s location. Specify the password for the .pfx file when prompted.
On the Specify Service Account page, specify the same service account that you configured when you created the first federation server in the farm. You can use an existing group Managed Service Account (gMSA) or an existing domain user account.
Important
The account you specify must be the same account as the one that was used on the primary federation server in this farm.
On the Review Options page, verify your configuration selections and click Next.
On the Pre-requisite Checks page, verify that all pre-requisite checks were successfully completed, and then click Configure.
On the Results page, review the results and whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment. For more information, see Next steps for completing your AD FS installation. Click Close to exit the wizard.
To add a federation server to an existing federation server farm via Windows PowerShell
You can add a federation server to an existing farm using either an existing gMSA or an existing domain user account.
If you want to join a federation server to a farm using an existing gMSA account, do the following:
On the computer that you want to configure as a federation server, make sure that the required SSL certificate has been imported into the Local Computer\My store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window:
dir Cert:\LocalMachine\My
The certificate is listed by its thumbprint in the Local Computer\My store.
On the computer that you want to configure as a federation server, open the Windows PowerShell command window, and run the following command:
Add-AdfsFarmNode -GroupServiceAccountIdentifier <domain>\<GMSA_name>$ -PrimaryComputerName <first_federation_server_hostname> -CertificateThumbprint <certificate_thumbprint>
<domain>\<GMSA_name> is your AD domain and the name of your gMSA account in that domain (keep the trailing $ that gMSA account names carry). <first_federation_server_hostname> is the hostname of the primary federation server in this existing farm. You can obtain the value for <certificate_thumbprint> by running dir Cert:\LocalMachine\My as in the preceding step.
Note
If this is NOT the first time you run this command on this computer, add -OverwriteConfiguration.
Note
The command above creates a WID farm node. If you want to create a SQL Server farm node, you must have SQL Server already installed and operational, and the farm's configuration database must already exist on it. You can use the following command to add a federation server to an existing farm using SQL Server:
Add-AdfsFarmNode -GroupServiceAccountIdentifier <domain>\<GMSA_name>$ -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True" -CertificateThumbprint <certificate_thumbprint>
where SQL_Host_Name is the name of the server on which SQL Server is running, and SQL_instance_name is the name of the SQL instance (note the backslash between them). If you are using the default SQL Server instance, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True". No -PrimaryComputerName is given for a SQL farm, because every node reads the shared configuration database directly rather than syncing from a primary server.
If you want to join a federation server to a farm using an existing domain user account, do the following:
On the computer that you want to configure as a federation server, open the Windows PowerShell command window and run the following command:
$fscred = Get-Credential
Enter the domain user account credentials that you want to use for the federation service account in the format domain\username. This must be the same account that the primary federation server in the farm uses.
On the computer that you want to configure as a federation server, make sure that the required SSL certificate has been imported into the Local Computer\My store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window:
dir Cert:\LocalMachine\My
The certificate is listed by its thumbprint in the Local Computer\My store.
In the same Windows PowerShell command window, run the following command:
Add-AdfsFarmNode -ServiceAccountCredential $fscred -PrimaryComputerName <first_federation_server_hostname> -CertificateThumbprint <certificate_thumbprint>
Note
If this is NOT the first time you run this command on this computer, add -OverwriteConfiguration.
Note
The command above creates a WID farm node. If you want to create a SQL Server farm node, you must have SQL Server already installed and operational, and the farm's configuration database must already exist on it. You can use the following command to add a federation server to an existing farm using SQL Server:
Add-AdfsFarmNode -ServiceAccountCredential $fscred -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True" -CertificateThumbprint <certificate_thumbprint>
where SQL_Host_Name is the name of the server on which SQL Server is running, and SQL_instance_name is the name of the SQL instance (note the backslash between them). If you are using the default SQL Server instance, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".
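The two PowerShell procedures above (gMSA and domain user account, WID and SQL Server) can be run as one script that also performs the checks a practitioner wants before and after the join: that the SSL certificate in Local Computer\My has a private key, is currently valid, carries the Server Authentication EKU and matches the federation service name; that the join prerequisites pass; and that the new node reports a successful sync afterwards. This is an added example, not code from the original article or from Microsoft. The federation service name, hostnames, gMSA name and SQL values are placeholders you must replace; the check on the Status property of the Test-AdfsFarmJoin result is an assumption about that cmdlet's output object.

```powershell
# Added example (not part of the original article): join this server to an
# existing AD FS farm with pre- and post-checks. All values below are
# assumptions for illustration; replace them with your own.
$FederationServiceName = 'fs.contoso.com'       # assumed federation service DNS name
$PrimaryComputerName   = 'adfs01.contoso.com'   # assumed primary server (WID farms only)
$Gmsa                  = 'CONTOSO\svc-adfs$'    # assumed gMSA; keep the trailing $
$UseSql                = $false                 # $true to join a SQL Server farm
$SqlHost               = 'sql01.contoso.com'    # assumed SQL host
$SqlInstance           = ''                     # '' = default instance, else the instance name
$UseDomainUserAccount  = $false                 # $true to use a domain user account instead of the gMSA

Import-Module ADFS

# 1. Select the SSL certificate from Local Computer\My. It must have a private
#    key, be valid now, carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
#    and match the federation service name in its subject or SAN list.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
    ($_.Subject -like "CN=$FederationServiceName*" -or
     $_.DnsNameList.Unicode -contains $FederationServiceName)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No usable SSL certificate for $FederationServiceName in Cert:\LocalMachine\My"
}
Write-Host "Using certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 2. Build the Add-AdfsFarmNode parameters. The service account must be the
#    same one the primary federation server uses.
$params = @{ CertificateThumbprint = $cert.Thumbprint }

if ($UseDomainUserAccount) {
    # Prompts for domain\username of the existing federation service account.
    $params.ServiceAccountCredential = Get-Credential -Message 'Federation service account (domain\username)'
} else {
    $params.GroupServiceAccountIdentifier = $Gmsa
}

if ($UseSql) {
    # Named instance -> host\instance; default instance -> host only.
    $dataSource = if ($SqlInstance) { "$SqlHost\$SqlInstance" } else { $SqlHost }
    $params.SQLConnectionString = "Data Source=$dataSource;Integrated Security=True"
} else {
    $params.PrimaryComputerName = $PrimaryComputerName
}

# 3. Run the join prerequisite checks first; stop on anything other than Success.
#    (Assumption: the result object exposes Status and Message, as the other
#    AD FS deployment cmdlets' result objects do.)
$check = Test-AdfsFarmJoin @params
if ($check.Status -ne 'Success') {
    Write-Warning $check.Message
    throw 'AD FS farm join prerequisite checks did not succeed'
}

# Add -OverwriteConfiguration here if this server was configured before.
Add-AdfsFarmNode @params

# 4. Verify the node. A WID node should report Role = SecondaryComputer and a
#    successful LastSyncStatus; every node in a SQL farm reports PrimaryComputer
#    because the configuration is read from the shared database.
Get-AdfsSyncProperties | Format-List Role, PrimaryComputerName, LastSyncStatus, LastSyncFromPrimaryComputerName
```

Run the script in an elevated PowerShell session on the server you are joining, using an account with domain administrator permissions as the wizard requires. If the certificate selection fails, the usual causes are a .pfx imported without its private key, a certificate whose subject or SAN does not contain the federation service name, or one that was placed in the user store instead of Cert:\LocalMachine\My.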
Next step
Now that you have added this computer to the federation server farm, navigate back to Checklist: Deploy your federation server farm on Windows Server 2012 R2 and complete the rest of the steps.
See Also
Concepts
Checklist: Deploy your federation server farm on Windows Server 2012 R2
Checklist: Use AD FS to implement and manage single sign-on