Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0

Applies To: Active Directory Federation Services (AD FS) 2.0


This checklist includes the tasks that are necessary to migrate all the required settings from your existing Active Directory Federation Services (AD FS) 1.x Federation Service to a new AD FS 2.0 Federation Service.

When you finish the tasks in this checklist, your AD FS migration is complete and you will be ready to roll out your new AD FS 2.0 deployment in your production environment.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0

Each task below is followed by the reference topic (or topics) that contains the procedure for it; "N/A" means the task has no separate procedure topic.

Task: Before you begin migrating Federation Service settings, review the conceptual information in the AD FS 2.0 Design Guide and make sure that you have prepared a federation server with the AD FS 2.0 software.

Reference:

  • Planning a Migration to AD FS 2.0

  • Checklist: Preparing a New AD FS 2.0 Federation Server for Migration

Task: If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you must export it, including its private key, from AD FS 1.x. After the certificate has been saved to a file, use the second reference topic to add it to the AD FS 2.0 Federation Service.

If your AD FS 1.x deployment uses a self-signed token-signing certificate, exporting it is not necessary, because AD FS 2.0 is configured to use a self-signed certificate by default.

Reference:

  • Export the private key portion of a token-signing certificate

  • Add a Token-Signing Certificate

Task: (Optional) If you require additional encryption of communications, you can also add a token-decrypting certificate to the Federation Service.

Reference:

  • Add a Token-Decrypting Certificate

Task: On one of the federation servers running AD FS 1.x from which you will migrate settings, complete the procedure in the reference topic to record the existing AD FS 1.x settings and migrate them to the equivalent AD FS 2.0 Federation Service settings.

Reference:

  • Migrate AD FS 1.x Federation Service Settings to the AD FS 2.0 Federation Service

Task: Using the Active Directory Federation Services snap-in on a federation server running AD FS 1.x, complete the procedure in the reference topic to record the pertinent account partner settings in the AD FS 1.x Federation Service and migrate them to the equivalent claims provider trust settings in the AD FS 2.0 Federation Service.

Repeat this procedure for each account partner trust in the AD FS 1.x Federation Service until all account partners have been migrated.

Reference:

  • Migrate an Account Partner to a Claims Provider Trust in the AD FS 2.0 Federation Service

Task: Using the Active Directory Federation Services snap-in on a federation server running AD FS 1.x, complete the procedure in the reference topic to record the pertinent resource partner settings in the AD FS 1.x Federation Service and migrate them to the equivalent relying party trust settings in the AD FS 2.0 Federation Service.

Repeat this procedure for each resource partner trust in the AD FS 1.x Federation Service until all resource partners have been migrated.

Reference:

  • Migrate a Resource Partner to a Relying Party Trust in the AD FS 2.0 Federation Service

Task: Using the Active Directory Federation Services snap-in on a federation server running AD FS 1.x, complete the procedure in the reference topic to record the pertinent application settings in the AD FS 1.x Federation Service and migrate them to the equivalent relying party trust settings in the AD FS 2.0 Federation Service.

Repeat this procedure for each application in the AD FS 1.x Federation Service until all applications have been migrated.

Reference:

  • Migrate an Application to a Relying Party Trust in the AD FS 2.0 Federation Service

Task: Using the AD FS 2.0 Management snap-in, in the Endpoints node make sure that the following two endpoints are enabled. These endpoints are important for interoperating with AD FS 1.x Web applications:

  • https://<example.com>/adfs/ls/

  • https://<example.com>/adfs/fs/federationserverservice.asmx

Reference: N/A
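As an added example that is not part of the original checklist, the following Windows PowerShell script performs the same endpoint check from the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell): it looks up each of the two endpoints by its address path, reports whether it is enabled, and enables any that are not. It assumes it is run in an elevated PowerShell session on an AD FS 2.0 federation server by an AD FS administrator.

```powershell
# Added example (not from the original checklist): verify that the two
# AD FS 1.x interoperability endpoints are enabled on the AD FS 2.0
# Federation Service, and enable them if they are not.
# Assumption: run elevated on an AD FS 2.0 federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Address paths of the two endpoints named in the checklist
$requiredPaths = @(
    "/adfs/ls/",
    "/adfs/fs/federationserverservice.asmx"
)

$allEnabled = $true

foreach ($path in $requiredPaths) {
    # Look the endpoint up by its address path on this Federation Service
    $endpoint = Get-ADFSEndpoint -AddressPath $path

    if (-not $endpoint) {
        Write-Warning "Endpoint $path was not found on this Federation Service"
        $allEnabled = $false
        continue
    }

    if ($endpoint.Enabled) {
        Write-Host ("OK: {0} is enabled" -f $endpoint.FullUrl)
    } else {
        Write-Host ("Enabling {0}" -f $endpoint.FullUrl)
        Enable-ADFSEndpoint -TargetAddressPath $path
        # Re-read the endpoint to confirm the change took effect
        $endpoint = Get-ADFSEndpoint -AddressPath $path
        if (-not $endpoint.Enabled) {
            Write-Warning "Failed to enable $path"
            $allEnabled = $false
        }
    }
}

if ($allEnabled) {
    Write-Host "Both AD FS 1.x interoperability endpoints are enabled."
} else {
    Write-Warning "One or more AD FS 1.x interoperability endpoints are not enabled; review the warnings above."
}
```

Run the script once per federation server in the AD FS 2.0 farm if the farm uses the Windows Internal Database, because endpoint settings are stored per Federation Service configuration and the check confirms what that server reports.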

Task: Before you decommission all AD FS 1.x federation servers, consider leaving at least one of the AD FS 1.x federation servers intact for a few days in case you experience mission-critical compatibility issues with the AD FS 2.0 deployment.

Reference: N/A