
Sunday, February 28, 2021

How to Change ADFS Service Account

Description:

You have an existing AD FS farm running under a regular user account. To increase security you want to change the AD FS service account to a group Managed Service Account (gMSA).

Resolution:

Source of Information: https://github.com/microsoft/adfsToolbox/tree/master/serviceAccountModule

  1. Download the ServiceAccount.psm1 module to all of your AD FS servers (primary and secondary)

  2. Import the PowerShell Module on all servers

    In a PowerShell window, run the following: ipmo ServiceAccount.psm1

  3. For Windows Server 2016 and later, add a rule granting the new service account necessary permissions.

    In a PowerShell window on the primary AD FS server, run the following:

    Add-AdfsServiceAccountRule -ServiceAccount <ServiceAccount> -SecondaryServers <ListOfSecondaryServers>

    Note that <ServiceAccount> should be the service account you want to grant permissions to and can be provided either in the format Domain\User or merely User.

    <ListOfSecondaryServers> should be replaced with a list of secondary servers if the environment is a WID farm so that the configuration database can be synced across all machines.

  4. Change the service account on each machine in the farm.

    Beginning with the secondary servers, run the following:

    Update-AdfsServiceAccount

    Once the function has been executed on all secondary servers, proceed to run it on the primary server.

  5. If Device Registration Services (DRS) is set up in your AD FS environment, you must also use the Set-AdfsDeviceRegistration cmdlet (an internal command exposed by the service) to add the proper permissions to the new service account.

  6. For Windows Server 2016 and later, remove the rule granting permissions to the old service account.

    In a PowerShell window on the primary AD FS server, run the following:

    Remove-AdfsServiceAccountRule -ServiceAccount <ServiceAccount> -SecondaryServers <ListOfSecondaryServers>

    Note that <ServiceAccount> should be the service account you want to revoke permissions for and can be provided either in the format Domain\User or merely User.

    <ListOfSecondaryServers> should be replaced with a list of secondary servers if the environment is a WID farm so that the configuration database can be synced across all machines.
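The six steps above, run end to end with a pre-flight check and a post-change verification. This is an added example, not code from the adfsToolbox project; the account names (CONTOSO\gmsa-adfs$ as the new gMSA, CONTOSO\svc-adfs as the old account) and the server names are assumed values.

```powershell
# Added example (not from the adfsToolbox project). Run from a console on the primary AD FS server.
# Assumed values: gMSA CONTOSO\gmsa-adfs$, old account CONTOSO\svc-adfs, primary adfs01, secondaries adfs02/adfs03.
$NewAccount  = 'CONTOSO\gmsa-adfs$'          # gMSA SAM names end with $
$OldAccount  = 'CONTOSO\svc-adfs'            # the regular user account being retired
$Primary     = 'adfs01.contoso.local'
$Secondaries = @('adfs02.contoso.local', 'adfs03.contoso.local')

# Pre-flight: every farm node must be able to retrieve the gMSA password, otherwise the
# service will fail to start after the switch. (Needs the AD PowerShell module on each node.)
foreach ($node in $Secondaries + $Primary) {
    $ok = Invoke-Command -ComputerName $node -ScriptBlock { Test-ADServiceAccount -Identity 'gmsa-adfs$' }
    if (-not $ok) { throw "gMSA not retrievable on $node; fix PrincipalsAllowedToRetrieveManagedPassword first" }
}

# Steps 2-3: import the module (already copied to every node in step 1) and grant the new account.
Import-Module .\ServiceAccount.psm1
Add-AdfsServiceAccountRule -ServiceAccount $NewAccount -SecondaryServers $Secondaries

# Step 4: Update-AdfsServiceAccount is run on each SECONDARY console first, then here on the primary.
Update-AdfsServiceAccount

# Step 5 applies only if DRS is configured: run Set-AdfsDeviceRegistration for the new account here.

# Verify the Windows service on every node now starts as the gMSA before revoking the old account.
foreach ($node in $Secondaries + $Primary) {
    $svc = Invoke-Command -ComputerName $node -ScriptBlock {
        Get-CimInstance Win32_Service -Filter "Name='adfssrv'" | Select-Object State, StartName
    }
    "{0}: {1} as {2}" -f $node, $svc.State, $svc.StartName
    if ($svc.StartName -ne $NewAccount) { throw "$node still runs as $($svc.StartName); do not remove the old rule yet" }
}

# Step 6: only now revoke the permissions of the old account.
Remove-AdfsServiceAccountRule -ServiceAccount $OldAccount -SecondaryServers $Secondaries
```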


Upgrading Active Directory Federation Service (ADFS) Server

Description:

You want to upgrade existing ADFS and ADFS Proxy (WAP) to new version in new machines.

Resolution:

Upgrade ADFS Server
  • Export the existing SSL Certificate with Private Key
  • Import the SSL Certificate with Private Key on new ADFS and ADFS Proxy machines
  • Install the AD FS Role using Server Manager on the new machines
  • Configure AD FS using Server Manager > Will need Domain Admin Account and Service Account for ADFS
  • Move the Primary ADFS Role to the new ADFS machine
    • To check the role, please run: Get-AdfsSyncProperties
    • On the new primary machine, please run:
      Set-AdfsSyncProperties -Role PrimaryComputer
    • On the old ADFS primary machine, please run:
      Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName FQDNnewADFS

  • Demote the old ADFS machines
  • Raise the ADFS Farm Behavior Level (FBL)

    • Please run the following:
      • Get-AdfsFarmInformation
      • Invoke-AdfsFarmBehaviorLevelRaise

  • Change DNS Record to point to the new AD FS Server
  • Test access and authentication to new ADFS

https://adfs.fabrikam.com/adfs/ls/idpinitiatedsignon.aspx

Upgrade WAP Server
  • Install Web Application Proxy Role using Server Manager on the new machines
  • Configure WAP using Server Manager > Will need local administrator account on the federation servers
  • Verify the trust with the AD FS farm
    • Navigate to Applications and Services Logs > AD FS > Admin
    • You should be able to see an event with ID 245
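A post-upgrade verification pass covering the checkpoints from both lists above (primary role, FBL, DNS, sign-in page, WAP trust event 245). This is an added example, not code from the original post; the farm name adfs.fabrikam.com comes from the post, while the new primary and WAP host names are assumed.

```powershell
# Added example, not from the original post. Assumed names: new primary newadfs01, new WAP wap01.
$FarmFqdn   = 'adfs.fabrikam.com'
$NewPrimary = 'newadfs01.fabrikam.com'
$NewWap     = 'wap01.fabrikam.com'

# 1. Role: the new machine must report PrimaryComputer after Set-AdfsSyncProperties.
$sync = Invoke-Command -ComputerName $NewPrimary -ScriptBlock { Get-AdfsSyncProperties }
if ($sync.Role -ne 'PrimaryComputer') { throw "$NewPrimary is $($sync.Role), not the primary" }

# 2. Farm Behavior Level: after Invoke-AdfsFarmBehaviorLevelRaise, list the level and the nodes
#    (any old node still listed has not been demoted yet).
$farm = Invoke-Command -ComputerName $NewPrimary -ScriptBlock { Get-AdfsFarmInformation }
"Farm behavior level: $($farm.CurrentFarmBehavior)"
$farm.FarmNodes | Format-Table -AutoSize

# 3. DNS: the farm name must now resolve to the new server(s), not the decommissioned ones.
$addresses = (Resolve-DnsName -Name $FarmFqdn -Type A).IPAddress
"$FarmFqdn -> $($addresses -join ', ')"

# 4. Sign-in page reachable. The IdP-initiated page is disabled by default on AD FS 2016 and later;
#    enable it with: Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
$r = Invoke-WebRequest -Uri "https://$FarmFqdn/adfs/ls/idpinitiatedsignon.aspx" -UseBasicParsing
"Sign-in page HTTP status: $($r.StatusCode)"

# 5. WAP trust: event 245 in the AD FS/Admin log on the proxy means the trust with the farm was established.
$evt = Invoke-Command -ComputerName $NewWap -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 245 } -MaxEvents 1 -ErrorAction SilentlyContinue
}
if ($evt) { "WAP trust established at $($evt.TimeCreated)" } else { Write-Warning 'No event 245 on the WAP yet' }
```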

Friday, February 12, 2021

Local Administrator Password Solution (LAPS) - Cannot Reset Password

Description:

You have properly set up Local Administrator Password Solution (LAPS) in your domain environment:

  • Admpwd.dll is deployed and registered on the client computers
  • The Group Policy that manages the password is configured and linked to the proper OU
  • Permissions to read and reset the password are properly set up on the OU

However, when you try to reset the local admin password for one of the computers, the new password is never generated automatically.

Resolution:

Please check the time configuration on the computer whose password you are trying to reset. Does the machine's time sync properly with the Domain Controller? If not, please fix it, restart the machine, and try to reset the password again.

Please also check the following registry at the machine:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Value Name: Type

Value Data: NT5DS
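The checks described above scripted against one client, followed by a fresh reset so you can confirm the password is actually regenerated. This is an added example, not code from the original post; the client name PC01 is assumed, and the management host is assumed to have the AdmPwd.PS module installed.

```powershell
# Added example, not from the original post. Assumed: client PC01, AdmPwd.PS installed on this host.
$Client = 'PC01'

# A reset only writes "expire now" into the computer object; the client's LAPS extension compares that
# timestamp with its OWN clock at the next Group Policy refresh. A client clock running ahead of the
# domain therefore never sees the password as expired, which is the symptom above.
Invoke-Command -ComputerName $Client -ScriptBlock {
    $w32 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    if ($w32.Type -ne 'NT5DS') {
        Write-Warning "W32Time Type is '$($w32.Type)', expected NT5DS (sync from the domain hierarchy)"
    }
    # Offset against the logon DC; offsets of minutes rather than milliseconds mean sync is broken.
    $dc = $env:LOGONSERVER.TrimStart('\')
    w32tm /stripchart /computer:$dc /samples:3 /dataonly
    w32tm /resync /nowait
}

# Re-trigger the reset, force a policy refresh on the client, and read back the result.
Import-Module AdmPwd.PS
Reset-AdmPwdPassword -ComputerName $Client
Invoke-Command -ComputerName $Client -ScriptBlock { gpupdate /target:computer /force | Out-Null }
$pw = Get-AdmPwdPassword -ComputerName $Client
# After a successful regeneration the expiration moves into the future (the policy's password age).
"Expiration now: $($pw.ExpirationTimestamp)"
```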


Thursday, February 11, 2021

Azure AD Connect - AD DS Connector Account

To find out which account the Active Directory connector(s) use, run the following two lines of Windows PowerShell:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

Get-ADSyncADConnectorAccount

Network Policy Server (NPS) - Event Logs not appear

Description:

You have set up NPS in your environment and it seems to work properly. However, when you check the event viewer at Custom Views\Server Roles\Network Policy and Access Services, you see only a very small number of events.

Resolution:

Run the following at an elevated command prompt on the NPS server:

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
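To confirm the setting took and that the events now arrive, the following added example (not from the original post) reads the audit policy back and summarises the NPS access-denied events (ID 6273, alongside 6272 for granted access) from the Security log on the NPS server.

```powershell
# Added example, not from the original post. Run elevated on the NPS server.
# auditpol /r prints CSV; the "Inclusion Setting" column shows what is currently audited.
$state = auditpol /get /subcategory:"Network Policy Server" /r | ConvertFrom-Csv
if ($state.'Inclusion Setting' -ne 'Success and Failure') {
    Write-Warning "NPS auditing is '$($state.'Inclusion Setting')'; run the auditpol /set command above"
}

# 6272 = Network Policy Server granted access, 6273 = denied access. Both land in the Security log.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } `
          -ErrorAction SilentlyContinue
"{0} NPS events in the last 24h" -f @($events).Count

# Denials grouped by the Reason field, which is what an admin actually needs to triage.
$events | Where-Object Id -eq 6273 | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        User   = $d['SubjectUserName']
        Client = $d['ClientName']      # RADIUS client (NAS) that forwarded the request
        Reason = $d['Reason']
    }
} | Group-Object Reason | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```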

