AD FS Rapid Restore Tool

Posted: January 7, 2017 in Windows Server

The AD FS Rapid Restore tool can be used to quickly back up and restore an AD FS configuration. It backs up the following items:

- AD FS configuration database (SQL or WID)
- Configuration file (located in the ADFS folder)
- Automatically generated token-signing and token-decrypting certificates and their private keys (from the Active Directory DKM container)
- SSL certificate and any externally enrolled certificates (token signing, token decryption and service communication) with their private keys (note: the private keys must be exportable and the user running the script must have permission to access them)
- A list of the custom authentication providers, attribute stores, and local claims provider trusts that are installed

Download the tool from here

Open PowerShell as administrator and import the module:

Import-Module 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'

Creating a backup:

For backup, the following switches are available:

  • BackupDKM – Backs up the Active Directory DKM container that holds the AD FS keys in the default configuration (the automatically generated token-signing and token-decrypting certificates).
  • StorageType – The type of storage. "FileSystem" stores the backup in a local or network folder; "Azure" stores it in an Azure Storage container (Azure Storage credentials must be passed to the cmdlet). The storage credentials contain the account name and key; a container name must also be passed in, and if the container doesn't exist it is created during the backup.
  • EncryptionPassword – The password used to encrypt all the backed-up files before they are stored. Because the backup includes private keys, this password is all that protects them once the files leave the server; choose a strong one and keep it apart from the backup.
  • AzureConnectionCredentials – The account name and key for the Azure storage account.
  • AzureStorageContainer – The storage container in Azure where the backup will be stored.
  • StoragePath – The location where the backups will be stored.
  • ServiceAccountCredential – Specifies the service account that the AD FS service is currently running as. Only needed if you want to back up the DKM and are not a domain admin.
  • BackupComment <string[]> – An informational string about the backup that is displayed during the restore, similar to Hyper-V checkpoint naming. The default is an empty string.

DKM (Distributed Key Manager) is the mechanism AD FS uses to protect the private keys of its automatically generated token-signing and token-decrypting certificates: the keys are encrypted with DKM keys kept in a container in Active Directory, which is what -BackupDKM exports. AD FS creates and uses these DKM keys as needed, which in practice means when you initialise the farm and when a certificate expires and rolls over. For more info about DKM see this link

For example, the following command backs up the AD FS configuration, including the DKM, to the file system while running as a domain admin:

Backup-ADFS -StorageType "FileSystem" -StoragePath 'C:\testExport\' -EncryptionPassword 'Password01' -BackupComment "ADFS Backup" -BackupDKM

The password here is only a placeholder. The backup holds the private keys of the farm's token-signing and token-decrypting certificates, so use a long, unique password and store it separately from the backup files.
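Putting the backup switches together, here is a wrapper script added to this post (it is not code from the original post or from the tool's documentation). It generates a random passphrase instead of typing a literal one, keeps the secret out of the console history, stores it DPAPI-protected away from the backup files, and writes a SHA-256 manifest that can be checked before any restore. It assumes the tool's default install path, that it runs on an AD FS server as a domain admin (so -BackupDKM needs no -ServiceAccountCredential), and a hypothetical D:\ADFSBackups folder whose ACL is limited to AD FS administrators.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post or the tool's documentation.
# Wrapper around Backup-ADFS: random passphrase, secret kept out of the console
# history and stored DPAPI-protected apart from the backup, SHA-256 manifest for
# later integrity checks.
# Assumptions: default tool install path; run on an AD FS server by a domain admin;
# D:\ADFSBackups exists with an ACL restricted to AD FS administrators (hypothetical).

Import-Module 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'

$BackupRoot = 'D:\ADFSBackups'
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$TargetDir  = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null

# 32 bytes from the OS CSPRNG, base64-encoded (about 43 characters, 256 bits of entropy).
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$Passphrase = [Convert]::ToBase64String($bytes)

# The backup holds the private keys of the token-signing and token-decrypting
# certificates; anyone with these files plus the passphrase can sign tokens that
# every relying party trusts. The passphrase is passed as a variable, so the
# literal never lands in the PSReadLine history file.
$Comment = "AD FS farm backup from $env:COMPUTERNAME at $Stamp"
Backup-ADFS -StorageType 'FileSystem' -StoragePath $TargetDir `
            -EncryptionPassword $Passphrase -BackupComment $Comment -BackupDKM

# Save the passphrase outside the backup folder. ConvertFrom-SecureString without
# -Key protects it with DPAPI for the account running this script. Move the file
# into the password vault afterwards; never copy it alongside the backup.
$SecretFile = Join-Path $env:USERPROFILE "adfs-backup-$Stamp.pass"
ConvertTo-SecureString -String $Passphrase -AsPlainText -Force |
    ConvertFrom-SecureString |
    Set-Content -Path $SecretFile

# Manifest of SHA-256 hashes, one "HASH  relative\path" line per file, with paths
# relative to $TargetDir so the check still works after the folder is copied.
$Manifest = Join-Path $BackupRoot "$Stamp.sha256"
Get-ChildItem -Path $TargetDir -Recurse -File | ForEach-Object {
    $hash     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    $relative = $_.FullName.Substring($TargetDir.Length).TrimStart('\')
    "$hash  $relative"
} | Set-Content -Path $Manifest

# Scrub the plaintext passphrase from this session.
Remove-Variable -Name Passphrase, bytes
Write-Host "Backup written to $TargetDir"
Write-Host "Passphrase (DPAPI-protected) in $SecretFile, manifest in $Manifest"
```

Keep the manifest with the passphrase rather than with the backup: a manifest that travels next to the files it describes can be rewritten by the same person who tampers with them.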

Restoring from a backup:

  • StorageType – Same as for backup ("FileSystem" or "Azure").
  • DecryptionPassword – The password that was used to encrypt the backed-up files.
  • AzureConnectionCredentials – The account name and key for the Azure storage account.
  • AzureStorageContainer – The storage container in Azure where the backup is stored.
  • StoragePath – The location where the backups are stored.
  • ADFSName <string> – The name of the federation service that was backed up and is going to be restored.
  • ServiceAccountCredential <pscredential> – Specifies the service account that will be used for the new AD FS service being restored.
  • GroupServiceAccountIdentifier – The gMSA to use for the new AD FS service being restored. If neither this nor ServiceAccountCredential is provided, the backed-up account name is used if it was a gMSA; otherwise the user is prompted for a service account.
  • DBConnectionString – To restore to a different database, pass a SQL connection string, or WID to use WID.
  • Force – Skips the prompts the tool might show once the backup is chosen.
  • RestoreDKM – Restores the DKM container to Active Directory. Set this when restoring into a new AD and the DKM was backed up initially.

Examples:

This restores the AD FS configuration to WID:

Restore-ADFS -StorageType "FileSystem" -StoragePath 'C:\testExport\' -DecryptionPassword 'Password01' -DBConnectionString 'WID'

This restores the AD FS configuration to SQL:

Restore-ADFS -StorageType "FileSystem" -StoragePath 'C:\testExport\' -DecryptionPassword 'Password01' -DBConnectionString 'Data Source=SQLServer\SQLINSTANCE; Integrated Security=True'

This restores the AD FS configuration with the specified gMSA:

Restore-ADFS -StorageType "FileSystem" -StoragePath 'C:\testExport\' -DecryptionPassword 'Password01' -GroupServiceAccountIdentifier 'test\msa$'
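As an added example for the restore side (again not from the original post or the tool's documentation), this script refuses to run Restore-ADFS unless every backup file matches a SHA-256 manifest written at backup time (one "HASH  relative\path" line per file, paths relative to the backup folder), prompts for the decryption passphrase rather than taking it as a command-line literal, and sets -RestoreDKM only when the farm is being rebuilt in a different Active Directory. Assumptions: the tool's default install path, the adfssrv service name and the Get-AdfsCertificate cmdlet from the built-in ADFS module, the CONTOSO\adfsgmsa$ account mentioned in a comment, and a target server with the AD FS role installed but not configured.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post or the tool's documentation.
# Restore wrapper for a rebuilt AD FS server: integrity check of the backup against a
# SHA-256 manifest, passphrase prompted as a SecureString, Restore-ADFS via splatting,
# then a post-restore sanity check.
# Assumptions: default tool install path; AD FS role installed but not configured;
# the backup folder and its manifest were copied to this host.
param(
    [Parameter(Mandatory)] [string] $BackupDir,    # folder given to Backup-ADFS -StoragePath
    [Parameter(Mandatory)] [string] $ManifestFile, # "HASH  relative\path" lines from backup time
    [string] $DBConnectionString = 'WID',          # or e.g. 'Data Source=SQL01\ADFS; Integrated Security=True'
    [string] $GroupServiceAccountIdentifier,       # e.g. 'CONTOSO\adfsgmsa$' (hypothetical) to use a gMSA
    [switch] $NewForest                            # restoring into a different AD: DKM must come from the backup
)

Import-Module 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'

# 1. Integrity: every listed file must exist with the recorded hash, and no unlisted
#    file may have been dropped into the backup folder.
$problems = @()
$listed   = @{}
$root     = $BackupDir.TrimEnd('\')
foreach ($line in Get-Content -Path $ManifestFile) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    $expected, $relative = $line -split '  ', 2
    $listed[$relative.ToLowerInvariant()] = $true
    $file = Join-Path $root $relative
    if (-not (Test-Path -LiteralPath $file)) { $problems += "missing:  $relative"; continue }
    $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    if ($actual -ne $expected) { $problems += "modified: $relative" }
}
foreach ($f in Get-ChildItem -Path $root -Recurse -File) {
    $relative = $f.FullName.Substring($root.Length).TrimStart('\')
    if (-not $listed.ContainsKey($relative.ToLowerInvariant())) { $problems += "unlisted: $relative" }
}
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Backup integrity check failed; refusing to restore.'
}

# 2. Passphrase: prompted as a SecureString, so it is not recorded in the console history.
$secure = Read-Host -Prompt 'Backup decryption passphrase' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# 3. Restore. Splatting adds the optional parameters only when they were supplied.
$restoreArgs = @{
    StorageType        = 'FileSystem'
    StoragePath        = $root
    DecryptionPassword = $plain
    DBConnectionString = $DBConnectionString
}
if ($GroupServiceAccountIdentifier) { $restoreArgs.GroupServiceAccountIdentifier = $GroupServiceAccountIdentifier }
if ($NewForest) { $restoreArgs.RestoreDKM = $true }
try {
    Restore-ADFS @restoreArgs
} finally {
    $plain = $null   # drop the plaintext passphrase whether or not the restore succeeded
}

# 4. Post-restore check: service state and the restored token-signing certificate(s).
#    Compare the thumbprints with the ones recorded for the old farm.
Get-Service -Name adfssrv | Select-Object Status, StartType
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object Thumbprint, IsPrimary, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```

Run it as `.\Restore-AdfsFarm.ps1 -BackupDir D:\ADFSBackups\20170107-120000 -ManifestFile D:\Secrets\20170107-120000.sha256 -NewForest` when rebuilding in a new domain; leave -NewForest off when the original Active Directory, and with it the DKM container, is still in place.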