U-Tools: Unique Tools for Windows System Administrators
U-Move Help
Menu

Moving the AD FS Database

Active Directory Federation Services (AD FS) provides single sign-on (SSO) access to applications that span organizational boundaries. It uses claims-based authentication to convert a trusted security token from the Accounts domain to a trusted security token in the Resources domain. It is typically used to access an extranet website that is hosted by a partner organization.

For web authentication, AD FS uses the WS-* Web Services Architecture.

Note: U-Move is designed primarily to move Active Directory Domain Services (AD DS), so it operates only on a domain controller. U-Move moves AD FS as a courtesy to help you move to a new domain controller. U-Move will not move AD FS to/from a non-domain controller.

How to Move the AD FS Database

To move the AD FS database, use the following procedure:

  1. On the source computer, run U-Move and check the box in Advanced Options to back up the AD FS database. (The box is checked by default.)
  2. On the destination computer, install and configure the AD FS Server Role (see below).
  3. On the destination computer, run U-Move and check the box in Advanced Options to load the AD FS database. (The box is checked by default for a comprehensive restore.)
  4. When prompted, click the Finish button. U-Move will load the requested databases (including AD FS) and reboot.

Before you can load AD FS, you must first install and configure the AD FS Server Role on the destination computer.

Installing AD FS: Create a dummy domain

If you have not yet copied AD from the source computer you will need to first create a temporary dummy domain. This is because AD FS will refuse to install unless it can see an Active Directory domain. (The dummy domain will be overwritten later when you run U-Move.)

Promote the destination computer to be a domain controller for the dummy domain. Select the option to create a new Domain controller for a new domain and a Domain in a new forest. For the name of the domain use a dummy name that is not used anywhere else on the network. For example use “dummy.local”. Reboot to bring up the new dummy domain.

Install AD FS

Install the AD FS Server Role on the destination computer. The version of AD FS that you install on the destination computer must be the same version that you installed on the source computer. U-Move will check the version and warn you if they are not the same.

During installation of AD FS, select Federation server (not Federation server proxy).

Configure AD FS

Go to Control Panel -> System and Security -> Administrative Tools -> AD FS Management and run the AD FS Configuration Wizard. If the AD FS database was installed locally on the source computer, select Create a new AD FS Service and New federation server farm. This will install the required Microsoft SQL Server engine that is bundled with Windows Server (Windows Internal Database). The database engine must be installed so that U-Move can load the database into it.

The AD FS Configuration Wizard requires that you install a dummy SSL web certificate before it will proceed. You can import the existing AD FS web certificate from the source computer (.pfx file), or you can create a new temporary one. The contents of the SSL certificate are not important because the dummy certificate will be replaced when you load Active Directory.

Choose or create a dummy service account to run AD FS. (The service account name is not important. It will be replaced when you load AD.)

You can skip any remaining configuration steps (e.g., add a trusted party or add claims).

U-Move Will Verify Compatibility

U-Move will verify that you have configured AD FS correctly on the destination computer. If the configuration is not compatible with the AD FS configuration on the source computer, U-Move will stop and display an explanatory error message. It will wait for to correct the problem before it will continue.

How to Move the AD FS Database

See Also

See Next steps for completing your AD FS installation (Microsoft Docs).

For information on how to migrate AD FS by hand, see Migrating Active Directory Federation Services Role Service to Windows Server 2012 R2 (Microsoft Docs). When cloning AD, U-Move will automatically do all these steps for you.

U-Move for Active Directory
U-Move for Active DirectoryU-Move for Active Directory
Backing Up Active DirectoryBacking Up Active Directory
Restoring Active DirectoryRestoring Active Directory
Cloning Active DirectoryCloning Active Directory
Advanced TopicsAdvanced Topics
Moving Application DatabasesMoving Application Databases
Moving the AD FS DatabaseMoving the AD FS Database
Moving the Certificate Services DatabaseMoving the Certificate Services Database
Moving COM+Moving COM+
Moving the DHCP DatabaseMoving the DHCP Database
Moving EFS Recovery Agent KeysMoving EFS Recovery Agent Keys
Moving IIS Security SettingsMoving IIS Security Settings
Moving the WSUS DatabaseMoving the WSUS Database
Moving the WINS DatabaseMoving the WINS Database
Upgrading Active DirectoryUpgrading Active Directory
Remote Use and ScriptingRemote Use and Scripting
AD Consulting and Repair ServiceAD Consulting and Repair Service
AD Recovery ServiceAD Recovery Service
Error MessagesError Messages