Current State:
15 Windows Server 2003 SP2 Servers (2 DCs, 3 File/Print Cluster, 3 Exchange Cluster,
1 FW, 1 SharePoint, etc)
15 Physical Servers
Future State:
SharePoint Online
Lync Online
Exchange Online
3 new physical servers running Windows Server 2008 R2 Enterprise (Enterprise is key,
because it gives you the licenses to run 4 virtual servers)
I will then Visio the solution. (Note: this one only shows the ADFS and DirSync setup)
One of the tools in my belt is the Exchange Server Deployment Assistant. This is an online
tool from Microsoft that allows you to enter information about your current Exchange
environment, your future Exchange environment and then it will spit out a beautiful plan for you
to follow.
Exchange Server Deployment Assistant
The Exchange Server Deployment Assistant is a web-based tool that asks you a few
questions about your current environment and then generates a custom step-by-step
checklist that will help you deploy different versions of Exchange Server for different types
of scenarios.
http://technet.microsoft.com/en-us/exdeploy2010/default.aspx#Index
Select the End Goal for Exchange, for us this is Hybrid. The reason that we choose this and not
Cloud only is because we want that Hybrid server for Migration purposes. We are not going to
move 1500 accounts overnight. When the migration is complete, the Exchange 2010 Hybrid
server will be removed.
Do you want mail sent between Exchange Online and your on-premises organizations to go
through an Edge Transport server in your perimeter network?
Do you already use Forefront Online Protection for Exchange to protect your on-premises
mailboxes?
Once you click Next, it will compile a custom plan for your move to Office 365. This online
checklist remembers your choices as you check them off. You can also download a PDF of
the plan.
INSERT PLAN HERE
What I love about this is that it includes detailed actions that you can share with the client and
some nice pictures that can be used to show the client the setup and mail flow during the migration.
Happy Migrating
Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment
or email me with what you would like to see.
Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single SignOn
This BLOG post covers setting up the primary AD FS 3.0 server on a Windows Server 2012 R2
virtual machine in Windows Azure.
Assumptions:
Enter a URL or Name for the Cloud Service. This name must be unique across the .cloudapp.net
name space.
Select your Region or Affinity Group
Click OK
Select the AD FS Cloud Service that was created earlier. This is very important.
Verify Subnet
Drop down to Create an availability set
Enter name for the availability set
***Note*** This does not load balance the servers; it just places the VMs so that the members
of the set land in different fault domains. If a rack of servers goes down, the outage isn't
extended to all the servers in the set.
Click Next
Click Next
Once the VM is provisioned go to the next step
Click Next
Leave defaults
Click Next
Click Next
Click Install
Type MMC
Click the MMC app
MMC opens
Click File
Click Add/Remove Snap-in
Select Certificates
Click Add>
Click OK
Expand Certificates
Expand Personal
Right Click Certificates
Select Import
Enter Password
Mark the key as exportable
Click Next
Click Finish
Successful
Click More where it says Configuration required for Active Directory Federation Services
Click the Configure the federation service action on the Post-Deployment Configuration task
Enter credentials for a user that has domain administrator permissions. This is used to complete
the install; it's not used as the AD FS service account.
Click Next
Select Windows Internal Database or the location of a SQL Server Database. The choice is yours,
but for most companies the Windows Internal Database works just fine
Click Next
Click Next
Successful
Connect to Microsoft Online Services with the credential variable set previously
Set the MSOL AD FS context to the AD FS server (optional if you are running this on the AD FS
server itself):
Set-MsolADFSContext -Computer adfs_servername.domain_name.com
Convert the domain to federated:
Convert-MsolDomainToFederated -DomainName domain_name.com
Successful Federation
Verify federation
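The federation and verification steps above as one script. This is an added example, not the post's own commands; the server FQDN adfs01.domain_name.com and the domain domain_name.com are placeholders, and the MSOnline module is assumed to be installed.

```powershell
# Added example (not from the original post): federate the domain from the
# primary AD FS server and verify the result from both sides.
# Assumptions (placeholders, not values from the post): the MSOnline module
# is installed, the AD FS server is adfs01.domain_name.com, and the
# domain being federated is domain_name.com.
Import-Module MSOnline

$adfsServer = "adfs01.domain_name.com"   # assumed AD FS server FQDN
$domain     = "domain_name.com"          # domain to convert to federated

# Global admin credentials for the Office 365 tenant (prompted, never hard-coded)
$msolCred = Get-Credential -Message "Office 365 global administrator"
Connect-MsolService -Credential $msolCred

# Point the MSOnline cmdlets at the AD FS server so the federation trust
# (issuer URI, token-signing certificate, endpoints) is read from the farm.
Set-MsolADFSContext -Computer $adfsServer

# Only convert a domain that is still Managed; re-running the conversion
# after a partial failure is a common mistake.
$before = Get-MsolDomain -DomainName $domain
if ($before.Authentication -eq "Federated") {
    Write-Warning "$domain is already federated; skipping conversion."
} else {
    Convert-MsolDomainToFederated -DomainName $domain
}

# Verify: the domain must now report Federated ...
$after = Get-MsolDomain -DomainName $domain
if ($after.Authentication -ne "Federated") {
    throw "Federation failed: $domain is still $($after.Authentication)"
}

# ... and the settings stored in the tenant must match what AD FS publishes.
# Get-MsolFederationProperty lists the AD FS side and the Office 365 side
# next to each other; the signing certificate and the passive/active
# endpoint URIs should be identical for both sources.
Get-MsolFederationProperty -DomainName $domain | Format-List
```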
This concludes the setup of the first AD FS server and federation with Office365. Please
continue through the rest of the series to complete the setup for the rest of the servers.
My BLOG Series
Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with
Office365
1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365
Single Sign-On
2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365
Single Sign-On
3. Load Balance the AD FS Servers in Windows Azure for Office365 Single Sign-On
1. Configure the AD FS Servers in an Internal Load-Balanced Set in
Windows Azure for Office365 Single Sign-On
2. Configure the AD FS Servers with Azure Load Balanced Set in Windows
Azure for Office365 Single Sign-On
4. Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP
Communications
5. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows
Azure for Office365 Single Sign-On
6. Setting up the Second Web Application Proxy Server (AD FS Proxy) in
Windows Azure for Office365 Single Sign-On
7. Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On
Kelsey Epps Office365 MVP
Technical Consultant
Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single
Sign-On
Now that we have the first AD FS server set up and are federated with Office365, we can add more
servers to the AD FS farm. This process can be repeated on one or many more servers,
depending on the number of servers you need in the AD FS farm to support the load from your
user base.
Assumptions:
Choose the Cloud Service that the first AD FS Server is installed in (setup earlier in the BLOG
series)
Verify Subnet
Choose the Availability Set that was created when we provisioned the first AD FS server
Click Next
Click Next
Wait for the Virtual Machine to be provisioned and then continue
Select AD FS
Click More where it says Configuration required for Active Directory Federation Services
Click the Configure the federation service action on the Post-Deployment Configuration task
Enter credentials for a user that has domain administrator permissions. This is used to complete
the install; it's not used as the AD FS service account.
Click Next
Select the SSL certificate that was imported earlier (the same certificate that was installed on the
primary AD FS server)
*** Note *** Since I am using a multi-name certificate, the name of the certificate does not
match my AD FS farm name. In production I always recommend that you use a single-name
certificate to keep things simple. If that's the case, then the certificate name should match the AD
FS farm name, e.g. sts.domain.com
Click Next
Select the AD FS service account (the same account that was used in the setup of the primary AD
FS server in the farm)
Enter the password
Click Next
Click Next
Success
We now have a two-node AD FS server farm set up in Windows Azure. Keep in mind that you
have to continue to the next post to set up load balancing for the servers.
Load Balance the AD FS Servers in Windows Azure for Office365 Single Sign-On
Azure has two methods of load balancing services out of the box. Your needs and
the security requirements of your company will decide which method you use. I have
detailed both methods in the two blog posts below. Be sure to reference the Microsoft link for the
details on both and decide which method is best for your company.
Azure Internal Load Balancing (ILB) provides load balancing between virtual machines that
reside inside of a cloud service or a virtual network with a regional scope
Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365
Single Sign-On
With this method you have one network with different address spaces for the internal (10.0.0.0)
and DMZ (172.16.0.0) networks. This method works, because Azure allows routing between the
different address spaces on the same network.
Azure load balanced set is layer 4 load balancing across the virtual machines of a cloud service
Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365
Single Sign-On
With this method, you have two physical networks in Azure. With this method, we rely on end
points and hosts files for routing between the networks. This is the more secure way of
implementing the solution since we will control access with ACLs between the networks.
Assumptions:
Primary and Secondary AD FS servers are setup (see previous posts in this
series)
WAP servers are deployed on the same network, different subnet as the ADFS
Servers. If you are unsure, see this BLOG post.
Type Add-AzureAccount
Press Enter
Enter the email address and password used to log in to your Azure account
Click Continue
Azure authenticates your account and then takes you back to the PowerShell window.
Cloud Service Name: This was created prior to creating the first AD FS 3.0 Virtual Machine
and can be found in the Azure Management Portal under Cloud Services
Internal Load-Balanced Instance Name: This is a name that is used to reference the ILB Set
Subnet Name: This was created when Azure Networking was created and can be found in the
Azure Management Portal under Networking
IP Address for the Internal Load-Balanced Instance: This can be set or automatically generated
$vmname="ConceppsADFS01"
$epname="ADFS02"
$vmname="ConceppsADFS02"
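The ILB procedure above, from Add-AzureAccount through adding both AD FS servers to the internal load-balanced set, as one idempotent script. This is an added example using the classic Azure PowerShell cmdlets, not the post's own script; the VM names are the ones the post shows, while the cloud service, ILB, subnet and IP values are placeholders.

```powershell
# Added example (not the post's own script): build the Azure Internal
# Load Balancer for the two AD FS servers with the classic (Service
# Management) Azure PowerShell module used in this series.
# Assumed values (placeholders except the VM names, which the post shows):
$serviceName = "ConceppsADFS"        # cloud service holding both AD FS VMs
$ilbName     = "ADFS_ILB"            # name used to reference the ILB set
$subnetName  = "Internal"            # subnet from the Azure virtual network
$ilbIp       = "10.0.0.20"           # static ILB address inside that subnet
$lbSetName   = "ADFS_SSL"
$vms = @(
    @{ Name = "ConceppsADFS01"; Endpoint = "ADFS01" },
    @{ Name = "ConceppsADFS02"; Endpoint = "ADFS02" }
)

Add-AzureAccount
Select-AzureSubscription -SubscriptionName "<your subscription>"  # placeholder

# Create the ILB once per cloud service; re-running the script must not fail.
if (-not (Get-AzureInternalLoadBalancer -ServiceName $serviceName)) {
    Add-AzureInternalLoadBalancer -InternalLoadBalancerName $ilbName `
        -ServiceName $serviceName -SubnetName $subnetName `
        -StaticVNetIPAddress $ilbIp
}

# Add a 443/tcp endpoint on each VM that belongs to the same load-balanced
# set and the same ILB. The TCP probe on 443 matches the post's portal
# settings; it only proves the listener is up, not that AD FS is healthy.
foreach ($vm in $vms) {
    Get-AzureVM -ServiceName $serviceName -Name $vm.Name |
        Add-AzureEndpoint -Name $vm.Endpoint -Protocol tcp `
            -LocalPort 443 -PublicPort 443 `
            -LBSetName $lbSetName -InternalLoadBalancerName $ilbName `
            -ProbeProtocol tcp -ProbePort 443 -ProbeIntervalInSeconds 15 |
        Update-AzureVM
}

# Verify both endpoints ended up behind the ILB.
foreach ($vm in $vms) {
    Get-AzureVM -ServiceName $serviceName -Name $vm.Name |
        Get-AzureEndpoint |
        Where-Object { $_.InternalLoadBalancerName -eq $ilbName } |
        Format-Table Name, LBSetName, Port, LocalPort, ProbePort -AutoSize
}
```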
Testing AD FS Sign-On
Open IE
Browse to the URL https://sts.domain.com/adfs/ls/IdpInitiatedSignon.aspx
Click Sign in
We are now set up with a highly available AD FS solution for all internal users. Continue with
the series to set up the Web Application Proxies (AD FS Proxy) so that external users have
access.
Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for
Office365 Single Sign-On
Assumptions:
Primary and Secondary AD FS servers are setup (see previous posts in this
series)
WAP servers are deployed on a different network than the AD FS Servers. If
you are unsure, see this BLOG post.
Configure as follows:
Name HTTPS
Protocol TCP
Public Port 443
Private Port 443
Configure as follows:
Load-Balanced Set Name ADFS_SSL
Probe Protocol TCP
Probe Port 443
Probe Interval 15
Number of Probes 2
The endpoint will be re-configured to load balance across the two AD FS servers.
At this point the AD FS servers have been load balanced. If you have more than two AD FS servers,
keep adding them to the load-balanced endpoint.
Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP
Communications
If you read the earlier posts in the series, you will have noted that there are two methods to
deploy the AD FS server load balancing. Because I am in an all-Azure environment, I chose to
deploy with method 2, using Azure load balancing on port 443 for AD FS. The following post
details how to set up Azure ACLs to allow communication from the DMZ network to the
production network and then deny all others.
This post needs the cloud service for the WAP servers created, along with at least one WAP server
deployed to the cloud service, so that we can get the Public Virtual IP. This needs to be completed
before we can add the WAP servers as proxies for the AD FS servers. There is no really clean way
to blog this, so you will have to jump back and forth between this post and Setting up the First
Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
to complete the task.
Assumptions:
Primary and Secondary AD FS servers are setup (see previous posts in this
series)
The first thing that you need to do is gather the Public Virtual IP for the WAP cloud service.
You will notice that the ACL list is not populated, which means that it's wide open to the
internet. We need to secure the AD FS load-balanced set while still giving the WAP servers
access. This will allow the WAP servers to talk to the AD FS servers. We are going to create two
rules: one permit and one deny.
The first rule will grant access from the WAP servers to the AD FS servers
Enter a description of the rule
Select Permit
Enter the IP address of the WAP cloud service in CIDR format. You will notice the /32 at the
end, which will limit the rule to that one IP address.
Now that we have granted access on port 443 to the WAP servers, we need to deny all others.
Keep in mind that this is for external traffic only. Internal users will still be able to access the AD
FS servers on the domain network. This is just for the NAT address from external client access in
Azure.
Select Deny
Enter 0.0.0.0/0
This will deny all other traffic
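The two procedures this applies to, the ADFS_SSL load-balanced endpoint from the Azure Load Balanced Set post and the permit/deny ACL above, as one script. This is an added example, not the post's own; the cloud service and VM names are placeholders, and the WAP VIP is read from an endpoint on a WAP VM that is assumed to exist already.

```powershell
# Added example (not the post's own script): publish the AD FS farm through
# an Azure load-balanced set on 443, then lock that endpoint down to the
# WAP cloud service's public VIP: permit first, deny everything else.
# Placeholders: cloud service and VM names.
$adfsService = "ConceppsADFS"            # AD FS cloud service (assumed)
$adfsVms     = @("ConceppsADFS01", "ConceppsADFS02")
$wapService  = "ConceppsWAP"             # WAP cloud service (assumed)
$wapVm       = "ConceppsWAP01"           # any WAP VM already deployed in it
$lbSetName   = "ADFS_SSL"
$epName      = "HTTPS"

# 1. Load-balanced 443 endpoint on each AD FS VM (same LBSetName joins them).
#    The portal's "Probe Interval 15" maps to -ProbeIntervalInSeconds; its
#    "Number of Probes 2" is expressed through -ProbeTimeoutInSeconds, left
#    at the module default here.
foreach ($vm in $adfsVms) {
    Get-AzureVM -ServiceName $adfsService -Name $vm |
        Add-AzureEndpoint -Name $epName -Protocol tcp -LocalPort 443 -PublicPort 443 `
            -LBSetName $lbSetName -ProbeProtocol tcp -ProbePort 443 `
            -ProbeIntervalInSeconds 15 |
        Update-AzureVM
}

# 2. Public VIP of the WAP cloud service, read from an endpoint on a WAP VM.
$wapVip = (Get-AzureVM -ServiceName $wapService -Name $wapVm |
           Get-AzureEndpoint | Select-Object -First 1).Vip
if (-not $wapVip) { throw "No endpoint (and so no VIP) found on $wapVm yet" }

# 3. ACL: lower Order wins, so the /32 permit must sort before the 0.0.0.0/0 deny.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet "$wapVip/32" `
    -Order 100 -Description "WAP cloud service to AD FS"
Set-AzureAclConfig -AddRule -ACL $acl -Action Deny -RemoteSubnet "0.0.0.0/0" `
    -Order 200 -Description "Deny all other internet sources"

# Apply to the whole load-balanced set so every AD FS VM in it gets the same rules.
Set-AzureLoadBalancedEndpoint -ServiceName $adfsService -LBSetName $lbSetName -ACL $acl

# 4. Verify: the ACL on each VM's endpoint should show exactly these two rules.
foreach ($vm in $adfsVms) {
    Get-AzureVM -ServiceName $adfsService -Name $vm |
        Get-AzureAclConfig -EndpointName $epName |
        Format-Table Order, Action, RemoteSubnet, Description -AutoSize
}
```

The ACL only applies to the public endpoint; internal users reaching the AD FS servers over the virtual network are unaffected, which matches what the post says about the NAT address.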
Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure
for Office365 Single Sign-On
The Web Application Proxy servers are the new way to publish AD FS to the internet. They
replace the old AD FS proxy servers and are new to Windows Server 2012 R2. These servers
should be deployed in a DMZ network and are non-domain joined.
Click New
Select Compute -> Cloud Service -> Custom Create
Enter a URL or Name for the Cloud Service. This name must be unique across the .cloudapp.net
name space.
Select your Region or Affinity Group
Click OK
Let the process configure the virtual machine. Once completed, log into the server and continue
with the next steps.
Click Change
Click More
Enter your public domain as the Primary DNS suffix of this computer
Click OK
Click OK
Reboot
Click Next
Click Next
Click Next
Click Next
Click Next
Click Next
Click Install
Installing
Click Close
Type MMC
Click the MMC app
MMC opens
Click File
Click Add/Remove Snap-in
Select Certificates
Click Add>
Click OK
Expand Certificates
Expand Personal
Right Click Certificates
Select Import
Enter Password
Mark the key as exportable
Click Next
Click Finish
Successful
Complete in Azure
Setup Azure ACLs to Allow the WAP Servers to Communicate with the
AD FS Servers
Since we are on separate networks (from the Internal Network), we also need to make sure that
we have configured Azure ACLs to allow the WAP servers to communicate with the AD FS servers
on the internal network. Please review this BLOG post to complete that task.
Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
Click Open the Web Application Proxy under the Action column
Click Next
Click Configure
Success
Click Close
At this point the WAP server is functioning. To test the WAP server, you can edit your local
workstation hosts file to point at the external IP of the WAP cloud service. This will allow you to
test the configuration without editing global DNS.
Continue on to the rest of the series where we will add a second WAP server and then load
balance the two.
Setting up the Second Web Application Proxy Servers (AD FS Proxy) in Windows
Azure for Office365 Single Sign-On
In the previous post, we created the first of two WAP servers. This is the continuation of the
series.
Select the cloud service you created when creating the first WAP server
Verify Virtual Network
Select an Availability Set that you created when creating the first WAP server
Click Next arrow
Let the process configure the virtual machine. Once completed, log into the server and continue
with the next steps.
Click Change
Click More
Enter your public domain as the Primary DNS suffix of this computer
Click OK
Click OK
Reboot
Click Next
Click Next
Click Next
Click Next
Click Next
Click Next
Click Install
Installing
Click Close
Type MMC
Click the MMC app
MMC opens
Click File
Click Add/Remove Snap-in
Select Certificates
Click Add>
Click OK
Expand Certificates
Expand Personal
Right Click Certificates
Select Import
Enter Password
Mark the key as exportable
Click Next
Click Finish
Successful
Complete in Azure
Click Cloud Services
Click the Cloud Service for your AD FS Servers
Make note of the Public Virtual IP (VIP) Address
Setup Azure ACLs to Allow the WAP Servers to Communicate with the
AD FS Servers
Since we are on separate networks (from the Internal Network), we also need to make sure that
we have configured Azure ACLs to allow the WAP servers to communicate with the AD FS servers
on the internal network. Please review this BLOG post to complete that task.
Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
Click Open the Web Application Proxy under the Action column
Click Next
Click Configure
Success
Click Close
At this point the WAP server is functioning. All that remains is to add an endpoint for port 443
and load balance the two servers.
Continue onto the next post in the series to finish the configuration.
Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set
in Windows Azure) for Office365 Single Sign-On
In the previous post we set up two WAP servers that will act as the AD FS proxy role for our
internal AD FS servers. Now that the servers are set up, we need to add an endpoint so that the
servers are accessible from the internet, and we also need to load balance the endpoint across the
two WAP servers.
Configure a Load Balanced End Point on the first Web Application Proxy
Server
Open the Azure Management Portal
Select the first WAP Server
Select Endpoints
Click + Add
Select HTTPS
Verify TCP
Verify Public Port 443
Verify Private Port 443
Select Create a Load-balanced set
Click Next Arrow
Add the Second Web Application Proxy Server to the WAP Load
Balanced Set
Now that we have the load balanced endpoint setup on the first server, we now need to add the
second server to this set.
At this point the servers are both added to the load balanced end point and are live on the
internet.
The user name should be populated with the value entered on Office365 sign-in page
Enter Password
Click Sign-in
This completes the series for Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for
Single Sign-on with Office365.