ADFS Rapid restore tool:

– download it from Microsoft Connect. 

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool 

With the ADFS Rapid Restore Tool, you can back up and restore your ADFS farm easily, in seconds…


To back up your ADFS farm, use the command listed below with the following switches:

  • BackupDKM – Backs up the Active Directory DKM container that contains the AD FS keys in the default configuration (automatically generated token signing and decrypting certificates).
  • StorageType – The type of storage: "FileSystem" stores the backup in a folder, locally or on the network; "Azure" stores the backup in an Azure Storage container (Azure Storage credentials must be passed to the cmdlet). The storage credentials contain the account name and key; a container name must also be passed in, and if the container doesn't exist, it is created during the backup.
  • EncryptionPassword – The password that is used to encrypt all the backed up files before storing them
  • AzureConnectionCredentials – The account name and key for the Azure storage account
  • AzureStorageContainer – The storage container where the backup will be stored in Azure
  • StoragePath – The location where the backups will be stored
  • ServiceAccountCredential – Specifies the service account currently used by the ADFS service. This parameter is only needed if the user wants to back up the DKM and is not a domain admin.
  • BackupComment <string[]> – An informational string about the backup that is displayed during the restore, similar to the concept of Hyper-V checkpoint naming. The default is an empty string.

Example:

Import-Module 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'

Backup-ADFS -StorageType "FileSystem" -StoragePath "d:\Scripts\ADFS Backups\" -EncryptionPassword "mypwd" -BackupComment "ADFS" -BackupDKM
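As an added example (not code from the original post or from the tool's documentation), the script below backs up the farm including the DKM container to Azure Storage, the second StorageType listed above, and avoids hard-coding the encryption password or the service account password in the script. It assumes the tool is installed at the default path shown above, that the account running it is not a domain admin (hence -ServiceAccountCredential), and that the storage account name and container name are placeholders to replace. Keep in mind what this backup contains: the DKM keys and the token-signing material of the farm, so the encryption password and the storage location deserve the same protection as the ADFS server itself.

```powershell
# Added example, not from the original post: back up an ADFS farm (with DKM) to Azure Storage.
# Assumptions: default install path of the tool; caller is not a domain admin;
# '<storage-account-name>' and '<container-name>' are placeholders to replace.

Import-Module 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'

# Record the current token-signing certificate so the restore can be verified later.
$signingThumbprint = (Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }).Thumbprint
Write-Host "Primary token-signing certificate before backup: $signingThumbprint"

# The encryption password protects the signing keys inside the backup:
# prompt for it instead of embedding it in the script or in the command history.
$encryptionPassword = Read-Host -Prompt 'Backup encryption password'

# Credentials of the ADFS service account, needed to read the DKM container
# when the caller is not a domain admin.
$serviceAccount = Get-Credential -Message 'ADFS service account (DOMAIN\user)'

# Azure Storage credentials: user name = storage account name, password = account key.
$azureCred = Get-Credential -UserName '<storage-account-name>' -Message 'Azure Storage account key'

# The comment is shown during restore, so make it say where and when the backup was taken.
$comment = "ADFS farm backup from $env:COMPUTERNAME on $(Get-Date -Format 'yyyy-MM-dd HH:mm')"

Backup-ADFS -StorageType 'Azure' `
            -AzureConnectionCredentials $azureCred `
            -AzureStorageContainer '<container-name>' `
            -EncryptionPassword $encryptionPassword `
            -ServiceAccountCredential $serviceAccount `
            -BackupComment $comment `
            -BackupDKM
```

Run it on one of the farm's federation servers. For a local backup, swap the three Azure parameters for -StorageType "FileSystem" and -StoragePath pointing at a folder whose ACL is restricted to the ADFS administrators.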

In the same way, the restore process is also very easy to achieve with the following switches:

  • StorageType – Same as for backup ("FileSystem" and "Azure")
  • DecryptionPassword – The password that was used to encrypt all the backed up files
  • AzureConnectionCredentials – The account name and key for the Azure storage account
  • AzureStorageContainer – The storage container in Azure where the backup is stored
  • StoragePath – The location where the backups are stored
  • ADFSName <string> – The name of the federation that was backed up and is going to be restored.
  • ServiceAccountCredential <pscredential> – Specifies the service account that will be used for the new ADFS service being restored
  • GroupServiceAccountIdentifier – The GMSA that the user wants to use for the new ADFS service being restored. By default, if neither is provided, the backed up account name is used if it was a GMSA; otherwise the user is prompted to enter a service account
  • DBConnectionString – If the user wants to use a different DB for the restore, they should pass the SQL connection string, or type in WID for WID.
  • Force – Skip the prompts that the tool might show once the backup is chosen
  • RestoreDKM – Restore the DKM container to AD; should be set if going to a new AD and the DKM was backed up initially.

Note that you must specify the database engine type used by the ADFS farm with the -DBConnectionString parameter. To restore your ADFS farm when using a WID database or SQL Server, use respectively the following parameters:

Import-Module 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'

Restore-ADFS -StorageType "FileSystem" -StoragePath "d:\Scripts\ADFS Backups" -DecryptionPassword "mypwd" -RestoreDKM -DBConnectionString "WID"

Restore-ADFS -StorageType "FileSystem" -StoragePath "d:\Scripts\ADFS Backups" -DecryptionPassword "mypwd" -RestoreDKM -DBConnectionString "Data Source=SQLServer\SQLINSTANCE; Integrated Security=True"
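As an added example (again not from the original post), here is a restore onto a freshly installed server that goes a bit beyond the two commands above: it uses the ADFSName, GroupServiceAccountIdentifier and Force switches listed earlier, restores into SQL Server, and then checks that the restored farm actually answers with the token-signing certificate you expect. It assumes the backup was taken with -BackupDKM and that the target is a new AD (hence -RestoreDKM); the federation service name, the gMSA, the SQL instance and the expected thumbprint are placeholders.

```powershell
# Added example, not from the original post: restore a backed-up farm on a new server
# with a gMSA and a SQL Server configuration database, then verify the result.
# Placeholders to replace: '<sts.example.com>', '<DOMAIN\gmsa-adfs$>',
# '<SQLServer\SQLINSTANCE>' and '<expected-thumbprint>' (recorded before the backup).

Import-Module 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'

$decryptionPassword = Read-Host -Prompt 'Backup decryption password'
$expectedThumbprint = '<expected-thumbprint>'

Restore-ADFS -StorageType 'FileSystem' `
             -StoragePath 'D:\Scripts\ADFS Backups' `
             -DecryptionPassword $decryptionPassword `
             -ADFSName '<sts.example.com>' `
             -GroupServiceAccountIdentifier '<DOMAIN\gmsa-adfs$>' `
             -DBConnectionString 'Data Source=<SQLServer\SQLINSTANCE>; Integrated Security=True' `
             -RestoreDKM `
             -Force

# After the restore the ADFS service is not running yet: start it and wait for it.
$service = Get-Service -Name adfssrv
if ($service.Status -ne 'Running') {
    Start-Service -Name adfssrv
    $service.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
}

# Verify that the farm came back with the keys we backed up, not freshly generated ones.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($signing.Thumbprint -ne $expectedThumbprint) {
    Write-Warning "Token-signing certificate differs from the backup: $($signing.Thumbprint)"
} else {
    Write-Host "Restore verified: primary token-signing certificate $($signing.Thumbprint)"
}

Get-AdfsProperties | Select-Object HostName, Identifier
```

If the thumbprint check fails, the most likely causes are a restore without -RestoreDKM into a new forest or a backup taken without -BackupDKM; in both cases the relying parties will reject tokens until the signing certificate is updated on their side.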

During the restore process, note that the ADFS Rapid Restore Tool proposes to the administrator to specify which backup to restore  – based on date and time.

As you can see, at this point it's almost done, but note that after the restore operation the ADFS service is not yet operational and running!
