Uninstalled AD FS in the incorrect order

  • Question

  • Hi there,

    I've had a mishap in the removal of an old AD FS environment (relying party trusts don't exist on it) I've been decommissioning, so I'm looking here for some advice on how to proceed.

    The AD FS servers and WAP servers in question are all Server 2012 R2 (ADFS 3.0). The process I followed was:

    1. Grabbed the DN from the primary ADFS server using PS cmdlet: (Get-ADFSProperties).CertificateSharingContainer
    2. Uninstalled all MFA Connectors from ADFS servers.
    3. Uninstalled MFA Server from the ADFS servers.
    4. Removed the MFA server entries from 'Server Status' section under Azure AD Portal -> MFA.
    5. Uninstalled AD FS role from the servers using cmdlet: Remove-WindowsFeature ADFS-Federation
    6. Uninstalled IIS using cmdlet: Remove-WindowsFeature Web-Server
    7. Removed the servers from the domain.
    8. Proceeded to decommission the WAP server... this is where I noticed my mistakes.

    I realized at this point I should have removed IIS before the AD FS role too, but this isn't the problem I have at hand.

    I came to decommission the WAP servers and realized the AD FS server roles should have been maintained until the Remote Access Management configuration had been decommissioned, as Remote Access Management is still trying to look at AD FS.

    The error in the console shows the following message:

    Web Application Proxy could not connect to the AD FS configuration storage and could not load the configuration. Make sure that the Web Application Proxy server can connect to the AD FS server, and if not, run the Install-WebApplicationProxy command (0x80075213).

    I've looked online and see a fair few articles discussing how to get it hooked up again with AD FS, but what if there is no AD FS? Is there a way to cleanly remove the installation and configuration from the environment now being in this state?

    I got complacent in the removal process, so I'm kicking myself now... if anyone could point me in the right direction, it would be greatly appreciated!

    Medz

    Wednesday, October 16, 2019 12:12 PM

Answers

  • ADFS on Windows Server 2012 R2 (aka ADFS 3.0) does not use IIS. So if you have an IIS service on your ADFS server, it was not a part of your ADFS deployment.

    If you are just trying to get rid of your ADFS farm, it is as easy as getting rid of the servers it is composed of (ADFS servers and WAP servers); that's it. For the sake of completeness, you can delete the CertificateSharingContainer, but that's not even taking much space anyway.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by msal7 Friday, October 18, 2019 9:10 AM
    Thursday, October 17, 2019 1:07 AM
    Owner
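The clean-up the answer describes, written out as PowerShell. This is an added example, not code from the thread or from Microsoft: it assumes the AD FS farm is already gone, that the WAP hosts are named wap01 and wap02 (placeholders), and that you still have the DN recorded earlier from (Get-ADFSProperties).CertificateSharingContainer (the DN below is a placeholder to replace). It also makes the security point the answer leaves implicit: that container is where AD FS keeps the DKM key protecting the farm's token-signing and token-decrypting private keys, so deleting it is key hygiene rather than a disk-space question.

```powershell
# Added example, not from the original thread. Replace the placeholder DN and host names.
$certSharingContainer = 'CN=<guid>,CN=ADFS,CN=Microsoft,CN=Program Data,DC=corp,DC=example,DC=com'
$wapServers = 'wap01', 'wap02'   # placeholder WAP host names

# --- 1. On each WAP server: drop the proxy role rather than trying to re-pair it. ---
# With no AD FS farm left, Install-WebApplicationProxy has nothing to pull configuration
# from and cannot succeed, so the only clean path is to remove the role and retire the box.
Invoke-Command -ComputerName $wapServers -ScriptBlock {
    Remove-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools
}

# --- 2. In AD: delete the certificate sharing (DKM) container of the old farm. ---
# The container holds the DKM key that encrypted the farm's token-signing/decrypting
# private keys. Leaving it behind leaves stale key material readable by anyone with
# read access to that part of the directory, so remove it once the farm is gone.
Import-Module ActiveDirectory
$container = Get-ADObject -Identity $certSharingContainer -ErrorAction SilentlyContinue
if ($container) {
    # -Recursive is required: the container has child objects (the DKM key entries).
    Remove-ADObject -Identity $container -Recursive -Confirm:$false
    Write-Host "Removed $certSharingContainer"
} else {
    Write-Host "Container already gone: $certSharingContainer"
}

# --- 3. Verify what is left under CN=ADFS. ---
# Anything still listed belongs to a different farm; leave those entries alone.
$adfsRoot = 'CN=ADFS,CN=Microsoft,CN=Program Data,' + (Get-ADDomain).DistinguishedName
Get-ADObject -SearchBase $adfsRoot -SearchScope OneLevel -Filter * -ErrorAction SilentlyContinue |
    Select-Object Name, DistinguishedName
```

Run step 1 with credentials that are local administrators on the WAP hosts and step 2 with an account that has delete rights on the CN=ADFS container (by default the account that installed the farm, or a Domain Admin). Step 3 is the check that the verification in the thread's closing reply implies: only containers from farms you still run should remain.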

All replies

  • Thanks for confirming. All decommissioned now along with the CertificateSharingContainer entries. Much appreciated!
    Friday, October 18, 2019 9:10 AM