Configure the first federation server in a new federation server farm (if you installed Azure AD Connect with customized settings, this step was already done for you by the installer)

1. Log on to the AD FS server.
2. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on this server.
3. On the Welcome page, select Create the first federation server in a federation server farm, and then click Next.

4. On the Connect to AD DS page, specify an account that has domain administrator permissions in the Active Directory (AD) domain to which this computer is joined, and then click Next. This account is used only while the wizard runs; it is not stored or used by the federation service afterwards.

5. On the Specify Service Properties page, select the SSL certificate that you imported earlier. It must be in the computer's Personal store with its private key.

6. Select the Federation Service Name that you assigned to the external FQDN. The name must match the subject (or a subject alternative name) of the certificate.

7. Provide a display name for your federation service in Federation Service Display Name and then click Next.


8. On the Specify Service Account page, specify a service account. You can either create or use an existing group Managed Service Account (gMSA) or use an existing domain user account.

If you select the option to create a new gMSA account, specify a name for the new account. If you select the option to use an existing gMSA or domain account, click Select to select an account and then click Next.

If you receive a warning at this point, it means that the KDS Root Key has not been set yet. gMSAs are a Windows Server 2012 feature and depend on the Key Distribution Service (KDS) root key in the domain.


The benefit of using a gMSA is that Active Directory generates and rotates its password automatically, so no administrator ever knows or stores it and there is no long-lived service password to leak or reuse.

If you want to use a gMSA, you must have at least one domain controller in your environment that is running Windows Server 2012 or later, and the AD schema must be at the Windows Server 2012 level.

If the gMSA option is disabled, and you see an error message such as Group Managed Service Accounts are not available because the KDS Root Key has not been set, you can enable gMSA in your domain by running the following Windows PowerShell command on a domain controller that runs Windows Server 2012 or later in your Active Directory domain:

```powershell
# Create the KDS root key. Backdating it by 10 hours makes it usable immediately
# (a lab shortcut). In a production domain with several DCs, use
#   Add-KdsRootKey -EffectiveImmediately
# and wait 10 hours so the key replicates to every DC before creating gMSAs.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
```


Then return to the wizard, click Previous, and then click Next to re-enter the Specify Service Account page. The gMSA option should now be enabled. You can select it and enter a gMSA account name that you want to use.

9. On the Specify Configuration Database page, specify an AD FS configuration database, and then click Next.
You can either create a database on this computer by using Windows Internal Database (WID), or you can specify the location and the instance name of Microsoft SQL Server.


If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and newer versions, including SQL Server 2012 and SQL Server 2014. WID is the simpler choice, but a WID farm is limited to 30 federation servers and does not support SAML artifact resolution or token replay detection; choose SQL Server if you need either.

10. On the Review Options page, verify your configuration selections, and then click Next.

11. On the Pre-requisite Checks page, verify that all prerequisite checks are successfully completed, and then click Configure.


12. On the Results page, review the results and check whether the configuration is completed successfully, and then click Next steps required for completing your federation service deployment.

13. Wait until the configuration is complete, and then open AD FS Management to review the federation service settings.
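The same first-farm-server configuration can be scripted with the ADFS and ActiveDirectory PowerShell modules, which is useful for repeatable builds and for verifying the result. The script below is an added example and is not from the original post; the domain contoso.local, the federation service name sts.contoso.com, the gMSA gmsa-adfs and the computer account ADFS01$ are assumed names. The KDS and gMSA part is run on a domain controller (or any host with the AD PowerShell module) as a domain admin; the rest is run on the AD FS server.

```powershell
# --- Part 1: run on a domain controller (or with RSAT-AD-PowerShell) as a domain admin ---
Import-Module ActiveDirectory

# Step 8 prerequisite: a gMSA cannot be created until the KDS root key exists.
if (-not (Get-KdsRootKey)) {
    # Lab shortcut: backdated so the key is usable at once. In production use
    # -EffectiveImmediately and wait 10 hours for replication to all DCs.
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# Create the gMSA and restrict password retrieval to the farm's computer accounts
# (assumed name ADFS01$). Only these hosts can run the service as this identity.
$gmsaName  = 'gmsa-adfs'
$adfsHosts = @('ADFS01$')
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.contoso.local" `
        -PrincipalsAllowedToRetrieveManagedPassword $adfsHosts
}

# --- Part 2: run on the AD FS server (ADFS01) ---
Import-Module ADFS
Import-Module ActiveDirectory

$fsName = 'sts.contoso.com'   # assumed Federation Service Name (step 6)

# Step 5: pick the SSL certificate whose subject or SAN matches the service name
# and which has a private key; prefer the one that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.Subject -like "CN=$fsName*" -or $_.DnsNameList.Unicode -contains $fsName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key for $fsName found in LocalMachine\My"
}

# Step 8 check: confirm this host is allowed to retrieve the gMSA password before
# handing the account to AD FS (fails if the computer account is not in the
# PrincipalsAllowedToRetrieveManagedPassword list or its Kerberos ticket is stale).
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "This host cannot retrieve the password for $gmsaName; check the gMSA's allowed principals, then reboot or run 'klist purge' and retry"
}

# Steps 4, 7, 9: configure the first farm node. The domain admin credential is
# used only during configuration; the service itself runs as the gMSA.
$cred = Get-Credential -Message 'Domain admin used only for configuration'
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName 'Contoso Corporation' `
    -GroupServiceAccountIdentifier "contoso\$gmsaName`$" `
    -Credential $cred

# For a SQL Server configuration database instead of WID, add to the call above:
#   -SQLConnectionString 'Data Source=sql01.contoso.local;Integrated Security=True'

# Step 13: verify what AD FS actually took on board.
Get-AdfsProperties | Select-Object HostName, DisplayName, Identifier
Get-AdfsCertificate -CertificateType Service-Communications |
    Select-Object -ExpandProperty Certificate |
    Select-Object Subject, Thumbprint, NotAfter
```

Install-AdfsFarm requires the gMSA to exist already, which is why the script creates it first rather than relying on the wizard's "create a new gMSA" option; Test-ADServiceAccount is the quickest way to tell a replication or permission problem with the gMSA apart from an AD FS configuration error.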


Hope you enjoy this post.

Cary sun