Windows 10: What are the port requirements between ADFS servers and AD Domain Controllers?

What are the port requirements between ADFS servers and AD Domain Controllers? Does it need to be bi-directional or unidirectional? I am configuring a new setup and asked network security team to open bi-directional ports between ADFS and AD DCs but they have security concerns on it. Please guide me.

:)

 

ADFS and change of domain controller

Hello there

Hoping you can help. We have ADFS installed on a member server (NON domain controller). We also have 4 DC's (2 x 2008R2 and 2 2012R2) and have started a project to replace all the current dc's with 2 x 2016 DC's.

I've had a look on our member server where ADFS is installed and cant see anything that shouts at me regarding our current DC's and I'm just a bit concerend that when we do the switchover something will break.

I was hoping someone might have gone through something similar and might have some pointers on where to look and what to look for?

Many thanks

 

Raising the windows domain and forest issues?


hi,

I run a domain that was all 2003 r2 servers. I recently upgraded all my domain controllers to windows 2012 r2.
That went off without any problems.. Our trust relationships had no issues also.

My first step was to raise the Domain and Forest levels past 2003 to 2008. This went off without a hitch.
These are the features for raising the levels to 2008:

• Features and benefits include all default Active Directory features, all features from the Windows Server 2003 domain functional level, plus:
• Read-Only Domain Controllers – Allows implementation of domain controllers that only host read-only copy of NTDS database.
• Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol.
• Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.

Forest Level Windows Server 2008

• Features and benefits include all of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.

My next step is to raise the domain and forest to 2008 r2, then 2012, and finally 2012 r2. I have been trying to find out exactly what I could expect from raising the Domain and Forest for each step.

The step involving 2008 r2 seems relatively a non issue. But getting the couple of new features seem very nice

Domain Level Windows Server 2008 R2

• All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus 2 new features

Forest Level Windows Server 2008 R2

• All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:

• Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running. <== New Feature very cool
• All domains subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

Here is my big concerns for the next raising of domain and forest to 2012.

Forest Level Windows Server 2012:

• All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
• All domains subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

Domain Level Windows Server 2012 R2: <=====Need to investigate more and why this post

• DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:

• Authenticate with NTLM authentication <==============(what issues may arise)
• Use DES or RC4 cipher suites in Kerberos pre-authentication
• Be delegated with unconstrained or constrained delegation
• Renew user tickets (TGTs) beyond the initial 4-hour lifetime

Will this affect my exchange anywhere users with remote access authenticating either clear of NTLM???
and what would/may not to work properly day 1 when I raise the domain and forest to 2012. I cant really find anyone that can answer a straight question.

Has anyone gone through this? what problems did you have, if any , if a lot???

Any thoughts and suggestions will be much appreciated??

thanks


- - - Updated - - -

One more point... I am not sure if I posted this to the correct forum.. So if I was wrong and it should be in a different one..
PLEASE LET ME KNOW

 

ADFS SAML setup

Hello,

I have questions regarding ADFS SAML configuration.

I have been charged with setting up ADFS SAML and connecting our system with clarity safetyzone.

I am using Using windows serv 2019 platform for the servers. I have created a test environment that has a domain controller, server with ADCS, and another server with ADFS. I have a certificate created within the ADCS server and I installed ADFS on the
respective server. I verified after installation of the role and configuring an adfs administrator that the adfs administrator can sign into the https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx, I created a windows test account and logged into the
adfs server for testing purposes and when navigating to the https://sts.contoso.com/adfs/ls/ and attempting to sign in with that user, I get an error:

An error occurred
An error occurred. Contact your administrator for more information.
Error details
Activity ID: f68cc99a-b6e5-40dc-1a00-0080000000e5Error details: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.Node name: 85253664-435b-4d04-8775-d4b96854cb12Error time: Mon, 02 Nov 2020 20:11:16 GMTCookie:
enabledUser agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36

I have everyone permitted for intranet access in the Access Control Policies.
Am i missing something? Once i can verify that a standard user can login, then i can move on to the step of setting up the appropriate claims/trusts.

Does anyone have experience with this and maybe even experience with the Clarity Safety Zone platform?