I’ve been working on an installation guide for AD FS 2.0 and have needed to uninstall and reinstall several times. When you uninstall AD FS the database isn’t deleted, the IIS applications aren’t removed and the token signing objects in AD DS aren’t removed. Microsoft Support knowledgebase article kb982813, How to restore IIS and clean up Active Directory when you uninstall Active Directory Federation Services 2.0, describes how to remove the AD DS objects and the IIS applications and virtual directories, but it does not explain how to remove the AD FS database. This isn’t a major problem, as the FsConfig.exe configuration tool has a /cleanconfig switch that will drop and create new databases; however, when you’re developing guidance for others you can’t really rely on the CLEAN switch, so you need to be able to remove the database properly. The following instructions explain how to do this. AD FS 2.0: Migrate Your AD FS Configuration Database to SQL Server was the guiding factor in putting this post together.
Here’s what I had to do and did.
Note: If you are following these instructions and still have a working AD FS, skim down to the Clean up AD DS section and perform those steps first.
Uninstall AD FS 2.0
- Open APPWIZ.CPL.
- Click View Installed Updates and type ACTIVE into the Search Programs and Features search bar.
- Select Active Directory Federation Services 2.0 and click Uninstall.
Remove databases from WID
- Downloaded and installed SQL Server 2008 R2 Express Management Tools.
- Using SQL Server Management Studio (SSMS) connected to:
\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
- Executed the following T-SQL script (the databases are detached rather than dropped, so the data files stay on disk and are removed in the next step):
use master;
GO
-- AD FS 2.0 configuration database
sp_detach_db 'adfsconfiguration';
GO
-- AD FS 2.0 artifact store
sp_detach_db 'adfsartifactstore';
GO
- When complete I deleted the data files:
del C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data\adfs*
Uninstall WID
Lastly, you can remove WID using Server Manager, e.g.
Import-Module ServerManager
Get-WindowsFeature | ? {
$_.Installed -and
$_.Name -eq 'Windows-Internal-DB'
} | Remove-WindowsFeature
Clean up and uninstall IIS
Next you need to clean up IIS as per kb982813:
- Open IIS manager. Expand <server> | Sites | Default Web Site | adfs
- Right-click on ls and click Remove.
- Right-click on adfs and click Remove. Be sure to remove LS first and then ADFS; if you remove ADFS on its own you’ll end up editing applicationHost.config by hand to delete the orphaned XML elements.
- Click Application Pools (further up the tree) and right-click on ADFSAppPool and click Remove.
- Lastly delete the folders and files.
Remove-Item C:\inetpub\adfs -Recurse
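The same IIS clean-up as a script, added here as an example (not from the original post or kb982813), using the WebAdministration module on IIS 7 / Server 2008 R2. It assumes the default site name, the application paths adfs and adfs/ls and the pool name ADFSAppPool from the steps above, and its first check doubles as the diagnosis for the “cannot be deleted because it contains 1 applications” error described later.

```powershell
# Added example, not from the original post: scripted version of the IIS clean-up.
# Assumptions: site "Default Web Site", applications adfs and adfs/ls, pool ADFSAppPool.
Import-Module WebAdministration

$site    = 'Default Web Site'
$pool    = 'ADFSAppPool'
$adfsDir = 'C:\inetpub\adfs'

# Pre-flight: which applications are still bound to the pool? The pool cannot be
# removed while this list is non-empty, which is exactly the "contains 1 applications"
# error you get when adfs is removed before adfs/ls.
$bound = Get-WebApplication | Where-Object { $_.applicationPool -eq $pool }
Write-Host "Applications bound to $pool :" (@($bound | ForEach-Object { $_.path }) -join ', ')

# Remove the child application first (ls), then its parent (adfs), via the IIS: provider.
foreach ($app in 'adfs\ls', 'adfs') {
    $path = "IIS:\Sites\$site\$app"
    if (Test-Path $path) {
        Remove-Item $path -Recurse
        Write-Host "Removed application /$($app -replace '\\', '/')"
    }
}

# With no applications left on it, the pool can go.
if (Test-Path "IIS:\AppPools\$pool") {
    Remove-WebAppPool -Name $pool
    Write-Host "Removed application pool $pool"
}

# Finally delete the content folder (equivalent to the Remove-Item above).
if (Test-Path $adfsDir) { Remove-Item $adfsDir -Recurse -Force }
```

Run it from an elevated PowerShell; if the pre-flight list is non-empty, the loop removes the listed applications before touching the pool.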
Clean up AD DS
Ideally you do this step first, while AD FS is still installed, because then you can run:
Add-PSSnapin microsoft.adfs.powershell
(Get-ADFSProperties).CertificateSharingContainer
which gives you the DN of the certificate sharing container.
But more often than not we read the instructions last. In that case we need to delete the container whose CN is the GUID of your AD FS farm from CN=ADFS, CN=Microsoft, CN=Program Data, DC=your-domain, DC=tld.
In the case of the above picture I’ve stood up and torn down five AD FS farms. All of these certificate sharing containers need to go. But you need to be careful here. Please be sure there aren’t other active AD FS farms in the domain before you delete them!
And regarding deleting: I’m a big user of LDP but also like PowerShell, and I often don’t have access to ADWS (Active Directory Web Services), so here’s a little snippet for deleting the container using S.DS (System.DirectoryServices).
# Bind to the certificate sharing container of the farm being torn down
$delme = New-Object System.DirectoryServices.DirectoryEntry(
"LDAP://CN=42bc22f5-e636-412f-9175-ba75912d4b4a,CN=ADFS,CN=Microsoft,CN=Program Data,DC=rnd,DC=litware-inc,DC=com")
# DeleteTree removes the container together with everything beneath it
$delme.DeleteTree()
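Because the risk here is deleting the container of a farm that is still in use, the following script (an added example, not part of the original post) first lists every certificate sharing container under CN=ADFS,CN=Microsoft,CN=Program Data with System.DirectoryServices and then deletes only the one whose CN you name explicitly, refusing to touch the running farm’s container when the AD FS snap-in is still present. It assumes you are logged on to the domain that hosts the containers (the domain DN is read from RootDSE) and that each farm’s container is a GUID-named object of class container.

```powershell
# Added example, not from the original post. Assumes the domain from RootDSE hosts
# the AD FS containers and that each farm has one GUID-named "container" object.
function Get-AdfsSharingContainer {
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $domainDn = $rootDse.Properties['defaultNamingContext'][0]
    $adfsRoot = New-Object System.DirectoryServices.DirectoryEntry(
                    "LDAP://CN=ADFS,CN=Microsoft,CN=Program Data,$domainDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($adfsRoot)
    $searcher.Filter      = '(objectClass=container)'   # one GUID-named container per farm
    $searcher.SearchScope = 'OneLevel'
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            CN          = $r.Properties['cn'][0]
            DN          = $r.Properties['distinguishedname'][0]
            WhenCreated = $r.Properties['whencreated'][0]
        }
    }
}

function Remove-AdfsSharingContainer {
    param([Parameter(Mandatory=$true)][string]$FarmGuid, [switch]$Force)
    $target = Get-AdfsSharingContainer | Where-Object { $_.CN -eq $FarmGuid }
    if (-not $target) { throw "No certificate sharing container with CN=$FarmGuid" }
    # If the AD FS snap-in is still installed, never delete the live farm's container.
    Add-PSSnapin microsoft.adfs.powershell -ErrorAction SilentlyContinue
    $live = if (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue) {
                (Get-ADFSProperties).CertificateSharingContainer } else { $null }
    if ($live -and $live -eq $target.DN) { throw "$($target.DN) belongs to the running farm" }
    # Dry run unless -Force is given, so the DN can be checked before anything is removed.
    if (-not $Force) { "Would delete $($target.DN) (re-run with -Force)"; return }
    (New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($target.DN)")).DeleteTree()
    "Deleted $($target.DN)"
}

# Usage: list every farm's container (oldest first), then remove one by its GUID.
Get-AdfsSharingContainer | Sort-Object WhenCreated | Format-Table CN, WhenCreated, DN -AutoSize
# Remove-AdfsSharingContainer -FarmGuid '42bc22f5-e636-412f-9175-ba75912d4b4a' -Force
```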
Wrap-up
At this point all should be removed and all well. If you deleted the ADFS application before you deleted the LS application read on. I hope this post has been helpful!
Application pool ‘ADFSAppPool’ cannot be deleted because it contains 1 applications
If you got the order wrong and you get the error “Application pool ‘ADFSAppPool’ cannot be deleted because it contains 1 applications.” (dialog below), you need to perform the following steps.
hi,
I am not able to complete this setup
Remove databases from WID.
\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query.
I am not able to connect to this path using SSMS. How to find the corresponding instance of my server where ADFS 2.0 is installed.
Please help me on the same.
Are you using an elevated SQL Server Management Studio (SSMS) instance, i.e. did you open SSMS by right-clicking and choosing run as administrator? By default only members of the administrators group can access the database instance.
I am using SSMS. I need to know to which server and database I need to connect to execute the query that is mentioned in step 3 and click Uninstall.
Remove databases from WID
2. Using SQL Server Management Studio (SSMS) connected to:
\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query.
How can I connect to my instance of Windows Internal DB. How can I know the path.
The listed path is the path to the local WID instance. You need to open an elevated SSMS and then connect to the described path (\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query). If that isn’t working the next question is are you sure you were using WID?
If you open SQL Server Configuration Manager you can see whether or not there is a WID instance running on the host and you can start and stop it among other things. You should also see that only the Shared Memory protocol is enabled.