Uninstalling AD FS 2.0 (and deleting the databases)

This post was written for AD FS 2.0 running on Windows Server 2008 or Windows Server 2008 R2.  For information on uninstalling and cleaning up AD FS 2.1 on Windows Server 2012 please see the post Uninstalling AD FS in Windows Server 2012.

I’ve been working on an installation guide for AD FS 2.0 and have needed to uninstall and reinstall several times.  When you uninstall AD FS the database isn’t deleted, the IIS applications aren’t removed and the token signing objects in AD DS aren’t removed.  Microsoft Support knowledgebase article kb982813, How to restore IIS and clean up Active Directory when you uninstall Active Directory Federation Services 2.0, describes how to remove the AD DS objects and the IIS applications and virtual directories but does not explain how to remove the AD FS database.  This isn’t a major problem as the FsConfig.exe configuration tool has a /CleanConfig switch that drops and recreates the databases; however, when you’re developing guidance for others you can’t really rely on that switch and therefore need to be able to remove the database properly.  The following instructions explain how to do this.  The post AD FS 2.0: Migrate Your AD FS Configuration Database to SQL Server was the guiding factor in putting this post together.

Here’s what I had to do.

Note.

If you are following these instructions and still have a working AD FS installation, skip ahead to the Clean up AD DS section and perform those steps first: the cmdlet that tells you which AD DS container belongs to your farm only works while AD FS is still installed.

Uninstall AD FS 2.0

  1. Open APPWIZ.CPL.
  2. Click View Installed Updates and type ACTIVE into the Search Programs and Features search bar.
  3. Select Active Directory Federation Services 2.0 and click Uninstall.

Remove databases from WID

  1. Download and install SQL Server 2008 R2 Express Management Tools.
  2. Using an elevated SQL Server Management Studio (SSMS), connect to the local WID instance over its named pipe:
    \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
  3. Execute the following T-SQL script:
    use master;
    go
    sp_detach_db 'adfsconfiguration';
    go
    sp_detach_db 'adfsartifactstore';
    go
    
  4. When complete, delete the data and log files (detaching only removes the catalog entries; the .mdf and .ldf files stay on disk):
    del C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data\adfs*
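The same detach-and-delete procedure can be scripted so that it doesn’t depend on a hardcoded data directory.  The following is an added example (it is not from the original post) that connects to the WID named pipe with System.Data.SqlClient from an elevated PowerShell session, looks up each database’s physical files in sys.master_files before detaching, and then deletes exactly those files.  It assumes AD FS 2.0 was configured against WID with the default database names AdfsConfiguration and AdfsArtifactStore.

```powershell
# Added example, not from the original post: detach the AD FS 2.0 databases from
# Windows Internal Database (WID) and delete their files.
# Run from an ELEVATED PowerShell session on the AD FS server; by default only
# local Administrators can open the WID instance.
# Assumptions: AD FS used WID (not SQL Server) and the default database names.

$pipe       = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'   # same pipe the post uses in SSMS
$connString = "Data Source=$pipe;Initial Catalog=master;Integrated Security=True"
$dbNames    = @('AdfsConfiguration', 'AdfsArtifactStore')

$conn = New-Object System.Data.SqlClient.SqlConnection($connString)
$conn.Open()
try {
    foreach ($db in $dbNames) {
        # Record the physical files BEFORE detaching; once a database is detached
        # it disappears from sys.master_files and you would have to guess the paths.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT mf.physical_name
FROM sys.master_files mf
JOIN sys.databases d ON d.database_id = mf.database_id
WHERE d.name = @name
"@
        [void]$cmd.Parameters.AddWithValue('@name', $db)
        $files  = @()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $files += $reader.GetString(0) }
        $reader.Close()

        if ($files.Count -eq 0) {
            Write-Warning "Database '$db' is not attached to WID; skipping."
            continue
        }

        # Drop any lingering connections, then detach. sp_detach_db removes only the
        # catalog entry; the .mdf/.ldf stay on disk, which is why they are deleted below.
        # $db comes from our own fixed list above, so bracketing it is safe.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "ALTER DATABASE [$db] SET SINGLE_USER WITH ROLLBACK IMMEDIATE; EXEC sp_detach_db @name"
        [void]$cmd.Parameters.AddWithValue('@name', $db)
        [void]$cmd.ExecuteNonQuery()
        Write-Host "Detached $db"

        foreach ($f in $files) {
            if (Test-Path -LiteralPath $f) {
                Remove-Item -LiteralPath $f -Force
                Write-Host "Deleted $f"
            }
        }
    }
}
finally {
    $conn.Close()
}
```

If you have no need to keep the files at all, DROP DATABASE would remove both the catalog entry and the files in one step; detaching first, as the post does, gives you the option of re-attaching them later.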

Uninstall WID

Then, provided nothing else on the server uses WID (WSUS, for example, also keeps its database there), you can remove the Windows Internal Database feature using the ServerManager module, e.g.

Import-Module ServerManager
Get-WindowsFeature | ? {
    $_.Installed -and
    $_.Name -eq 'Windows-Internal-DB'
} | Remove-WindowsFeature

Clean up and uninstall IIS

Next you need to clean up IIS as per kb982813:

  1. Open IIS Manager.  Expand <server> | Sites | Default Web Site | adfs.
  2. Right-click on ls and click Remove.
  3. Right-click on adfs and click Remove.  Be sure to remove ls first and then adfs; if you remove adfs on its own, ls is left behind as an orphaned application still bound to the application pool and you’ll end up in applicationHost.config deleting XML elements (see the end of this post).
  4. Click Application Pools (further up the tree), right-click on ADFSAppPool and click Remove.
  5. Lastly, delete the folders and files:
    Remove-Item C:\inetpub\adfs -Recurse

Clean up AD DS

Ideally this step comes first, while AD FS is still installed, because then you can simply run:

Add-PSSnapin microsoft.adfs.powershell
(Get-ADFSProperties).CertificateSharingContainer

Which returns the DN of your farm’s certificate sharing container: a container named with the farm’s GUID underneath CN=ADFS,CN=Microsoft,CN=Program Data in your domain.

But more often than not we read the instructions last.  In that case you need to delete the container whose CN is the GUID of your AD FS farm from CN=ADFS,CN=Microsoft,CN=Program Data,DC=your-domain,DC=tld.


In my lab I had stood up and torn down five AD FS farms, so there were five of these certificate sharing containers and all of them needed to go.  But you need to be careful here.  Please be sure there aren’t other active AD FS farms in the domain still using a container before you delete it!

And regarding deleting: I’m a big user of LDP but also like PowerShell, and I often don’t have access to ADWS (Active Directory Web Services), so here’s a little snippet that deletes the container using System.DirectoryServices (S.DS).

$delme = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://CN=42bc22f5-e636-412f-9175-ba75912d4b4a,CN=ADFS,CN=Microsoft,CN=Program Data,DC=rnd,DC=litware-inc,DC=com")
$delme.DeleteTree()
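Because the one-liner above deletes whatever DN you give it, it is worth listing the containers first and only deleting a GUID you have positively identified.  The following is an added example (not from the original post) that does both with System.DirectoryServices, so it works without ADWS: it reads the domain DN from RootDSE, enumerates every per-farm container under CN=ADFS,CN=Microsoft,CN=Program Data, and deletes a single container only when you pass -Force.  The function names and the GUID in the commented usage line are placeholders, not values from the post.

```powershell
# Added example, not from the original post.  Lists the AD FS certificate sharing
# containers in the current domain and deletes only the one whose farm GUID you name.
# Uses System.DirectoryServices (LDAP) so it does not need ADWS.

function Get-AdfsSharingContainer {
    # Each child of CN=ADFS,CN=Microsoft,CN=Program Data is one farm (live or torn down).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.defaultNamingContext
    $adfsRoot = [ADSI]"LDAP://CN=ADFS,CN=Microsoft,CN=Program Data,$domainDn"
    foreach ($child in $adfsRoot.Children) {
        New-Object PSObject -Property @{
            Name     = $child.Properties['cn'][0]                  # the farm GUID
            Created  = $child.Properties['whenCreated'][0]
            Children = @($child.Children).Count                    # objects DeleteTree will remove
            DN       = $child.Properties['distinguishedName'][0]
        }
    }
}

function Remove-AdfsSharingContainer {
    param(
        [Parameter(Mandatory = $true)][string]$FarmGuid,   # CN of the container to delete
        [switch]$Force                                     # without -Force only reports what it would do
    )
    $rootDse = [ADSI]'LDAP://RootDSE'
    $dn = "CN=$FarmGuid,CN=ADFS,CN=Microsoft,CN=Program Data,$($rootDse.defaultNamingContext)"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        throw "No certificate sharing container found at $dn"
    }
    if (-not $Force) {
        Write-Host "Would delete $dn (re-run with -Force to delete)"
        return
    }
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
    $entry.DeleteTree()     # removes the container and everything beneath it
    Write-Host "Deleted $dn"
}

# Usage: list every farm container first, then check the GUID of each farm that is
# still live with (Get-ADFSProperties).CertificateSharingContainer on that farm, and
# only delete GUIDs that belong to farms you have decommissioned.
Get-AdfsSharingContainer | Sort-Object Created | Format-Table Name, Created, Children, DN -AutoSize
# Remove-AdfsSharingContainer -FarmGuid '00000000-0000-0000-0000-000000000000' -Force   # placeholder GUID
```

The Created column is the easiest way to match containers to farms you remember building; the Children count shows how many objects DeleteTree will take with it.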

Wrap-up

At this point everything should be removed and all should be well.  If you deleted the adfs application before you deleted the ls application, read on.  I hope this post has been helpful!

Application pool ‘ADFSAppPool’ cannot be deleted because it contains 1 applications

If you got the order wrong and you get the error “Application pool ‘ADFSAppPool’ cannot be deleted because it contains 1 applications.” you need to perform the following steps.


  1. Take a copy of C:\Windows\system32\inetsrv\config\applicationHost.config, then open the original in an elevated Notepad.
  2. Search for adfs/ls and delete the whole <application path="/adfs/ls" ...> element, including the <virtualDirectory> child it contains.
  3. Save the file and you’ll be able to remove the application pool from IIS.
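Both the manual IIS Manager steps in the Clean up and uninstall IIS section and the applicationHost.config hand-edit above can be replaced by one script that lets IIS do the configuration editing.  The following is an added example (not from the original post or from kb982813) using the WebAdministration module that ships with IIS 7.x on Windows Server 2008 R2: it removes every application still bound to the pool, deepest path first, so /adfs/ls always goes before /adfs, and it also catches an orphaned /adfs/ls left behind by removing /adfs first, which is exactly what produces the “contains 1 applications” error.  It assumes the stock Default Web Site, the ADFSAppPool name and the C:\inetpub\adfs content path.

```powershell
# Added example, not from the original post: remove the AD FS 2.0 IIS artefacts in a
# safe order and then the application pool and content.  Run elevated.
# Assumptions: Default Web Site, pool name ADFSAppPool, content under C:\inetpub\adfs.
Import-Module WebAdministration

$site    = 'Default Web Site'
$pool    = 'ADFSAppPool'
$content = 'C:\inetpub\adfs'

# Every application still bound to the pool, longest path first, so a child such as
# /adfs/ls is removed before its parent /adfs.  @() guards the PowerShell 2.0 quirk
# where foreach over $null runs once.
$apps = @(Get-WebApplication -Site $site |
          Where-Object { $_.applicationPool -eq $pool } |
          Sort-Object { $_.path.Length } -Descending)

foreach ($app in $apps) {
    $name = $app.path.TrimStart('/')          # '/adfs/ls' -> 'adfs/ls'
    Write-Host "Removing application $site/$name"
    Remove-WebApplication -Site $site -Name $name   # edits applicationHost.config for you
}

# The pool can only be deleted once nothing references it; fail loudly otherwise.
$remaining = @(Get-WebApplication -Site $site | Where-Object { $_.applicationPool -eq $pool })
if ($remaining.Count -gt 0) {
    $paths = ($remaining | ForEach-Object { $_.path }) -join ', '
    throw "Applications still bound to $pool : $paths"
}

if (Test-Path "IIS:\AppPools\$pool") {
    Remove-WebAppPool -Name $pool
    Write-Host "Removed application pool $pool"
}

if (Test-Path $content) {
    Remove-Item $content -Recurse -Force
    Write-Host "Deleted $content"
}
```

Because Remove-WebApplication goes through the IIS configuration API, applicationHost.config stays well-formed and you avoid editing it by hand at all.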

About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in AD FS.

27 Responses to Uninstalling AD FS 2.0 (and deleting the databases)

  1. Pingback: AD FS 329: The certificate that is identified by thumbprint ‘<thumbprint>’ could not be decrypted using the keys for X.509 certificate private key sharing | Yet another identity management blog

  2. VIJAY ARUL LOURDU says:

    hi,

    I am not able to complete this setup:

    Remove databases from WID.

    \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query.

    I am not able to connect to this path using SSMS. How do I find the corresponding instance on my server where AD FS 2.0 is installed?

    Please help me on the same.

    • Are you using an elevated SQL Server Management Studio (SSMS) instance, i.e. did you open SSMS by right-clicking and choosing run as administrator? By default only members of the administrators group can access the database instance.

      • VIjay Arul Lourdu says:

        I am using SSMS. I need to know which server and database I need to connect to in order to execute the query that is mentioned in step 3:
        Remove databases from WID
        2. Using SQL Server Management Studio (SSMS) connected to:
        \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
        How can I connect to my instance of Windows Internal Database? How can I know the path?

      • The listed path is the path to the local WID instance. You need to open an elevated SSMS and then connect to the described path (\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query). If that isn’t working the next question is are you sure you were using WID?

        If you open SQL Server Configuration Manager you can see whether or not there is a WID instance running on the host and you can start and stop it among other things. You should also see that only the Shared Memory protocol is enabled.

  3. Pingback: Uninstalling An ADFS v2.0 STS Server « Jorge's Quest For Knowledge!

  4. Daniel Abreu says:

    This is the best AD FS 2.0 uninstall guide I’ve seen so far. Thanks a lot for publishing.

  5. Lowell says:

    Excellent guide!

  6. Pingback: Uninstalling AD FS in Windows Server 2012 | Yet another identity management blog

  7. Kinan says:

    Hi,
    Nice work really, and I wonder if there is a way other than uninstalling if I want to move back from SQL database to WID.
    Why? Because of the licensing issue. The ADFS setup is being moved to different physical location where SQL servers do not exist and we need to make it redundant using the WID.
    Any ideas?
    Thanks,

    • There’s no migration from SQL –> WID that I know of. In your case you have to just plan to migrate the environment. Export the AD FS server and trust configuration using PowerShell. While the original system is still online build a new farm using WID and import the configuration and rules. Validate locally (HOST files or private, local DNS) and then switch DNS over to the new farm and decommission the old after a few days of the new environment running.

      When I speak to customers about AD FS design I always push for a WID-based deployment. I’ve yet to work with a customer that actually needed SQL, although at least two did implement it. Unfortunately there’s a mentality that the bigger, better, more expensive SQL is an enterprise option, which isn’t strictly true in this case as WID gives you far more availability and flexibility at a fraction of the cost.

  8. orshee says:

    But why didn’t you mention that your step “Clean up AD DS” needs to go first? Couldn’t you put that at the top instead of at the end, where you say we need to do that first? How am I supposed to execute that step now that AD FS is removed…

    • The flow of the article is in a reactive voice, i.e. here’s what I did and why. I expect someone to read a set of instructions before executing them. What if you get half way through and there’s something you don’t trust or are unable to do without raising an additional change or needing more permissions from another area of the business?

      • Adil Baig says:

        OK, since some of us followed the steps right away without reading, how do we go about the “Clean up AD DS” step now? I understand you humored the followers of this article in a twisted way, but now that it’s done, how do we proceed?

      • How many farms do you have? If just one, then delete the lot; if more than one you need to identify which is which. Are you in this position?

  9. Nagaraj says:

    Hello Paul,
    In one case I don’t see the /adfs/fs virtual directory. Any idea how to create the virtual directory without re-configuring the complete AD FS service?
    It is configured on Windows 2012 Standard edition.

    • Can you please describe the scenario here? The configuration wizard will recreate/redeploy the adfs virtual directory *if* you haven’t customised it. If you have I don’t know of a quick switch to do this and would look at exporting configuration and then reinstalling.

  10. Michael says:

    Thank you Paul, you wrote this over two years ago, and as luck would have it, it’s exactly what I needed today.

  11. norock says:

    Thank you so much for the effort to share this info with the rest of the world! Saved me a lot of time! Cheers

  12. Marvin says:

    Great post! This is what I’m looking for.

    I’m just having an error when I execute the Add-PSSnapin microsoft.adfs.powershell.

    Add-PSSnapin : The Windows PowerShell snap-in ‘Microsoft.Adfs.PowerShell’ is not installed on this computer.
    At line:1 char:1
    + Add-PSSnapin Microsoft.Adfs.PowerShell
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (Microsoft.Adfs.PowerShell:String) [Add-PSSnapin], PSArgumentException
    + FullyQualifiedErrorId : AddPSSnapInRead,Microsoft.PowerShell.Commands.AddPSSnapinCommand

    Above is exactly what I am getting. Hope you could help me on this.

    • Two thoughts – (1) You’ve uninstalled AD FS therefore the snap-in is no longer installed and thus unavailable; (2) you’re on a Windows Server 2012 R2 server in which case there is now a module (as opposed to a snap-in) which PowerShell will automatically load, so just go to the 2012 R2 post (link at the top) and run the cmdlet.

  13. Tony Sperbeck says:

    Can the CN=CryptoPolicy be removed as well?

    • It’s a child of the ADFS-owned/managed node, so yes if you are cleaning up. Be mindful that you shouldn’t delete it if there are active WID farms using auto-cert rollover, i.e. if you are removing one installation but there are others that are active then best not to if they are using them.

  14. Matthias says:

    Worked very well – thank you !
