AD FS Service Hangs on Starting
In previous versions of Windows Server and AD FS, it was not recommended to install AD FS on a domain controller due to security issues caused by running IIS on a domain controller. In Windows Server 2012 R2, AD FS does not use IIS, so it is now possible to run AD FS on a domain controller. I'm not sure whether it was possible in previous versions of AD FS, but AD FS in Windows Server 2012 allows you to run the service by using a group Managed Service Account (gMSA). The main benefit of using a gMSA is automatic password changes: the account password is changed automatically in the background to enhance service security. It turns out that if you run AD FS on a Windows Server 2012 R2 domain controller and use a gMSA for the service, the service is prevented from starting. When you do the initial installation, it will look fine, but after you reboot, the service will have a status of Starting and hang. There are no events in the event log to indicate what the issue is. I first no...