Uninstall ADFS

Sometimes you need to uninstall ADFS (Active Directory Federation Services) in a clean fashion. The process isn't hard, but you do need to do things in the proper order.

The process is slightly different between ADFS v2.0 and v3.0 but most of it is the same.

The Basics

Lets look at the basic steps and then go into more details.

  1. Gather your farm information
  2. Remove ADFS
  3. Clean up databases
  4. Remove WID if it’s no longer needed
  5. Clean up IIS sites for ADFS v2 installations
  6. Clean up AD DS (Active Directory Directory Services)

If your ADFS farm is all on one server, is dedicated to the ADFS role and has no external (Internet-facing) access points, you only need to get the Certificate Sharing Container in AD from the farm. Once you have it you can shut down and delete the server and skip right to step 6. The most common scenario for this is a local ADFS server interfacing with Azure Directory Services to provide Single Sign-On (SSO) services. Typically this server is also your Azure Sync/AD Connector server. Microsoft keeps changing the name, but the function is to sync local AD accounts to the cloud.

Gather farm information

  1. Open an Admin level PowerShell.
  2. Get the Certificate Sharing Container in AD DS, see command below.
  3. Get the Public DNS entries for any external or Internet enabled connection endpoints.

To get the Certificate Sharing Container, use the two commands below. The first command is only needed on Windows 2008 or Windows 2008 R2 servers; Windows 2012 servers and later load the ADFS cmdlets automatically. Note the parentheses in the second command: Get-AdfsProperties returns an object, and the container value is one of its properties.

Add-PSSnapin Microsoft.Adfs.PowerShell
(Get-AdfsProperties).CertificateSharingContainer
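As an added example (not part of the original post), the following script records everything from the three steps above into one file before you uninstall anything: the container DN, the federation service host name, the endpoints that are enabled on the proxy (the Internet-facing ones), and what the host name currently resolves to. It assumes an elevated PowerShell on the ADFS server; the output path and the property names Proxy and FullUrl on Get-AdfsEndpoint are assumptions that hold for ADFS v3 and, to my knowledge, v2.

```powershell
# Added example: capture the farm facts needed for the later cleanup steps.
# Assumes an elevated PowerShell on the ADFS server; the output path is arbitrary.
$outFile = "$env:USERPROFILE\Desktop\adfs-farm-info.txt"

# ADFS v2 (Windows 2008/2008 R2) ships its cmdlets as a snap-in; v3+ as a module
# that autoloads. Only load the snap-in when the cmdlet is not already there.
if (-not (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

$props = Get-AdfsProperties

# Endpoints published through the proxy are the ones with public DNS entries.
$proxyEndpoints = Get-AdfsEndpoint |
    Where-Object { $_.Proxy } |
    Select-Object -ExpandProperty FullUrl

# What the federation service name resolves to from this server (may differ from
# the public record if split-brain DNS is in use; check the public zone as well).
$resolved = [System.Net.Dns]::GetHostAddresses($props.HostName) |
    ForEach-Object { $_.IPAddressToString }

$lines = @(
    "CertificateSharingContainer: $($props.CertificateSharingContainer)"
    "FederationServiceName:       $($props.HostName)"
    "FederationServiceIdentifier: $($props.Identifier)"
    "Resolves to:                 $($resolved -join ', ')"
    "Proxy-enabled endpoints:"
) + ($proxyEndpoints | ForEach-Object { "  $_" })

$lines | Set-Content -Path $outFile
Write-Host "Farm information written to $outFile"
Get-Content $outFile
```

Keep the CertificateSharingContainer line; it is the only value from this step that the AD DS cleanup in step 6 cannot recover once the server is gone.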

Remove ADFS

Windows 2008 or 2008 R2 servers for ADFS v2

  1. Open the Programs and Features control panel
  2. Click on View Installed Updates
  3. Find and select Active Directory Federation Services 2.0
  4. Click Uninstall.

Windows 2012 or later servers for ADFS v3+

In your PowerShell window, run this command:

Remove-WindowsFeature adfs-federation

Clean Up Databases

If you are using the Windows Internal Database (WID), you will need to download the Microsoft SQL Server Management Tool for your supported server version.

  1. Open up the database using SQL Server Management Studio. Microsoft likes to change this name a lot.
  2. Connect to WID server. See the connection string below.
  3. Detach the databases used by ADFS, see the script below.
  4. Delete the database files and logs.

If you are using WID then you need the connection string. It differs between ADFS v2 and ADFS v3 because the WID named pipe is different between Windows Server versions.

For ADFS v2, also for Windows 2008 or 2008 R2 servers
\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query

For ADFS v3, also for Windows 2012 or later 
\\.\pipe\MICROSOFT##WID\tsql\query

This is the script to detach the ADFS databases. BUT before you run it, open the properties for each database and note where the ADFS database files are located.

use master;
go
sp_detach_db 'adfsconfiguration';
go
sp_detach_db 'adfsartifactstore';
go

The default locations for the WID database files are:

For ADFS v2 or any WID installed on a Windows 2008 or 2008 R2 server
C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data\

Example command:
del C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data\adfs*

For ADFS v3 or any WID installed on a Windows 2012 or later server
C:\Windows\WID\data

Example command:
del C:\Windows\WID\data\adfs*

You can also search for the file names used in the detach script. Add .mdf and .log to each name; there will be four files to delete.
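The four steps of this section can be done without opening Management Studio. As an added example (not the post's own script), the following PowerShell asks WID itself where the ADFS database files live, detaches the databases, and then deletes exactly those files, so there is no guessing at the default path. It assumes an elevated PowerShell run by a local administrator (WID only accepts local Windows authentication), that ADFS is already uninstalled so nothing holds the databases open, and that you pick the pipe name matching your server generation; the database names AdfsConfiguration and AdfsArtifactStore are the ones the detach script above uses.

```powershell
# Added example: locate, detach and delete the ADFS databases in WID.
# Assumes elevated PowerShell, local admin rights, ADFS already removed.
$pipe = '\\.\pipe\MICROSOFT##WID\tsql\query'            # Windows 2012 and later
# $pipe = '\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'    # Windows 2008 / 2008 R2
$databases = @('AdfsConfiguration', 'AdfsArtifactStore')

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$pipe;Database=master;Integrated Security=True"
$conn.Open()
$cmd = $conn.CreateCommand()

# Step 1: ask the catalog for the real data (.mdf) and log (.ldf) file paths.
$inList = ($databases | ForEach-Object { "N'$_'" }) -join ', '
$cmd.CommandText = @"
SELECT d.name, mf.physical_name
FROM sys.master_files AS mf
JOIN sys.databases AS d ON d.database_id = mf.database_id
WHERE d.name IN ($inList)
"@
$files = @()
$reader = $cmd.ExecuteReader()
while ($reader.Read()) {
    $files += New-Object PSObject -Property @{
        Db   = [string]$reader['name']
        Path = [string]$reader['physical_name']
    }
}
$reader.Close()

if ($files.Count -eq 0) {
    $conn.Close()
    throw 'No ADFS databases found in WID; nothing to detach.'
}
$files | Format-Table Db, Path -AutoSize | Out-String | Write-Host

# Step 2: detach only the databases that actually exist on this instance.
$present = $files | Select-Object -ExpandProperty Db | Sort-Object -Unique
foreach ($db in $present) {
    $cmd.CommandText = "EXEC sp_detach_db @dbname = N'$db', @skipchecks = 'true';"
    [void]$cmd.ExecuteNonQuery()
    Write-Host "Detached $db"
}
$conn.Close()

# Step 3: delete the files recorded in step 1; the detach released the locks.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f.Path) {
        Remove-Item -LiteralPath $f.Path -Force
        Write-Host "Deleted $($f.Path)"
    } else {
        Write-Warning "Expected file not found: $($f.Path)"
    }
}
```

The query in step 1 is the programmatic equivalent of opening each database's properties: if WID was installed to a non-default path, this is how you find out before deleting anything.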

Remove WID

If you no longer need the Windows Internal Database installed on the server, you can remove it. The command differs between Windows Server versions.

For Windows 2008 and 2008 R2
Remove-WindowsFeature Windows-Internal-DB

For Windows 2012 and later
Remove-WindowsFeature windows-internal-database

Clean Up IIS

There are two applications used with ADFS: /ADFS and /ADFS/LS. You must delete /ADFS/LS first or you will get an error.

If you no longer need IIS on this server, you can remove the role using this command and skip the steps below.

Remove-WindowsFeature web-server

Steps to clean up ADFS from IIS

  1. Click Start
  2. Click Administrative Tools
  3. Click IIS Manager
  4. Expand the server name node
  5. Expand Sites
  6. Select Default Web Site.
  7. In the Actions pane, select View Applications. You should see the following two virtual directories: /adfs and /adfs/ls
  8. Right-click /adfs/ls and then click Remove
  9. Right-click /adfs and then click Remove
  10. In the Actions pane, select Application Pools
  11. Find and select the application pool named ADFSAppPool
  12. Right-click ADFSAppPool, and then select Remove
  13. In your PowerShell window, run these commands (note that PowerShell does not expand %systemdrive%, and the Remove-Item switch is -Recurse):
cd $env:SystemDrive\inetpub
Remove-Item -Recurse Adfs
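As an added example (not from the original post), here is the same cleanup done entirely from PowerShell with the WebAdministration module, in the order the text requires: the child application /adfs/ls, then /adfs, then the pool, and only after a check that nothing still references the pool. That check is what prevents the "cannot be deleted because it contains 1 applications" error described under Troubleshooting. It assumes an elevated PowerShell on Windows 2008 R2 or later with the WebAdministration module installed, and the ADFS v2 default names Default Web Site and ADFSAppPool.

```powershell
# Added example: ADFS v2 IIS cleanup with ordering enforced and a pool check.
# Assumes elevated PowerShell and the WebAdministration module (IIS 7.5+).
Import-Module WebAdministration

$site = 'Default Web Site'
$pool = 'ADFSAppPool'

# Child application first, then its parent. Removing /adfs first leaves /adfs/ls
# orphaned but still bound to the pool, which is the Troubleshooting case below.
foreach ($app in @('adfs/ls', 'adfs')) {
    $existing = Get-WebApplication -Site $site -Name $app -ErrorAction SilentlyContinue
    if ($existing) {
        Remove-WebApplication -Site $site -Name $app
        Write-Host "Removed application /$app from '$site'"
    } else {
        Write-Host "Application /$app not present; skipping"
    }
}

# Refuse to remove the pool while any application anywhere still uses it.
$remaining = Get-WebApplication | Where-Object { $_.applicationPool -eq $pool }
if ($remaining) {
    $paths = ($remaining | ForEach-Object { $_.path }) -join ', '
    throw "Pool '$pool' still has applications ($paths); remove them before the pool."
}
if (Test-Path "IIS:\AppPools\$pool") {
    Remove-WebAppPool -Name $pool
    Write-Host "Removed application pool '$pool'"
}

# Finally the content directory, equivalent to the cd/del step above.
$adfsDir = Join-Path $env:SystemDrive 'inetpub\Adfs'
if (Test-Path -LiteralPath $adfsDir) {
    Remove-Item -LiteralPath $adfsDir -Recurse -Force
    Write-Host "Deleted $adfsDir"
}
```

If the throw fires, the path it prints is the application you still need to remove; with the GUI steps that is the same situation the Troubleshooting section handles by editing applicationHost.config.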

Clean Up AD DS

The final step is to clean up the container. You will need access to an AD server, either to use the ADSI Edit tool or PowerShell.

Using the ADSI Edit tool

  1. Click Start
  2. Click Run
  3. Type ADSIEdit.msc, and then press ENTER. This opens the ADSI Edit tool.
  4. In the ADSIEdit tool, connect to the Default naming context by following these steps:
    1. Right-click ADSI Edit
    2. Click Connect to
    3. Under Connection Point, click Select a well-known Naming Context
    4. Select Default naming context
    5. Click OK.
  5. Expand the following node: Default naming context, {your domain partition}, CN=Program Data, CN=Microsoft, CN=ADFS
  6. Find the container named CN={GUID}, where the GUID is the one returned by the (Get-AdfsProperties).CertificateSharingContainer command you ran earlier.
  7. Right-click the appropriate {GUID} container
  8. Select Delete
  9. Close out of the ADSIEdit Tool

Under CN=ADFS, you see a container named CN={GUID} for each ADFS farm that you have deployed, where {GUID} matches the CertificateSharingContainer property that you captured by using the Get-AdfsProperties PowerShell command. If you delete the wrong GUID you will need to restore AD from a backup.

Using PowerShell

$delme = New-Object System.DirectoryServices.DirectoryEntry(
"LDAP://{insert your value from step 1}")
$delme.DeleteTree()

Example:
$delme = New-Object System.DirectoryServices.DirectoryEntry(
"LDAP://CN={GUID},CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=local")
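Because deleting the wrong container means an AD restore, an added example (not from the original post) that lists every farm container under CN=ADFS, checks that the one you intend to delete matches the CertificateSharingContainer value you recorded, and only then removes it with the ActiveDirectory module instead of a raw DirectoryEntry. It assumes the RSAT ActiveDirectory module is available, that the account has delete rights under CN=Program Data, and that you replace the $expected placeholder (written here with the page's {GUID} and DC=domain,DC=local placeholders) with your own recorded value.

```powershell
# Added example: verify the farm container before deleting it from AD DS.
# Assumes the ActiveDirectory (RSAT) module and rights under CN=Program Data.
Import-Module ActiveDirectory

# Placeholder: paste the value recorded from (Get-AdfsProperties).CertificateSharingContainer.
$expected = 'CN={GUID},CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=local'

$domainDn = (Get-ADDomain).DistinguishedName
$adfsBase = "CN=ADFS,CN=Microsoft,CN=Program Data,$domainDn"

# One CN={GUID} container exists per farm ever deployed in this domain.
$farms = @(Get-ADObject -SearchBase $adfsBase -SearchScope OneLevel -Filter * -Properties whenCreated)
if ($farms.Count -eq 0) { throw "No farm containers found under $adfsBase" }

Write-Host "Farm containers under CN=ADFS:"
$farms | Select-Object Name, whenCreated, DistinguishedName | Format-Table -AutoSize

# Match on the full DN so a typo in the GUID cannot select another farm.
$target = $farms | Where-Object { $_.DistinguishedName -eq $expected }
if (-not $target) {
    throw "No container matches '$expected'. Re-check the recorded value; do not delete by guess."
}
if ($farms.Count -gt 1) {
    Write-Warning "Other farms share this domain; only '$($target.Name)' will be removed."
}

# The container holds child objects (certificates, contact points), so delete the tree.
Remove-ADObject -Identity $target.DistinguishedName -Recursive -Confirm:$false
Write-Host "Removed $($target.DistinguishedName)"
```

Remove-ADObject -Recursive does the same job as $delme.DeleteTree() above; the difference is the DN comparison in front of it, which turns a wrong GUID into an error instead of a restore.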

Troubleshooting

Error: Application pool ‘ADFSAppPool’ cannot be deleted because it contains 1 applications

You messed up the steps above. I'm going to guess you deleted the virtual applications in the wrong order. DON'T PANIC. You need to manually edit the IIS application host config file. Follow this process and you should be good to go.

  1. Open an elevated notepad instance
  2. Open C:\Windows\system32\inetsrv\config\applicationHost.config. NOTE: you cannot just double-click this file in Windows Explorer, as saving it needs elevated privileges.
  3. Search for adfs/ls
  4. Delete the XML element from the start tag <application path="/adfs/ls" ...> to the end tag </application>. There will be at least one line between the two tags.
  5. Save the file
  6. Restart IIS
  7. Try removing the Application Pool again.
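The same seven steps as an added example (not the post's own procedure) done from an elevated PowerShell: it backs up applicationHost.config first, removes the <application path="/adfs/ls"> element as an XML node rather than by hand, restarts IIS and retries the pool removal. It assumes the default config path, that the stray application sits under Default Web Site, and that the WebAdministration module is available for the final step.

```powershell
# Added example: remove the orphaned /adfs/ls element from applicationHost.config.
# Assumes elevated PowerShell and the default IIS configuration path.
$config = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$backup = "$config.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"

# Always keep a copy; a malformed applicationHost.config stops IIS entirely.
Copy-Item -LiteralPath $config -Destination $backup
Write-Host "Backup written to $backup"

[xml]$xml = Get-Content -LiteralPath $config

# Locate the exact element the manual step tells you to delete.
$xpath = "//sites/site[@name='Default Web Site']/application[@path='/adfs/ls']"
$node = $xml.SelectSingleNode($xpath)
if (-not $node) {
    throw "No <application path='/adfs/ls'> element under Default Web Site; nothing to fix."
}

# Remove the whole element, including its <virtualDirectory> children.
[void]$node.ParentNode.RemoveChild($node)
$xml.Save($config)
Write-Host "Removed /adfs/ls application element from $config"

# Restart IIS so the change is picked up, then retry the pool removal.
iisreset
Import-Module WebAdministration
Remove-WebAppPool -Name 'ADFSAppPool'
Write-Host "Application pool ADFSAppPool removed"
```

If IIS fails to start after the save, copy the backup file back over applicationHost.config and run iisreset again; the XPath only touches the one element, so a failure here points at an unrelated edit to the file.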

Pro Tip: install Notepad++ and make it the default text editor for your system. It will automatically restart itself elevated if you need to save a file that requires elevated privileges, and it has nice color coding when viewing code files.

{fin}
