Uninstalling AD FS 2.0 (and deleting the databases)

I’ve been working on an installation guide for AD FS 2.0 and have needed to uninstall and reinstall several times.  When you uninstall AD FS the database isn’t deleted.  The IIS applications aren’t removed and the token signing objects in AD DS aren’t removed.  Microsoft Support knowledgebase article kb982813 How to restore IIS and clean up Active Directory when you uninstall Active Directory Federation Services 2.0 describes how to remove the AD DS objects and the IIS applications and virtual directories but does not explain how to remove the AD FS database.  This isn’t a major problem as the FsConfig.exe configuration tool has a /cleanconfig switch that will drop and create new databases however when you’re developing guidance for others you can’t really use the CLEAN switch and therefore need to be able to effectively remove the database.  The following instructions explain how to do this.  AD FS 2.0: Migrate Your AD FS Configuration Database to SQL Server was the guiding factor in putting this post together.

Here’s what I had to do and did.

Note.

If you are following these instructions and still have a working AD FS skim down to the clean up AD DS section and perform those steps first.

Uninstall AD FS 2.0

1. Open APPWIZ.CPL.
2. Click View Installed Updates and type ACTIVE into the Search Programs and Features search bar.
3. Select Active Directory Federation Services 2.0 and click Uninstall.

Remove databases from WID

1. Downloaded and installed SQL Server 2008 R2 Express Management Tools.
2. Using SQL Server Management Studio (SSMS) connected to:

   \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query

3. Executed the following T-SQL script:

   use master;
   go
   sp_detach_db 'adfsconfiguration';
   go
   sp_detach_db 'adfsartifactstore';
   go
   

4. When complete I deleted the data files:

   del C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data\adfs*

Uninstall WID

Lastly, you can remove WID using Server Manager, e.g.

Import-Module ServerManager
Get-WindowsFeature | ? {
	$_.Installed -and
	$_.Name -eq 'Windows-Internal-DB'
 } | Remove-WindowsFeature

Clean up and uninstall IIS

Next you need to clean up IIS as per kb982813:

1. Open IIS manager.  Expand <server> | Sites | Default Web Site | adfs
2. Right-click on ls and click Remove
3. Right-click on adfs and click RemoveBe sure to remove LS and then ADFS and don’t just remove ADFS otherwise you’ll be in the applicationHost.config deleting XML elements.
4. Click Application Pools (further up the tree) and right-click on ADFSAppPool and click Remove.
5. Lastly delete the folders and files.

   Remove-Item C:\inetpub\adfs -Recurse

Clean up AD DS

Ideally this step is first –then you can do this:

Add-PSSnapin microsoft.adfs.powershell
(Get-ADFSProperties).CertificateSharingContainer

Which gives you the DN, e.g.

But more often than not we read the instructions last.  So we need to delete the container with a CN of the GUID of your AD FS farm from CN=Microsoft, CN=Program Data, DC=your-domain, DC=tld.

In the case of the above picture I’ve stood up and torn down five AD FS farms.  All of these certificate sharing containers need to go.  But you need to be careful here.  Please be sure there aren’t other active AD FS farms in the domain before you delete them!

And regarding deleting, I’m a big user of LDP but also like PowerShell and often don’t have access to ADWS (Active Directory Web Services) so here’s a little snippet for delete using S.DS (System.DirectoryServices).

$delme = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://CN=42bc22f5-e636-412f-9175-ba75912d4b4a,CN=ADFS,CN=Microsoft,CN=Program Data,DC=rnd,DC=litware-inc,DC=com")
$delme.DeleteTree()

Wrap-up

At this point all should be removed and all well.  If you deleted the ADFS application before you deleted the LS application read on.  I hope this post has been helpful!

Application pool ‘ADFSAppPool’ cannot be deleted because it contains 1 applications

If you got the order wrong and you get the error: “Application pool ‘ADFSAppPool’ cannot be deleted because it contains 1 applications.” (dialog below) you need to perform the following steps.

1. Open an elevated notepad and then open C:\Windows\system32\inetsrv\config\applicationHost.config.
2. Search for adfs/ls and then delete the selected element below.
3. Save the file and you’ll be able to remove the application pool from IIS.