Wednesday, November 20, 2013

AD FS Service Hangs on Starting

In previous versions of Windows Server and AD FS, installing AD FS on a domain controller was not recommended because of the security exposure of running IIS on a domain controller. In Windows Server 2012 R2, AD FS no longer depends on IIS (it hosts its endpoints directly on HTTP.sys), so it is now supported to run AD FS on a domain controller.

I'm not sure whether it was possible in previous versions of AD FS, but AD FS in Windows Server 2012 allows you to run the service by using a group Managed Service Account (gMSA). The main benefit of using a gMSA is automatic password changes: the account password is rotated automatically in the background, which improves the security of the service account.

It turns out that if you run AD FS on a Windows Server 2012 R2 domain controller and use a gMSA for the service, the service never finishes starting. The initial installation looks fine, but after a reboot the AD FS service (adfssrv) sits with a status of Starting and hangs there. There are no events in the event log that indicate what the issue is.

I first noticed the hanging issue in prerelease versions of Windows Server 2012 R2, but didn't understand exactly what was causing the issue. This behavior still exists in the RTM release of Windows Server 2012 R2.

To avoid this issue, do one of the following:
  • Use a standard domain user account for the AD FS service instead of a gMSA
  • Install AD FS on a Windows Server 2012 R2 member server and keep the gMSA
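The following PowerShell is an added example, not from the original post: it applies the two workarounds above by checking whether the box is a domain controller, using a gMSA only on a member server and a plain domain user account on a DC, and then verifying that adfssrv actually reaches Running after the reboot instead of trusting the installer's summary. The gMSA name gmsa-adfs, the domain EXAMPLE, the farm name fs.example.com and the certificate thumbprint are placeholders you must replace.

```powershell
# Added example (not the post's own code). Assumed placeholders:
#   gMSA name 'gmsa-adfs', domain 'EXAMPLE', farm name 'fs.example.com',
#   and the SSL certificate thumbprint below.
Import-Module ActiveDirectory
Import-Module ADFS   # present after: Install-WindowsFeature ADFS-Federation

$FederationServiceName = 'fs.example.com'                  # assumption
$CertThumbprint        = '<SSL certificate thumbprint>'    # assumption: replace

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = ($role -ge 4)

if (-not $isDomainController) {
    # Member server: a gMSA is safe here (workaround 2). The forest needs a
    # KDS root key first (Add-KdsRootKey -EffectiveImmediately; allow ~10 h
    # for replication outside a lab). Only this host may retrieve the password.
    New-ADServiceAccount -Name 'gmsa-adfs' `
        -DNSHostName 'gmsa-adfs.example.com' `
        -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer -Identity $env:COMPUTERNAME)

    # Cache the gMSA locally and prove this host can fetch its password
    # before handing it to AD FS; a silent failure here looks like a hung service.
    Install-ADServiceAccount -Identity 'gmsa-adfs'
    if (-not (Test-ADServiceAccount -Identity 'gmsa-adfs')) {
        throw 'This host cannot retrieve the gMSA password; check PrincipalsAllowedToRetrieveManagedPassword.'
    }

    Install-AdfsFarm -CertificateThumbprint $CertThumbprint `
        -FederationServiceName $FederationServiceName `
        -GroupServiceAccountIdentifier 'EXAMPLE\gmsa-adfs$'
}
else {
    # Domain controller: fall back to a standard domain user account
    # (workaround 1) so the service does not hang in Starting after a reboot.
    $cred = Get-Credential -Message 'Domain user account for the AD FS service'
    Install-AdfsFarm -CertificateThumbprint $CertThumbprint `
        -FederationServiceName $FederationServiceName `
        -ServiceAccountCredential $cred
}

# Run this part after the post-install reboot. The symptom from the post is a
# service stuck in StartPending ("Starting" in services.msc), so wait for
# Running with a bounded timeout rather than assuming the installer's "success".
$svc = Get-Service -Name adfssrv
try {
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    Write-Output "adfssrv is Running as: $((Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName)"
}
catch [System.ServiceProcess.TimeoutException] {
    Write-Warning "adfssrv is still $($svc.Status) after 2 minutes; if this host is a DC and the service runs as a gMSA, apply one of the workarounds above."
}
```

The DomainRole check is the piece worth keeping even if you script the rest differently: it makes the "gMSA only on a member server" rule something the deployment enforces rather than something an admin has to remember, and the post-reboot wait surfaces the StartPending hang that the installer itself never reports.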
You can see that this behavior has been confirmed by others here:
