
To take advantage of the new features provided by AD FS 2016/2019, an AD FS 3.0 (Windows Server 2012 R2) deployment must be upgraded following specific steps to avoid service disruption.

The upgrade procedure is straightforward and does not require any service downtime.

The steps involved in the upgrade procedure are the following:

  • Add a new Windows Server 2016 and install the AD FS role
  • Configure the AD FS service on the new server
  • Move the primary federation server role to the new server
  • Remove the old server from the AD FS farm
  • Raise the FBL to the Windows Server 2016 level

Although the upgrade procedure uses Windows Server 2016 as a reference, the steps are similar for an upgrade to Windows Server 2019.

Install the AD FS role on the new server

From Server Manager click Manage > Add Roles and Features. Click Next to begin the role installation.

Add Roles and Features

Select Role-based or feature-based installation then click Next.

Select Role-based or feature-based installation

Select the server on which to install the role and click Next.

Select the server to install

Select Active Directory Federation Services role and click Next.

Active Directory Federation Services

No additional features need to be selected here; click Next to continue.

Features

Click Next.

Active Directory Federation Services

Select the Restart the destination server automatically if required option and click Yes to confirm.

Restart the destination server automatically if required

Click Install to proceed with the role installation.

Click Install to proceed

The selected role is being installed on the new server.

The selected role is being installed

When the installation completes, click Close to exit the wizard.

When the installation completes

Configure AD FS on the new server

In the top-right corner of Server Manager, click the exclamation mark and select the link Configure the federation service on this server.

Exclamation mark

Since we are upgrading an existing AD FS deployment, a federation farm is already available in the network. Select the Add a federation server to a federation server farm option and click Next.

Add a federation server to a federation server farm

Make sure a Domain Administrator account is selected to perform the service configuration, then click Next.

Domain Administrator account

Choose Specify the primary federation server in an existing farm using Windows Internal Database (if WID is used) and enter the FQDN of any AD FS Server 2012 R2 in the Primary Federation Server field, then click Next.

Primary federation server

Click Import to import the SSL certificate used in the farm.

SSL certificate

Enter the certificate password and click OK.

Enter the certificate password

When the correct certificate has been selected, click Next.

Select the certificate password

Enter the credentials of the AD FS service domain account and click Next.

Enter the credential

Click Next.

Review options

When the prerequisite checks have passed, click Configure to proceed with the configuration.

 Pre-requisite checks

When the configuration has completed, click Close to exit the wizard. The server reboots.

The Server reboots

Open PowerShell on the Server 2016 and run the following command to identify the Primary Computer Name:

identify the Primary Computer Name

On the old Server 2012 R2, run the same command to identify its current role, which is PrimaryComputer.

Primary Computer

Move the primary federation server role to the new Server 2016

Introduced in AD FS for Windows Server 2016, the farm behavior level (FBL) is a farm-wide setting that determines the features the AD FS farm can use.

Run the following command on the Server 2016 to make it the PrimaryComputer:

Server 2016 as PrimaryComputer

Now verify that the PrimaryComputer role has been assigned to the Server 2016 successfully.

Now verify the Server 2016

On the Windows Server 2012 R2, run the command:

 Windows Server 2012 R2

Now verify that the Windows Server 2012 R2 role has been changed to SecondaryComputer.

SecondaryComputer

The following command, run on the Server 2016, shows the current AD FS farm information (it is not available on older AD FS versions):

AD FS farm information
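The role move described in the steps above, written out as PowerShell. This is an added example, not the article's own screenshots or commands; the FQDNs adfs2012.corp.example.com and adfs2016.corp.example.com are placeholders for the old and new servers, and the farm is assumed to use Windows Internal Database (WID).

```powershell
# Added example: move the primary federation server role from the 2012 R2
# server to the new 2016 server and verify each step.
# Placeholder FQDNs (assumption): adfs2012.corp.example.com (old primary),
# adfs2016.corp.example.com (new Server 2016 node).

# Small check used after each change: throw if the local node's role is not
# the one we expect, so a scripted run stops instead of continuing half-moved.
function Assert-AdfsRole {
    param([Parameter(Mandatory)][string]$Expected)
    $role = (Get-AdfsSyncProperties).Role
    if ($role -ne $Expected) {
        throw "Expected AD FS role '$Expected' on $env:COMPUTERNAME, found '$role'"
    }
    "$env:COMPUTERNAME is $role"
}

# --- Run on either node: show which server holds the primary role.
# A primary reports Role = PrimaryComputer; a secondary reports
# Role = SecondaryComputer together with PrimaryComputerName.
Get-AdfsSyncProperties

# --- Run on the new Server 2016: promote it to primary.
Set-AdfsSyncProperties -Role PrimaryComputer
Assert-AdfsRole -Expected 'PrimaryComputer'

# --- Run on the old Server 2012 R2: demote it and point it at the new primary.
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName 'adfs2016.corp.example.com'
Assert-AdfsRole -Expected 'SecondaryComputer'

# --- Run on the Server 2016 only (cmdlet introduced with AD FS 2016):
# lists the farm behavior level and every node in the farm, so the old
# 2012 R2 node should still appear here until it is removed.
Get-AdfsFarmInformation
```

Run the promotion on the new server before the demotion on the old one, exactly as the article does, so the farm never has two primaries: the WID sync pulls configuration from the node named in PrimaryComputerName, and a secondary pointed at a node that is not primary stops receiving updates.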

On the Windows Server 2012 R2, open the AD FS Management console. Since this server no longer holds the primary federation server role, no configuration changes are allowed.

AD FS Management console

The AD FS Management console on Windows Server 2016, by contrast, is fully functional.

AD FS Management console

Web Application Proxy upgrade

If AD FS Web Application Proxy servers running Windows Server 2012 are configured in your infrastructure, migrate all the nodes to version 2016 and then remove the old AD FS proxy servers.

Remove Windows Server 2012 R2 from the AD FS farm

Log on to the Server 2012 R2 and open Server Manager. Select Manage > Remove Roles and Features.

Server Manager

Go through the wizard, uncheck the Active Directory Federation Services role and click Next.

uncheck the Active Directory Federation Services

At the end of the wizard click Remove to remove the selected role from the server.

Remove

Raise the FBL to the Windows Server 2016 level

On the Windows Server 2016, run the following command to check the current FBL:

FBL level

These are the FBL values by Windows Server version:

FBL values by Windows Server

To raise the current FBL to the Windows Server 2016 level, run the following command:

Upgrade current FBL level to Windows Server 2016

Click Yes at the confirmation prompt to proceed with the upgrade. Raising the FBL creates a new AD FS configuration database.

AD FS configuration database

After a few seconds the upgrade completes successfully.

After a few seconds the upgrade completed successfully

Check the current FBL again. The reported value is now 3.

Check the current FBL level
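The FBL check and raise from the steps above as a PowerShell sequence, run on the Windows Server 2016 primary after every 2012 R2 node has left the farm. This is an added example, not the article's own commands; the CurrentFarmBehavior values in the comments are the known AD FS values (1 for 2012 R2, 3 for 2016, 4 for 2019), and the final check expects the 2016 value the article reports.

```powershell
# Added example: inspect the Farm Behavior Level, test that a raise is
# possible, raise it, and confirm the new value.
# Known CurrentFarmBehavior values: 1 = Windows Server 2012 R2 (AD FS 3.0),
# 3 = Windows Server 2016, 4 = Windows Server 2019.

function Get-AdfsFbl {
    # Reads the farm-wide behavior level from the local (primary) node.
    return [int](Get-AdfsProperties).CurrentFarmBehavior
}

"Current FBL before the raise: $(Get-AdfsFbl)"

# Dry run: reports what the raise would do and whether anything blocks it,
# for example a node still running an older AD FS version. Nothing changes.
Test-AdfsFarmBehaviorLevelRaise

# The raise itself. It prompts for confirmation (the "Yes" in the article);
# add -Force to skip the prompt in an unattended run. A new configuration
# database is created as part of the raise.
Invoke-AdfsFarmBehaviorLevelRaise

# Confirm the result; 3 is the Windows Server 2016 level.
$fbl = Get-AdfsFbl
if ($fbl -ne 3) {
    throw "FBL raise did not reach the 2016 level; CurrentFarmBehavior is $fbl"
}
"FBL after the raise: $fbl"
```

Test-AdfsFarmBehaviorLevelRaise is worth running before the real raise because the raise is one-way: once the farm is at level 3, older nodes can no longer join it, so the old 2012 R2 server must already have been removed, as the previous section does.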

The AD FS Management console on Windows Server 2016 now shows all the available features.

AD FS Manager


Test AD FS authentication

Using your preferred browser, enter the address https://<adfs>/adfs/ls/IdpInitiatedSignon.aspx (where <adfs> is the federation service name) and click Sign in to test the authentication process.

Test AD FS authentication

Enter the credentials of a test account and click Sign in.

Enter the account credentials

The sign-in was successful.
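The same sign-on page check from PowerShell, with the one detail that trips people up after the upgrade: on AD FS 2016 the IdP-initiated sign-on page is disabled by default, so the URL above returns an error until it is enabled on the primary server. This is an added example, not part of the article; adfs.corp.example.com is a placeholder for the federation service name (the <adfs> above), and the cmdlets are run on the AD FS 2016 primary.

```powershell
# Added example: confirm the IdP-initiated sign-on page answers after the
# upgrade. Placeholder (assumption): adfs.corp.example.com is the federation
# service name. Run on the AD FS 2016 primary server.
$FederationServiceName = 'adfs.corp.example.com'
$SignOnUrl = "https://$FederationServiceName/adfs/ls/IdpInitiatedSignon.aspx"

# AD FS 2016 ships with the page turned off; remember the prior setting so it
# can be restored after the test.
$wasEnabled = [bool](Get-AdfsProperties).EnableIdpInitiatedSignonPage
if (-not $wasEnabled) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
}

try {
    # -UseBasicParsing avoids the Internet Explorer engine on Windows PowerShell.
    $response = Invoke-WebRequest -Uri $SignOnUrl -UseBasicParsing
    if ($response.StatusCode -ne 200) {
        throw "Unexpected HTTP $($response.StatusCode) from $SignOnUrl"
    }
    # The page contains the sign-in form; the interactive test in the article
    # (entering credentials and clicking Sign in) is still done in the browser.
    "$SignOnUrl answered with HTTP $($response.StatusCode)"
}
finally {
    # Leave the page in the state it was in before the test; it is not needed
    # for normal relying-party sign-in and can stay disabled.
    if (-not $wasEnabled) {
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
    }
}
```

If the request fails with a certificate error rather than an HTTP error, the imported SSL certificate or the federation service name is the first thing to re-check, since both were supplied during the wizard earlier in the procedure.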

The AD FS infrastructure is now running the new version.

Paolo Valsecchi
System Engineer, VCP-DCV, vExpert, VMCE, Veeam Vanguard, Author of virtual blog nolabnoparty.com