
When you are updating your existing AD FS 3.0 (Windows Server 2012 R2) environment to AD FS version 4 (Windows Server 2016) there are some steps you really should not forget.
In this blog I will take you through all the steps to update your AD FS 2012 R2 environment to AD FS 2016.
The basic outline is that you:
- add the Windows Server 2016 servers to your existing WebApplicationProxy configuration
- add the Windows Server 2016 servers to your existing AD FS farm
- remove your previous Windows Server 2012 R2 servers from the WebApplicationProxy configuration
- remove your previous Windows Server 2012 R2 servers from the AD FS farm
- update the ConfigurationVersion of your WebApplicationProxy
- update the farm behavior level of the AD FS farm
Certainly the last two steps are lesser-known steps which should also be completed; without them the farm keeps running in Windows Server 2012 R2 compatibility mode and the new features stay unavailable.
1. Add the Windows Server 2016 servers to your existing WebApplicationProxy Configuration
```powershell
# install the Web Application Proxy feature
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# configure the Web Application Proxy
# enter the credential of an account that is a local administrator on the federation server;
# this is used once to establish the trust and does not need to be the AD FS service account
$Credentials = Get-Credential
Install-WebApplicationProxy -CertificateThumbprint [certificatethumbprint] -FederationServiceTrustCredential $Credentials -FederationServiceName federation.xanderbikbergen.com
```
2. Add the Windows Server 2016 servers to your existing AD FS Farm
First establish whether you are using a WID or SQL database for your farm.
If you are using a WID then run this cmdlet to add the new server to the AD FS Farm.
```powershell
$Credentials = Get-Credential   # enter the credential of your AD FS service account
Add-AdfsFarmNode -ServiceAccountCredential $Credentials -PrimaryComputerName adfsp01.xanderbikbergen.com -CertificateThumbprint [certificatethumbprint]
```
If you are using a SQL database then run this cmdlet to add the new server to the AD FS Farm.
```powershell
$Credentials = Get-Credential   # enter the credential of your AD FS service account, which must also have access to your SQL database
Add-AdfsFarmNode -ServiceAccountCredential $Credentials -SQLConnectionString "Data Source=[enter SQL Servername\instance];Integrated Security=True" -CertificateThumbprint [certificatethumbprint] -Credential $Credentials
```
3. Remove the previous WAP servers from the configuration
Go to a previous WAP server running Windows Server 2012 R2, and run the following cmdlet:
```powershell
Get-WebApplicationProxyConfiguration
```
In the output look for the line ConnectedServersName.
Confirm which servers are currently listed in this field and decide which servers you want to keep. In this case we want to continue with ADFSWAP02.xanderbikbergen.com.
Run this cmdlet to remove the old server(s) from the configuration; the list you pass replaces the current one, so name only the new server(s) you want to keep:
```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName ADFSWAP02.xanderbikbergen.com
```
Now run the Get-WebApplicationProxyConfiguration again to confirm the result.
4. Remove the previous AD FS servers from the farm
If your farm uses WID, first make one of the new Windows Server 2016 nodes the primary (run Set-AdfsSyncProperties -Role PrimaryComputer on that node, and Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName with the new primary's name on every other node); otherwise removing the 2012 R2 primary leaves the farm without a primary, and the farm behavior level raise in step 6 has to run on the primary. Then go to the previous AD FS server running Windows Server 2012 R2 and run the cmdlet:
```powershell
Remove-AdfsFarmNode
```
This will remove the AD FS Server from the farm.
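As an added example, not code from the original post, here is the removal phase of steps 3 and 4 as a script with the checks I would want around it: it drops the old WAP server from ConnectedServersName without ever emptying the list, moves the WID primary role to a 2016 node before the 2012 R2 node leaves the farm, and verifies the sync role on each node. ADFSWAP02 and adfsp01 are the names used in this post; ADFSWAP01 (the 2012 R2 WAP being removed) and adfs02 (the new 2016 AD FS node) are assumptions. Each part must be run on the server named in its comment.

```powershell
# Added example, not from the original post. Hostnames are placeholders for this environment:
#   ADFSWAP01 = 2012 R2 WAP being removed (assumed), ADFSWAP02 = 2016 WAP that stays (from the post)
#   adfsp01   = 2012 R2 AD FS primary (from the post),  adfs02   = new 2016 AD FS node (assumed)
# Each part runs on a different server; see the comment above each part.

# ---- Part 1: on the 2016 WAP server (ADFSWAP02): drop the old WAP from the connected list ----
$OldWap = 'ADFSWAP01.xanderbikbergen.com'
$Cfg    = Get-WebApplicationProxyConfiguration
"Connected WAP servers before: $($Cfg.ConnectedServersName -join ', ')"

$Keep = @($Cfg.ConnectedServersName | Where-Object { $_ -ne $OldWap })
if ($Keep.Count -eq 0) {
    throw "Refusing to empty ConnectedServersName; at least one WAP server must remain."
}
if ($Keep.Count -eq @($Cfg.ConnectedServersName).Count) {
    Write-Warning "$OldWap was not in the connected list; nothing to remove."
}
Set-WebApplicationProxyConfiguration -ConnectedServersName $Keep
"Connected WAP servers after:  $((Get-WebApplicationProxyConfiguration).ConnectedServersName -join ', ')"

# ---- Part 2 (WID farms only): on the 2016 node that becomes primary (adfs02) ----
# The behavior level raise in step 6 runs on the primary, so a 2016 node has to hold that role
# before the 2012 R2 primary leaves the farm.
Set-AdfsSyncProperties -Role PrimaryComputer
$Sync = Get-AdfsSyncProperties
if ("$($Sync.Role)" -ne 'PrimaryComputer') {
    throw "This node did not become primary (Role=$($Sync.Role))"
}

# ---- Part 3 (WID farms only): on every other node still in the farm, including adfsp01 ----
$NewPrimary = 'adfs02.xanderbikbergen.com'
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $NewPrimary
$Sync = Get-AdfsSyncProperties
if ("$($Sync.Role)" -ne 'SecondaryComputer' -or $Sync.PrimaryComputerName -ne $NewPrimary) {
    throw "Node is not a secondary of $NewPrimary (Role=$($Sync.Role), Primary=$($Sync.PrimaryComputerName))"
}
# LastSyncStatus 0 means the last pull from the new primary succeeded
$Sync | Select-Object Role, PrimaryComputerName, LastSyncFromPrimary, LastSyncStatus

# ---- Part 4: on the 2012 R2 node (adfsp01), now a secondary, once a sync has completed ----
Remove-AdfsFarmNode
```

The order matters: part 2 and 3 before part 4, and part 4 only after the old node reports a successful sync from the new primary, so that nothing changed on the old primary in the meantime is lost.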
5. Update the ConfigurationVersion of your WebApplicationProxy
On the new WAP server get the current configuration version using:
```powershell
Get-WebApplicationProxyConfiguration
```
The current ConfigurationVersion still reads Windows Server 2012 R2. Only after you have removed all the 2012 R2 (and older) servers from your WebApplicationProxy configuration can you upgrade the configuration version.
On the new WebApplicationProxy run the cmdlet to upgrade the ConfigurationVersion:
```powershell
Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion
```
Then run Get-WebApplicationProxyConfiguration again to confirm the upgrade has completed successfully.
Note that in the previous ConfigurationVersion the ADFSSignOutUrl was empty; after the upgrade it has a value by default.
6. Update the farm BehaviorLevel of the AD FS farm
The last step in the upgrade process is raising the farm behavior level. This is an important step, especially if you want to use the new Extranet Smart Lockout feature in Windows Server 2016. You can find more about that in this post.
To get the current farm behavior level, run the following cmdlet on the primary AD FS server:
```powershell
Get-AdfsFarmInformation
```
To raise the farm behavior level, run the following cmdlet on the primary node once every 2012 R2 node has left the farm (assuming you use a WID database):
```powershell
Invoke-AdfsFarmBehaviorLevelRaise
```
You do not have to specify the new level; in fact you cannot specify one in AD FS 2016. The cmdlet determines the target level itself from the nodes in the farm, and the raise is one-way, so back up the primary before you run it.
Use the cmdlet below if your farm uses a SQL server database:
```powershell
$Credentials = Get-Credential
Invoke-AdfsFarmBehaviorLevelRaise -Credential $Credentials
```
After the command has completed, verify the new farm behavior level by running the cmdlet:
```powershell
Get-AdfsFarmInformation
```
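The finishing steps 5 and 6 are where an upgrade usually gets left half done, so here is an added example (not code from the original post) that checks the preconditions, performs each upgrade, and fails loudly if the version did not change. Part 1 runs on the 2016 WAP server; part 2 runs on the primary 2016 AD FS node of a WID farm (for SQL, add -Credential as shown above). The decommissioned hostname adfsp01 is the one used in this post; the guard list, the dry run with Test-AdfsFarmBehaviorLevelRaise and the before/after comparison are my additions.

```powershell
# Added example, not from the original post. Part 1 runs on the 2016 WAP server; part 2 runs on
# the PRIMARY 2016 AD FS node. Hostnames in $Decommissioned are this environment's old nodes.

# ---- Part 1: on the WAP server: ConfigurationVersion must no longer read 2012 R2 ----
$Wap = Get-WebApplicationProxyConfiguration
"WAP ConfigurationVersion: $($Wap.ConfigurationVersion)"
if ("$($Wap.ConfigurationVersion)" -like '*2012*') {
    # Only valid once every 2012 R2 WAP has left ConnectedServersName (step 3)
    Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion
    $Wap = Get-WebApplicationProxyConfiguration
    if ("$($Wap.ConfigurationVersion)" -like '*2012*') {
        throw "WAP configuration version was not upgraded; is a 2012 R2 WAP still connected?"
    }
}
"ADFSSignOutUrl is now: $($Wap.ADFSSignOutUrl)"

# ---- Part 2: on the primary AD FS node: raise the farm behavior level ----
$Before = Get-AdfsFarmInformation
"Farm behavior level before: $($Before.CurrentFarmBehavior)"
"Farm nodes: $($Before.FarmNodes -join ', ')"

# Refuse to continue while a node from the old farm is still listed (step 4 not finished)
$Decommissioned = @('adfsp01.xanderbikbergen.com')   # 2012 R2 node(s) that should be gone
foreach ($Old in $Decommissioned) {
    if ("$($Before.FarmNodes)" -like "*$Old*") {
        throw "$Old is still a farm member; remove it before raising the level"
    }
}

# Dry run: reports whether the raise can proceed without changing anything
Test-AdfsFarmBehaviorLevelRaise

# The raise itself. There is no parameter to pick a level in AD FS 2016; the cmdlet determines
# the target level from the farm members. This is one-way, so have a backup of the primary.
Invoke-AdfsFarmBehaviorLevelRaise

$After = Get-AdfsFarmInformation
if ($After.CurrentFarmBehavior -le $Before.CurrentFarmBehavior) {
    throw "Farm behavior level is still $($After.CurrentFarmBehavior); check the AD FS admin event log"
}
"Farm behavior level after: $($After.CurrentFarmBehavior)"
```

Keep the output of both parts with the change record: the before/after values of ConfigurationVersion and CurrentFarmBehavior are the evidence that the upgrade was actually completed and not just the servers swapped.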
With all these steps completed you have now successfully upgraded your AD FS 3.0 environment to AD FS 4.0 and you can start using the new Extranet Smart Lockout features.
I hope this was informative. For questions or comments you can always leave a reaction in the comment section or contact me: