I recently designed a solution to provide AD FS high availability for a client, using Azure IaaS and PaaS. This necessitated deploying Windows Server 2016 AD FS servers into a Windows Server 2012 R2 farm in order to align with the desired DR testing plan and accommodate downtime schedules. This article will review the specific steps for making the cutover from a mixed-mode AD FS environment to a full Windows Server 2016 AD FS farm. It will not go into detail about installing the AD FS roles. At the time of writing this article, adding Windows Server 2016 AD FS servers to a Windows Server 2012 R2 farm in a so-called “mixed-mode” scenario is fully supported, and you can subsequently designate any of the newly added Windows Server 2016 AD FS servers as the primary federation server in the farm. The idea would be to then eventually remove the Windows Server 2012 R2 AD FS role servers (AD FS and proxy) from the farm so that you can upgrade to, and take advantage of, the many new features in the latest Farm Behavior Level (FBL).
Much like Active Directory Domain Services (AD DS), AD FS now has a concept of a “functional level” that determines the features or capabilities that the farm can use. This functional level is called the Farm Behavior Level (FBL), and it is an integer that indicates the AD FS farm’s functional level. You can view the current FBL of your farm by running the following command:
Get-AdfsProperties | Select CurrentFarmBehavior
A value of 1 indicates that the farm is at the Windows Server 2012 R2 FBL, and a value of 3 indicates a Windows Server 2016 FBL.
Promote New Server to Primary Federation Server Role
AD FS has the concept of primary and secondary servers. Assuming a default topology for AD FS, with a federation server farm using the Windows Internal Database (WID), the primary federation server holds a read/write copy of the AD FS configuration database, while all the other servers in the farm (secondary federation servers) store read-only copies of the AD FS configuration database and must replicate any changes that are made on the primary. As part of the effort of migrating to a Windows Server 2016 AD FS farm, you will need to designate a Windows Server 2016 AD FS server as the primary federation server. You can accomplish this with PowerShell, run on the new primary:
Set-AdfsSyncProperties -Role 'PrimaryComputer'
On the previous primary federation server and on the other secondary servers, you can run:
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <internal_FQDN_of_the_new_Primary_Server>
You can now confirm the changes using the following command. This will return only the Windows Server 2016 AD FS servers in the farm, with their corresponding roles:
(Get-AdfsInformation).FarmNodes
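The role cutover above touches every node separately, so it is easy to leave one secondary still pointing at the old primary. The following function is an added example (not code from the original post): it queries Get-AdfsSyncProperties on each node over PowerShell remoting and checks that exactly the expected node reports PrimaryComputer, that every other node reports SecondaryComputer with the new primary's name, and that the last sync from the primary succeeded. The node names and the -ExpectedPrimary value are placeholders, and WinRM access to each node as an AD FS administrator is assumed.

```powershell
# Added example, not from the original post. Assumes PowerShell remoting is enabled
# on every AD FS node and that the caller is an AD FS administrator.
function Test-AdfsRoleCutover {
    param(
        [Parameter(Mandatory)] [string[]] $Nodes,           # internal FQDNs of all farm nodes
        [Parameter(Mandatory)] [string]   $ExpectedPrimary  # internal FQDN of the new primary
    )
    $results = foreach ($node in $Nodes) {
        try {
            # Get-AdfsSyncProperties reports the role each node believes it holds
            $sync = Invoke-Command -ComputerName $node -ErrorAction Stop -ScriptBlock { Get-AdfsSyncProperties }
        } catch {
            [pscustomobject]@{ Node = $node; Role = 'UNREACHABLE'; PrimaryComputerName = $null; LastSyncStatus = $null; Ok = $false }
            continue
        }
        $isPrimary = $node -ieq $ExpectedPrimary
        if ($isPrimary) {
            $roleOk = $sync.Role -eq 'PrimaryComputer'
        } else {
            # Secondaries must point at the new primary, not the old 2012 R2 one
            $roleOk = ($sync.Role -eq 'SecondaryComputer') -and ($sync.PrimaryComputerName -ieq $ExpectedPrimary)
        }
        # LastSyncStatus 0 means the last replication from the primary succeeded (secondaries only)
        $syncOk = $isPrimary -or ($sync.LastSyncStatus -eq 0)
        [pscustomobject]@{
            Node                = $node
            Role                = $sync.Role
            PrimaryComputerName = $sync.PrimaryComputerName
            LastSyncStatus      = $sync.LastSyncStatus
            Ok                  = ($roleOk -and $syncOk)
        }
    }
    $results | Format-Table -AutoSize | Out-Host
    # Also fail if more than one node claims the primary role
    $primaries = @($results | Where-Object { $_.Role -eq 'PrimaryComputer' }).Count
    if ($primaries -ne 1) { Write-Warning "Expected exactly one primary, found $primaries" }
    return ($primaries -eq 1) -and -not ($results | Where-Object { -not $_.Ok })
}

# Placeholder names; replace with the farm's internal FQDNs
Test-AdfsRoleCutover -Nodes 'adfs2016-01.corp.example','adfs2016-02.corp.example','adfs2012-01.corp.example' `
                     -ExpectedPrimary 'adfs2016-01.corp.example'
```

A return value of $true means every node agrees on the new primary; any $false row in the table identifies the node to fix before moving on to the farm behavior level raise.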
Raise Farm Functional Level
Prior to doing this, you have the option of removing your Windows Server 2012 R2 AD FS and WAP servers from your AD FS farm. Note the following:
- When you invoke the farm behavior level raise, farm nodes running versions prior to Windows Server 2016 will no longer be a part of the farm, and so you’ll have to remove them from any load balancing configs for your service.
- If you’d like to uninstall AD FS from the Windows Server 2012 R2 servers in your farm, you can do so with PowerShell: Uninstall-WindowsFeature adfs-federation -IncludeManagementTools
- Windows Server 2012 R2 Web Application Proxy (WAP) servers can still work in this deployment, provided that they can access the new AD FS servers by hostname.
If, however, you’d like to deploy Windows Server 2016 WAP servers and remove the Windows Server 2012 R2 WAP servers, install the Remote Access role with the WAP role feature on your Windows Server 2016 servers:
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
# Identify the certificate thumbprint
Dir Cert:\LocalMachine\My
Install-WebApplicationProxy -FederationServiceName "federation service name" -CertificateThumbprint "Thumbprint from above command"
You can uninstall the WAP feature from your Windows Server 2012 R2 WAP servers:
Uninstall-WindowsFeature Web-Application-Proxy -IncludeManagementTools
View the list of WAP servers in the ‘connected servers name’ list:
Get-WebApplicationProxyConfiguration | Select-Object -ExpandProperty ConnectedServersName
After running the above command, you will see that the Windows Server 2012 R2 WAP servers are still in the WAP configuration, even after uninstalling the feature from the servers. This is because you’ll have to manually remove them from the connected servers list. To do so, upgrade your configuration version after removing the WAP feature from the Windows Server 2012 R2 WAP servers:
Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion
You can now modify the list of servers in the connected servers list by entering only the Windows Server 2016 WAP servers:
Set-WebApplicationProxyConfiguration -ConnectedServersName <WAP Server 1>,<WAP Server 2>,...
You can now confirm that the connected servers list is updated:
Get-WebApplicationProxyConfiguration | Select-Object -ExpandProperty ConnectedServersName
You can now proceed to raise the farm functional level using PowerShell. On the primary node in the WID farm, run:
Invoke-AdfsFarmBehaviorLevelRaise
This will run a few precheck tests, configure all configuration database copies on your Windows Server 2016 AD FS farm nodes for the maximum functional level, and change the integer value to 3. You can confirm this change:
Get-AdfsProperties | Select CurrentFarmBehavior
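Because the raise silently drops any pre-2016 node from the farm, and because stale WAP entries are easy to miss, it is worth a scripted readiness check before running Invoke-AdfsFarmBehaviorLevelRaise. The following function is an added example (not code from the original post), to be run on the new primary: it confirms the farm is still at FBL 1, checks the OS build of every node you expect to keep, compares the WAP connected-servers list against the 2016 WAP servers you intend to keep, and runs the AD FS module's own Test-AdfsFarmBehaviorLevelRaise precheck (a Windows Server 2016 cmdlet not mentioned above). Node names, the WAP server name and the expected WAP list are placeholders; PowerShell remoting to each machine is assumed.

```powershell
# Added example, not from the original post. Run on the new primary federation server.
# Assumes PowerShell remoting to every AD FS node and to one WAP server.
function Test-AdfsFarmRaiseReadiness {
    param(
        [Parameter(Mandatory)] [string[]] $AdfsNodes,          # nodes that should remain after the raise
        [Parameter(Mandatory)] [string]   $WapServer,          # a 2016 WAP server to query the config from
        [Parameter(Mandatory)] [string[]] $ExpectedWapServers  # the 2016 WAP servers that should stay connected
    )
    $ok = $true

    # 1. The farm must still be at the 2012 R2 level (1); a value of 3 means it was already raised
    $fbl = (Get-AdfsProperties).CurrentFarmBehavior
    Write-Host "CurrentFarmBehavior: $fbl"
    if ($fbl -ne 1) { Write-Warning "Expected FBL 1 before the raise, found $fbl"; $ok = $false }

    # 2. Any node below Windows Server 2016 (build 14393) will drop out of the farm during the raise,
    #    so it must be removed from the load balancer first
    foreach ($node in $AdfsNodes) {
        $osVersion = Invoke-Command -ComputerName $node -ScriptBlock { (Get-CimInstance Win32_OperatingSystem).Version }
        $build = [int](($osVersion -split '\.')[2])
        if ($build -lt 14393) {
            Write-Warning "$node runs OS $osVersion and will be dropped by the raise; remove it from load balancing"
            $ok = $false
        }
    }

    # 3. The WAP connected-servers list should name only the 2016 WAP servers
    $connected = Invoke-Command -ComputerName $WapServer -ScriptBlock {
        (Get-WebApplicationProxyConfiguration).ConnectedServersName }
    $stale = @($connected | Where-Object { $_ -notin $ExpectedWapServers })
    if ($stale.Count -gt 0) {
        Write-Warning ("Stale WAP entries still connected: " + ($stale -join ', '))
        $ok = $false
    }

    # 4. Let AD FS run its own prechecks; a thrown error here means the raise would fail
    try { Test-AdfsFarmBehaviorLevelRaise | Out-Host } catch { Write-Warning $_; $ok = $false }
    return $ok
}

# Placeholder names; replace with the real internal FQDNs
Test-AdfsFarmRaiseReadiness -AdfsNodes 'adfs2016-01.corp.example','adfs2016-02.corp.example' `
                            -WapServer 'wap2016-01.corp.example' `
                            -ExpectedWapServers 'wap2016-01.corp.example','wap2016-02.corp.example'
```

Only proceed with Invoke-AdfsFarmBehaviorLevelRaise when the function returns $true; each warning names the node or WAP entry that still needs attention.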
You’ll now be able to manage all of the new parameters available at the new Farm Behavior Level, such as the ‘ExtranetLockoutRequirePDC’ setting, and many more.
Latest posts by Chiyo Odika