Update AD FS 2012 R2 to AD FS 2016

By | 19th February 2019

When you are updating your existing AD FS 3.0 (Windows Server 2012 R2) environment to AD FS version 4 (Windows Server 2016), there are some steps you really should not forget.

In this blog I will try to take you through all the steps on how to update your AD FS 2012 R2 environment to AD FS 2016.

The basic outline is that you

  • add the Windows Server 2016 servers to your existing WebApplicationProxy configuration
  • add the Windows Server 2016 servers to your existing AD FS Farm
  • remove your previous Windows 2012 R2 server from the WebApplicationProxy
  • remove your previous Windows 2012 R2 server from the AD FS farm
  • Update the ConfigurationVersion of your WebApplicationProxy
  • Update the farm BehaviorLevel of the AD FS farm

The last two steps in particular are lesser-known, but they should also be completed.

1. Add the Windows Server 2016 servers to your existing WebApplicationProxy Configuration

2. Add the Windows Server 2016 servers to your existing AD FS Farm

First establish whether you are using a WID or SQL database for your farm.

If you are using a WID then run this cmdlet to add the new server to the AD FS Farm.

If you are using a SQL database then run this cmdlet to add the new server to the AD FS Farm.

3. Remove the previous WAP servers from the configuration

Go to a previous WAP server running Windows Server 2012 R2, and run the following cmdlet:

Get-WebApplicationProxyConfiguration


In the output shown, look for the line: ConnectedServersName

Confirm which servers are currently in this field, then select the servers you want to keep in the ConnectedServers list. In this case we want to continue with: ADFSWAP02.xanderbikbergen.com

Run this cmdlet to remove the old server(s) from the configuration, listing only the new servers in the cmdlet:

Set-WebApplicationProxyConfiguration -ConnectedServersName [servername]

Now run Get-WebApplicationProxyConfiguration again to confirm the result.

4. Remove your previous Windows 2012 R2 server from the AD FS farm

Go to a previous AD FS server running Windows Server 2012 R2 and run the cmdlet:

This will remove the AD FS Server from the farm.

5. Update the ConfigurationVersion of your WebApplicationProxy

On the new WAP server get the current configuration version using:

The current ConfigurationVersion is Windows Server 2012 R2. After you have removed all the 2012 R2 (and older) servers from your WebApplicationProxy configuration, upgrade the ConfigurationVersion.

On the new WebApplicationProxy run the cmdlet to upgrade the ConfigurationVersion:

Then run Get-WebApplicationProxyConfiguration again to confirm the upgrade has completed successfully.

Note that in the previous ConfigurationVersion the ADFSSignOutUrl was empty, whereas it now has a value by default.
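
Steps 3 and 5 combined into one guarded function, as an added example that is not part of the original post: it refuses to upgrade the ConfigurationVersion while any server outside the keep list is still connected. The function name Update-WapAfterMigration and its KeepServers parameter are hypothetical; the script assumes it runs elevated on a Windows Server 2016 WAP node and that ConfigurationVersion compares equal to the text shown in the post.

```powershell
#Requires -Modules WebApplicationProxy
# Added example (hypothetical helper, not from the original post).
function Update-WapAfterMigration {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # FQDNs of the Windows Server 2016 WAP servers that must stay connected.
        [Parameter(Mandatory)] [string[]] $KeepServers
    )

    $config  = Get-WebApplicationProxyConfiguration
    $current = @($config.ConnectedServersName)

    # Stop if a server we intend to keep was never added (step 1 not finished).
    $missing = @($KeepServers | Where-Object { $_ -notin $current })
    if ($missing) {
        throw "Not yet in ConnectedServersName: $($missing -join ', ')"
    }

    # Step 3: everything not on the keep list is treated as an old node to drop.
    $remove = @($current | Where-Object { $_ -notin $KeepServers })
    if ($remove) {
        if (-not $PSCmdlet.ShouldProcess(($remove -join ', '), 'Remove from ConnectedServersName')) {
            return  # declined or -WhatIf: stop before the version upgrade
        }
        Set-WebApplicationProxyConfiguration -ConnectedServersName $KeepServers
    }

    # Re-read the configuration and verify the list before raising the version.
    $config   = Get-WebApplicationProxyConfiguration
    $leftover = @($config.ConnectedServersName | Where-Object { $_ -notin $KeepServers })
    if ($leftover) {
        throw "Old servers still connected, not upgrading: $($leftover -join ', ')"
    }

    # Step 5: upgrade only while the version still reports 2012 R2 (value as shown in the post).
    if ($config.ConfigurationVersion -eq 'Windows Server 2012 R2' -and
        $PSCmdlet.ShouldProcess('WebApplicationProxy configuration', 'Upgrade ConfigurationVersion')) {
        Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion
    }

    # Return the fields the post says to check afterwards.
    Get-WebApplicationProxyConfiguration |
        Select-Object ConnectedServersName, ConfigurationVersion, ADFSSignOutUrl
}

# Constructed call using the server name from the post; -WhatIf only shows the plan.
Update-WapAfterMigration -KeepServers 'ADFSWAP02.xanderbikbergen.com' -WhatIf
```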


6. Update the farm BehaviorLevel of the AD FS farm

The last step in the upgrade process is updating the farm BehaviorLevel. This is an important step, especially if you want to use the (new) version of the Extranet Smart Lockout feature in Windows Server 2016. You can find more about that in this post.

To get the current farm behavior level, run the following cmdlet from the AD FS server:

Get-AdfsFarmInformation

To raise the farm behavior level run the cmdlet (assuming you use a WID database):

You do not have to specify the new level; in fact, you cannot specify it. The command applies the latest version available on your forest.

Use the cmdlet below if your farm uses a SQL server database:

After the command has completed, verify the new farm behavior level by running the cmdlet:

Get-AdfsFarmInformation

With all these steps completed, you have now successfully upgraded your AD FS 3.0 environment to AD FS 4.0 and you can start using the new Extranet Smart Lockout features.




I hope this was informative. For questions or comments you can always give a reaction in the comment section or contact me:
