ADFS 2.0 Migration to ADFS 3.0

  • Question

  • Hello,

    I am currently in the process of migrating a 2008 R2 ADFS server to Server 2012 R2 on ADFS 3.0. The migration itself seems pretty straightforward, but I was curious about changing the service account it runs on. What I would like to do is move away from using the Domain Admin user account that is currently used in the ADFS setup and instead use a group managed service account. I read a few articles and am planning to use the PowerShell scripts provided in the 2012 media to export the configuration from the old server, but many of the posts warn that it is non-negotiable when it comes to the ADFS account to use and that you must use the same one that was used in the 2.0 setup. Is this the case, or are they just being over-cautious?

    Any insight you guys could provide would be great!


    Will Hume


    • Edited by Will Hume Monday, March 14, 2016 6:56 PM
    Monday, March 14, 2016 6:55 PM

Answers

  • First things first, move to ADFS on Windows Server 2012 R2. There is a step-by-step guide available here:

    It requires that you are using the same service account for the migration. Then change the service account. For this, you can use this script:

    And yes, it requires you to be a member of the Domain Admins group to install your new farm (even in a migration scenario).


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Will Hume Monday, March 14, 2016 7:34 PM
    Monday, March 14, 2016 7:30 PM
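The second step in the answer above (migrate with the existing account, then switch the farm to a gMSA) is what the linked script is for; the link itself is not reproduced on this page. The following is an added example, not the script from the answer and not Microsoft's code, showing the pieces that switch-over has to cover on a 2012 R2 farm: creating the gMSA so that only the farm members can retrieve its password, binding the federation service SPN to it, and re-pointing the `adfssrv` service. The domain `contoso.com`, federation service name `sts.contoso.com`, gMSA name `gmsa-adfs` and the `ADFS Servers` computer group are assumptions for illustration.

```powershell
# Added example (not from the thread): move AD FS on Windows Server 2012 R2 from a
# Domain Admin user account to a group managed service account (gMSA).
# Assumed names: domain CONTOSO / contoso.com, federation service sts.contoso.com,
# gMSA "gmsa-adfs", AD group "ADFS Servers" containing the farm nodes' computer objects.
# Run as a Domain Admin on a domain-joined host with the AD PowerShell module (RSAT).
Import-Module ActiveDirectory

# 1. gMSAs need a KDS root key in the forest. A new key normally becomes usable only
#    after ~10 hours of replication; -EffectiveImmediately is acceptable in a lab only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the gMSA. The farm SPN is bound to the account so Kerberos works for the
#    federation service name, and only members of "ADFS Servers" may fetch the password,
#    which is what removes the standing Domain Admin credential from the service.
New-ADServiceAccount -Name "gmsa-adfs" `
    -DNSHostName "sts.contoso.com" `
    -ServicePrincipalNames "host/sts.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "ADFS Servers"

# 3. On each farm node: install the account locally and confirm the node can actually
#    retrieve the managed password before touching the service.
Install-ADServiceAccount -Identity "gmsa-adfs"
if (-not (Test-ADServiceAccount -Identity "gmsa-adfs")) {
    throw "This node cannot retrieve the gMSA password; check group membership and KDS replication."
}

# 4. Re-point the AD FS service. A gMSA logs on as DOMAIN\name$ and has no password to supply.
#    Only the AD FS service should be running under this account, so stop it first.
Stop-Service -Name adfssrv
sc.exe config adfssrv obj= "CONTOSO\gmsa-adfs$"
Start-Service -Name adfssrv

# 5. Verify the farm still answers and the service runs as the gMSA.
Get-WmiObject Win32_Service -Filter "Name='adfssrv'" | Select-Object Name, StartName, State
```

Two things the service re-point alone does not do, and which the script mentioned in the answer would have to handle before the service will start: the new account needs the "Log on as a service" right on every node, read access to the private keys of the service communication, token-signing and token-decrypting certificates, and a login with the appropriate role in the AD FS configuration database (WID or SQL). Keep the old account until `Get-AdfsProperties` and a test sign-in succeed under the gMSA, then remove it from Domain Admins.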

All replies

  • Thank you for the prompt reply!

    I have read the first one, and the second one is exactly what I am looking for. I am a domain admin, so that is not an issue; I just wanted to move away from using actual AD user accounts that have Domain Admin rights as a way of authenticating a service on a local box.

    Again thank you, I am going to take a look at the script and test it in a lab environment!


    Will Hume

    Monday, March 14, 2016 7:34 PM
  • Glad it helped :)

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, March 14, 2016 9:28 PM