Multiple ADFS farms on different versions when to do adprep for 2016 and raise functional level

  • Question

  • Hello All,

    I am currently running 3 different adfs farms at my site: adfs2.0, adfs3.0 (2012r2), adfs2016.  All three farms are completely independent and my 365 authentication is currently on the adfs 3.0 farm.

    I am planning on phasing out the other two farms at some point soon, and would like to switch my 365 authentication to the 2016 farm as soon as possible.

    Right now my domain level is at 2012r2, and I have not done an adprep for server 2016 yet.  I did not want to affect my adfs 3.0 farm in any way. 

    My question is, can I do the 2016 adprep right now without causing any issues on any of my adfs farms, and should I run the farm level raise command after that: Invoke-AdfsFarmBehaviorLevelRaise?  Should I wait until all other farms are phased out before I do the adprep or farmlevelraise?

    Thank you

    Tuesday, May 9, 2017 4:35 PM

All replies

  • Invoke-AdfsFarmBehaviorLevelRaise needs a Windows Server 2016 AD Schema. But there is no requirement for DFL/FFL.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, May 9, 2017 9:32 PM
  • Ok, thanks.  Sorry, that is what I meant. 

    So basically, I can upgrade the Domain schema at any point without worry?  If my farm is an independent fully functional adfs2016 farm already, is there any need to raise the farmbehaviorlevel after the 2016 schema?  Also, I haven't been able to tell, is that command specific to each adfs farm or does it affect the whole domain?

    Wednesday, May 10, 2017 4:21 PM
  • You need to raise the farm behavior level to use any of the new Windows Server 2016 ADFS features. So basically you have a Windows Server 2012 R2 ADFS farm for now. And it is a farm thing. So you can have multiple farms with different levels.


    Thursday, May 18, 2017 1:48 PM
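
Added example, not part of the thread and not Microsoft's own code: a read-only PowerShell check of the two things the replies above distinguish, the forest-wide AD schema version and the per-farm behavior level. It assumes it is run as an administrator on a node of the AD FS 2016 farm with the ActiveDirectory module installed; the variable and property names on the output object are illustrative.

```powershell
# Read-only readiness check: nothing in AD or AD FS is modified.
Import-Module ActiveDirectory
Import-Module ADFS

# objectVersion written to the schema head by the Windows Server 2016 adprep.
$Schema2016 = 87

# Forest-wide value: the schema version lives on the schema naming context head.
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion

# Per-farm value: each AD FS farm reports its own behavior level
# (1 = Windows Server 2012 R2, 3 = Windows Server 2016).
$farm = Get-AdfsFarmInformation

$report = [pscustomobject]@{
    SchemaObjectVersion = $schemaVersion
    SchemaIs2016OrLater = ($schemaVersion -ge $Schema2016)
    DomainMode          = (Get-ADDomain).DomainMode   # informational only: no DFL/FFL requirement
    CurrentFarmBehavior = $farm.CurrentFarmBehavior
    FarmNodes           = $farm.FarmNodes
}
$report | Format-List

if ($farm.CurrentFarmBehavior -ge 3) {
    Write-Output 'This farm already reports the 2016 behavior level; no raise is pending.'
}
elseif (-not $report.SchemaIs2016OrLater) {
    Write-Output 'Schema is older than Windows Server 2016; the raise would fail its prerequisite check.'
}
else {
    # Dry run of the raise: reports per-node prerequisite results without changing the farm.
    Test-AdfsFarmBehaviorLevelRaise
}
```

Running it once on a node of each farm shows the schema value is shared by the whole forest while `CurrentFarmBehavior` is reported separately per farm.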
  • When I get adfs information on my 2016 farm it says CurrentFarmBehavior = 3.  As far as I've been able to tell that is the 2016 adfs level.

    I've found a few articles saying that the behavioral level is only restricted if you upgraded an existing farm, and to get the "new features" you would need to build an independent and fresh 2016 farm or use the raise fbl command.  That command requires the 2016 schema, I think.

    That doesn't really tie into my question.  I'm really just wanting to make sure that if I migrate all my sso services including o365 to the adfs2016 farm and then raise my domain schema later should I expect to see any issues?  Will it even be necessary to run the farmbehaviorraise command on an adfs cluster that has always been 2016 regardless of my AD schema levels?

    Thanks for the responses

    Thursday, May 18, 2017 3:50 PM