Possible conflict from having an old ADFS 2.0 farm and a new ADFS 3.0 farm online with the same fs.contoso.com name?

  • Question

  • I have an ADFS 2.0 farm online using split DNS on Win2008 R2 and am replacing it with an ADFS 3.0 farm on 2012 R2. I am following the guide here - https://blogs.technet.microsoft.com/askpfeplat/2014/03/30/how-to-build-your-adfs-lab-part4-upgrading-to-server-2012-r2/

    I have exported my SSL cert and farm config, but am concerned about bringing the new farm online with the exact same name as the existing farm, because we will need downtime for the actual swap due to the IP changes needed for firewalls, etc. I am just trying to get everything ready and staged for now. I would like to keep the farm name the same, but will bringing online a new farm with the same name fs.contoso.com try to update any AD/DNS records before we are ready to make that change? In other words, why is it asking for Domain Admin credentials when going through those steps?

    Thanks,

    Dave

    Monday, December 12, 2016 10:49 PM

Answers

  • Hi Dave,

    That guy doesn't give a lot of information, but a 503 error means "service unavailable", so maybe he stopped his ADFS service on his source servers? Maybe he reset the password on the service account... maybe he used a different service account and changed the permissions on the DKM container inadvertently. Lots of possibilities.

    I have done a few of these cutovers without incident, in fact I have one that has been sitting with ADFS 2 and ADFS 3 side by side for over a month waiting for the change control to be approved.

    Good Luck!

    Shane

    • Marked as answer by DaveBryan37 Tuesday, January 24, 2017 1:59 AM
    Tuesday, January 24, 2017 1:58 AM

All replies

  • Hi Dave, 

    As per the blog, the testing can also be done by adding hosts file entries. Can you try that? And yes, after that we need to change DNS to point the name at the new 3.0 server.

    Linus

    Thursday, December 15, 2016 7:36 AM
  • Hey Linus,

    I know how hosts entries work, but I am trying to find out why I need Domain Admin credentials to go through the post-ADFS configuration steps. Is it just because it updates DNS, or is it doing something else in AD that might cause an issue for the old production farm while the new farm is being staged? I am thinking I should probably just wait and go through the steps during the failover window, but I am trying to see if anyone knows the specifics.

    Dan


    Dan Heim

    Thursday, December 15, 2016 5:14 PM
  • You need to be a domain admin only to install the first server of the farm.

    Details of the step by step migration path (the parallel run is the migration path) are here: https://technet.microsoft.com/en-us/library/dn486815.aspx  


    Thursday, December 15, 2016 8:12 PM
  • Thanks for the email and the link. I am standing up a new 2012 R2 ADFS 3.0 production farm and want to get it 100% ready, then update the records during a specific window of downtime so I can test everything. I just want to make sure that importing the ADFS configuration into a new farm does not cause any DNS registrations, etc., that would cause the old farm to stop working. I will redirect fs.contoso.com at a later date. Does anyone know if running Import-FederationConfiguration.ps1 will cause any issues with the current production farm?

    Thanks,

    Dave

    Friday, January 20, 2017 6:42 PM
  • Hi DaveBryan37,

    If your certificates roll over while you are running both environments, you might have a problem. If you want to be cautious, make sure you have plenty of time between the build and the next certificate rollover. Apart from that, all good. ADFS doesn't maintain its own DNS record... well... unless you have a server named the same as your ADFS service, that is.

    Good luck!

    Shane

    Monday, January 23, 2017 2:59 AM
  • My concern was this guy mentioning a problem. I am just trying to get more info, but thanks for your reply.

    Help! I followed this guide, and everything worked as expected – EXCEPT that a few minutes after the new server came online our existing server started giving HTTP error 503 service unavailable. The new server was working fine when I pointed at it using my hosts file, but everyone else failed when hitting adfs.x.com through DNS.

    I cut over to the new 3.0 server in DNS to get it up and running but I need to know why this happened. Is it some type of SRV or SPN in AD?

    Thanks,

    Dave

    Monday, January 23, 2017 5:54 PM
  • Thanks - I went ahead and did it and am not seeing any errors, but I now have two farms online with the same name and am not sure how to join another ADFS 3.0 server to the new farm instead of the old one, and the same for the proxies, but I'm not there yet. It might let me go by server name or something simple.

    Dave

    Tuesday, January 24, 2017 2:00 AM
  • Hey DaveBryan37,

    Add an entry to your hosts file C:\windows\system32\drivers\etc\hosts

    Good luck!

    Shane

    Tuesday, January 24, 2017 2:11 AM
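The checks this thread circles around (what the name actually resolves to, the hosts-file override Shane suggests, Shane's certificate-rollover caveat, and Dave's question about SRV/SPN records in AD), pulled together as an added PowerShell example. It is not code from the thread or from Microsoft's migration guide. It assumes the service name fs.contoso.com, that it is run on the new 2012 R2 node (so the ADFS PowerShell module and setspn.exe are present) and that the node is domain-joined. Everything in it is read-only, so it can be run while the old farm is still live.

```powershell
# Added example, not from the thread: read-only staging checks for running an old
# and a new AD FS farm side by side under one service name.
# Assumes fs.contoso.com as the service name and that this runs on the new node.
param(
    [string]$ServiceName = 'fs.contoso.com'
)

# 1. Which address does the network resolve the name to, and does this box
#    override it in the hosts file (Shane's suggestion for testing the new farm)?
$dnsAnswer = Resolve-DnsName -Name $ServiceName -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } |
             Select-Object -ExpandProperty IPAddress
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLine = Get-Content $hostsPath |
             Where-Object { $_ -match "^\s*(\d{1,3}(\.\d{1,3}){3})\s+.*\b$([regex]::Escape($ServiceName))\b" } |
             Select-Object -First 1
"DNS answer for ${ServiceName}: $($dnsAnswer -join ', ')"
"hosts override on this box  : $(if ($hostsLine) { $hostsLine.Trim() } else { '<none>' })"

# 2. Ask whichever farm answers for the name to identify itself. Federation
#    metadata needs no credentials and is signed with the farm's token-signing
#    certificate, so comparing that certificate with this farm's primary
#    token-signing certificate shows whether the name reaches the new farm or the
#    old one. The Server header is a second tie-breaker: ADFS 2.0 runs inside IIS,
#    ADFS on 2012 R2 runs directly on HTTP.SYS.
$metadataUrl = "https://$ServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $resp.Content
$remoteCertB64 = $metadata.EntityDescriptor.Signature.KeyInfo.X509Data.X509Certificate
$remoteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                  (,[Convert]::FromBase64String($remoteCertB64))
$localSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
"issuer in metadata          : $($metadata.EntityDescriptor.entityID)"
"Server header               : $($resp.Headers['Server'])"
"signing cert that answered  : $($remoteCert.Thumbprint)"
"this farm's signing cert    : $($localSigning.Thumbprint)"
if ($remoteCert.Thumbprint -eq $localSigning.Thumbprint) {
    'The name currently reaches THIS farm (hosts override, or DNS already cut over).'
} else {
    'The name currently reaches the OTHER farm; this node is staged but not serving.'
}

# 3. Shane's caveat: with AutoCertificateRollover on, each farm generates and
#    promotes its own token-signing/decrypting certificates on its own schedule,
#    so the two farms' keys drift apart while they run side by side. Know how
#    many days remain before the next rollover would start.
$props = Get-AdfsProperties
"AutoCertificateRollover     : $($props.AutoCertificateRollover)"
"days before expiry a new cert is generated : $($props.CertificateGenerationThreshold)"
"days after generation it becomes primary   : $($props.CertificatePromotionThreshold)"
Get-AdfsCertificate |
    Select-Object CertificateType, IsPrimary, Thumbprint,
                  @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } },
                  @{ n = 'DaysLeft'; e = { [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize

# 4. Dave's SRV/SPN question: AD FS registers no DNS records, but the service
#    account must hold HOST/<service name> so clients can obtain a Kerberos ticket
#    for integrated authentication. If the new farm uses a different service
#    account, the same SPN must not end up on both accounts; a duplicate SPN
#    breaks Kerberos for the name regardless of which farm DNS points at.
$spn = "HOST/$ServiceName"
$holders = @(& setspn.exe -Q $spn 2>&1 | Where-Object { $_ -match '^CN=' })
"accounts holding ${spn}: $($holders.Count)"
$holders | ForEach-Object { "  $_" }
if ($holders.Count -gt 1) {
    Write-Warning "Duplicate SPN $spn - Kerberos authentication to $ServiceName will fail until one copy is removed."
}
```

Two notes on reading the output. If the token-signing certificate was imported from the old farm rather than auto-generated, both farms have the same thumbprint and step 2 can only be decided by the Server header. For Dave's follow-up about adding nodes: `Add-AdfsFarmNode` joins by the primary server's computer name (`-PrimaryComputerName`), not by the farm name, so the second node needs no hosts entry; the Web Application Proxy, on the other hand, is configured with `-FederationServiceName` and resolves that name, so the proxy is the box that needs the hosts entry pointing at the new farm until DNS is cut over. `setspn -X` lists every duplicate SPN in the domain if step 4 turns up more than one holder.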