ADFS upgrade process - certificate expired RRS feed

  • Question

  • Hi,

    I am in the middle of upgrading my ADFS farm from 2012R2 til 2016. I've got the new 2016 servers created, and setup as ADFS-servers. I also uses an external SQL-server for my database.

    So a the moment my setup is

    2 * 2012R2 ADFS
    2 * 2012R2 WAP

    2 * 2016 ADFS
    2 * 2016 WAP

    The DNS points to a load balancer that only has the 2012R2 servers as members at the moment.

    Now, as I am doing this the certificate is expiring. I've changed it on the 2012R2-servers, but when I try to change it on the 2016 I get the following:

    Set-AdfsSslCertificate –Thumbprint <thumbprint>
    Set-AdfsSslCertificate : PS0159: The operation is not supported at the current Farm Behavior Level '1'. Raise the farm to at least version '2' before retrying.

    Now, as far as I can tell version 2 is mixed mode between 2012R2 and 2016. I cant see how I cant get to that level. If i try to do a


    I get an error saying

    WARNING: After the farm behavior level is raised, farm nodes running versions prior to 'Windows Server 2016' will no longer be part of the farm and should be removed from the load balancer.

    How do I fix this? I would really like to be able to change my DNS to the 2016 servers without having to decommission the 2012R2 beforehand just to fix the certificate.

    Monday, February 25, 2019 1:02 PM


  • Solved this one by reinstalling the ADFS role on the 2016-servers.
    • Marked as answer by jensrottereng Wednesday, February 27, 2019 7:51 AM
    Wednesday, February 27, 2019 7:51 AM