Unable to add ADFS node to farm

  • General discussion

  • Hi team,

    I have two ADFS servers already in place and want to add another node. However, when I try to add a new node, I am unable to add it and get errors. I ran the Test-ADFSFarmNode command and these are the errors I'm getting:

    PS C:\Users\adminuser> test-adfsfarmjoin -verbose
    
    cmdlet Test-AdfsFarmJoin at command pipeline position 1
    Supply values for the following parameters:
    GroupServiceAccountIdentifier: domain\adfssvc$
    PrimaryComputerName: <adfsprimary>.domain.com
    
    Message                                                          Context           Status
    -------                                                          -------           ------
    Successfully verified the target computer is joined to a domain. PreCheckTest     Success
    group Managed Service Account was validated.                     PrerequisiteTest Success
    test-adfsfarmjoin : The system cannot open the device or file specified
    At line:1 char:1
    + test-adfsfarmjoin -verbose
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Test-AdfsFarmJoin], DisplayableArgumentException
        + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.TestJoinFarmCommand
    
    Unable to retrieve group Managed Service Account information.... DeploymentTask     Error
    test-adfsfarmjoin : There were no SPNs set on the following service account ''. Specify the service account used to
    configure the other Federation Servers in the farm, or set host SPN for the farm on the service account.
    At line:1 char:1
    + test-adfsfarmjoin -verbose
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Test-AdfsFarmJoin], DisplayableArgumentException
        + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.TestJoinFarmCommand
    
    Unable to determine the Service SPN. There were no SPNs set o... DeploymentTask     Error
    test-adfsfarmjoin : Client is unable to finish the security negotiation within the configured timeout
    (00:09:59.8799902).  The current negotiation leg is 1 (00:09:59.8189848).
    At line:1 char:1
    + test-adfsfarmjoin -verbose
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Test-AdfsFarmJoin], TimeoutException
        + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.TestJoinFarmCommand
    
    Unable to determine the current Farm Behavior Level. Client i... DeploymentTask     Error
    test-adfsfarmjoin : Value cannot be null.
    Parameter name: context.ServiceAccountUserName
    At line:1 char:1
    + test-adfsfarmjoin -verbose
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Test-AdfsFarmJoin], ArgumentNullException
        + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.TestJoinFarmCommand
    
    Unable to retrieve configuration from the primary server. Val... DeploymentTask     Error
    

    Any inputs?

    Cheers,

    Jude.

    Friday, May 17, 2019 7:17 AM

All replies

  • Have you spelled the service account domain and account name correctly?

    Since this step fails, all the other steps fail too.

    Are you running PowerShell elevated?

    I'm using a regular account and this PowerShell script which works just fine:

    $DomainAdminCred = Get-Credential -Message "Enter Domain Administrator Credentials"
    $ADFSServiceCred = Get-Credential -Message "Enter ADFS Service Account Credentials"
    $PCN = 'adfswid2'
    $Thumb = 'B4DCDF71A4E7DF912CC06CD1B49D750A1767D45F'
    test-adfsfarmjoin -CertificateThumbprint $Thumb -ServiceAccountCredential $ADFSServiceCred -Credential $DomainAdminCred -PrimaryComputerName $PCN


    Friday, May 17, 2019 1:38 PM
  • Hi Moloko,

    Thank you for the reply. Yes, PowerShell was running as Admin and the service account and domain were all good.

    The service account I'm using is a gMSA. So how can I input those details to Test-ADFSFarmJoin?


    Regards,
    Jude.

    Monday, May 20, 2019 11:52 AM
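
An added example, not part of the original thread: the output above shows that Test-AdfsFarmJoin takes a gMSA through its GroupServiceAccountIdentifier parameter, so this sketch first checks the two things the errors point at (whether the new node can retrieve the gMSA and whether SPNs are set on it) and then re-runs the test non-interactively. It assumes the ActiveDirectory RSAT module is installed on the new node; the account and server names are the placeholders used in the thread.

```powershell
# Added example: run elevated on the node being joined. Names are placeholders from the thread.
Import-Module ActiveDirectory   # assumption: RSAT AD PowerShell module is installed

$GmsaName    = 'adfssvc'                    # gMSA name without the trailing $
$GmsaId      = 'domain\adfssvc$'            # identifier format shown in the thread
$PrimaryNode = '<adfsprimary>.domain.com'   # placeholder for the primary ADFS server

# 1. Can this computer retrieve the gMSA's managed password? Returns $true or $false.
$canUse = Test-ADServiceAccount -Identity $GmsaName
Write-Output "gMSA usable on ${env:COMPUTERNAME}: $canUse"

# 2. Read who may retrieve the password and which SPNs are registered on the account.
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames

Write-Output 'Principals allowed to retrieve the managed password:'
$gmsa.PrincipalsAllowedToRetrieveManagedPassword

Write-Output 'SPNs registered on the gMSA:'
$gmsa.ServicePrincipalNames

if (-not $canUse) {
    Write-Warning 'This node cannot retrieve the gMSA password; check the allowed principals above.'
}
if (-not $gmsa.ServicePrincipalNames) {
    Write-Warning 'No SPNs on the gMSA; this matches the "no SPNs set" error in the output.'
}

# 3. Re-run the join test, passing the gMSA explicitly instead of answering the prompts.
$AdminCred = Get-Credential -Message 'Enter credentials allowed to join the farm'
Test-AdfsFarmJoin -GroupServiceAccountIdentifier $GmsaId `
    -PrimaryComputerName $PrimaryNode `
    -Credential $AdminCred -Verbose
```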