ADFS 2012 Farm upgrade to ADFS 2016 Farm

  • Question

  • Our Environment is as follows:

    Two ADFS 2012 R2 Servers in internal network

    Two ADFS 2012 R2 Proxy servers in perimeter network

    Back end Database SQL

    The high level plan I am thinking of is as:

    1. Prepare Active Directory to have the Windows 2016 Schema by running Forestprep and Domainprep using Windows 2016 installation media

    2. Build 4 new servers (2 internal servers + 2 proxy servers) with Windows 2016

    3. Place the servers in existing respective network ( Internal and DMZ network)

    4. Configure the network for the new servers identically to the existing 2012 R2 servers

    5. Update the hosts file entries of the Windows 2016 servers identically to the Windows 2012 servers

    6. Export and Import certificates from Windows 2012 servers to Windows 2016 servers

    7. Add ADFS role to Windows 2016 servers and add them into existing ADFS farm

    8. Add the new servers to the respective F5 load balancer

    9. Remove ADFS role from Windows 2012 servers

    10. Raise the FBL (Farm Behavior Level) to 3 (Windows 2016)

    11. Validate the complete functionality for new ADFS Windows 2016 servers

    Question around step 9:

    a. How do I validate that the 2016 servers are added to the existing 2012 farm?

    b. I understand I cannot see anything on the ADFS Management console of a 2016 server unless the FBL is increased to 2016. Is all configuration available in the SQL database, and once we increase the FBL are we allowed to view/manage the configurations from the 2016 servers?

    c. What is the tentative downtime expected?


    Thursday, February 14, 2019 7:57 AM

Answers

  • a. How do I validate that the 2016 servers are added to the existing 2012 farm?

    Once you successfully add the 2016 servers to the existing farm with no errors, they are part of the farm. You can run the following command on a 2016 server to get the members:

    (Get-AdfsFarmInformation).FarmNodes

    b. I understand I cannot see anything on the ADFS Management console of a 2016 server unless the FBL is increased to 2016. Is all configuration available in the SQL database, and once we increase the FBL are we allowed to view/manage the configurations from the 2016 servers?

    Because you are using a SQL database as opposed to WID, you should be able to see the ADFS Management console on all your ADFS servers, including the 2016 ones. (With WID you can only manage from the primary, which is not the case with SQL.) The only limitation is that you will not get the full functionality of the 2016 features until after you raise the FBL to 3.

    Yes, all the configuration will be available in the SQL DB.

    c. What is the tentative downtime expected?

    Because you have multiple ADFS servers, there should be zero downtime based on the plan you outlined above. What I always advise is that before you remove the ADFS role and WAP feature on the 2012 R2 servers (between steps 8 and 9 above), first shut down the servers for a few hours and see if there are any issues using the new 2016 servers. Once confirmed, bring them back online and remove the role etc.


    Isaac Oben MCITP:EA, MCSE, MCC - View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard

    • Marked as answer by Prakashkumaar Tuesday, March 26, 2019 2:41 PM
    Friday, February 15, 2019 7:44 AM

All replies

  • Before removing the old ADFS, just shut down all old ADFS servers (both ADFS and ADFS proxy) and check authentication from both internal and external. The load balancer should forward requests to the new ADFS servers.

    If it works, start all ADFS servers and go to the next steps which you mentioned.

    Monday, February 18, 2019 12:51 PM
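The accepted answer and the reply above both describe the same checks: confirm the 2016 nodes are farm members with (Get-AdfsFarmInformation).FarmNodes, shut the 2012 R2 nodes down and prove the service still answers through the load balancer and the proxies, then raise the FBL. The script below is an added example written for this page, not code posted by anyone in the thread; it runs elevated on one of the new 2016 farm members with the ADFS module loaded. The service name sts.example.com, the node FQDNs, and the property names read from the cmdlet output are assumptions to replace with your own values.

```powershell
# Added example (not from the thread): validation checks for steps 7, 9 and 10 of the plan.
# Assumptions: run elevated on a new 2016 farm member; host names below are placeholders.

$FederationServiceName = 'sts.example.com'                                     # placeholder
$NewNodes = @('adfs01-2016.corp.example.com', 'adfs02-2016.corp.example.com')  # placeholders

# --- Step 7 check: are the 2016 servers listed as farm nodes, and what is the current FBL? ---
# Get-AdfsFarmInformation is the 2016 cmdlet the accepted answer points to. CurrentFarmBehavior
# is the farm behavior level (1 = 2012 R2, 3 = 2016). The FQDN property name of each node entry
# is taken from the cmdlet's table output; adjust if your build names it differently.
function Test-NewNodesJoined {
    $farm = Get-AdfsFarmInformation
    Write-Host "Current farm behavior level: $($farm.CurrentFarmBehavior)"
    $farm.FarmNodes | Format-Table -AutoSize | Out-String | Write-Host
    $missing = $NewNodes | Where-Object { $farm.FarmNodes.FQDN -notcontains $_ }
    if ($missing) {
        Write-Warning "Not yet farm members: $($missing -join ', ')"
        return $false
    }
    return $true
}

# --- Step 9 check: with the 2012 R2 nodes shut down, does the service still answer through the
#     F5 VIP (run from an internal client) and through the WAP (run from an external client)?
#     Federation metadata is anonymous, so this needs no test account; the entityID should
#     name the federation service, which proves the request reached a farm member.
function Test-FederationMetadata {
    param([string]$ServiceName = $FederationServiceName)
    $uri = "https://$ServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
        [xml]$md = $resp.Content
        $entityId = $md.EntityDescriptor.entityID
        [pscustomobject]@{
            Uri      = $uri
            Status   = $resp.StatusCode
            EntityId = $entityId
            Ok       = ($resp.StatusCode -eq 200 -and $entityId -like "*$ServiceName*")
        }
    } catch {
        [pscustomobject]@{ Uri = $uri; Status = $null; EntityId = $null; Ok = $false
                           Error = $_.Exception.Message }
    }
}

# --- Step 10 check: before raising the FBL, let ADFS report anything that would block it. ---
# Test-AdfsFarmBehaviorLevelRaise is read-only. Invoke-AdfsFarmBehaviorLevelRaise performs the
# raise and belongs after the 2012 R2 nodes have been removed from the farm (step 9).
function Test-ReadyForFblRaise {
    $result = Test-AdfsFarmBehaviorLevelRaise
    $result | Format-List | Out-String | Write-Host
    return $result
}

Test-NewNodesJoined
Test-FederationMetadata
Test-ReadyForFblRaise
```

Run Test-FederationMetadata once from inside the network and once from outside while the 2012 R2 servers are powered off; a non-200 status or an unexpected entityID from either side means the load balancer or proxy is not yet routing to the 2016 nodes, and the old servers should be powered back on before continuing.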
  • Thank you for your inputs. I was able to complete upgrade successfully with zero downtime.
    Tuesday, March 26, 2019 2:42 PM