Upgrade & move ADFS 3 to ADFS 2016 running in Azure

Question
Hello All,
We currently have 2 ADFS 3.0 servers using Windows NLB on-premise with no WAP servers currently to handle SSO for Office 365. We are looking to move ADFS to Azure based virtual servers running 2 new ADFS 2016 and adding 2 new 2016 WAP servers running in Azure on a DMZ network. There will be an internal Azure load balancer for the ADFS 2016 servers and an external Azure load balancer for the 2016 WAP servers. The ADFS 3.0 will be decommissioned after ADFS 2016 is up and tested.
The plan is to add the ADFS 2016 servers to the existing 3.0 farm, promote one of the ADFS 2016 servers as primary and then add the new WAP servers. The WAP servers will have a host entry that will point to the internal Azure load balancer. The goal is to limit the changes to just an external DNS change and not have to make any additional federation changes or need for new certs or dns names.
The question is, once I add the WAP servers to the ADFS 2016 server, will the existing ADFS 3.0 server still accept requests that do not come from the new WAP servers? What I'd like to make sure is that the legacy ADFS 3.0 infrastructure will still function while I test the new 2016 ADFS/WAP infrastructure before changing our DNS entry to point to the external Azure load balancer for the 2016 WAP servers, or be able to roll back if the ADFS 2016 system doesn't work.
Hopefully this makes sense.
Thanks in advance,
Gene
Tuesday, April 17, 2018 4:13 PM
All replies
Hi,
I have done the same transition and can say that your plan is going to work.
WAP will only add functionality and ADFS will work at the same time. WAP only redirects external users to internal ADFS servers.
I think that you can easily find detailed guides on how to set up ADFS in Azure or how to move it to Azure. Only one thing I can add: you need to be sure that your users can access the ADFS servers in Azure (maybe you need to add a new route) and test port connectivity.
Also you can try to use AD FS Health Agents for monitoring.
1
Wednesday, April 18, 2018 2:21 PM
Hi,
Thanks for the reply. This makes me feel a bit better with the transition to ADFS 2016 into Azure. We do have a VPN tunnel set up from internal network up to Azure. Just need to confirm that all our sites can route across that VPN tunnel. We do currently use ADFS Health Agents so that will be part of our 2016 implementation as well.
Based on your comments, I can have a single ADFS farm operate at the same time as 2 separate, independent (if you will) load-balanced groups: the legacy ADFS 3.0 group and the new ADFS/WAP 2016 group. Introducing the new WAP servers for the 2016 ADFS servers only will not interfere with the legacy ADFS 3.0 group.
If I understood incorrectly, please let me know.
Thanks again,
Gene
Wednesday, April 18, 2018 6:27 PM
Yes, just check network connectivity; maybe it would be better to use telnet or tcping to check port 443 for availability.
Here are some links.
Load Balancing ADFS Services In Azure RM
https://blogs.technet.microsoft.com/rmilne/2016/12/07/load-balancing-ad-fs-services-in-azure-rm/
Deploying Active Directory Federation Services in Azure ADFS
Finding and Changing the Primary AD FS 2.0 Server in an AD FS 2.0 Farm with PowerShell
Deploying Active Directory Federation Services in Azure
How to upgrade ADFS 3.0 to AD FS Server 2016 – Part 1
http://windowstechpro.com/how-to-upgrade-adfs-3-0-to-ad-fs-server-2016-part-1/
How to upgrade ADFS 3.0 to AD FS Server 2016 – Part 2
http://windowstechpro.com/how-to-upgrade-adfs-3-0-to-ad-fs-server-2016-part-2/
Migrating the AD FS Federation Server
https://technet.microsoft.com/en-us/library/dn486787(v=ws.11).aspx
ADFS v 3.0 (2012 R2) Migration to ADFS 4.0 (2016) – Part 1
https://blog.kloud.com.au/2017/01/20/adfs-v-3-0-2012-r2-migration-to-adfs-4-0-2016-part-1/
ADFS v 3.0 (2012 R2) Migration to ADFS 4.0 (2016) – Part 2
https://blog.kloud.com.au/2017/01/23/adfs-v-3-0-2012-r2-migration-to-adfs-4-0-2016-part-2/
Upgrading to AD FS in Windows Server 2016 using a WID database
And don't forget about backups :)
1. AD FS Rapid Restore Tool
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool
2. Restore your AD FS farm the easy way!
https://blogs.msdn.microsoft.com/samueld/2016/09/14/restore-your-ad-fs-farm-the-easy-way/
1
- Proposed as answer by alexiszp Tuesday, April 24, 2018 1:31 PM
Thursday, April 19, 2018 7:33 AM
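The port-443 connectivity check and pre-cutover validation discussed in the reply above, written out as an added PowerShell example (not code from the thread or from Microsoft). The federation service name, the internal load balancer address and the node names are hypothetical placeholders; run it from a WAP server (with its hosts entry in place) or from a client site across the VPN.

```powershell
# Added example, not from the original thread. Placeholders below are assumptions:
$FederationService = 'sts.example.com'                 # hypothetical federation service FQDN
$Targets = @('10.1.0.10', 'adfs2016-01', 'adfs2016-02') # hypothetical internal LB VIP + new 2016 nodes

# 1. TCP 443 reachability to the internal load balancer and to each new ADFS node
$tcp = foreach ($t in $Targets) {
    $r = Test-NetConnection -ComputerName $t -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $t; Tcp443 = $r.TcpTestSucceeded }
}
$tcp | Format-Table -AutoSize

# 2. The federation metadata answers over the name the WAP hosts entry resolves,
#    and its entityID is the expected farm (i.e. the hosts entry points at the right place).
$metaUrl = "https://$FederationService/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metaUrl -UseBasicParsing
    [xml]$meta = $resp.Content
    $entityId = $meta.EntityDescriptor.entityID
    $ok = ($entityId -eq "http://$FederationService/adfs/services/trust")
    "Metadata entityID: $entityId (matches expected farm: $ok)"
} catch {
    "Metadata request to $metaUrl failed: $($_.Exception.Message)"
}

# 3. The certificate presented on the new path covers the federation service name,
#    which confirms no new cert is needed for the external DNS switch.
$req = [System.Net.HttpWebRequest]::Create($metaUrl)
$req.Method = 'HEAD'
try { $req.GetResponse().Dispose() } catch { }   # only the TLS handshake needs to complete
$cert = $req.ServicePoint.Certificate
if ($cert) {
    "Service certificate subject: $($cert.Subject)  expires: $($cert.GetExpirationDateString())"
}

# 4. On one of the ADFS 2016 nodes (requires the ADFS module): confirm which node is
#    primary and that the farm still lists the legacy 3.0 nodes until you remove them.
# Get-AdfsSyncProperties  | Select-Object Role, PrimaryComputerName
# Get-AdfsFarmInformation | Select-Object CurrentFarmBehavior, FarmNodes
```

Step 2 is the one that proves the WAP-side host entry routes to the new farm rather than to the legacy NLB address, which is what you want to see before and after the DNS cutover.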
Hi,
If my ideas help you, you can mark my answer as helpful.
Thanks.
1
Friday, April 20, 2018 11:39 AM
Hi.
Thanks so much for the additional links. They all look to be very helpful especially the AD FS Rapid Restore Tool.
Hopefully I can get my change approved and get some of these things done this weekend.
Tuesday, April 24, 2018 1:11 PM