In the previous article, we saw all the new features introduced with AD FS 2016. They are powerful features, designed with current and future cloud and application SSO integrations in mind.
Now we will see how to upgrade from ADFS 3.0, the Server 2012 R2 version, to AD FS 2016, which ships with the Server 2016 operating system.
That said, nowadays ADFS is one of the most critical pieces of infrastructure, since it provides identity services for Office 365, Azure and applications of every kind, whether SaaS, PaaS or on-premises. I have seen scenarios where, when ADFS is down, the company's major applications also go down. So we need to plan and execute the ADFS upgrade carefully. Any wrong command or wrong execution plan can break the infrastructure, and the complete ADFS infrastructure can go down.
Please refer to the article on how to install ADFS 3.0 on Server 2012 R2 with SQL databases.
Please refer to the article on how to deploy ADFSProxy (WAP) servers on Server 2012 R2.
Hence: Test, Plan, Execute, Test. Okay, let's get started.
Why do we need to upgrade?
The answer is simple: to get the new features of AD FS 2016.
How can we upgrade to AD FS 2016?
In previous versions, to upgrade from ADFS 2.0 to ADFS 3.0 you had to build a separate ADFS 3.0 farm and move the ADFS databases, relying party configurations and everything else by exporting from the old farm and importing into ADFS 3.0. That required a proper downtime window and approvals from all application teams and business stakeholders, which is time consuming and risky, because ADFS could stay down for a long time if anything went wrong in between.
But ADFS 3.0 to AD FS 2016 is very simple and requires no downtime; you can do it with zero impact on applications. How? Add AD FS 2016 servers to the existing ADFS 3.0 farm (the same way you add ADFS 3.0 servers on Server 2012 R2 to the farm) and, once the AD FS 2016 servers are serving in the farm, remove the ADFS 3.0 servers one by one. It is very simple, isn't it? The ADFS WAP servers follow the same procedure.
What is the Farm Behavior Level (FBL) feature:
FBL is the working mode of the ADFS farm; in mixed mode it identifies whether the ADFS infrastructure is operating as ADFS 3.0 or AD FS 2016, since the two versions each have their own functionality and features.
If you add AD FS 2016 servers to an existing ADFS 3.0 farm, by default the FBL stays at the Server 2012 R2 level and the AD FS 2016 servers operate with ADFS 3.0 functionality. Adding AD FS 2016 servers to the ADFS 3.0 farm is called mixed mode, and you will not get any of the new AD FS 2016 features as long as there are Server 2012 R2 servers in the farm and the FBL is at the Server 2012 R2 level.
FBL in Server 2012 R2 mode is 1 and FBL in Server 2016 mode is 3. You cannot change the FBL to 3 (Server 2016 mode) until you have moved all the ADFS servers and WAP servers to Server 2016. Once the farm is at FBL 3, you cannot add Server 2012 R2 servers to the ADFS or ADFSProxy (WAP) farms anymore. So make sure your testing is complete before moving to FBL 3.
Note: If you want to test the AD FS 2016 features before upgrading from ADFS 3.0 to AD FS 2016, I strongly recommend setting up a new AD FS 2016 farm in the test infrastructure, testing all the features there, and only then upgrading the production ADFS 3.0 infrastructure.
Below are the best practices for upgrading the ADFS infrastructure from ADFS 3.0 to AD FS 2016. I have divided the activity into three phases so that it is easier to understand and complete without issues.
Consider a setup with 4 nodes in the ADFS farm, 4 nodes in the ADFSProxy (WAP) farm and two databases for HA, all running on Server 2012 R2.
Collect the complete ADFS infrastructure details and take a full backup of the ADFS databases, relying party details and certificates.
Add a Server 2016 ADFS server to the ADFS 3.0 farm and test the connections; in the same way, introduce Server 2016 WAP servers into the ADFS Proxy farm and run the connection-flow tests. After verification, remove one Server 2012 R2 server from the ADFS and ADFSProxy farms, and repeat the procedure until all the Server 2012 R2 servers have been removed.
After all the Server 2012 R2 servers have been upgraded and removed from the ADFS and ADFS Proxy farms, raise the FBL from 1 to 3 and test the ADFS functionality from both the intranet and extranet networks.
Now let's get into the practical way of doing it.
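The FBL check and raise described in the FBL section and in the last phase above, as an added PowerShell example that is not part of the original post. It assumes the AD FS 2016 cmdlets Get-AdfsFarmInformation, Test-AdfsFarmBehaviorLevelRaise and Invoke-AdfsFarmBehaviorLevelRaise, the FarmNodes property names as documented for Get-AdfsFarmInformation, and runs on any AD FS 2016 node of the farm in an elevated session.

```powershell
# Added example, not from the original post. Run on one AD FS 2016 farm node
# in an elevated PowerShell session after all 2012 R2 nodes have been removed.
Import-Module ADFS

# 1. Inspect the farm: the current FBL (1 = Server 2012 R2 mode, 3 = Server 2016
#    mode) and the behavior level each federation server node reports.
$farm = Get-AdfsFarmInformation
"Current farm behavior level: $($farm.CurrentFarmBehavior)"
$farm.FarmNodes | Format-Table FQDN, NodeType, BehaviorLevel -AutoSize

# 2. Guard: stop if any federation server still reports a level below 3.
#    (Assumption: FarmNodes entries expose FQDN and BehaviorLevel.)
#    WAP servers are not listed here; confirm separately that every ADFSProxy
#    node is already on Server 2016, as the post requires, before continuing.
$legacy = $farm.FarmNodes | Where-Object { $_.BehaviorLevel -lt 3 }
if ($legacy) {
    Write-Warning ("Remove these nodes before raising the FBL: " +
                   ($legacy.FQDN -join ', '))
    return
}

# 3. Dry run: validates the raise against every node without changing anything.
Test-AdfsFarmBehaviorLevelRaise

# 4. Raise the level. This is one-way: after it completes, Server 2012 R2
#    servers can no longer join the ADFS or WAP farms. The cmdlet prompts
#    for confirmation; answer only after the dry run reported no problems.
Invoke-AdfsFarmBehaviorLevelRaise

# 5. Confirm the new level, then run the intranet and extranet sign-in tests.
(Get-AdfsFarmInformation).CurrentFarmBehavior
```

Keep the output of step 1 with the backups taken before the upgrade; it documents which nodes were in the farm at the time the level was raised.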
Phase 1: Adding the first Server 2016 (AD FS 2016) server to the existing Server 2012 R2 (ADFS 3.0) farm:
Step 1: Before we start adding the server, we need to import the ADFS certificate on the new Server 2016 servers. To do this, export the certificate with its private key from an existing ADFS server in PFX format and store it in a secured shared path.
Open MMC > Personal > Certificates > right-click > All Tasks > Import
Select Local Computer and click Next
Browse to the certificate you exported and click Next
Enter the password for the certificate and click Next
Select Personal and click Next
Click Finish
The certificate has now been imported successfully, and we are ready to add the AD FS 2016 server to the ADFS Server 2012 R2 farm.
Step 2: Installing AD FS 2016
Log in to Server 2016 and open Server Manager > Manage > Add Roles and Features
Click Next
Select Role-based or feature-based installation and click Next
Click Next
Select Active Directory Federation Services and click Next
Click Next, as we don't require any additional features for ADFS
Click Next
Click Next
Once the role installation has completed, click Configure the federation service on this server
Step 3: Adding the Server 2016 server to the ADFS farm
Click Add a federation server to a federation server farm
Enter credentials with Domain Admin permissions for the federation service configuration and click Next.
Note: You can use the federation service account or any other domain admin account here.
Enter the hostname of any one of the existing ADFS Server 2012 R2 servers to connect to and configure ADFS on this node, and click Next
Select the certificate and click Next
Select the ADFS service account, enter its password and click Next
Click Next
Click Configure
Now you can see that ADFS is installed and requires a restart. It also shows a DRS error, which you can safely ignore for now as we are focused on the ADFS upgrade here. Restart the computer.
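The same three steps of Phase 1 as a single PowerShell script, added here as an example that is not part of the original post. The PFX path, the primary ADFS 3.0 hostname and the account prompts are placeholders; it assumes the standard Import-PfxCertificate, Install-WindowsFeature and Add-AdfsFarmNode cmdlets and runs on the new Windows Server 2016 host in an elevated session.

```powershell
# Added example, not from the original post: Phase 1 steps 1-3 scripted.
# Placeholders: replace the PFX path and the primary 2012 R2 node name.
$pfxPath = '\\fileserver\secure$\adfs-service.pfx'   # exported with private key (Step 1)
$primary = 'adfs01.corp.example.com'                  # any existing ADFS 3.0 node (Step 3)
$pfxPass   = Read-Host -AsSecureString -Prompt 'PFX password'
$adminCred = Get-Credential -Message 'Account with Domain Admin permissions'
$svcCred   = Get-Credential -Message 'AD FS service account'

# Step 1: import the service certificate into the computer's Personal store.
# Add-AdfsFarmNode selects the certificate by thumbprint, so keep it.
$cert = Import-PfxCertificate -FilePath $pfxPath -Password $pfxPass `
            -CertStoreLocation 'Cert:\LocalMachine\My'
"Imported certificate thumbprint: $($cert.Thumbprint)"

# Step 2: install the AD FS role; equivalent to the Add Roles and Features wizard.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Step 3: join the existing farm through one of the 2012 R2 nodes, as in the
# wizard. For a farm whose configuration lives in SQL Server, replace
# -PrimaryComputerName with -SQLConnectionString (assumption: your SQL farm
# uses the connection string recorded when it was built).
Add-AdfsFarmNode -PrimaryComputerName $primary `
                 -CertificateThumbprint $cert.Thumbprint `
                 -ServiceAccountCredential $svcCred `
                 -Credential $adminCred

# Verify the new node is listed in the farm, then restart as the wizard asks.
Get-AdfsFarmInformation | Select-Object -ExpandProperty FarmNodes
Restart-Computer -Confirm
```

The DRS warning mentioned above is not raised by Add-AdfsFarmNode itself; check the AD FS Admin event log after the restart before moving on to the WAP servers.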