This is a multi-part article. Please read the Part 1 article before you begin this one, so that the steps here are easy to follow.

Once the Server 2016 computer has restarted, you can see that AD FS Management is available. Click it to open AD FS Management.

However, AD FS Management on Server 2016 shows nothing here. Why? The reason is that the farm behavior is still Server 2012, and only the Server 2012 ADFS nodes can manage the farm.
If you run the command Get-AdfsSyncProperties on Server 2016, you can see that PrimaryComputerName is the Server 2012 ADFS server and that the Server 2016 role is SecondaryComputer. Hence it acts as a plain ADFS server: it can take connections and respond, but it cannot provide any Server 2016 features.



If you run the same Get-AdfsSyncProperties on Server 2012, you will see that the role is PrimaryComputer.


Phase 3: Moving FBL to Server 2016

Step 1: Before we move the FBL to Server 2016, we need to make Server 2016 the PrimaryComputer so that the AD FS Server 2016 node is able to manage the farm.

Run the below PowerShell command on the Server 2016 ADFS node to make it the PrimaryComputer

Set-AdfsSyncProperties -Role PrimaryComputer


Run the below command on Server 2012 R2 Node

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName

Here, the value given to -PrimaryComputerName is the Server 2016 ADFS server name.
Once the primary has been moved to Server 2016, if you open AD FS Management on Server 2012, you will get the below message.


In the meantime, on Server 2016, you are now able to open the AD FS Management console, and it loads completely.

On Server 2016, run the below command to get the ADFS farm information



Since it does not show the Server 2012 nodes, you will get only the Server 2016 nodes, and the FBL level is 1, which is 2012 R2.

Install Server 2016 ADFSProxy servers, migrate all the nodes to Server 2016, and remove the ADFS Server 2012 R2 nodes. Installing Server 2016 ADFSProxy servers is the same as installing Server 2012 ADFSProxy servers. Please refer to the article to learn how to install ADFSProxy servers.

Step 2: Removing ADFS 2012 R2 Servers from the ADFS farm:

Open Server Manager > Manage > click on Remove Roles and Features

Click on Next
Click on Next
Uncheck the Active Directory Federation Services and click on Next
Click on Next
Click on Remove

Restart the computer and you can see that the ADFS role is removed from the server. Follow the same steps to remove all the Server 2012 ADFS nodes from the farm, after you have added the Server 2016 nodes to the farm and all are working as expected.

If you run the below command again on Server 2016, you will still see that the farm is running on FBL 1

Get-AdfsProperties | Select CurrentFarmBehavior


Step 3: Upgrading Farm to FBL Server 2016

Now run the below command to upgrade the Farm behavior level to Server 2016


Note: Don’t run this command if you have any Server 2012 nodes in the ADFS or ADFSProxy (WAP) farms.
You can see that the ADFS farm is being upgraded and all the Server 2016 features are being enabled for the ADFS farm.
The upgrade has completed successfully.

Run the below command to see the current FBL status

Get-AdfsProperties | Select CurrentFarmBehavior

Now you can see that the CurrentFarmBehavior value is 3, which is AD FS 2016
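The conditions this phase depends on before the raise (the sync roles set in Step 1 and the note in Step 3 about remaining Server 2012 nodes) can be checked in one pass. This is an added example, not part of the original article; the function name, node names and sample records are hypothetical, and the node records are constructed data shaped after the Role and PrimaryComputerName values that Get-AdfsSyncProperties reports.

```powershell
# Added example, not from the original article. Node records are constructed sample data.
# Role and PrimaryComputerName mirror Get-AdfsSyncProperties output; OSVersion is
# Win32_OperatingSystem.Version (6.3.x = Server 2012 R2, 10.0.x = Server 2016 or later).
function Test-FblRaiseReadiness {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Nodes,
        [Parameter(Mandatory)] [int] $CurrentFarmBehavior
    )
    $findings = @()

    # Note in Step 3: no Server 2012 R2 node may remain in the farm.
    foreach ($n in $Nodes | Where-Object { [version]$_.OSVersion -lt [version]'10.0' }) {
        $findings += "BLOCK: $($n.ComputerName) still runs OS $($n.OSVersion); remove it first"
    }

    # Step 1: exactly one primary, and it must be a Server 2016 node.
    $primaries = @($Nodes | Where-Object Role -eq 'PrimaryComputer')
    if ($primaries.Count -ne 1) {
        $findings += "BLOCK: expected 1 PrimaryComputer, found $($primaries.Count)"
    } else {
        $primary = $primaries[0]
        if ([version]$primary.OSVersion -lt [version]'10.0') {
            $findings += "BLOCK: primary $($primary.ComputerName) is not Server 2016"
        }
        # Every secondary must sync from that primary.
        foreach ($s in $Nodes | Where-Object Role -eq 'SecondaryComputer') {
            if ($s.PrimaryComputerName -notlike "$($primary.ComputerName)*") {
                $findings += "BLOCK: $($s.ComputerName) syncs from '$($s.PrimaryComputerName)'"
            }
        }
    }

    # FBL values as given in the article: 1 = 2012 R2, 3 = AD FS 2016.
    if ($CurrentFarmBehavior -ge 3) { $findings += 'INFO: farm is already at FBL 3' }
    if (-not $findings) { $findings += 'OK: farm is ready for the FBL raise' }
    $findings
}

# Constructed sample: the farm right after Step 1, with one 2012 R2 node still present.
$sample = @(
    [pscustomobject]@{ ComputerName='adfs16-a'; OSVersion='10.0.14393'; Role='PrimaryComputer';   PrimaryComputerName=$null }
    [pscustomobject]@{ ComputerName='adfs16-b'; OSVersion='10.0.14393'; Role='SecondaryComputer'; PrimaryComputerName='adfs16-a.example.test' }
    [pscustomobject]@{ ComputerName='adfs12-a'; OSVersion='6.3.9600';   Role='SecondaryComputer'; PrimaryComputerName='adfs16-a.example.test' }
)
Test-FblRaiseReadiness -Nodes $sample -CurrentFarmBehavior 1
```

On a live farm, fill Role and PrimaryComputerName from Get-AdfsSyncProperties on each node and OSVersion from (Get-CimInstance Win32_OperatingSystem).Version.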

You can also now see the new features of AD FS 2016

Log in to the IdP-initiated sign-on page and check that the whole login process is working well

Click on Sign in and provide the credentials

You can see that the sign-in is successful and all ADFS 2016 servers are healthy and working as expected.

I have seen other folks asking about adprep for the forest and domain. Ideally it is not required, but yes, we can do it so that you will get all the new values added to the forest for Server 2016 ADFS features.


One thought on “How to upgrade ADFS 3.0 to AD FS Server 2016 – Part 2”
  1. Completed an ADFS 4.0 upgrade however the WAPs are not so good. Created 2016 WAPs and integrated into an existing MS LB configuration. After removing the 2012 WAPs, I still see the old nodes in the RAMgui and do not see the 2nd 2016 WAP. I tried using the instructions and it gives me the error as follows:

    PS C:\Windows\system32> Set-WebApplicationProxyConfiguration -ConnectedServersName ((gwpc).connectedserversname -ne ‘old-server-name.domain’)
    Set-WebApplicationProxyConfiguration : You cannot change the existing Web Application Proxy configuration from a server running a new version if there are servers running an older version on the cluster. Make your configuration changes from a Web Application Proxy server that is running the older version. After all Web Application Proxy servers are running the new version, upgrade the configuration by running the ‘Set-WebApplicationProxyConfiguration’ with the ‘-UpgradeConfigurationVersion’ switch.
    At line:1 char:1
    + Set-WebApplicationProxyConfiguration -ConnectedServersName ((gwpc).co …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (WmiPSProvider:root/Microsoft/…xyConfiguration) [Set-WebApplicationProxyConfiguration], CimException
    + FullyQualifiedErrorId : WIN32 5904,Set-WebApplicationProxyConfiguration

    Were there instructions left out when working with the WAPs during this upgrade process? I am reading that the old WAPs can be pulled out as the new ones are introduced. If there’s a document published to correct this, please send me the link!

