Windows Server 2016 AD FS introduces the Farm Behavior Level (FBL), a farm-wide setting with the same idea as the AD DS forest and domain functional levels (FFL and DFL): once all AD FS servers in the farm are running at least Windows Server 2016, the level can be raised and the new features become available. A Windows Server 2012 R2 farm is naturally at the Windows Server 2012 R2 FBL.
The good news is that a Windows Server 2016 AD FS server can be added to a Windows Server 2012 R2 farm, so an actual migration process is not needed.
Upgrade AD FS farm to 2016 FBL
1. Install the AD FS role on Windows Server 2016
2. After the role has been successfully installed, open Server Manager and configure the AD FS role
Note that an AAD Connect link has been added to the wizard
Specify the farm and certificate information
Specify the service account used for the farm. In my case I'm using a gMSA account, which has been supported by AD FS since Windows Server 2012 R2.
3. Once the installation is complete, make the new Windows Server 2016 AD FS server the primary server of the farm
- Set-AdfsSyncProperties -Role PrimaryComputer
On the original Windows Server 2012 R2 AD FS server, open PowerShell and run the following command:
- Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <servername.domain.com>
4. Verify in the Windows Server 2016 AD FS console that it is the primary computer of the farm. If all settings are editable in the console, the primary role has been transferred
5. On the WAP servers, run the following commands
- $FScredential = Get-Credential (enter credentials that have permission on AD FS)
- Install-WebApplicationProxy -FederationServiceName "sts.feta.fi" -FederationServiceTrustCredential $FScredential -CertificateThumbprint "ec886c38ce9bd9bccdcc37c0202448129881cda2"
When configuring WAP you may see errors like the one below. In my case I ran the command a second time, and after a 15 min wait WAP was able to configure itself, as seen in the logs below.
That's a known issue; more information can be found in the links below:
- Understanding Proxy CTL issues
- Proxy time out issues
- General troubleshooting
- Web Application Proxy hotfixes and updates for Windows Server 2012 R2
6. To get all the benefits of the 2016 AD FS FBL, the Active Directory schema needs to be updated to the Windows Server 2016 AD DS level (schema version 85). From the Windows Server 2016 installation media, navigate to support\adprep and run the following commands (my recommendation has always been to have AD DS disaster recovery plans in place before extending the schema, but it's your call)
- adprep /forestprep
- adprep /domainprep
7. Once the schema has been updated and all AD FS servers are Windows Server 2016, you can raise the AD FS FBL to the 2016 level with the following command:
- Invoke-AdfsFarmBehaviorLevelRaise
I received a couple of warnings, as seen above.
- SSO lifetime was increased from 60480 min to 129600 min
- Device usage window was increased from 7 days to 14 days
The "Enterprise Key Admins" group is created when a Windows Server 2016 based Domain Controller assumes the PDC Emulator FSMO role. The same behavior has been seen with other groups in previous OS versions.
FSMO roles can be moved with PowerShell or with the GUI, but I prefer PowerShell.
You can view the FSMO role owners with these AD PowerShell commands:
Get-ADForest | select SchemaMaster,DomainNamingMaster
Get-ADDomain | select PDCEmulator,RIDMaster,InfrastructureMaster
Transferring all roles, command syntax:
Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator
Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole 0,1,2,3,4
After moving the PDC Emulator role to a Windows Server 2016 Domain Controller, the "Enterprise Key Admins" group was created and I added the AD FS service account to the group manually.
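As an added example (not from the original post), a PowerShell preflight check for steps 6 and 7 and for the Enterprise Key Admins section: it reports the schema objectVersion, every farm node's behavior level, which DC holds PDC Emulator and its OS, and whether the AD FS gMSA is already in Enterprise Key Admins, then dry-runs the raise with Test-AdfsFarmBehaviorLevelRaise. It assumes it is run on the primary 2016 AD FS node with the ActiveDirectory and ADFS modules; the gMSA name and the node level value 3 are assumptions.

```powershell
# Added example, not from the original post. Run on the primary AD FS node with an
# account that can read AD and the AD FS configuration.
Import-Module ActiveDirectory
Import-Module ADFS

function Test-AdfsFblPrerequisites {
    param(
        [string]$ServiceAccount = 'gmsa-adfs$',   # assumed gMSA name; sAMAccountName ends with '$'
        [int]$RequiredSchemaVersion = 85,         # 2016 schema version quoted in the post
        [int]$RequiredNodeLevel = 3               # level a 2016 node reports (assumption)
    )
    # 1. Schema version is the objectVersion attribute of the Schema naming context
    $schemaNc      = (Get-ADRootDSE).schemaNamingContext
    $schemaVersion = (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion

    # 2. Every node must be on the 2016 code base before the farm level can be raised
    $farm  = Get-AdfsFarmInformation
    $nodes = $farm.FarmNodes | ForEach-Object {
        [pscustomobject]@{ Node = $_.FQDN; NodeType = $_.NodeType; BehaviorLevel = $_.BehaviorLevel }
    }
    $allNodesReady = @($nodes | Where-Object { $_.BehaviorLevel -lt $RequiredNodeLevel }).Count -eq 0

    # 3. Enterprise Key Admins lives in the forest root and only appears once a 2016 DC holds PDC Emulator
    $pdc   = (Get-ADDomain).PDCEmulator
    $pdcOs = (Get-ADDomainController -Identity $pdc).OperatingSystem
    $root  = (Get-ADForest).RootDomain
    $eka   = Get-ADGroup -Server $root -Filter "Name -eq 'Enterprise Key Admins'" -ErrorAction SilentlyContinue
    $inEka = $false
    if ($eka) {
        $inEka = @(Get-ADGroupMember -Server $root -Identity $eka -Recursive |
                   Where-Object { $_.SamAccountName -eq $ServiceAccount }).Count -gt 0
    }

    [pscustomobject]@{
        SchemaVersion             = $schemaVersion
        SchemaReady               = $schemaVersion -ge $RequiredSchemaVersion
        CurrentFarmBehavior       = $farm.CurrentFarmBehavior
        AllNodesReady             = $allNodesReady
        PdcEmulator               = $pdc
        PdcOperatingSystem        = $pdcOs
        EnterpriseKeyAdminsExists = [bool]$eka
        ServiceAccountInEka       = $inEka
        Nodes                     = $nodes
    }
}

$check = Test-AdfsFblPrerequisites
$check | Format-List
# Dry run only; run Invoke-AdfsFarmBehaviorLevelRaise yourself once this passes
if ($check.SchemaReady -and $check.AllNodesReady) { Test-AdfsFarmBehaviorLevelRaise }
```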