How To Upgrade ADFS 3.0 To AD FS Server 2016 - Part One

We will see how to upgrade from ADFS 3.0, the Server 2012 R2 version, to AD FS 2016, which is now available with the Windows Server 2016 operating system.

Nowadays, ADFS is one of the most critical pieces of infrastructure, since it provides the identity service used by Office 365 and Azure applications, whether delivered as SaaS, PaaS or on-premises. I have seen scenarios where, when ADFS is down, the company’s major applications are also down. So we need to plan and upgrade the ADFS infra carefully: any wrong command or wrong execution of the plan can bring the complete ADFS infra down.

Please refer to this article to learn how to install ADFS 3.0 on Server 2012 R2 with SQL databases, and this article to learn how to deploy ADFS Proxy (WAP) servers on Server 2012 R2.

Okay, let’s get started.

Why do we need to upgrade?

The answer is simple - to get the new features and taste of AD FS 2016.

How can we upgrade to AD FS 2016?

In previous versions, if you wanted to upgrade from ADFS 2.0 to ADFS 3.0, you needed to install a separate ADFS 3.0 farm and move the ADFS databases, relying party configurations and other settings by exporting them and importing them into the ADFS 3.0 farm. We needed proper downtime and approvals from all the application teams and business folks to upgrade. This approval process is really time-consuming and risky, as there is a chance ADFS stays down for a long time if anything goes wrong in between.

But upgrading ADFS 3.0 to AD FS 2016 is very simple and does not require any downtime.

You can do it with zero impact to any application. How? Add AD FS 2016 servers into the existing ADFS 3.0 farm (the same way we add ADFS 3.0 servers on Server 2012 R2 to the farm) and remove the ADFS 3.0 servers one by one after the AD FS 2016 servers are in the farm. It is very simple, isn’t it? The ADFS WAP servers follow the same procedure.

What is the Farm Behaviour Level (FBL) feature?

FBL is the ADFS farm working mode; in a mixed farm it identifies whether the ADFS infra is working in ADFS 3.0 or AD FS 2016 mode, since the two are different versions with their own functionality and features.

If you add AD FS 2016 servers to the existing ADFS 3.0 farm, by default the FBL stays in Server 2012 R2 mode and the AD FS 2016 servers act with ADFS 3.0 functionality. Adding AD FS 2016 servers to an ADFS 3.0 farm is called mixed mode, and you will not get any of the new AD FS 2016 features as long as you have Server 2012 R2 servers in the farm and the FBL is in Server 2012 R2 mode.

The FBL in Server 2012 R2 mode is 1 and the FBL in Server 2016 mode is 3.

You cannot change the FBL to 3 (Server 2016 mode) until you have moved all the ADFS servers and WAP servers to Server 2016. Once you have moved the ADFS farm to FBL 3, you cannot add Server 2012 R2 servers to the ADFS and ADFS Proxy (WAP) farms anymore, so make sure you have concluded your testing before moving to FBL 3.

Note

If you want to test the features of AD FS 2016 before upgrading from ADFS 3.0 to AD FS 2016, I strongly recommend setting up a new AD FS 2016 farm in the test infra, testing all the features there, and only then upgrading the production ADFS 3.0 infrastructure.

Shown below are the best practices to upgrade the ADFS infra from ADFS 3.0 to AD FS 2016.

I have divided this activity into three phases so that it is easier to understand and complete without any issues.

Consider that you have 4 nodes in the ADFS farm, 4 nodes in the ADFS Proxy (WAP) farm and two databases for HA, all running on Server 2012 R2.

Phase 1

Collect the complete ADFS infra details and take a complete backup of the ADFS databases, relying party details and certificates.

Phase 2

Add a Server 2016 ADFS server to the ADFS 3.0 farm and test the connections; in the same way, introduce Server 2016 WAP servers for ADFS Proxy and do the connection flow tests. After verification, you can remove one Server 2012 R2 server from the ADFS and ADFS Proxy farms, and follow the same procedure until you have removed all the Server 2012 R2 servers.

Phase 3

After you have upgraded and removed all the Server 2012 R2 servers from the ADFS and ADFS Proxy farms, raise the FBL from 1 to 3 and test the ADFS functionality from both the intranet and extranet networks.
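The FBL explanation above and this Phase 3 step can be driven from PowerShell on an AD FS 2016 farm node. The following is an added example, not code from the original article; it assumes the AD FS 2016 cmdlets Get-AdfsFarmInformation, Test-AdfsFarmBehaviorLevelRaise and Invoke-AdfsFarmBehaviorLevelRaise, and that each entry in FarmNodes exposes FQDN, NodeType, BehaviorLevel and HeartbeatTimeStamp.

```powershell
# Added example (not from the original article): verify the farm is ready
# before raising the Farm Behavior Level from 1 (2012 R2) to 3 (2016).
# Run in an elevated PowerShell session on an AD FS 2016 farm node.
Import-Module ADFS

$TargetFbl = 3   # Server 2016 mode, as described in the article

$farm = Get-AdfsFarmInformation
Write-Host "Current farm behavior level: $($farm.CurrentFarmBehavior)"

# List every node the farm knows about with its behavior level.
$farm.FarmNodes |
    Select-Object FQDN, NodeType, BehaviorLevel, HeartbeatTimeStamp |
    Format-Table -AutoSize

# Any node still reporting a behavior level below the target is a blocker.
# Assumption: nodes that never registered a heartbeat do not appear here,
# so this check does not replace confirming by hand that every 2012 R2
# ADFS and WAP server has been removed from the farm.
$blockers = $farm.FarmNodes | Where-Object { $_.BehaviorLevel -lt $TargetFbl }
if ($blockers) {
    Write-Warning "Nodes below FBL $TargetFbl are still present:"
    $blockers | Format-Table FQDN, BehaviorLevel -AutoSize
    throw "Remove or upgrade these nodes before raising the FBL."
}

# Dry run: the Test cmdlet checks prerequisites without changing anything.
Test-AdfsFarmBehaviorLevelRaise

# Raise the FBL only after the checks above pass. This step is one-way:
# once at FBL 3, Server 2012 R2 nodes can no longer be added to the farm.
$admin = Get-Credential -Message "Domain Admin account used to raise the FBL"
Invoke-AdfsFarmBehaviorLevelRaise -Credential $admin

# Confirm the new level.
(Get-AdfsFarmInformation).CurrentFarmBehavior
```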

Now we will get into the practical way of doing it.

Phase 1 Adding the First Server 2016 (AD FS 2016) Server to the Existing Server 2012 R2 (ADFS 3.0) Farm

Step 1

Before we start adding the server, we need to import the ADFS certificate on the new Server 2016 servers. To do this, export the certificate from an existing ADFS server with its private key in PFX format and store it in a secured shared path.
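The export and import described in this step can also be done from PowerShell, which makes it easier to verify the private key travelled with the certificate. This is an added example, not code from the original article; the share path \\fileserver\adfs-secure$\adfs-ssl.pfx is a placeholder, and it assumes the ADFS module's Get-AdfsCertificate plus the PKI module's Export-PfxCertificate and Import-PfxCertificate.

```powershell
# Added example (not from the original article): export the ADFS
# service communication certificate with its private key to a PFX on an
# existing ADFS server, then import it on the new Server 2016 node.
# Assumed placeholder path: \\fileserver\adfs-secure$\adfs-ssl.pfx

# --- On an existing ADFS 3.0 server (elevated PowerShell) ---
Import-Module ADFS
$thumb = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"

if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumb has no private key in this store; export it from a node that holds it."
}

# Prompt for the PFX password instead of hard-coding it in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$pfxPath     = '\\fileserver\adfs-secure$\adfs-ssl.pfx'   # placeholder; restrict share and NTFS ACLs
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# --- On the new Server 2016 node (elevated PowerShell) ---
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword -Exportable

# Verify the private key came across and record the thumbprint for the farm join.
$check = Get-Item "Cert:\LocalMachine\My\$($imported.Thumbprint)"
if (-not $check.HasPrivateKey) { throw "Import succeeded but the private key is missing." }
"Imported $($check.Subject) ($($check.Thumbprint)), expires $($check.NotAfter)"

# Remove the PFX from the share once every new node has imported it:
# Remove-Item $pfxPath
```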

Open MMC > Personal > Certificates, right-click > All Tasks > Import.

Select Local Computer and Click Next

Now browse the certificate which you exported and click Next

Enter the password for the certificate and click on Next

Select Personal and Click on Next

Click on Finish

Now the certificate has been imported successfully and we are good to add the AD FS 2016 server to the ADFS Server 2012 R2 farm.

Step 2 Installing AD FS 2016

Log in to the Server 2016 machine and open Server Manager > Manage > Add Roles and Features.

Click on Next

Select Role-based or feature-based installation and click on Next

Click on Next

Select Active Directory Federation Services and Click on Next

Click on Next, as we don’t require any features for ADFS

Click on Next

Click on Next

Once the role installation has completed, click on Configure the federation service on this server

Step 3 Adding Server 2016 in the ADFS Farm

Click on Add a federation server to a federation server farm

Enter the credentials of an account with Domain Admin permissions for the federation service configuration and click on Next.

Note

You can select the federation service account or any other domain admin account here.

Enter the hostname of any one of the existing ADFS Server 2012 R2 servers to connect to and configure ADFS on this node, and click on Next

Select the certificate and Click on Next

Select the ADFS service account, enter its password and click Next

Click on Next

Click on Configure

Now you can see that ADFS is installed and requires a restart. It also shows a DRS error, which you can safely ignore for now as we are focused on the ADFS upgrade here; restart the computer.
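Steps 2 and 3 (installing the role and joining the farm) have a PowerShell equivalent that is easier to repeat on each new 2016 node and to keep in change records. This is an added example, not code from the original article; adfs01.contoso.example, sts.contoso.example and CONTOSO\svc-adfs are placeholders, and it assumes the ADFS cmdlets Add-AdfsFarmNode and Get-AdfsSyncProperties (for a SQL-backed farm, Add-AdfsFarmNode takes -SQLConnectionString instead of -PrimaryComputerName).

```powershell
# Added example (not from the original article): PowerShell equivalent of
# Steps 2 and 3, run in an elevated session on the new Server 2016 node.
# Placeholders (assumed): adfs01.contoso.example (existing 2012 R2 node),
# sts.contoso.example (federation service name), CONTOSO\svc-adfs (service account).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Import-Module ADFS

# Use the certificate imported in Step 1; select by subject and require a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=sts.contoso.example*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "ADFS service certificate with private key not found in LocalMachine\My." }

$admin = Get-Credential -Message "Domain Admin account for farm configuration"
$svc   = Get-Credential -UserName 'CONTOSO\svc-adfs' -Message "ADFS service account password"

# Join the existing 2012 R2 farm; the farm stays at FBL 1 (mixed mode) after this.
Add-AdfsFarmNode -PrimaryComputerName 'adfs01.contoso.example' `
    -CertificateThumbprint $cert.Thumbprint `
    -ServiceAccountCredential $svc `
    -Credential $admin

# Confirm the node joined and which server it treats as primary.
Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName, LastSyncStatus

# A DRS (Device Registration Service) warning at this point is expected, as the
# article notes; the node still needs a restart before it serves requests.
Restart-Computer -Confirm
```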
