AD and ADFS 2016 migration

Gopalakrishnan N 46 Reputation points
2022-10-25T09:32:59.67+00:00

I have a Windows Server 2016 with AD and ADFS running on one AWS account.

Now I want to change the server from one AWS account to another AWS account due to CIDR limitations.

I have installed the same Windows Server 2016 AMI in another AWS account and also configured ADFS on the same server in the new AWS account.

Both the services AD and ADFS are additionally configured with the primary one.

Now I wanted to migrate from secondary to primary both AD and ADFS.

I have seen some articles on changing FSMO roles for AD and PowerShell commands for ADFS to change from secondary to primary.

My question here is,

  1. First I have to migrate AD and then only I need to go for ADFS right?
  2. Or is there any other best practice to do it?

These are the articles I saw for migration of AD and ADFS from secondary to primary:

for ADFS - https://hippidikki.wordpress.com/2016/04/19/changing-adfs-primarysecondary-federation-serverin-a-farm/
for AD - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/view-transfer-fsmo-roles

Can someone guide me with the best possible option, since I am moving the production server.

Thanks in advance.


Accepted answer
  1. Limitless Technology 44,751 Reputation points
    2022-10-25T15:02:39.113+00:00

    Hello there,

    You can transfer the FSMO role during business hours; there will be no issue assuming that the health of both DCs is good and there is no replication issue.

    The FSMO transfer is much more immediate. Make sure that the DCs are healthy and can communicate with each other. Even though the transfer doesn't have any downtime, make sure that you have proper change control in place, and I would recommend it be done by the close of business hours.

    You can find some useful links in this article: https://social.technet.microsoft.com/Forums/en-US/5a490fd5-36dc-45a8-851e-00a599ba01d1/can-we-transfer-the-fsmo-roles-during-the-production-hours?forum=winserverDS

    How to Migrate Windows Server 2008 R2 FSMO roles to Windows Server 2019: https://techcommunity.microsoft.com/t5/itops-talk-blog/how-to-migrate-windows-server-2008-r2-fsmo-roles-to-windows/ba-p/538377

    -----

    --If the reply is helpful, please Upvote and Accept it as an answer--


1 additional answer

  1. Gopalakrishnan N 46 Reputation points
    2022-11-01T11:43:37.99+00:00

    I tested with a test instance in my AWS cloud and it worked like a charm by changing the roles for both ADDS and ADFS.

    Now I have one more issue. This is on production, where I am trying to configure a secondary ADFS server by adding it to the primary one, and I got stuck on creating the SPN account. I get an error:

    "There were no SPNs set on the following service account 'XXXXXXX\serviceadmin'. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account."

    I tried creating the SPN account with "setspn -U -S http/<domainname> <user account>" on the primary server, but it is still failing.

    I checked for any duplicate SPN too, but I didn't find any when I used "setspn -x".

    I have been trying for more than 24 hrs but couldn't find it out.

    Thanks.

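The two procedures discussed in this thread, the FSMO transfer from the accepted answer and the service-account SPN check from the follow-up, as one added PowerShell example that is not part of any post here. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and the placeholder values `NEWDC01` (the new DC), `adfs.example.com` (the federation service name) and `serviceadmin` (the ADFS service account).

```powershell
# Added example, not from the thread. Placeholders: NEWDC01, adfs.example.com, serviceadmin.
Import-Module ActiveDirectory

$targetDc = 'NEWDC01'           # new DC in the target AWS account
$fsName   = 'adfs.example.com'  # ADFS federation service (farm) name
$svcAcct  = 'serviceadmin'      # ADFS service account (sAMAccountName)

# 1. Pre-flight: every DC must replicate cleanly before any role moves.
$allDcs   = (Get-ADDomainController -Filter *).HostName
$failures = Get-ADReplicationFailure -Target $allDcs
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize
    throw 'Replication failures present; fix them before transferring FSMO roles.'
}

# Record the current role holders for the change-control ticket.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# 2. Transfer (not seize) all five roles to the new DC. Both DCs stay online,
#    so this is a graceful move with no downtime, as the accepted answer notes.
Move-ADDirectoryServerOperationMasterRole -Identity $targetDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 3. Verify the new holders from the domain's point of view.
netdom query fsmo

# 4. ADFS farm join prerequisite: the join wizard looks for a host SPN for the
#    farm name on the service account (the wording of the error in the thread).
$spns = (Get-ADUser $svcAcct -Properties servicePrincipalName).servicePrincipalName
if ($spns -notcontains "host/$fsName") {
    # -S refuses to add the SPN if it already exists elsewhere in the forest.
    setspn -S "host/$fsName" $svcAcct
}
setspn -L $svcAcct   # list what is now registered on the account
setspn -X            # report any duplicate SPNs forest-wide
```

Run the pre-flight and role transfer from a DC that holds none of the roles being moved, and only proceed to the ADFS step once `netdom query fsmo` shows the new DC for all five roles.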
