ADFS Promote secondary to primary

Gopalakrishnan N 46 Reputation points
2022-10-31T04:04:32.977+00:00

Hi,

I am planning to promote the secondary ADFS to primary ADFS. As stated here, I can change it using PS commands: https://hippidikki.wordpress.com/2016/04/19/changing-adfs-primarysecondary-federation-serverin-a-farm

But the thing is, will this also move the token signing certificates, Relying party trusts and Claim issuance as well?

Thanks in advance.

Regards


Accepted answer
  1. Amit Singh 5,306 Reputation points
    2022-11-03T10:40:59.683+00:00

    Run this PowerShell command on the Secondary AD FS server that you want to make the Primary AD FS server.

    Set-AdfsSyncProperties -Role PrimaryComputer

    This will now move the Primary role to the server where the command was run. If you have two or more Secondary servers on the farm, you need to update the other Secondary servers.

    Run this PowerShell command on the other Secondary AD FS server(s) so that they now sync with the new AD FS Primary server:

    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN_ADFS_Primary>

    Also, check this detailed MS article for more insight: https://itworldjd.wordpress.com/2014/10/22/how-to-move-a-secondary-adfs-to-primary/

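The two commands above, wrapped into a script that records what the configuration database holds before the role change and verifies afterwards that the promotion took effect and that the token-signing thumbprints and relying party trust count the question asks about are unchanged. This is an added example, not code from the answer or from Microsoft; the server names in $OtherSecondaries are placeholders, and updating the remaining secondaries remotely assumes PowerShell remoting (WinRM) is enabled on them.

```powershell
# Added example: promote the local secondary AD FS server to primary and verify the farm.
# Run in an elevated PowerShell on the secondary that should become primary.
param(
    # Placeholder FQDNs of the remaining secondaries; replace with the real ones.
    [string[]]$OtherSecondaries = @("adfs2.corp.example", "adfs3.corp.example")
)

Import-Module ADFS

function Get-FarmSnapshot {
    # Role plus the items the question asks about, so before/after can be compared.
    [pscustomobject]@{
        Role         = (Get-AdfsSyncProperties).Role
        TokenSigning = @(Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object Thumbprint)
        RPTrustCount = @(Get-AdfsRelyingPartyTrust).Count
    }
}

$before = Get-FarmSnapshot
Write-Host "Before:"; $before | Format-List | Out-String | Write-Host

if ($before.Role -eq 'PrimaryComputer') {
    Write-Warning "This server is already the primary; nothing to do."
    return
}

# Step 1 (accepted answer): make this server the primary.
Set-AdfsSyncProperties -Role PrimaryComputer

# Step 2 (accepted answer): point every other secondary at the new primary.
$newPrimary = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
foreach ($server in $OtherSecondaries) {
    Invoke-Command -ComputerName $server -ArgumentList $newPrimary -ScriptBlock {
        param($primary)
        Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $primary
        Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName
    }
}

# Step 3: verify. The role must have changed; certificates and trusts must not.
$after = Get-FarmSnapshot
Write-Host "After:"; $after | Format-List | Out-String | Write-Host
if ($after.Role -ne 'PrimaryComputer') { throw "Promotion did not take effect on $newPrimary" }
if (Compare-Object $before.TokenSigning $after.TokenSigning) {
    Write-Warning "Token-signing thumbprints changed; check Get-AdfsCertificate on the old primary."
}
if ($after.RPTrustCount -ne $before.RPTrustCount) {
    Write-Warning "Relying party trust count changed ($($before.RPTrustCount) -> $($after.RPTrustCount))."
}
```

Run Get-AdfsSyncProperties on each remaining secondary afterwards and confirm that LastSyncFromPrimaryComputerName shows the new primary and LastSyncStatus is 0.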

2 additional answers

  1. Limitless Technology 44,776 Reputation points
    2022-11-03T09:12:04.557+00:00

    Hello there,

    The Token signing certificates will not be moved. It is common to think that a specific Enhanced Key Usage (EKU) is needed for the token-signing certificate, but this is, in fact, not correct. The only requirement for usage is that Key Usage (KU) must contain at least Digital Signature.

    You can follow this article to move the certificates or create new ones:

    https://social.technet.microsoft.com/wiki/contents/articles/2311.ad-fs-1-0-and-1-1-how-to-replace-the-ssl-token-signing-and-federation-server-proxy-certificates.aspx


  2. Gopalakrishnan N 46 Reputation points
    2022-11-03T13:50:06.16+00:00

    Yes, it worked fine on one of the test machines.

    In production I tried to install the Federation service, but I got stuck at SPN account creation. I ran setspn -Q http/einvpdssoadfs and got one service user as the result, and used that in the secondary server to configure the ADFS service, but it failed with an SPN account error.

    Attaching a screenshot of the same.

    I tried creating the SPN on the primary server, but it looks like it is already created and I am not able to create a new one. Any help would be much appreciated.

    [Attachment: 256825-hilton-spn-issue.jpg]
