This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi All,
I wonder if anyone here can suggest the steps and procedure to perform an upgrade of current OnPremise Windows Server 2012 R2 ADFS server into Windows Server 2016.
I have found this article for the upgrade: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server
However, what is the caveats and risk if I just clone the ADFS VM (single VM all in one) and then roll back when the change has impacted my SSO login in production?
Since we are a 24x7 global company hence outage or interruptions is not acceptable or must be very minimal.
Your help will be greatly appreciated.
Hello @EnterpriseArchitect
Based on the document link that you have shared, I assumed that you have WID database. I would suggest you to install secondary ADFS Server on Windows Server 2016, in the same farm. Once the installation is done, you can use below command to make the new server as Primary ADFS Server:
Set-AdfsSyncProperties -Role PrimaryComputer
And convert the old ADFS Server to secondary by using below command:
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN}
You can then point a few computers to the new ADFS Server by making Host file entries and test if everything is working fine with the new server. Once confirmed, you can decommission the old server and assign the same IP address to the new ADFS Server. Also, raise the farm level, so that you can use the new features available with ADFS 2016.
I don't see any impact of rolling back the VM snapshot If there is no WID replication or WAP servers are there. Rollback may impact WID replication and secure channel with WAP servers. So if you plan to ever roll back, make sure you have only one ADFS Server in place.
Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
Thank you for the confirmation, Yes, I have already deployed the new Windows Server 2016 VM, so I assume, I can just install the ADFS role and then join it to the existing ADFS farm, this can be done during the business hours with no impact?
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName PrimaryADFS1-VM.domain.com
I'm adding the third ADFS 2016 VM as another redundancy VMs.
@EnterpriseArchitect Thank you for sharing the update.
In case of WID with ADFS, if you already have a Primary ADFS Server available in the environment, the new ADFS Server will automatically become Secondary. Which means you don't need to run the Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName PrimaryADFS1-VM.domain.com cmdlet. You can run Get-AdfsSyncProperties to confirm that the Role is Secondary.
The only problem that can occur is, if any authentication request is redirected to the new ADFS server before the completion of its deployment. You need to be careful that the load balancer or DNS round robin is configured to not forward the authentication requests during the deployment of the ADFS. Once the server is up and running, you can then configure LB and DNS with the new ADFS Server.
no worries @amanpreetsingh-msft
I have already added the ADFS role to the newly installed VM, I guess, it is safe to do since it will be just adding it to the existing ADFS 2016 farm.