Upgrading AD FS to Windows Server 2016 FBL


This article describes how to install a new AD FS 2016 farm, or upgrade an existing AD FS Windows Server 2012 R2 farm to AD FS in Windows Server 2016.

Prerequisites:

  • ADFS role in Windows Server 2016
  • Administrative privileges on both the ADFS 2012 R2 and ADFS 2016 servers
  • Local admin rights on both the ADFS 2012 R2 and ADFS 2016 servers
  • WAP role in Windows Server 2016
  • For a new installation, generate a new certificate signed by a public certificate authority
  • To reuse the existing certificate, export it from ADFS 2012 R2 with its private key and import it into the ADFS 2016 server

Mixed Mode Farm: A Windows Server 2016 AD FS server can be added to a Windows Server 2012 R2 farm, and it will operate at the same FBL as a Windows Server 2012 R2 farm. When a Windows Server 2016 AD FS server operates in this fashion, the farm is said to be "mixed". However, you will not be able to take advantage of the new Windows Server 2016 features until the FBL is raised to Windows Server 2016.

Installation of ADFS Role

  1. On the Windows Server 2016 server, open the Add Roles and Features Wizard and add the Active Directory Federation Services server role.
  2. Proceed through the wizard. Click Configure the federation service on this server.
  3. On the Welcome page of the Active Directory Federation Services Configuration Wizard, choose an option for a federation server, and then click Next.
  4. Proceed through the wizard. To join an existing farm, specify the farm name and import the certificate; to create a new farm, click Create a new farm and provide the details. On the Specify Service Properties page, select your TLS/SSL certificate, enter a Federation Service Name, and then enter a Federation Service Display Name.
  5. Proceed through and complete the Active Directory Federation Services Configuration Wizard. Close the Add Roles and Features Wizard.
  6. If you have not created a host record in DNS for the federation service name you specified in step 4, do so now.

Upgrade ADFS 2016

To upgrade to ADFS 2016, once you have joined the new ADFS server to the existing farm, open PowerShell on the Windows Server 2016 server and run the following cmdlet to make it the primary:

Set-AdfsSyncProperties -Role PrimaryComputer

On the original AD FS Windows Server 2012 R2 server, open PowerShell and run the following cmdlet. The -PrimaryComputerName value must be the FQDN of the new AD FS 2016 server that was just promoted to primary (Server2016.domain.com is a placeholder), not the 2012 R2 server itself:

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName Server2016.domain.com

To use ADFS 2016 functionality, you have to prepare AD with the ADFS 2016 schema. Mount the Windows Server 2016 installation media on a domain controller (forestprep runs against the schema master and requires membership in Schema Admins and Enterprise Admins), open a command prompt, and navigate to the support\adprep directory. Run the following:

adprep /forestprep

adprep /domainprep

Now raise the farm behavior level to ADFS 2016 by running the Invoke-AdfsFarmBehaviorLevelRaise PowerShell cmdlet on the ADFS 2016 primary server.
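Before running Invoke-AdfsFarmBehaviorLevelRaise, the script below verifies the preconditions this section depends on: the node is the primary, adprep has brought the schema to the Windows Server 2016 level (objectVersion 87), the farm is still at the 2012 R2 level, and AD FS's own readiness test passes. This is an added example, not code from the original post; it assumes the ADFS and ActiveDirectory PowerShell modules are available on the primary server.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on the AD FS 2016 server that was made primary with Set-AdfsSyncProperties.
Import-Module ADFS
Import-Module ActiveDirectory

$problems = @()

# 1. Only the primary computer can raise the farm behavior level.
$sync = Get-AdfsSyncProperties
if ($sync.Role -ne 'PrimaryComputer') {
    $problems += "This node has role '$($sync.Role)'; run the raise on the primary."
}

# 2. The AD schema must be at the Windows Server 2016 level (objectVersion 87) after adprep.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
if ($schemaVersion -lt 87) {
    $problems += "Schema objectVersion is $schemaVersion; run adprep /forestprep and /domainprep first."
}

# 3. Report the current FBL: 1 = Windows Server 2012 R2, 3 = Windows Server 2016.
$farm = Get-AdfsFarmInformation
Write-Host "Current farm behavior level: $($farm.CurrentFarmBehavior)"
if ($farm.CurrentFarmBehavior -ge 3) {
    $problems += 'Farm is already at the Windows Server 2016 level or higher; nothing to raise.'
}

# 4. Let AD FS run its own readiness test (every node must be Windows Server 2016 and reachable).
$readiness = Test-AdfsFarmBehaviorLevelRaise
$readiness | Format-List

if ($problems.Count -gt 0) {
    Write-Warning 'Pre-flight failed; do not raise the FBL yet:'
    $problems | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'Pre-flight passed. Raise the level with: Invoke-AdfsFarmBehaviorLevelRaise'
}
```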

To test the ADFS 2016 sign-in page, enable the IdP-initiated sign-on page and RelayState for IdP-initiated sign-on using the following cmdlets on the ADFS 2016 server:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $True

Set-AdfsProperties -RelayStateForIdpInitiatedSignOnEnabled $True

Open a browser and go to https://sts.domain.com/adfs/ls/idpinitiatedsignon
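The test above leaves the IdP-initiated sign-on page enabled, whereas AD FS 2016 ships with it disabled. The script below is an added example, not the post's own code: it fetches the page over HTTPS to confirm the 2016 farm serves it, then puts both properties back to their default of $false. It assumes it runs on the AD FS 2016 server and uses the sts.domain.com name from this page.

```powershell
# Added example, not from the original post. Run on the AD FS 2016 server after the
# two Set-AdfsProperties lines above; the finally block re-disables the page when done.
$FederationServiceName = 'sts.domain.com'   # federation service name used on this page
$url = "https://$FederationServiceName/adfs/ls/idpinitiatedsignon"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

try {
    # Confirm the property change actually applied on this node before testing.
    $props = Get-AdfsProperties
    if (-not $props.EnableIdpInitiatedSignonPage) {
        throw 'EnableIdpInitiatedSignonPage is still false on this node.'
    }

    # Fetch the page as a client would; HTTP 200 means the farm is serving the sign-on page.
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    if ($response.StatusCode -eq 200) {
        Write-Host "IdP-initiated sign-on page served by $FederationServiceName (HTTP 200)."
    } else {
        Write-Warning "Unexpected response: HTTP $($response.StatusCode)."
    }
}
finally {
    # Return to the AD FS 2016 defaults so the endpoint is not left enabled after testing.
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
    Set-AdfsProperties -RelayStateForIdpInitiatedSignOnEnabled $false
    Write-Host 'IdP-initiated sign-on page and RelayState disabled again.'
}
```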

Removing Legacy ADFS and WAP

  • Remote into the legacy servers and uninstall the ADFS and Remote Access (WAP) roles

Installing Federation Proxy

  • Install Windows Server 2016
  • Rename the server
  • Set up IPv4 on the WAP server
  • Install the WAP role using the PowerShell cmdlets below
  • Add a host (A) record for the STS name to the C:\Windows\System32\drivers\etc\hosts file of the WAP server

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
# -FederationServiceTrustCredential is a local administrator account on the AD FS servers, used to establish the proxy trust
Install-WebApplicationProxy -CertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b' -FederationServiceName sts.domain.com -FederationServiceTrustCredential (Get-Credential)
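The two cmdlets above fail in predictable ways when the certificate is not in the local machine store with its private key, or when the STS name resolves to the public address instead of an internal AD FS node. The script below is an added example (not the post's or Microsoft's code) that performs those checks before installing; the thumbprint and sts.domain.com are the page's placeholders, and 10.0.0.10 is an assumed internal AD FS address.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the new WAP server.
$FederationServiceName = 'sts.domain.com'                 # placeholder name from this page
$Thumbprint = '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b'    # placeholder thumbprint from this page
$AdfsInternalIp = '10.0.0.10'                            # assumed internal IP of an AD FS 2016 node

# 1. hosts entry: the WAP must reach an internal AD FS node for the STS name, not its own public VIP.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern = "\s$([regex]::Escape($FederationServiceName))\s*$"
if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsPath -Value "$AdfsInternalIp`t$FederationServiceName"
}

# 2. the proxy trust is established over TCP 443 to AD FS (see the firewall rules later on this page).
if (-not (Test-NetConnection -ComputerName $FederationServiceName -Port 443 -InformationLevel Quiet)) {
    throw "Cannot reach $FederationServiceName on TCP 443 from this WAP; check the hosts entry and firewall."
}

# 3. the certificate must be in LocalMachine\My with its private key, or Install-WebApplicationProxy fails.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Certificate $Thumbprint not in LocalMachine\My; import the PFX first." }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)." }

# 4. install the role, then register the proxy with the farm using an AD FS local administrator.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools | Out-Null
$trustCred = Get-Credential -Message 'Local administrator on the AD FS servers (proxy trust)'
Install-WebApplicationProxy -CertificateThumbprint $Thumbprint `
                            -FederationServiceName $FederationServiceName `
                            -FederationServiceTrustCredential $trustCred

# 5. show the resulting proxy configuration to confirm it points at the expected federation service.
Get-WebApplicationProxyConfiguration | Format-List
```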

Firewall Rules for WAP Servers

Add firewall rules for the WAP servers if they are placed behind a firewall. You must allow inbound and outbound traffic on port 443 between the WAP servers and the internet.

Firewall Rules for ADFS servers

ADFS servers are domain joined and placed in the internal network, while WAP servers are placed in a different VLAN or DMZ to protect the ADFS servers. You must allow port 443 between ADFS and WAP in both directions.

Firewall Rules for ADFS 2016 with MFA

If your ADFS 2016 servers are behind a firewall, especially when traffic goes via Azure ExpressRoute, add the firewall rules below to the Azure Network Security Group (NSG) for ADFS 2016 MFA.

Source          Destination         Service             Action
10.xx.0.0/24    23.99.10.4          HTTPS (TCP/443)     Allow
10.xx.0.0/24    23.99.10.4          HTTPS (TCP/443)     Allow
10.xx.0.0/24    168.63.89.78        HTTPS (TCP/443)     Allow
10.xx.0.0/24    168.63.89.78        HTTPS (TCP/443)     Allow
10.xx.0.0/24    40.77.21.104        Custom (TCP/Any)    Allow
10.xx.0.0/24    104.42.126.253      Custom (TCP/Any)    Allow
10.xx.0.0/24    40.84.187.178       Custom (TCP/Any)    Allow
10.xx.0.0/24    52.161.23.17        Custom (TCP/Any)    Allow
10.xx.0.0/24    40.87.57.9          Custom (TCP/Any)    Allow
10.xx.0.0/24    134.170.116.0/25    Custom (TCP/Any)    Allow
10.xx.0.0/24    134.170.165.0/25    Custom (TCP/Any)    Allow
10.xx.0.0/24    70.37.154.128/25    Custom (TCP/Any)    Allow

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.