Upgrading AD FS to Windows Server 2016 FBL


This article describes how to install a new ADFS 2016 farm or upgrade an existing AD FS Windows Server 2012 R2 farm to AD FS in Windows Server 2016.

Prerequisites:

  • ADFS Role in Windows Server 2016
  • Administrative privilege in both ADFS 2012 R2 and ADFS 2016 Server
  • Local Admin rights in both ADFS 2012 R2 and ADFS 2016 Server
  • WAP role in Windows Server 2016
  • For a new installation, generate a new certificate and have it signed by a public certificate authority
  • To use the existing certificate, export it from ADFS 2012 R2 with its private key and import it into the ADFS 2016 server

Mixed Mode Farm: A Windows Server 2016 AD FS server can be added to a Windows Server 2012 R2 farm, and it will operate at the same farm behavior level (FBL) as a Windows Server 2012 R2 server. When you have a Windows Server 2016 AD FS server operating in this fashion, your farm is said to be “mixed”. However, you will not be able to take advantage of the new Windows Server 2016 features until the FBL is raised to Windows Server 2016.

Installation of ADFS Role

  1. On the Windows Server 2016 server, open the Add Roles and Features Wizard and add the Active Directory Federation Services server role.
  2. Proceed through the wizard. Click Configure the federation service on this server.
  3. On the Welcome page in the Active Directory Federation Services Configuration Wizard, choose an option for a federation server, and then click Next.
  4. Proceed through the wizard. To join an existing farm, specify the farm name and import the certificate. To create a new farm, click create new farm and provide the details. On the Specify Service Properties page, select your TLS/SSL certificate, enter a Federation Service Name, and then enter a Federation Service Display Name.
  5. Proceed through and complete the Active Directory Federation Services Configuration Wizard. Close the Add Roles and Features Wizard.
  6. If you have not already created a host record in DNS for the federation service name you specified in Step 4, do so now.

Upgrade ADFS 2016

To upgrade to ADFS 2016, first join the new ADFS server to the existing farm. Then, on the Windows Server 2016 server, open PowerShell and run the following cmdlet:

Set-AdfsSyncProperties -Role PrimaryComputer

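On the original AD FS Windows Server 2012 R2 server, open PowerShell and run the following cmdlet. The -PrimaryComputerName value is the FQDN of the new primary, that is, the Windows Server 2016 server (Server2016.domain.com is a placeholder):

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName Server2016.domain.com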

To use ADFS 2016 functionality, you have to prepare AD with the ADFS 2016 schema. Mount the Windows Server 2016 installation media on a domain controller, open a command prompt and navigate to the support\adprep directory. Run the following:

adprep /forestprep

adprep /domainprep

Now raise the farm behavior level to ADFS 2016 by running the Invoke-AdfsFarmBehaviorLevelRaise PowerShell cmdlet on the ADFS 2016 primary server.
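
The raise step with a check before and after it, as an added example that is not part of the original article. It assumes a WID farm (as the Set-AdfsSyncProperties steps imply) and an elevated PowerShell session on the Windows Server 2016 node.

```powershell
# Added example, not from the original article.
# Assumption: WID farm; run elevated on the Windows Server 2016 node.
Import-Module ADFS

# 1. Only the primary can raise the FBL; stop early on a secondary.
$sync = Get-AdfsSyncProperties
if ($sync.Role -ne 'PrimaryComputer') {
    throw "This node is '$($sync.Role)'. Run the raise on the primary."
}

# 2. Dry run: tests whether the farm can be raised, without changing it.
#    Review its output before answering the confirmation prompt in step 3.
Test-AdfsFarmBehaviorLevelRaise

# 3. Raise the FBL. The cmdlet asks for confirmation before it proceeds.
Invoke-AdfsFarmBehaviorLevelRaise

# 4. Verify. CurrentFarmBehavior is 1 for Windows Server 2012 R2
#    and 3 for Windows Server 2016.
$farm = Get-AdfsFarmInformation
if ($farm.CurrentFarmBehavior -lt 3) {
    throw "Farm is still at behavior level $($farm.CurrentFarmBehavior)."
}
"Farm behavior level: $($farm.CurrentFarmBehavior)"

# 5. List the farm nodes as the farm now reports them.
$farm.FarmNodes | Format-List *
```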

To test the ADFS 2016 sign-in page, enable IdP-initiated sign-on and RP-initiated sign-on by running the following cmdlets on the ADFS 2016 server.

Set-ADFSProperties -EnableIdpInitiatedSignonPage $True

Set-ADFSProperties -EnableRelayStateForIdpInitiatedSignOn $True

Open a browser and go to https://sts.domain.com/adfs/ls/idpinitiatedsignon

Removing Legacy ADFS and WAP

  • Remote into the legacy servers and uninstall the ADFS and Remote Access roles

Installing Federation Proxy

  • Install Windows Server 2016
  • Rename the server
  • Set up IPv4 on the WAP server
  • Install the WAP role using the PowerShell cmdlets shown after this list
  • Add a host (A) record for the STS to the C:\Windows\System32\drivers\etc\hosts file of the WAP server

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy -CertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b' -FederationServiceName sts.domain.com
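
A pre-install check for the WAP server, as an added example that is not part of the original article. It confirms that the certificate and the hosts-file entry are in place before the proxy trust is created. The thumbprint and service name are the article's placeholders, and the credential prompt text is an assumption.

```powershell
# Added example, not from the original article. Run elevated on the WAP server.
$Thumbprint = '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b'   # placeholder
$FsName     = 'sts.domain.com'                             # placeholder

# 1. The certificate must be in LocalMachine\My, carry its private key
#    and still be valid.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw 'Certificate was imported without its private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# 2. The certificate must cover the federation service name, either
#    directly or through a wildcard for the parent domain.
$names    = @($cert.DnsNameList.Unicode)
$wildcard = '*.' + $FsName.Substring($FsName.IndexOf('.') + 1)
if ($names -notcontains $FsName -and $names -notcontains $wildcard) {
    throw "Certificate names ($($names -join ', ')) do not cover $FsName."
}

# 3. The name must resolve (hosts file or DNS) and port 443 must be open
#    from the WAP server to the AD FS farm.
$probe = Test-NetConnection -ComputerName $FsName -Port 443 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach ${FsName}:443 from this server. Check the hosts entry and firewall rules."
}
"$FsName resolves to $($probe.RemoteAddress) and accepts TCP/443"

# 4. Create the proxy trust. The credential is an account allowed to
#    manage the federation service; it is used once and not stored.
$cred = Get-Credential -Message 'Account with admin rights on the AD FS farm'
Install-WebApplicationProxy -CertificateThumbprint $Thumbprint `
    -FederationServiceName $FsName -FederationServiceTrustCredential $cred

# 5. Show the resulting proxy configuration.
Get-WebApplicationProxyConfiguration
```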

Firewall Rules for WAP Servers

Add firewall rules for the WAP servers if they are placed behind a firewall. You must allow inbound and outbound traffic on port 443 between the WAP servers and the internet.

Firewall Rules for ADFS servers

ADFS servers are domain-joined and placed in the internal network, while WAP servers are placed in a different VLAN or a DMZ to protect the ADFS servers. You must allow port 443 between ADFS and WAP in both directions.

Firewall Rules for ADFS 2016 with MFA

If your ADFS 2016 servers are behind a firewall, especially when traffic goes via Azure ExpressRoute, add the following firewall rules to the Azure Network Security Group (NSG) for ADFS 2016 MFA.

Source         Destination         Service            Action
10.xx.0.0/24   23.99.10.4          HTTPS (TCP/443)    Allow
10.xx.0.0/24   23.99.10.4          HTTPS (TCP/443)    Allow
10.xx.0.0/24   168.63.89.78        HTTPS (TCP/443)    Allow
10.xx.0.0/24   168.63.89.78        HTTPS (TCP/443)    Allow
10.xx.0.0/24   40.77.21.104        Custom (TCP/Any)   Allow
10.xx.0.0/24   104.42.126.253      Custom (TCP/Any)   Allow
10.xx.0.0/24   40.84.187.178       Custom (TCP/Any)   Allow
10.xx.0.0/24   52.161.23.17        Custom (TCP/Any)   Allow
10.xx.0.0/24   40.87.57.9          Custom (TCP/Any)   Allow
10.xx.0.0/24   134.170.116.0/25    Custom (TCP/Any)   Allow
10.xx.0.0/24   134.170.165.0/25    Custom (TCP/Any)   Allow
10.xx.0.0/24   70.37.154.128/25    Custom (TCP/Any)   Allow
