HELP!!! Can I have multiple ADFS (versions) on one domain/forest?


Currently, I have set up an ADFS 2.0 farm (two ADFS servers (primary & secondary) and two ADFS proxy servers) that is specifically set up for my student body Office 365 access.

Recently, I have been tasked to create/add another cloud service access to our SSO (ADFS) setup.

After some research, I am leaning towards just creating new ADFS 4.0 VMs (two ADFS servers (primary & secondary) and two ADFS Web Application Proxy servers) for this new cloud service, then later migrating my student body Office 365 access to it.

My question/concern is: will this create an issue within my AD environment, having multiple ADFS setups in the same domain/forest? Or will it be treated like two separate services at this time?

Lastly, if this is possible, would I set up ADFS 4.0 similar to how I set up my ADFS 2.0, which was set up several years ago utilizing NLB features of the Hyper-V hosts to make a poor man's version of a cluster or something like that? It works and works well, but I am just wondering if there is a better way to set up a new ADFS 4.0 service.


Let me know if you need further details / explanations to assist with my questions.


Thanks in advance.
rsnellman (IT Manager) asked:

Vasil Michev (MVP) commented:
Yes, you can. As long as you use a different endpoint/service account there will be no interference between the two farms.
0
rsnellman (IT Manager, Author) commented:
Vasil,
Thank you for the quick response.

I found this while waiting...  Building Multiple ADFS Farms in a Single Forest

I will get started building the VMs now, and if I have further questions, I will be sure to ask.


Thanks again.


Have a great day.
0
rsnellman (IT Manager, Author) commented:
According to this article, AD FS Requirements

I need to extend my schema (AD (DFL) & Forest (FFL)), but I only have Windows Server 2008 R2 DCs at the moment.

Can I use the ADFS 4.0 setup within my Windows Server 2003 FFL & Windows Server 2008 DFL? Or do I need to raise them in order for ADFS 4.0 to work?


Thanks.
0

Mahesh (Architect) commented:
You need to extend the AD schema to Server 2016 before you install ADFS 2016; however, that does not mean you need to install a 2016 AD server.
Once the schema is extended, you can use ADFS 4.0 with a 2003 FFL and 2008 DFL.
0

rsnellman (IT Manager, Author) commented:
This is great news... Thanks, Mahesh. I was hoping not to add one more hurdle to this project.

So, I won't need Microsoft Passport for Work, since all my current cloud vendors are asking for is the metadata for the ADFS landing page, correct?


Thanks again.


You all are true life savers.  I am so glad I am a part of this community.
0
Mahesh (Architect) commented:
Yeah, that's right.
Once the schema is extended, you can start using ADFS; in the future, if at all you need 2016 DC servers, you can always add them at a later point in time.
0
rsnellman (IT Manager, Author) commented:
OK.  Sounds good.  Thanks again for all of your amazing assistance.

Have a great day.
0
rsnellman (IT Manager, Author) commented:
One last quick question....

Extending the AD schema: can I jump to Server 2016, or do I need to extend from Windows Server 2008 R2 to Windows Server 2012, then to Windows Server 2012 R2, and finally to Windows Server 2016?


Thanks.
0
Mahesh (Architect) commented:
No need.
Install a 2016 member server with the AD DS RSAT tools,
then insert the 2016 DVD, navigate to the adprep folder under support, and execute the schema updating commands.
OR
The same can be achieved from a 2008 R2 R/W DC as well (PDC preferably).
0
rsnellman (IT Manager, Author) commented:
OK. I was planning to run the required DVD (OS media disc) from my Server 2008 R2 PDC and run the commands via the command prompt.

So, if that will still work, then I will go that route.

A few articles I have run across while refreshing up on extending the AD schema mention having a forest recovery to roll back to in case it fails or crashes.

I'll be honest, I have never had to do a forest recovery. Have you? If so, what does that all consist of?


Thanks again.
0
Mahesh (Architect) commented:
Take a PDC server system state backup before proceeding.
Use an elevated prompt, and
ensure you log on to the server with an account that has Domain Admins, Enterprise Admins and Schema Admins membership.
Turn off AV protection.
I have never seen anyone have to undergo forest recovery after an AD schema update. The AD schema update can fail to execute for any reason; however, you can run it again and again until you succeed.
Forest recovery is the only option to roll back, but the reason for forest recovery is very different:
only when your AD stops working completely is forest recovery required. Your scenario doesn't need that.
I tested the process in a lab a few years ago.
0
rsnellman (IT Manager, Author) commented:
OK. Thanks again for all of your amazing help.

I have the PDC being backed up using Microsoft System Center Data Protection Manager 2012 R2. So, I should be good, but just to be on the safe side I will go ahead and do a Windows Server Backup system state backup of the PDC anyway.

As for elevated, you mean elevated command prompt, correct?

Other than that, I think I am good to go and will let you know how it turns out shortly.


Thanks again.
0
Mahesh (Architect) commented:
Yes, that's correct.
0
rsnellman (IT Manager, Author) commented:
OK. So, I have... according to the command prompt responses... successfully extended my forest to (87 = Windows Server 2016).

How can I confirm that this is actually true, and how do I check that my other DCs have the replicated information?

I opened up regedit and dug down to NTDS\Parameters and found Schema Version = 87 (I assume this is the forest schema).

Also, I have checked in ADSI Edit that the revision is 16.


However, when I go to the Active Directory Domains and Trusts console and check the forest levels available under "Raise Forest Functional Level", I still only see the two prior to the upgrade (adprep /forestprep), which were Windows Server 2008 & Windows Server 2008 R2, because my FFL is currently at Windows Server 2003.

Shouldn't that have changed, and the other FFL options be in the drop-down list too?
0
rsnellman (IT Manager, Author) commented:
OK. So, I just realized that I forgot to turn off my AV protection on my Server 2008 R2 PDC where I was running the adprep /forestprep commands from.

However, the forestprep said it was successful with no issues, and the AV protection is very minimal to begin with.


In addition, when I checked all of the DCs' registries (i.e. NTDS\Parameters\Schema Version), they all say 87 now.

I am just trying to remember how I can verify they are good to go with the forestprep so I can proceed with the domainprep.


Lastly, I did verify that the DC replications are still working correctly via the repadmin command that I have scripted to run every 4 hours automagically.


Thanks in advance.
0
rsnellman (IT Manager, Author) commented:
Never mind... I realized what was going on after I finally left work yesterday and could think clearly again.

The reason it won't display in the drop-down list is that I am doing it from a Windows Server 2008 R2 DC and not a Windows Server 2016 DC.

Duh...


Thanks again for all of your amazing help.
0
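The verification the author did by hand in the last few posts (schema version in the registry, the ForestUpdates revision in ADSI Edit, checking every DC, functional levels) can be scripted. The following is an added example, not code from the thread or from any poster; it assumes the ActiveDirectory RSAT module, that the account can read the Configuration and Schema partitions, and WinRM access to each DC for the registry read. The expected values 87 and 16 are the ones the thread reports for a Windows Server 2016 forestprep.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module and WinRM to each DC.
Import-Module ActiveDirectory

$expectedSchema = 87   # schema objectVersion reported for Windows Server 2016 in the thread
$expectedForest = 16   # ForestUpdates revision the author saw in ADSI Edit after forestprep

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest

# 1. Authoritative schema version: objectVersion on the Schema naming context
$schemaVer = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
"Schema NC objectVersion : $schemaVer (expected $expectedSchema)"

# 2. Marker object written by adprep /forestprep (the 'revision' the author checked in ADSI Edit)
$forestUpdDn = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($rootDse.configurationNamingContext)"
$forestRev   = (Get-ADObject -Identity $forestUpdDn -Properties revision).revision
"ForestUpdates revision  : $forestRev (expected $expectedForest)"

# 3. Per-DC check across every domain in the forest: ask each DC for its own copy of the
#    schema version (LDAP) and read the same value from its NTDS\Parameters registry key.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $ldapVer = (Get-ADObject -Identity $rootDse.schemaNamingContext -Server $dc.HostName `
                    -Properties objectVersion).objectVersion
        try {
            $regVer = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty -Path $using:regPath).'Schema Version'
            }
        } catch { $regVer = "n/a ($($_.Exception.Message))" }
        [pscustomobject]@{
            DC            = $dc.HostName
            LdapSchemaVer = $ldapVer
            RegSchemaVer  = $regVer
            OK            = ($ldapVer -eq $expectedSchema -and $regVer -eq $expectedSchema)
        }
    }
}
$results | Format-Table -AutoSize

# 4. Functional levels read directly, rather than from a GUI drop-down whose contents depend
#    on the OS of the DC you happen to be sitting on (the author's last finding).
"Forest mode: $($forest.ForestMode)   Domain mode: $((Get-ADDomain).DomainMode)"

# 5. Replication summary, the same check the author runs on a schedule
repadmin /replsummary
```

Every row in the table should show OK = True before moving on to adprep /domainprep; a DC that still reports the old value has simply not received the schema partition update yet.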