Hi,
I'm trying to migrate from 2008 R2 + ADFS 2.0 to 2012 R2 PTA + SSSO.
But, of course, I run into problems, otherwise I wouldn't be here haha.
I inherited this configuration and I have no idea how the current configuration has been set up. No documentation whatsoever.
Setup:
2008 R2 server with ADFS 2.0 installed (no farm, standalone server, no WAP). AD Connect has already been installed on the 2012 R2 server and runs in staging mode.
The volumes on the server are backed up automatically. The AD FS Rapid Restore Tool is not compatible with 2008 R2. ADFS is only being used by Office 365.
If we perform the migration (2012 R2 + PTA SSSO), the ADFS server (2008 R2) remains untouched besides this change.
Because the AD FS Rapid Restore Tool has not been used, the command below has been used and the result has been saved on our share.
(Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform") | Export-CliXML "C:\temp\O365-RelyingPartyTrust.xml"
Our wish:
Remove the 2008 R2 server from our environment and use the 2012 R2 server with PTA + SSSO.
Problems:
1. There are two ways to configure Microsoft 365 to migrate to PTA, coming from ADFS.
- Use AD Connect and change authentication to PTA, but this can only be done if AD Connect was used to set up ADFS in the first place.
- Manually change MSOL Domain authentication by using this command: Set-MsolDomainAuthentication -Authentication Managed -DomainName <domain name>
Problem: AD Connect does recognize that federation is enabled; however, it does not recognize the server which has ADFS 2.0 installed as the primary server. So I don't know which method has been used.
2. Looking at the "ArtifactDbConnection" entry after running the Get-ADFSProperties command, we use a SQL database which can be found but couldn't be loaded in SQL Server 2014 to perform a backup.
Questions:
1. What happens if I use AD Connect to switch to PTA if it has been set up manually, or what happens if I manually change the MSOL domain authentication if AD Connect has been used to configure ADFS?
2. Is it possible to just disable ADFS (outside office hours, of course) and configure PTA on the AD Connect instance on the 2012 R2 server?
3. What are the consequences if the ADFS server crashes, besides users not being able to log in? In other words, what needs to be done if the migration to PTA fails, besides using the "Convert-MSOLDomainToFederated" command? As stated earlier, the old server remains untouched besides this change, so reverting back should be easy, right?
I've been searching for information for the past three weeks but most information is not fully applicable to our situation. Therefore, this thread.
Sorry in case of bad English, not my native language.
And maybe this isn't as hard as I think it is, but I can't afford to mess this up.
Kind regards,
Gary
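An added example, not from Gary's post: a PowerShell pre-migration snapshot to run on the ADFS 2.0 server before anything is changed. It extends the single Export-CliXML line in the post to the full set of state you would want for a rollback (service properties including ArtifactDbConnection, every relying party trust with its claim rules as text, signing certificate thumbprints, and what Office 365 currently holds for the domain). Assumptions: the output folder and domain name are placeholders, the ADFS 2.0 snap-in is present, and the MSOnline module is available on the same machine (if not, the cloud-side part can be run elsewhere).

```powershell
# Added example (not from the original post). Captures local ADFS 2.0 state
# and the cloud-side federation settings so a change can be compared against
# a known baseline and, if needed, recreated. Placeholders: $BackupRoot, $DomainName.
$BackupRoot = "C:\temp\adfs-backup\$(Get-Date -Format 'yyyyMMdd-HHmm')"
$DomainName = "contoso.example"   # placeholder: the federated Office 365 domain

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# ADFS 2.0 on 2008 R2 ships its cmdlets as a PowerShell snap-in, not a module.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# 1. Service-wide properties. This includes ArtifactDbConnection and the
#    configuration database connection string, so you know where state lives.
Get-AdfsProperties | Export-Clixml (Join-Path $BackupRoot "AdfsProperties.xml")

# 2. Every relying party trust (not only Office 365) plus its claim rules as
#    plain text. Export-Clixml alone does not give you a restorable trust; the
#    rule text is what Set-AdfsRelyingPartyTrust needs to recreate it.
$rpts = Get-AdfsRelyingPartyTrust
$rpts | Export-Clixml (Join-Path $BackupRoot "RelyingPartyTrusts.xml")
foreach ($rpt in $rpts) {
    $safe = ($rpt.Name -replace '[^\w\-]', '_')
    $rpt.IssuanceTransformRules     | Set-Content (Join-Path $BackupRoot "$safe.IssuanceTransformRules.txt")
    $rpt.IssuanceAuthorizationRules | Set-Content (Join-Path $BackupRoot "$safe.IssuanceAuthorizationRules.txt")
}

# 3. Certificate thumbprints. Office 365 trusts tokens signed by the current
#    token-signing certificate; a rebuilt server with a different certificate
#    is not a restore from the cloud's point of view.
Get-AdfsCertificate |
    Select-Object CertificateType, Thumbprint, IsPrimary |
    Export-Csv (Join-Path $BackupRoot "Certificates.csv") -NoTypeInformation

# 4. The cloud side: what Office 365 believes about the domain right now.
#    Requires the MSOnline module; Connect-MsolService prompts for admin credentials.
Import-Module MSOnline
Connect-MsolService
Get-MsolDomain -DomainName $DomainName |
    Select-Object Name, Authentication, Status |
    Export-Clixml (Join-Path $BackupRoot "MsolDomain.xml")
$cloud = Get-MsolDomainFederationSettings -DomainName $DomainName
$cloud | Export-Clixml (Join-Path $BackupRoot "MsolDomainFederationSettings.xml")

# 5. Cross-check: the IssuerUri held by Office 365 should match this server's
#    federation service identifier. A mismatch means the cloud is federated with
#    something other than the box you are about to decommission.
$localIssuer = "$((Get-AdfsProperties).Identifier)".TrimEnd('/')
$cloudIssuer = "$($cloud.IssuerUri)".TrimEnd('/')
if ($cloudIssuer -ne $localIssuer) {
    Write-Warning "IssuerUri mismatch: cloud='$cloudIssuer' local='$localIssuer'"
} else {
    Write-Host "Cloud IssuerUri matches the local ADFS identifier: $cloudIssuer"
}

Write-Host "Snapshot written to $BackupRoot"
```

Run it once before touching anything and keep the folder with the existing O365-RelyingPartyTrust.xml. The MsolDomain.xml file records whether the domain is currently Federated or Managed, which is the value the migration flips, and the claim-rule text files are what you would need to rebuild the Office 365 trust by hand if the Rapid Restore Tool is not an option on 2008 R2.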