GaryRaboen-6482 asked:

Migration: ADFS 2.0 (Server 2008 R2) -> PTA (Server 2012 R2)

Hi,

I'm trying to migrate from 2008 R2 + ADFS 2.0 to 2012 R2 PTA + SSSO.

But, of course, I run into problems, otherwise I wouldn't be here haha.

I inherited this configuration and I have no idea how the current configuration has been setup. No documentation whatsoever.

Setup:
2008 R2 server with ADFS 2.0 installed (no farm, standalone server, no WAP). AD Connect has already been installed on the 2012 R2 server and runs in staging mode.
The volumes on the server are being backed up automatically. AD FS Rapid Restore Tool is not compatible with 2008 R2. ADFS is only being used by Office 365.

If we perform the migration (2012 R2 + PTA SSSO), the ADFS server (2008 R2) remains untouched besides this change.

Because AD FS Rapid Restore Tool has not been used, below command has been used and the result has been saved on our share.
(Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform") | Export-CliXML "C:\temp\O365-RelyingPartyTrust.xml"

Our wish:
Remove the 2008 R2 server from our environment and use the 2012 R2 server with PTA + SSSO.

Problems:
1. There are two ways to configure Microsoft 365 to migrate to PTA, coming from ADFS.
- Use AD Connect and change authentication to PTA, but this can only be done if AD Connect has been used to setup ADFS in the first place.
- Manually change MSOL Domain authentication by using this command: Set-MsolDomainAuthentication -Authentication Managed -DomainName <domain name>
Problem: AD Connect does recognize that Federation is enabled, however, it does not recognize the server which has ADFS 2.0 installed as primary server. So I don't know which method has been used.
2. Looking at the "ArtifactDbConnection" entry after entering the Get-ADFSProperties command, we use a SQL database which can be found but couldn't be loaded in SQL Server 2014 to perform a backup.

Questions:
1. What happens if I use AD Connect to switch to PTA if it has been set up manually, or what happens if I manually change the MSOL domain authentication if AD Connect has been used to configure ADFS?
2. Is it possible to just disable ADFS (outside office hours of course) and configure PTA on the AD Connect instance on the 2012 R2 server?
3. What are the consequences if the ADFS server crashes, besides users not being able to log in? In other words, what needs to be done if migration to PTA fails besides using the "Convert-MSOLDomainToFederated" command? As stated earlier, the old server remains untouched besides this change, so reverting back should be easy, right?

I've been searching for information for the past three weeks but most information is not fully applicable to our situation. Therefore, this thread.

Sorry in case of bad English, not my native language.

And maybe this isn't as hard as I think it is, but I can't afford to mess this up.

Kind regards,

Gary

azure-ad-pass-through-authentication

1 Answer

amon-2590 answered:
  1. You can only convert from federation to PTA using ADConnect if the Federation was originally set up with ADConnect. Otherwise you must do it manually with PowerShell. From your description it sounds as if Federation was set up manually. This could also be a good thing; it means that you have more granular control over the transition.

  2. Sure, that is a valid option. Remove the role and: Set-MsolDomainAuthentication -DomainName yourdomain.com -Authentication Managed.

  3. You don't need to touch your federation server, so while creating a backup is always a very good plan, you will most likely not require the backup even if you decide to revert.

Not part of your question, but might be useful:
- How to backup your ADFS
- From documentation: "Don’t shut down your AD FS environment or remove the Microsoft 365 relying party trust until you have verified that all users can successfully authenticate by using cloud authentication."


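The following is an added example, not code from the question or the answer. It strings together the manual path the answer endorses in point 2 (Set-MsolDomainAuthentication ... -Authentication Managed) with the backup step the question already takes (Export-CliXML of the Office 365 relying party trust), and adds the two things a practitioner wants around such a cutover: a pre-change snapshot of the tenant's federation settings so a manual rollback to Federated has the values it needs, and a post-change verification before anyone touches the AD FS server. It assumes the MSOnline module is installed, the signed-in account is a Global Administrator, and that the domain name, backup path and the `-Commit` switch are placeholders of this example rather than anything from the thread. The AD FS export section only runs on a host where the AD FS cmdlets are loaded (on AD FS 2.0 that means `Add-PSSnapin Microsoft.Adfs.PowerShell` first); on any other host it is skipped.

```powershell
# Added example (not from the question or answer): dry-run-by-default run-book
# for the manual federated -> managed (PTA) cutover discussed in the thread.
# Assumptions: MSOnline module installed, Global Administrator account,
# placeholder domain/backup path, hypothetical -Commit switch.
param(
    [string]$DomainName = 'yourdomain.example',              # placeholder custom domain
    [string]$BackupRoot = '\\fileserver\share\adfs-backup',  # placeholder backup share
    [switch]$Commit                                          # without -Commit nothing changes
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# --- 1. AD FS side: capture what Rapid Restore cannot on 2008 R2 ---
# Runs only where the AD FS cmdlets are available (AD FS 2.0: load the
# Microsoft.Adfs.PowerShell snap-in first). Serialized so it can be diffed
# or re-imported later.
if (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue) {
    Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform' |
        Export-Clixml (Join-Path $backup 'O365-RelyingPartyTrust.xml')
    Get-AdfsProperties | Export-Clixml (Join-Path $backup 'AdfsProperties.xml')
}

# --- 2. Tenant side: record the current state BEFORE changing anything ---
Import-Module MSOnline
Connect-MsolService

$domain = Get-MsolDomain -DomainName $DomainName
"Domain ${DomainName}: Authentication=$($domain.Authentication) Status=$($domain.Status)"

if ($domain.Authentication -ne 'Federated') {
    throw "Domain ${DomainName} is not federated; nothing to convert."
}

# IssuerUri, PassiveLogOnUri, signing certificate, etc. are exactly the values
# a manual re-federation would need if the cutover has to be rolled back.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Export-Clixml (Join-Path $backup "$DomainName-FederationSettings.xml")

# --- 3. Cutover: federated -> managed, only when explicitly requested ---
if (-not $Commit) {
    "Dry run complete. Backups written to $backup. Re-run with -Commit to convert."
    return
}

Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

# --- 4. Verify; leave AD FS running until cloud sign-in is proven to work ---
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Conversion did not take effect: Authentication=$($after.Authentication)"
}
"Domain ${DomainName} is now Managed. Enable PTA and Seamless SSO in Azure AD Connect and test sign-ins before decommissioning AD FS."
```

Run it once without `-Commit` to produce the backups and confirm the domain really is Federated; only the second run with `-Commit` issues the Set-MsolDomainAuthentication call. Keeping the exported federation settings next to the relying party trust export gives a complete picture of both sides of the trust, which is what the "don't shut down AD FS until everyone can authenticate" advice quoted in the answer relies on.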

I believe that the documentation which you provided is going to help a lot. I'll keep you posted.


Okay, all went fine. However, now I can only log on to M365 when my global administrator account carries the custom domain name instead of the xxx.onmicrosoft.com.

Why is that?
