
@piaudonn
I will be cutting over to the new cert since everyone has been communicated with. The plan is:
- set rollover to true
- update cert
- set rollover to false

A couple of questions:
1. For two ADFS servers in a farm with a SQL database, does this need to be done on each ADFS server, or would creating it on one be reflected on the other, since they share a single database?
2. Since one of the domains is federated in Azure AD, will it auto-update based on the fact that we set the rollover to true prior to the change? Or does Update-MsolFederatedDomain need to be run after the new cert is generated and made primary?

Thank you again!



@piaudonn
Thank you!!

Ours is a self-signed cert and expires in about 9 days. We have the following set:
- CertificateGenerationThreshold - 20
- CertificatePromotionThreshold - 10
- CertificateCriticalThreshold - 2

If I were to change auto-rollover to true, regenerate the cert, and then change auto-rollover to false:
1. Will the cert change to primary right away, since CertificatePromotionThreshold is now 10 and we are past that point (the cert expires in 9 days)?
2. Will Azure AD update itself when the cert is generated this way?

A response will be highly appreciated!
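The three-step plan from the posts above (rollover on, regenerate, rollover off), written out as a PowerShell sequence with a check between steps and the Azure AD update at the end. This is an added example, not code from the thread or from @piaudonn; it assumes it is run on one ADFS server of the farm with the ADFS and MSOnline modules available, and the domain name is a placeholder.

```powershell
# Added example: cutover plan with verification. Placeholder domain; replace with the
# federated domain from the tenant before running.
$FederatedDomain = 'contoso.example'

# Record the thresholds in force and the current primary token-signing certificate
$props = Get-AdfsProperties
"Rollover: $($props.AutoCertificateRollover); thresholds gen/promo/critical: " +
    "$($props.CertificateGenerationThreshold)/$($props.CertificatePromotionThreshold)/$($props.CertificateCriticalThreshold)"
$oldPrimary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
"Current primary: $($oldPrimary.Thumbprint) expires $($oldPrimary.Certificate.NotAfter)"

# Step 1: set rollover to true
Set-AdfsProperties -AutoCertificateRollover $true

# Step 2: generate a new self-signed token-signing certificate.
# -Urgent promotes the new certificate to primary immediately rather than waiting for
# CertificatePromotionThreshold; drop the switch to let the threshold logic decide.
Update-AdfsCertificate -CertificateType Token-Signing -Urgent

# Step 3: set rollover to false
Set-AdfsProperties -AutoCertificateRollover $false

# Check: the primary must now be a different certificate than the one about to expire
$newPrimary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
if ($newPrimary.Thumbprint -eq $oldPrimary.Thumbprint) {
    throw 'Token-signing certificate was not promoted; inspect Get-AdfsCertificate before continuing.'
}
"New primary: $($newPrimary.Thumbprint) expires $($newPrimary.Certificate.NotAfter)"

# Azure AD side: push the new signing certificate to the federated domain, then show
# what Azure AD holds next to what ADFS reports so the two can be compared
Connect-MsolService
Update-MsolFederatedDomain -DomainName $FederatedDomain
Get-MsolFederationProperty -DomainName $FederatedDomain
```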

Thank you. A few more queries based on your response.

  1. To be rid of SQL, do I need to create new 2012 R2 ADFS servers to restore to using ADFS Rapid Restore? Or do I restore on both of the existing ADFS servers one at a time? A summary of the procedure would be great. Since, using WID, one will be primary and the other secondary, would that affect the current architecture, with the load balancer pointing to two WAP servers and each WAP with a local hosts file pointing to a specific ADFS server?

  2. What becomes of the artifact database after moving to WID?

  3. Once the 2019 servers are introduced (assuming the first procedure went fine), I am assuming the existing WAP doesn't need to be modified except for the local hosts file that points to the ADFS 3 server?

Thanks again!