Upgrading to AD FS in Windows Server 2016 with SQL Server

Applies To: Windows Server 2016

Moving from a Windows Server 2012 R2 AD FS farm to a Windows Server 2016 AD FS farm

This document describes how to upgrade your Windows Server 2012 R2 AD FS farm to AD FS in Windows Server 2016 when you are using SQL Server for the AD FS database.

Upgrading AD FS to Windows Server 2016 FBL

New in AD FS for Windows Server 2016 is the farm behavior level (FBL) feature. This feature is farm-wide and determines the features that the AD FS farm can use. By default, the FBL in a Windows Server 2012 R2 AD FS farm is at the Windows Server 2012 R2 FBL.

A Windows Server 2016 AD FS server can be added to a Windows Server 2012 R2 farm, and it will operate at the same FBL as a Windows Server 2012 R2 server. When you have a Windows Server 2016 AD FS server operating in this fashion, your farm is said to be "mixed". However, you will not be able to take advantage of the new Windows Server 2016 features until the FBL is raised to Windows Server 2016. With a mixed farm:

  • Administrators can add new Windows Server 2016 federation servers to an existing Windows Server 2012 R2 farm. As a result, the farm is in "mixed mode" and operates at the Windows Server 2012 R2 farm behavior level. To ensure consistent behavior across the farm, new Windows Server 2016 features cannot be configured or used in this mode.

  • Once all Windows Server 2012 R2 federation servers have been removed from the mixed mode farm, and in the case of a WID farm, one of the new Windows Server 2016 federation servers has been promoted to the role of primary node, the administrator can then raise the FBL from Windows Server 2012 R2 to Windows Server 2016. As a result, any new AD FS Windows Server 2016 features can then be configured and used.

  • As a result of the mixed farm feature, AD FS Windows Server 2012 R2 organizations looking to upgrade to Windows Server 2016 will not have to deploy an entirely new farm and export and import configuration data. Instead, they can add Windows Server 2016 nodes to an existing farm while it is online and only incur the relatively brief downtime involved in the FBL raise.

Be aware that while in mixed farm mode, the AD FS farm is not capable of any new features or functionality introduced in AD FS in Windows Server 2016. This means organizations that want to try out new features cannot do this until the FBL is raised. So if your organization is looking to test the new features prior to raising the FBL, you will need to deploy a separate farm to do this.

The remainder of this document provides the steps for adding a Windows Server 2016 federation server to a Windows Server 2012 R2 environment and then raising the FBL to Windows Server 2016. These steps were performed in a test environment outlined by the architectural diagram below.

Note

Before you can move to AD FS in Windows Server 2016 FBL, you must remove all of the Windows 2012 R2 nodes. You cannot just upgrade a Windows Server 2012 R2 OS to Windows Server 2016 and have it become a 2016 node. You will need to remove it and replace it with a new 2016 node.

The following architectural diagram shows the setup that was used to validate and record the steps below.

[Architecture diagram]

Join the Windows 2016 AD FS Server to the AD FS farm

  1. Using Server Manager, install the Active Directory Federation Services role on the Windows Server 2016 server.

  2. Using the AD FS Configuration wizard, join the new Windows Server 2016 server to the existing AD FS farm. On the Welcome screen, click Next.

  3. On the Connect to Active Directory Domain Services screen, specify an administrator account with permissions to perform the federation services configuration and click Next.
  4. On the Specify Farm screen, enter the name of the SQL server and instance and then click Next.
  5. On the Specify SSL Certificate screen, specify the certificate and click Next.
  6. On the Specify Service Account screen, specify the service account and click Next.
  7. On the Review Options screen, review the options and click Next.
  8. On the Pre-requisites Checks screen, ensure that all of the pre-requisite checks have passed and click Configure.
  9. On the Results screen, ensure that the server was successfully configured and click Close.

Remove the Windows Server 2012 R2 AD FS server

Note

You do not need to set the primary AD FS server using Set-AdfsSyncProperties -Role when using SQL as the database. This is because all of the nodes are considered primary in this configuration.

  1. On the Windows Server 2012 R2 AD FS server, in Server Manager, use Remove Roles and Features under Manage.
  2. On the Before you Begin screen, click Next.
  3. On the Server Selection screen, click Next.
  4. On the Server Roles screen, remove the check next to Active Directory Federation Services and click Next.
  5. On the Features screen, click Next.
  6. On the Confirmation screen, click Remove.
  7. Once this completes, restart the server.

Raise the Farm Behavior Level (FBL)

Prior to this step you need to ensure that forestprep and domainprep have been run on your Active Directory environment and that Active Directory has the Windows Server 2016 schema. This document started with a Windows 2016 domain controller and did not require running these because they were run when AD was installed.

  1. Now on the Windows Server 2016 server, open PowerShell and run the following: $cred = Get-Credential and press Enter.
  2. Enter credentials that have admin privileges on the SQL Server.
  3. Now in PowerShell, enter the following: Invoke-AdfsFarmBehaviorLevelRaise -Credential $cred
  4. When prompted, type Y. This will begin raising the level. Once this completes you have successfully raised the FBL.
  5. Now, if you go to AD FS Management, you will see the new nodes that have been added for AD FS in Windows Server 2016.
  6. Likewise, you can use the PowerShell cmdlet Get-AdfsFarmInformation to show you the current FBL.
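
The FBL raise steps above as a single guarded script (an added example, not part of the original document). It adds a dry run with Test-AdfsFarmBehaviorLevelRaise, a cmdlet the steps above do not mention, and assumes Get-AdfsFarmInformation returns an object with a CurrentFarmBehavior property.

```powershell
#Requires -RunAsAdministrator
# Added example: run on a Windows Server 2016 AD FS node of a SQL-backed farm,
# after every Windows Server 2012 R2 node has been removed from the farm.
Import-Module ADFS -ErrorAction Stop

# Account with admin privileges on the SQL Server that hosts the AD FS database.
$cred = Get-Credential -Message 'SQL Server administrator for the AD FS database'

# Record the level before the change (assumed property: CurrentFarmBehavior).
# If this call fails, the script stops here and the farm is untouched.
$before = (Get-AdfsFarmInformation -ErrorAction Stop).CurrentFarmBehavior
Write-Host "Farm behavior level before raise: $before"

# Dry run: reports whether the raise can succeed without changing the farm.
Test-AdfsFarmBehaviorLevelRaise -Credential $cred -ErrorAction Stop | Format-List

# Give the operator a chance to read the pre-check results and back out.
if ((Read-Host 'Pre-checks reviewed. Continue with the raise? (Y/N)') -ne 'Y') {
    Write-Host 'Raise cancelled; farm left unchanged.'
    return
}

# The raise itself; the cmdlet asks for its own confirmation (answer Y).
Invoke-AdfsFarmBehaviorLevelRaise -Credential $cred -ErrorAction Stop

# Confirm the level actually moved instead of trusting a quiet exit.
$after = (Get-AdfsFarmInformation -ErrorAction Stop).CurrentFarmBehavior
if ($after -le $before) {
    throw "FBL did not change (before: $before, after: $after)."
}
Write-Host "Farm behavior level after raise: $after"
```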