This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 65%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGN%3C/text%3E%3C/svg%3E)
Hi,
Am planning to promote secondary ADFS to primary ADFS, as stated here I can change using PS commands https://hippidikki.wordpress.com/2016/04/19/changing-adfs-primarysecondary-federation-serverin-a-farm
But thing is will this also move the token signing certificates, Relying party trusts and Claim issuance as well?
Thanks in advance.
Regards
Run this PowerShell command on the Secondary AD FS server that you want to make the Primary AD FS server.
Set-AdfsSyncProperties -Role PrimaryComputer
This will now move the Primary role to the server where the command was run. If you have two or more Secondary servers on the farm, you need to update the other Secondary servers.
Run this PowerShell command on the other Secondary AD FS server(s) so that they now sync with the new AD FS Primary server
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN_ADFS_Primary>
Also, check this detailed MS article for more insight - https://itworldjd.wordpress.com/2014/10/22/how-to-move-a-secondary-adfs-to-primary/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello there,
The Token signing certificates will not be moved. It is common to think that a specific Enhanced Key Usage (EKU) is needed for the token-signing certificate, but this is, in fact, not correct. The only requirement for usage is that Key Usage (KU) must contain at least Digital Signature.
You can follow this article to move the certificates or create new ones
--------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer–
Yes it worked fine on one of the test machine.
In production I tried to install Federation service, I stuck in SPN account creation. I tried to setspn -Q http/einvpdssoadfs and got the results as one service user and used that in the secondary server to configure the ADFS service but got failed with SPN account.
Attaching screenshot of the same.
I tried creating SPN in primary server, but looks like it already created and not able to create new one. Any help would be much appreciated.
Hii Gopalakrishnan,
I was facing the same problem while installing the addition ADFS server in UAT environment.
So, I had performed below mentioned solution.
Go to primary server and check which service account is using for ADFS and Device registration service. then add spn host/<service_name/Farm_name> for that specific service account which is using to run above mentioned services then try to install the same with that service account and Thankfully I got the solution.
So kindly check as per your production environment then implement the solution.
I am giving you the rough idea about the same situation.