This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 71%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGY%3C/text%3E%3C/svg%3E)
Hi,
I need to upgrade ADFS from windows 2008 R2 to Windows 2019. We have 10+ Relying party trust on the old ADFS. To minimize the impact, I plan to prepare a new ADFS so I can migrate them one by one to reduce the down time. Below are my questions.
If this isn't a right way to migrate Relying party trust, please advise the best way.
Thanks in advance!
One WAP server can only use one ADFS farm.
Is your ADFS on Windows Server 2008 R2 a farm deployment or a stand alone deployment?
If that's a farm deployment, you can actually do a parallel run upgrade. It is the same process as in: https://video2.skills-academy.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486815(v=ws.11)
If that's a stand alone deployment, you will have do an actual migration. In that case you will need to bring a new infra with WAP and ADFS. And if the challenge is that you just have one public IP for the WAP, you could in theory publish the new WAP in a pass-through rule on the old WAP. DNS will have to follow, it will also break certificate based authentication (just in case you are using it).
Hi Piaudonn,
Thank you very much for your reply. We have only one ADFS server. I guess we don't have a farm deployment, but I am not sure. I have searched up online, but I couldn't find the way to verify it. Can you tell me how I can determine if I have a farm development or not?
In case we have the standalone deployment, and public IP and DNS is not an issue, should I just set up another infra with WAP and ADPS (new IP, new DNS, new ADFS proxy), and then move the Relying party trust over one by one?
Please advise!
Thanks a lot!
Open the Services console. If you see the ADFS service running as Network Service you have a standalone deployment. If it uses a service account, you have a farm deployment.
Hi Piaudonn,
OK, It is running as Network Service, so I have a standalone development. My plan is below. Please advise if it looks fine.
Thank you in advance!
Yeah, looks about right.
If your organization is using Azure AD you could also just create an Enterprise Application in Azure AD instead of Relaying Party Trusts in ADFS. Then no need to have ADFS anymore on-premises (you can still have SSO with Azure Active Directory Seamless Single Sign-On) and you can leverage Conditional Access Policies (CAP) and other nice security features in Azure AD (CAP requires Azure AD Premium licenses).
Hi Piaudonn,
We do have Azure AD, unfortunately we have Office 365 basic Azure AD version, which doesn't come with Group Access Management.
I have another idea which seems to make the upgrade easier. Can you help me to review it?
I am thinking this should have much less work such as creating a new DNS server, new ADFS proxy server.
Please let me know if it is feasible. Please help!
Thank you very much!