Demoting Active Directory from a server that has Active Directory Federation Services version 2...

  • Last Post 16 November 2015
imprise posted this 15 November 2015

Hi all;
I have a server (with Windows Server 2008 R2) that has Active Directory Federation Services version 2.0 installed. Now I want to upgrade the domain to Windows Server 2012 R2, so I need to demote the Active Directory from the server with the AD FS role. If I do this, does it affect the functionality of AD FS? If the answer is yes, how can I move the AD FS role to another server?

barkills posted this 16 November 2015

I’m a little confused by your question, and I imagine others are too.


You talk about upgrading the domain and seem to be implying that ADFS is a blocker to doing that. Do you have ADFS installed on a domain controller? If so, that'd make your question make more sense. If not, then I think you've got a misunderstanding.

Assuming you have ADFS installed on a domain controller, then the answer to your question depends entirely on whether you have an ADFS farm with multiple ADFS servers. If this is the only ADFS server, then yes, it'll be impactful to remove it. If there are other ADFS servers, then your load balancer should be configured to remove this ADFS server prior to your removal of the ADFS role.

Let's assume this is the only ADFS server. If you have special configurations in your WS2008R2 ADFS (e.g. home realm page customizations, special code running in IIS via ISAPI, etc.) then you'll need to research how to replicate that configuration in WS2012R2, then bring up a new WS2012R2 ADFS server. You'd then move each relying party over to the new ADFS server. And then finally you could remove the ADFS role on the WS2008R2 server.



ZJORZ posted this 16 November 2015

Demoting a DC with IIS on it may impact IIS. If I were you I would:

* install an additional DC (w2k12r2) next to the existing one

* install an additional ADFS server (w2k12r2) next to the existing one

* migrate the ADFSv2 config to ADFSv3 using export and import (ADFSv2 and ADFSv3 should have the exact same federation FQDN, the same federation URI and the same certificates)

* retarget the load balancer or adjust DNS (whatever applies) so that the federation FQDN points at the new ADFSv3 instead of ADFSv2

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto

E-Mail: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx

Tel.: +31-(0)6-

(+++Sent from my mobile device +++)

(Apologies for any typos)
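The migration steps above hinge on the new WS2012R2 farm being a drop-in replacement for the old AD FS 2.0 farm before the load balancer or DNS is retargeted. The script below is an added example, not code from either poster or from Microsoft's own export/import scripts: it snapshots the federation service host name, identifier, certificate thumbprints and relying party trusts on each farm so the two snapshots can be diffed, and on the new server it checks where the federation FQDN resolves and that the published metadata still carries the same identifier. The output directory and the idea of running it once per side are assumptions; the cmdlets used (Get-ADFSProperties, Get-ADFSCertificate, Get-ADFSRelyingPartyTrust) exist in both the AD FS 2.0 snap-in and the WS2012R2 ADFS module.

```powershell
# Added example (not from the thread). Run with -Side Old on the AD FS 2.0 server and
# -Side New on the WS2012R2 AD FS server, then compare the two snapshot files.
# $OutDir is an assumed location; adjust it for your environment.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Old','New')][string]$Side,
    [string]$OutDir = 'C:\adfs-migration'
)

# AD FS 2.0 exposes its cmdlets as a PSSnapin; AD FS on WS2012R2 exposes them as a module.
if ($Side -eq 'Old') { Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop }
else                 { Import-Module ADFS -ErrorAction Stop }

$props = Get-ADFSProperties
$lines = @()
$lines += "HostName=$($props.HostName)"        # federation service FQDN (must be identical on both farms)
$lines += "Identifier=$($props.Identifier)"    # federation service identifier URI (must be identical)
# Thumbprints of the service-communications, token-signing and token-decrypting certificates.
$lines += Get-ADFSCertificate | Sort-Object CertificateType, Thumbprint |
    ForEach-Object { "Cert:$($_.CertificateType)=$($_.Thumbprint)" }
# Relying party trusts that the export/import has to carry over.
$lines += Get-ADFSRelyingPartyTrust | Sort-Object Name |
    ForEach-Object { "RP:$($_.Name)=$($_.Identifier -join ',')" }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$lines | Set-Content -Path (Join-Path $OutDir "$Side.txt")

# Once both snapshots exist, diff them; any output means the farms are not yet interchangeable.
$old = Join-Path $OutDir 'Old.txt'
$new = Join-Path $OutDir 'New.txt'
if ((Test-Path $old) -and (Test-Path $new)) {
    $diff = Compare-Object (Get-Content $old) (Get-Content $new)
    if ($diff) {
        $diff | Format-Table -AutoSize
        Write-Warning 'Old and new farms differ; do not retarget the load balancer or DNS yet.'
    } else {
        Write-Host 'FQDN, identifier, certificates and relying party trusts match.'
    }
}

# Post-cutover check on the new server: the federation FQDN should now resolve to this host,
# and the metadata it serves should carry the same identifier the old farm used.
# .NET classes are used instead of Resolve-DnsName/Invoke-WebRequest so this also runs on PowerShell 2.0.
if ($Side -eq 'New') {
    $fqdn     = $props.HostName
    $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    $localIps = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
        ForEach-Object { $_.IPAddressToString }
    Write-Host "$fqdn resolves to: $($resolved -join ', ')  (this host: $($localIps -join ', '))"

    $metadataUrl = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
    $xml = [xml]((New-Object System.Net.WebClient).DownloadString($metadataUrl))
    if ($xml.EntityDescriptor.entityID -ne [string]$props.Identifier) {
        Write-Warning "Metadata entityID $($xml.EntityDescriptor.entityID) differs from Identifier $($props.Identifier)"
    }
}
```

Run the snapshot on the old farm before the export, on the new farm after the import, and only retarget the federation FQDN once the diff is empty; a differing token-signing thumbprint is the classic cause of relying parties rejecting tokens after a cutover that otherwise looked clean.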