JavierRivas
Jun 05, 2017
ADFS 2016 Requirements Schema
Hi, I have a question.
Can anyone tell me if it is required to extend the schema to implement ADFS 2016?
According to this link yes:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-2016-requirements
Schema requirements
New installations of AD FS 2016 require the Active Directory 2016 schema (minimum version 85).
Raising the AD FS farm behavior level (FBL) to the 2016 level requires the Active Directory 2016 schema (minimum version 85).
But I've installed it in a lab with a Windows Server 2012 Domain Controller without updating the schema, and it works OK.
I think the requirement applies if you want to use Device Registration.
Thanks!!
- Pié
Microsoft
There is a known issue with that.
The 2016 farm behavior level requires the ADDS 2016 schema (the DC can be at a lower level, but the schema needs to be 2016). BUT, when you install a brand new farm from scratch using Windows Server 2016, it will show the FBL as already 2016 regardless of the ADDS schema version. This, hopefully, should be corrected.
If you want to use the FBL 2016 you need ADDS 2016 Schema. So we cannot guarantee that the new features will be working as expected.
If you were doing an upgrade from an existing ADFS 2012 R2 farm, you would have not been able to upgrade the FBL until the ADDS schema is 2016.
- Jamil Hassan
So if I have an ADFS 2012 R2 farm with 2012 R2 AD
and want to add a completely separate ADFS 2016 farm to the same AD (different farm name), then I could? It would be OK with the 2012 schema level? It would just think it's running a higher schema level?
thanks
Jay
- Pié
Microsoft
You can install several farms in the same domain/forest. As long as they have different FQDNs and IDs, they do not conflict from a federation perspective. You might consider using a different service account (or gMSA) though. Then if you need to do an operation on the service account itself, it does not impact the two farms.
However, all farms of the ADDS forest will share the same Device Registration Service (DRS) configuration, as it is a forest-wide setting (stored in the configuration partition). If you do not use DRS, or plan to use it only on one farm, then you don't really mind.
Regarding the schema requirement, it is the same as previously mentioned. In other words, you need the 2016 ADDS schema to use the FBL 2016 of your farm. You do not need Windows Server 2016 domain controllers, but you need the schema. If you do not have the schema, some of the features that come with the 2016 FBL will not work. To be on a supported 2016 FBL, you need a 2016 ADDS schema.
Hope this helps!
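A way to detect the mismatch the reply above describes (an FBL reported as 2016 on a forest whose schema is still older than the minimum), written here as an added example that is not from the thread or from Microsoft. It assumes a domain-joined Windows Server 2016 AD FS node with the ActiveDirectory and ADFS PowerShell modules available and an account that can read the schema partition. The threshold 85 is the minimum quoted from the requirements page in the question; the numeric value 3 for the 2016 farm behavior level is an assumption to verify against your environment.

```powershell
# Added example (not from the thread): compare the forest schema version with the
# AD FS 2016 minimum quoted in the question, and report the FBL the farm claims.
Import-Module ActiveDirectory

$MinimumSchemaVersion = 85   # minimum quoted from the requirements page in the question
$Fbl2016 = 3                 # assumed numeric value of the 2016 farm behavior level

# objectVersion on the Schema naming context head is the forest schema version.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion

# CurrentFarmBehavior is exposed by Get-AdfsFarmInformation on Windows Server 2016 AD FS.
$farmInfo = Get-AdfsFarmInformation
$fbl = $farmInfo.CurrentFarmBehavior

[pscustomobject]@{
    SchemaVersion       = $schemaVersion
    SchemaMeetsMinimum  = ($schemaVersion -ge $MinimumSchemaVersion)
    FarmBehaviorLevel   = $fbl
    # True when the farm reports the 2016 FBL but the forest schema is below the
    # minimum: the unsupported state the Microsoft reply warns about.
    UnsupportedFblState = ($fbl -ge $Fbl2016 -and $schemaVersion -lt $MinimumSchemaVersion)
}
```

If `UnsupportedFblState` comes back true, the farm is in the state the reply describes: it looks like 2016 but the forest has not been extended, so the FBL-dependent features are not covered. Extending the schema (adprep) before relying on those features, or before raising the FBL of an upgraded farm, is the remediation the thread points to.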
- I'm a little confused about that statement as well.
I agree it is a little confusing, and yes, it could be for some features, like VasilMichev said before.
That doesn't seem right; probably they meant to say it's a requirement for *some* features.