SOLVED

ADFS 2016 Requirements Schema


Hi, I have a question.

Can anyone tell me if it is required to extend the schema to implement ADFS 2016?

According to this link yes:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-2016-requirements
Schema requirements
New installations of AD FS 2016 require the Active Directory 2016 schema (minimum version 85).
Raising the AD FS farm behavior level (FBL) to the 2016 level requires the Active Directory 2016 schema (minimum version 85).

But I've installed it in a lab with a Windows Server 2012 Domain Controller without updating the schema, and it works OK.
I think the requirement is if you wants to use Device Registration.

Thanks!!


That doesn't seem right, probably they meant to say it's a requirement for *some* features.

I'm a little confused about that statement as well.

I agree, it is a little confusing, and yes, it could be for some features like @Vasil Michev said before.

best response confirmed by VI_Migration (Silver Contributor)
Solution

There is a known issue with that.

The 2016 farm behavior level requires the ADDS 2016 schema (the DC can be at a lower level, but the schema needs to be 2016). BUT, when you install a brand new farm from scratch using Windows Server 2016, it will show the FBL as already 2016 regardless of the ADDS schema version. This, hopefully, should be corrected.


If you want to use the FBL 2016 you need ADDS 2016 Schema. So we cannot guarantee that the new features will be working as expected.


If you were doing an upgrade from an existing ADFS 2012 R2 farm, you would have not been able to upgrade the FBL until the ADDS schema is 2016.

So if I have an ADFS 2012 R2 with 2012 R2 AD

and want to add a completely separate ADFS 2016 farm to the same AD (different farm name), then I could? It would be OK with the 2012 schema level? It would just think it's running a higher schema level?

Thanks

Jay

You can install several farms in the same domain/forest. As long as they have different FQDNs and IDs, they do not conflict from a federation perspective. You might consider using a different service account (or gMSA) though. Then if you need to do an operation on the service account itself, it does not impact the two farms.

However, all farms of the ADDS forest will share the same Device Registration Service (DRS) configuration, as it is a forest-wide setting (stored in the configuration partition). If you do not use DRS, or plan to use it only on one farm, then you don't really mind.

Regarding the schema requirement, it is the same as previously mentioned. In other words, you need the 2016 ADDS schema to use the FBL 2016 of your farm. You do not need Windows Server 2016 domain controllers, but you need the schema. If you do not have the schema, some of the features that come with the 2016 FBL will not work. To be on a supported 2016 FBL, you need a 2016 ADDS schema.

Hope this helps!

Thanks Pierre for your help.

The issue that I have is that we have one AD on 2012 R2 schema 69 with ADFS 2012 R2.

We have a new ADFS 2016 server with ADFS and wish to add it to the same AD.

We can't raise the schema yet, but I'm wondering whether ADFS 2016 would work at all on an AD 2012 R2 schema 69. I think, from what I have read in the responses, it should work, but without the latest features. I'm wondering whether ADFS 2016 would think it's running at FBL 2016 automatically on a fresh install and whether it would cause any issues,

and could I lower the farm level to 2012 on the ADFS 2016 server?

@Jamil Hassan @Pié and all, I am curious about the same thing. Also, regardless of schema version (older than 2012 etc.), would it be okay to not upgrade the schema? Would we simply just miss out on new features? Could the schema be upgraded later to gain those new features?

In our case AD FS 2.0 is in place and there will be a new AD FS 2016 to replace it. A good forest recovery plan is not in place; however, AD FS 2016 must be installed because of a previously agreed-upon timeline.

Any ideas would be greatly appreciated.

@Vasil Michev or @Nuno Silva have you guys had luck upgrading straight to AD FS 2016 from AD FS 2.0 without upgrading the schema or know if the schema upgrade can simply be done at a later time (to get full functionality)?

@Javier Andrés Rivas what did you end up doing?


Thank you

Kevin

Hello, this is info from when I was talking to a colleague Ms:

•         Installing ADFS on Server 2016 and creating a new farm requires the AD 2016 schema
•         Installing ADFS on Server 2016 and joining a 2012 R2 farm does not require the AD 2016 schema
•         Raising the farm level to 2016 does require the AD 2016 schema

It's really simple. AD FS 2016 requires the AD schema to be on the 2016 level. Everything else is not supported.
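A quick way to check the two things this thread turns on, the forest schema objectVersion and what an AD FS 2016 node reports as its farm behavior level, as an added PowerShell example that is not part of the thread or of any Microsoft documentation. It assumes the RSAT ActiveDirectory module is available where it runs, that the ADFS module (Get-AdfsFarmInformation) is present only on a 2016 federation server, and that the threshold 85 is the minimum schema version quoted from the Microsoft doc earlier in the thread (69 is the 2012 R2 value Jamil mentions).

```powershell
# Added example, not from the thread: report the forest schema version and,
# when run on an AD FS 2016 node, the farm behavior level it claims.
# Assumptions: RSAT ActiveDirectory module installed; ADFS module only on a
# federation server. 85 is the minimum quoted in the thread from the MS doc.
Import-Module ActiveDirectory

$requiredSchemaVersion = 85

# objectVersion on the schema naming context is the forest schema version
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion

"Forest schema objectVersion: $schemaVersion"
if ($schemaVersion -ge $requiredSchemaVersion) {
    "Schema meets the AD FS 2016 minimum ($requiredSchemaVersion); FBL 2016 is supported."
} else {
    "Schema is below $requiredSchemaVersion. A fresh 2016 farm may still report FBL 2016, " +
    "but FBL 2016 features are unsupported until the schema is extended."
}

# Only meaningful on an AD FS 2016 federation server; skipped elsewhere
if (Get-Command Get-AdfsFarmInformation -ErrorAction SilentlyContinue) {
    $farm = Get-AdfsFarmInformation
    "Reported farm behavior level: $($farm.CurrentFarmBehavior)"
    if ($schemaVersion -lt $requiredSchemaVersion) {
        Write-Warning "This farm runs against a pre-2016 schema; treat the reported FBL as unsupported until the schema is raised."
    }
}
```

Run the first part from any domain-joined admin workstation with RSAT; the second part only produces output on a federation server where the ADFS cmdlets are loaded. The point of the check is to catch the state described above, a new 2016 farm that reports FBL 2016 against a 2012 R2 schema, before relying on 2016-level features.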

@Javier Andrés Rivas thank you for your reply.


When you said colleague Ms, do you mean someone that works at Microsoft?

So I completed a project building ADFS 2016 alongside ADFS 2012 on the same AD, but with different farm names. We had to raise the schema level to the 2016 requirement. Microsoft told us ADFS 2016 would not be supported on the 2012 schema level (if built as a separate new farm). So we had a project to raise the schema level, then installed ADFS 2016.
