06-05-2017 05:39 AM
Hi, I have a question.
Can anyone tell me if it is required to extend the schema to implement AD FS 2016?
According to this link, yes:
"New installations of AD FS 2016 require the Active Directory 2016 schema (minimum version 85)."
"Raising the AD FS farm behavior level (FBL) to the 2016 level requires the Active Directory 2016 schema (minimum version 85)."
But I've installed it in a lab with a Windows Server 2012 Domain Controller without updating the schema, and it works OK.
I think the requirement only applies if you want to use Device Registration.
09-15-2017 10:52 AM (marked as solution)
There is a known issue with that.
The 2016 farm behavior level requires the AD DS 2016 schema (the DCs can be at a lower level, but the schema needs to be 2016). BUT, when you install a brand new farm from scratch using Windows Server 2016, it will show the FBL as already 2016 regardless of the AD DS schema version. This, hopefully, should be corrected.
If you want to use FBL 2016 you need the AD DS 2016 schema. Without it we cannot guarantee that the new features will work as expected.
If you were doing an upgrade from an existing AD FS 2012 R2 farm, you would not have been able to raise the FBL until the AD DS schema was 2016.
01-08-2018 07:53 AM
So if I have AD FS 2012 R2 with 2012 R2 AD
and want to add a completely separate AD FS 2016 farm to the same AD (different farm name), then I could? It would be OK with the 2012 schema level? It would just think it's running on a higher schema level?
01-08-2018 11:32 AM
You can install several farms in the same domain/forest. As long as they have different FQDNs and IDs, they do not conflict from a federation perspective. You might consider using a different service account (or gMSA) for each, though. Then if you need to do an operation on the service account itself, it does not impact both farms.
However, all farms in the AD DS forest share the same Device Registration Service (DRS) configuration, as it is a forest-wide setting (stored in the configuration partition). If you do not use DRS, or plan to use it on only one farm, then you don't really mind.
Regarding the schema requirement, it is the same as previously mentioned. In other words, you need the 2016 AD DS schema to use FBL 2016 on your farm. You do not need Windows Server 2016 domain controllers, but you need the schema. If you do not have the schema, some of the features that come with FBL 2016 will not work. To be on a supported FBL 2016, you need the 2016 AD DS schema.
Hope this helps!
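The two answers above make the same point: what matters is the forest schema version, not the DC operating system, and a freshly built 2016 farm will report FBL 2016 whether or not the schema is there. The following PowerShell is an added example (not code from anyone in this thread) that checks both independently, so the farm's self-reported FBL is not taken at face value. It assumes a domain-joined host for the schema read (plain ADSI, no RSAT module required) and, for the farm part, an AD FS 2016-or-later server where Get-AdfsFarmInformation is available. The objectVersion-to-OS table uses the well-known values; the threshold of 85 is the figure quoted from the docs in the first post, while RTM Windows Server 2016 ships schema version 87.

```powershell
# Added example, not from the original thread.
# Check the forest schema version and the AD FS farm behavior level separately,
# so that a fresh 2016 farm reporting FBL 2016 on an older schema is flagged.

# objectVersion -> OS release that introduced that schema (well-known values).
$SchemaVersions = @{
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
    85 = 'Windows Server 2016 (pre-release)'
    87 = 'Windows Server 2016'
    88 = 'Windows Server 2019'
}
# Minimum schema version for AD FS 2016 / FBL 2016, as quoted from the docs in this thread.
$Adfs2016MinimumSchema = 85

function Get-ForestSchemaVersion {
    # Reads objectVersion from the schema partition via RootDSE; works without RSAT.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    [int]$schema.objectVersion.Value
}

function Test-Adfs2016SchemaReady {
    param([int]$Version = (Get-ForestSchemaVersion))
    $name = if ($SchemaVersions.ContainsKey($Version)) { $SchemaVersions[$Version] } else { 'unknown' }
    [pscustomobject]@{
        SchemaVersion    = $Version
        SchemaName       = $name
        Meets2016Schema  = ($Version -ge $Adfs2016MinimumSchema)
    }
}

$schemaState = Test-Adfs2016SchemaReady
$schemaState | Format-List

# Farm behavior level as AD FS itself reports it (module present on AD FS 2016+).
if (Get-Command Get-AdfsFarmInformation -ErrorAction SilentlyContinue) {
    $farm = Get-AdfsFarmInformation
    # CurrentFarmBehavior: 1 = 2012 R2, 3 = 2016, 4 = 2019
    "Reported farm behavior level: $($farm.CurrentFarmBehavior)"

    if ($farm.CurrentFarmBehavior -ge 3 -and -not $schemaState.Meets2016Schema) {
        Write-Warning ('Farm reports FBL 2016 or later but the forest schema is ' +
            "$($schemaState.SchemaVersion) ($($schemaState.SchemaName)). " +
            'This is the unsupported state described in the thread: extend the schema ' +
            '(adprep /forestprep from the Server 2016 media, as a Schema Admin) before ' +
            'relying on 2016-level features.')
    }
}
```

Run the schema part from any domain member before building the new farm; the warning branch only fires on an AD FS server and is exactly the case the thread describes, a farm that claims FBL 2016 while the forest is still on schema 69.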
01-08-2018 01:44 PM
Thanks Pierre for your help.
The issue I have is that we have one AD on the 2012 R2 schema (69) with AD FS 2012 R2.
We have a new AD FS 2016 server and wish to add it to the same AD.
We can't raise the schema yet, but I'm wondering whether AD FS 2016 would work at all on an AD 2012 R2 schema (69). From what I have read in the responses, I think it should work, but without the latest features. I'm wondering whether AD FS 2016 would think it's running at FBL 2016 automatically on a fresh install, and whether that would cause any issues.
08-26-2018 07:30 PM
@Jamil Hassan @Pierre Audonnet and all, I am curious about the same thing. Also, regardless of schema version (older than 2012, etc.), would it be okay to not upgrade the schema? Would we simply miss out on new features? Could the schema be upgraded later to gain those new features?
In our case AD FS 2.0 is in place and a new AD FS 2016 farm will replace it. A good forest recovery plan is not in place; however, AD FS 2016 must be installed because of a previously agreed-upon timeline.
Any ideas would be greatly appreciated.
08-27-2018 07:11 AM
Hello, this is the info I got when talking to a colleague at MS:
• Installing AD FS on Server 2016 and creating a new farm requires the AD 2016 schema.
• Installing AD FS on Server 2016 and joining a 2012 R2 farm does not require the AD 2016 schema.
• Raising the farm level to 2016 does require the AD 2016 schema.
It's really simple. AD FS 2016 requires the AD schema to be at the 2016 level. Everything else is not supported.
08-28-2018 03:30 AM
So I completed a project building AD FS 2016 alongside AD FS 2012 on the same AD, but with different farm names. We had to raise the schema level to meet the 2016 requirement. Microsoft told us AD FS 2016 would not be supported on the 2012 schema level (if built as a separate new farm). So we ran a project to raise the schema level first, then installed AD FS 2016.