Troubleshooting adding a Windows Server 2016 to an AD FS farm running on Windows Server 2012 R2
It sounded like an easy task: I just wanted to upgrade my AD FS farm that runs on Windows Server 2012 R2 to Windows Server 2016.
That general process is described here for example: https://blog.kloud.com.au/2017/01/23/adfs-v-3-0-2012-r2-migration-to-adfs-4-0-2016-part-2/
Therefore, after installing the AD FS role, I ran the following command to add the Windows Server 2016 node to the existing farm:
Add-AdfsFarmNode -CertificateThumbprint:"B97FD6B15A31234557D27833487AC76154E2421B" -GroupServiceAccountIdentifier:"Contoso\FSfarm`$" -PrimaryComputerName:"PrimFS.contoso.com" -OverwriteConfiguration:$true
Problem 1:
Unfortunately, I received the following error message.
Add-AdfsFarmNode : There were no SPNs set on the following service account 'Contoso\FSfarm$'. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account.
At line:1 char:1
+ Add-AdfsFarmNode -CertificateThumbprint:"B97FD6B15A31234557D27833487AC42 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-AdfsFarmNode], DisplayableArgumentException
+ FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.JoinFarmCommand
Message
-------
Unable to determine the Service SPN. There were no SPNs set on the following service account 'CGM\FS.farm$'. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the ser...
Well, contrary to the error message, the SPN was set correctly on the group managed service account. So while troubleshooting that issue, I ended up on those two recommendable web pages:
- https://blogs.technet.microsoft.com/joeleo/2016/09/08/spn-and-user-namepassword-errors-when-trying-to-add-an-additional-ad-fs-server-with-a-group-managed-service-account/
- https://ril3y.wordpress.com/2014/08/19/error-when-adding-second-2012r2-ad-fs-server-when-using-gmsa/
- https://secureidentity.se/mystery-with-adfs-and-gmsa/
The scenarios did not match mine directly, but I was pretty sure that the problem was caused by the existing Windows Server 2008 R2 domain controller in the same AD site. While checking the network traces with Microsoft Message Analyzer, I noticed that the FS server always tried to connect to the Windows Server 2008 R2 DC, even though a Windows Server 2012 R2 DC was also in the same site. The FS server connected to the 2008 R2 DC even when
nltest /SC_VERIFY:DomainName
displayed that the server was authenticating to the 2012 R2 DC.
So, I decided to solve that issue with the Windows Firewall and added a rule that blocked all inbound and outbound traffic between the FS server and the 2008 R2 DC during the installation.
That did finally solve that issue.
Problem 2:
Nevertheless, the installation still did not run smoothly, and I received a new error message:
Add-AdfsFarmNode : MSIS7711: PolicyOperationFault
At line:1 char:1
+ Add-AdfsFarmNode -CertificateThumbprint:"B97FD6B15A33A805A7D2D0704342 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-AdfsFarmNode], FaultException
+ FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.JoinFarmCommand
Message Context Status
------- ------- ------
Unable to synchronize local database. MSIS7711: PolicyOperationFault DeploymentTask Error
Again, the error message did not point me to the actual cause: a problem with the local proxy settings on the FS.
Running
netsh winhttp reset proxy
solved the problem in seconds, and I was able to add the FS server running on Windows Server 2016 to the existing farm.
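A pre-flight check for Add-AdfsFarmNode covering both problems above, written as an added example (not from the original post). It assumes the names used in the post (gMSA FSfarm$, farm name PrimFS.contoso.com), the RSAT ActiveDirectory module on the new node, and that the 2008 R2 DC is identified by its OperatingSystem attribute.

```powershell
# Added pre-flight check, not part of the original post. Names below are assumed from the post.
Import-Module ActiveDirectory

$Gmsa     = 'FSfarm$'               # sAMAccountName of the gMSA (assumed from the post)
$FarmFqdn = 'PrimFS.contoso.com'    # federation service name (assumed from the post)

# 1) Problem 1: is the host SPN really on the gMSA? Add-AdfsFarmNode expects host/<farm FQDN>.
$spns = (Get-ADServiceAccount -Identity $Gmsa -Properties ServicePrincipalNames).ServicePrincipalNames
if ($spns -notcontains "host/$FarmFqdn") {
    Write-Warning "host/$FarmFqdn is not registered on $Gmsa. Registered SPNs: $($spns -join ', ')"
} else {
    Write-Host "SPN host/$FarmFqdn is present on $Gmsa"
}

# 2) Problem 1: which DCs are in this server's AD site, and is any of them still 2008 R2?
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$dcs  = Get-ADDomainController -Filter { Site -eq $site }
$dcs | Format-Table HostName, IPv4Address, OperatingSystem -AutoSize
$legacy = $dcs | Where-Object { $_.OperatingSystem -like '*2008*' }

# Temporarily block the 2008 R2 DC(s) for the duration of Add-AdfsFarmNode, as the post describes.
# Remove the rules afterwards: Remove-NetFirewallRule -DisplayName 'ADFS-Install-Block-*'
foreach ($dc in $legacy) {
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -DisplayName "ADFS-Install-Block-$($dc.HostName)-$dir" -Direction $dir `
            -Action Block -RemoteAddress $dc.IPv4Address -Profile Any | Out-Null
    }
    Write-Host "Blocked traffic to/from $($dc.HostName) ($($dc.IPv4Address)) until the rules are removed"
}

# 3) Problem 2: a WinHTTP proxy breaks the database sync (MSIS7711). Report it before joining the farm.
$proxy = netsh winhttp show proxy
if ($proxy -match 'Direct access') {
    Write-Host 'WinHTTP: direct access, no proxy configured'
} else {
    Write-Warning "WinHTTP proxy is configured:`n$($proxy -join "`n")`nRun 'netsh winhttp reset proxy' first."
}
```

Run it on the new Windows Server 2016 node before Add-AdfsFarmNode; the firewall rules it creates are meant to live only for the join and must be removed once the node is in the farm.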
I had the timeout issue "unable to finish the security negotiation within the configured timeout (00:00:00)"; it was because of a proxy server being configured.
ADFS 2019 on Server 2019.