1 00:00:03,080 --> 00:00:08,180 I'm on my Windows 10 management VM and this time it's joined to a different environment where I have 2 00:00:08,180 --> 00:00:14,810 the Windows Server 2016 domain controller and AD FS running on a Windows Server 2016 VM. 3 00:00:15,650 --> 00:00:22,010 There's also a Windows Server 2019 VM that's joined to this environment, but it doesn't have AD FS 4 00:00:22,010 --> 00:00:22,910 installed yet. 5 00:00:23,810 --> 00:00:29,750 The only additional configuration I've done is to create a file share on the 2019 server, so we'll 6 00:00:29,750 --> 00:00:35,720 be able to copy the SSL certificate onto it that's used by the AD FS 2016 service. 7 00:00:36,620 --> 00:00:44,030 So first let's make sure AD FS is working by logging into the AD FS test page in the 2016 environment. 8 00:00:44,930 --> 00:00:51,530 The URL is exactly the same as it was in our 2019 environment because I've used the same domain name, 9 00:00:51,530 --> 00:00:55,910 company.pri, and the path to this page is the same on every AD FS version. 10 00:00:56,810 --> 00:01:02,000 So I'll log in with my account because I have forms-based authentication enabled and I'm able to sign 11 00:01:02,000 --> 00:01:02,300 in. 12 00:01:03,170 --> 00:01:08,300 Okay, we're going to do some of the configuration in PowerShell and some using Server Manager. 13 00:01:09,230 --> 00:01:13,550 I have two PowerShell windows open, and I've opened both as an administrator. 14 00:01:14,470 --> 00:01:20,440 In the first window, the blue one, I'm going to remote into the AD FS 2016 server. 15 00:01:21,350 --> 00:01:24,470 And you can do that with the Enter-PSSession command. 16 00:01:25,370 --> 00:01:30,500 Now it shows we are connected remotely so we can run PowerShell commands on that computer. 17 00:01:31,400 --> 00:01:31,900 Next, 18 00:01:31,910 --> 00:01:35,810 let's do the same thing in the other PowerShell window, but this time I'll remote
19 00:01:35,810 --> 00:01:41,660 into the Windows Server 2019 computer that we're going to use for AD FS 2019. 20 00:01:42,530 --> 00:01:47,300 Now let's go back to the remote session to the AD FS 2016 computer. 21 00:01:48,210 --> 00:01:54,090 The first thing we need to do is to get a reference to the SSL certificate used by the AD FS service. 22 00:01:55,050 --> 00:02:00,000 So I'll create this variable thumbprint and use the command Get-ChildItem with the path to the local 23 00:02:00,000 --> 00:02:04,410 machine personal certificate store and pipe that into a where clause that searches for the common 24 00:02:04,410 --> 00:02:08,580 name of the certificate, which I already know is that Scott Company dot PRI. 25 00:02:09,390 --> 00:02:14,760 All this PowerShell is in the course downloads, by the way, so you don't need to copy it down as we 26 00:02:14,760 --> 00:02:15,150 go. 27 00:02:16,020 --> 00:02:19,980 Now let's see the value in that variable with the Write-Output command. 28 00:02:20,910 --> 00:02:21,390 Good. 29 00:02:22,320 --> 00:02:27,270 Now we need a password variable to use when we export the certificate with its private key. 30 00:02:28,110 --> 00:02:33,480 We do that with ConvertTo-SecureString and I'll give it a value that's easy to remember and add these 31 00:02:33,480 --> 00:02:34,200 parameters. 32 00:02:35,100 --> 00:02:37,170 Now let's export the certificate. 33 00:02:38,070 --> 00:02:41,580 We do that by getting a reference to the certificate with Get-ChildItem. 34 00:02:41,700 --> 00:02:45,780 The path to the certificate and use the thumbprint to identify the certificate. 35 00:02:45,780 --> 00:02:50,730 And we'll pipe the result of that into export certificate and we'll just place this on the root of 36 00:02:50,730 --> 00:02:51,480 the C drive.
37 00:02:51,510 --> 00:02:57,240 So it's easy to find and I'll name the file the same as the common name, but with the extension x and 38 00:02:57,240 --> 00:02:58,950 add the password we just created. 39 00:02:59,790 --> 00:03:00,420 Great. 40 00:03:01,320 --> 00:03:01,830 Now. 41 00:03:01,860 --> 00:03:08,160 I said at the beginning of the demo, I've already created a shared folder on the AD FS 2019 server. 42 00:03:08,280 --> 00:03:12,090 So let's map that to this 2016 VM using PowerShell. 43 00:03:12,990 --> 00:03:16,770 Use the command New-PSDrive and the name will be the H drive. 44 00:03:17,670 --> 00:03:19,860 The PS provider is file system. 45 00:03:20,700 --> 00:03:25,290 The root is the share on the 2019 server, which is called transfer. 46 00:03:26,170 --> 00:03:27,800 And we need to add a credential. 47 00:03:27,880 --> 00:03:29,590 So I'll use my admin account. 48 00:03:30,470 --> 00:03:33,170 In the pop-up, I need to supply the password. 49 00:03:34,040 --> 00:03:39,860 And now that file share on the 2019 computer is mapped onto this 2016 computer. 50 00:03:40,730 --> 00:03:45,830 Now let's copy the SSL certificate over to the Server 2019 computer. 51 00:03:46,700 --> 00:03:48,230 You do that with Copy-Item. 52 00:03:48,230 --> 00:03:53,270 And since we are scoped to the root of the C drive already, I'll use the backslash and the name of 53 00:03:53,270 --> 00:03:54,440 the certificate file. 54 00:03:55,290 --> 00:04:01,890 And the destination is the root of the drive, which of course is a folder on the 2019 computer. 55 00:04:02,810 --> 00:04:03,350 Okay. 56 00:04:03,360 --> 00:04:08,420 We're done for now on this remote session into the AD FS 2016 computer. 57 00:04:09,290 --> 00:04:14,840 Let's go over to the session to the 2019 computer and import the SSL certificate. 58 00:04:15,780 --> 00:04:21,390 First I'll create that password variable again with the same value we used to export the certificate.
59 00:04:22,290 --> 00:04:28,920 Then let's run this command import certificate with the file path to the folder on the 2019 computer 60 00:04:28,920 --> 00:04:33,360 that the file share maps to, which is this transfer folder at the root of the C drive. 61 00:04:34,230 --> 00:04:38,820 The certificate store we want to install this in is the local machine personal store. 62 00:04:39,690 --> 00:04:45,210 We need to use the password to import the private key and we'll mark the certificate as exportable from 63 00:04:45,210 --> 00:04:45,900 here also. 64 00:04:46,710 --> 00:04:47,820 Okay, good. 65 00:04:48,720 --> 00:04:55,230 Since we're going to be adding this 2019 server to the load balancer for AD FS, let's install the NLB 66 00:04:55,230 --> 00:04:57,630 Windows feature along with the management tools. 67 00:04:58,530 --> 00:05:04,290 Next, let's install AD FS and we could do that from Server Manager, but let's do it here with the 68 00:05:04,290 --> 00:05:08,280 Install-WindowsFeature command and the service is called ADFS-Federation. 69 00:05:09,150 --> 00:05:09,720 Okay. 70 00:05:09,750 --> 00:05:13,920 Now we need to configure AD FS on the 2019 computer. 71 00:05:14,790 --> 00:05:18,570 We could do that with PowerShell, but let's do it in the interface. 72 00:05:19,510 --> 00:05:21,520 I'll go over to Server Manager. 73 00:05:22,460 --> 00:05:27,170 I'm still on this Windows 10 management VM and I've already added the two servers. 74 00:05:28,070 --> 00:05:33,590 So if I refresh the interface, we get this message to configure the Federation service, and this is 75 00:05:33,590 --> 00:05:35,780 coming from the 2019 computer. 76 00:05:35,870 --> 00:05:36,860 So let's run this. 77 00:05:37,790 --> 00:05:42,920 This is the same wizard you saw earlier, but this time we're going to add a federation server to a 78 00:05:42,920 --> 00:05:44,420 federation server farm.
79 00:05:45,260 --> 00:05:49,290 We need to specify credentials that have domain administrator permissions. 80 00:05:49,310 --> 00:05:50,480 So I'll enter mine. 81 00:05:51,350 --> 00:05:56,690 And now, because we're adding this AD FS server to a farm that uses the Windows Internal Database, 82 00:05:56,840 --> 00:06:01,760 we need to specify the name of the primary federation server, which can't be the server yet. 83 00:06:02,660 --> 00:06:07,280 So I'll specify the FQDN of the AD FS 2016 server. 84 00:06:08,200 --> 00:06:12,960 Next, let's select the SSL certificate that we imported using PowerShell. 85 00:06:13,840 --> 00:06:19,360 On the next screen, we need to specify the service account that the AD FS service will run under. 86 00:06:20,260 --> 00:06:27,040 I have a group managed service account created and the AD FS 2016 instance is already using this account. 87 00:06:27,250 --> 00:06:28,330 So let's use that one. 88 00:06:29,170 --> 00:06:31,960 Let's click next and we're ready to configure. 89 00:06:32,900 --> 00:06:35,180 This will take a minute, so I'll speed it up. 90 00:06:36,060 --> 00:06:37,950 And we need to restart the server. 91 00:06:37,980 --> 00:06:43,530 So let's right-click on the 2019 server in Server Manager and choose restart server. 92 00:06:44,460 --> 00:06:46,110 I'll speed this up also. 93 00:06:46,950 --> 00:06:53,400 And once that restarts, I'm going to actually remote into the AD FS 2019 server because we can't use 94 00:06:53,400 --> 00:06:55,620 the AD FS console remotely. 95 00:06:56,540 --> 00:07:02,180 I just want to open it up on the server and show you that it says the computer is not the primary federation 96 00:07:02,180 --> 00:07:08,120 server in the farm and there are no nodes showing in the tree on the left because you can't make changes 97 00:07:08,120 --> 00:07:10,520 to AD FS from a secondary node. 98 00:07:11,420 --> 00:07:16,190 So we're going to promote the server to be the primary server in the AD FS farm.
99 00:07:17,060 --> 00:07:24,620 Let's go back to the Windows 10 management VM and first let's add the 2019 server to the network load 100 00:07:24,620 --> 00:07:26,780 balancer for the AD FS service. 101 00:07:27,680 --> 00:07:32,090 I'll go to Tools in Server Manager and open Network Load Balancing Manager. 102 00:07:32,990 --> 00:07:36,710 Right-click on the root and let's connect to an existing cluster. 103 00:07:37,620 --> 00:07:42,060 The host for this cluster is currently the AD FS 2016 computer. 104 00:07:42,180 --> 00:07:43,440 So let's connect to that. 105 00:07:44,310 --> 00:07:50,400 And this NLB cluster only has one computer right now and the cluster has the virtual IP that the DNS 106 00:07:50,400 --> 00:07:52,770 entry points to for the AD FS service. 107 00:07:53,670 --> 00:07:57,750 This is different than the single server installation that you saw earlier. 108 00:07:58,700 --> 00:08:02,570 So let's right-click on this cluster name and add a host to the cluster. 109 00:08:03,470 --> 00:08:07,520 Type the name of the AD FS 2019 server and connect. 110 00:08:08,420 --> 00:08:13,910 There are two network interfaces on this VM, so let's choose the one that's on the internal network 111 00:08:13,910 --> 00:08:14,900 and click next. 112 00:08:15,800 --> 00:08:17,900 We can just click next and finish. 113 00:08:18,810 --> 00:08:24,690 It can take a few minutes for the NLB to update, so I'll speed this up quite a bit and the configuration 114 00:08:24,690 --> 00:08:25,260 is ready. 115 00:08:26,180 --> 00:08:31,880 So before we go any further, let's just open up the browser again and navigate to the AD FS sign-in 116 00:08:31,880 --> 00:08:32,360 page. 117 00:08:33,240 --> 00:08:36,060 And let's just make sure that everything is still running.
118 00:08:36,930 --> 00:08:43,650 We have two AD FS servers right now, but they're still running in AD FS 2016 mode, so we can't use 119 00:08:43,650 --> 00:08:47,310 any of the new 2019 features yet because it's a mixed farm. 120 00:08:48,180 --> 00:08:53,010 Now let's go to the PowerShell window with a remote session to the 2019 server. 121 00:08:53,920 --> 00:08:56,620 We've been logged out because I restarted the VM. 122 00:08:56,740 --> 00:08:58,630 So let's start a new remote session. 123 00:08:59,500 --> 00:09:01,150 Now let's run this command, 124 00:09:01,180 --> 00:09:02,620 Get-AdfsSyncProperties. 125 00:09:03,500 --> 00:09:07,400 And it says this AD FS server has the role of secondary computer. 126 00:09:07,520 --> 00:09:13,030 So let's change that by running the command Set-AdfsSyncProperties and the role will be primary computer 127 00:09:13,040 --> 00:09:14,600 and let's just verify that. 128 00:09:15,500 --> 00:09:20,210 Now we're not done because we need to make the 2016 computer the secondary. 129 00:09:21,090 --> 00:09:23,250 That doesn't happen automatically. 130 00:09:24,150 --> 00:09:30,660 So let's go back to that remote session to the 2016 server and run the same command, Set-AdfsSyncProperties. 131 00:09:30,810 --> 00:09:35,580 But let's make the role secondary computer, and we need to specify a primary computer name. 132 00:09:35,700 --> 00:09:39,870 So I'll enter the FQDN of the AD FS 2019 computer. 133 00:09:40,760 --> 00:09:41,300 Okay. 134 00:09:41,330 --> 00:09:45,170 Now let's get the sync properties of this 2016 computer. 135 00:09:46,040 --> 00:09:51,680 It says it's the secondary computer and we can see the 2019 computer is the primary. 136 00:09:52,580 --> 00:09:59,450 Now let's remove this AD FS 2016 computer from the load balancer so it won't be receiving any more requests. 137 00:10:00,390 --> 00:10:04,380 I'll right-click on the 2016 computer and click Delete Host. 138 00:10:05,290 --> 00:10:05,830 Okay.
139 00:10:05,860 --> 00:10:12,340 Let's go back to the remote session into the 2016 computer and let's uninstall the AD FS role from this 140 00:10:12,340 --> 00:10:12,910 computer. 141 00:10:13,830 --> 00:10:18,990 I'll use the Uninstall-WindowsFeature command and I need to enter my admin account as the credential 142 00:10:18,990 --> 00:10:20,220 and enter my password. 143 00:10:21,120 --> 00:10:25,740 Now we need to restart the 2016 computer for the changes to take effect. 144 00:10:26,610 --> 00:10:29,820 We're almost ready to upgrade the farm behavior level. 145 00:10:30,730 --> 00:10:34,810 Back in the remote session to the AD FS 2019 computer, 146 00:10:34,930 --> 00:10:37,420 let's run the command Get-AdfsFarmInformation. 147 00:10:38,260 --> 00:10:43,720 It shows the current farm behavior level is three, which is AD FS 2016. 148 00:10:44,590 --> 00:10:50,710 It still shows two farm nodes though, even though we uninstalled the service from the 2016 server. 149 00:10:51,640 --> 00:10:53,860 So let's remove this node manually. 150 00:10:54,700 --> 00:10:59,980 We can do that with Set-AdfsFarmInformation and the RemoveNode parameter and specify the name of the 151 00:10:59,980 --> 00:11:01,330 node we want to remove. 152 00:11:02,230 --> 00:11:04,960 Now let's run Get-AdfsFarmInformation again. 153 00:11:05,830 --> 00:11:10,990 Now, before we update the farm behavior level, we can check if there are any potential issues. 154 00:11:11,890 --> 00:11:15,430 Let's first get a reference to a credential that has admin permissions. 155 00:11:15,550 --> 00:11:17,620 So I'll type my account information in. 156 00:11:18,490 --> 00:11:20,230 Now let's run this command, 157 00:11:20,230 --> 00:11:23,470 Test-AdfsFarmBehaviorLevelRaise, with a credential variable. 158 00:11:24,340 --> 00:11:26,650 It says all the checks passed successfully. 159 00:11:26,770 --> 00:11:28,780 So we're ready to run the update command.
160 00:11:29,680 --> 00:11:34,800 Now, it's possible to run the command from a remote session, but I strongly recommend for this one 161 00:11:34,810 --> 00:11:38,950 to remote into the AD FS 2019 computer and run it from there. 162 00:11:39,880 --> 00:11:45,700 Otherwise you may get this error, which probably relates to a permission issue using remote PowerShell. 163 00:11:46,590 --> 00:11:47,620 Let's do that. 164 00:11:48,580 --> 00:11:55,960 I'll go to the AD FS 2019 VM and first let's close the AD FS console and reopen it from Server Manager 165 00:11:55,960 --> 00:12:00,520 just to show that we can now manage the service from this VM because it's now the primary node in the 166 00:12:00,520 --> 00:12:00,940 farm. 167 00:12:01,180 --> 00:12:03,910 But let's open up PowerShell and run this last command. 168 00:12:04,810 --> 00:12:08,050 The command is Invoke-AdfsFarmBehaviorLevelRaise. 169 00:12:08,980 --> 00:12:15,310 You just need to confirm and AD FS is creating a new configuration database and copying the old values 170 00:12:15,310 --> 00:12:15,670 over. 171 00:12:16,550 --> 00:12:19,700 It says the configuration completed successfully. 172 00:12:20,600 --> 00:12:23,390 Let's just run Get-AdfsFarmInformation again. 173 00:12:24,290 --> 00:12:30,020 Now the current farm behavior level is four, which represents AD FS 2019. 174 00:12:30,890 --> 00:12:35,030 Let's go back to our Windows 10 management VM and let's sign in again. 175 00:12:35,900 --> 00:12:37,790 We're successfully signed in. 176 00:12:38,690 --> 00:12:44,540 So that's upgrading your AD FS 2016 environment to AD FS 2019. 177 00:12:45,440 --> 00:12:48,740 Next, let's look at some utilities for S.