Change AD FS 2.0 Primary Server

I was asked today how to decommission the primary AD FS 2.0 server in a farm, minimising any potential interruption. The solution is simple and like all good things uses PowerShell.

The original AD FS 2.0 server was deployed using the WID (Windows Internal Database) and Farm options for Office 365.
  • WID is suitable for the majority of deployments (if it is not, you will know about it)
  • Choosing WID makes the first server deployed the primary
  • Only the primary server can write configuration changes to the database; secondaries hold a read-only copy that they poll from the primary
  • Opting for a Farm provides scope for HA and scale
The AD FS farm had been extended with new highly available nodes load balanced in geographically dispersed data centres. DNS had been updated and the primary server was in effect redundant.

Log on to the server that is to become the new primary (NEUADFS02) and run PowerShell.

Add-PsSnapin Microsoft.Adfs.PowerShell

Set-AdfsSyncProperties -Role PrimaryComputer

On every other AD FS server in the farm, including the outgoing primary, run the following.

Add-PsSnapin Microsoft.Adfs.PowerShell

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName NEUADFS02.EXCHANGEGEEK.COM
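The whole switch-over as one script, with the checks I would want before walking away from it. This is an added example rather than the commands from the post above: it assumes PowerShell remoting is enabled between the farm members, that the account running it is a local administrator on each node, and that the secondary host names in $Secondaries (only NEUADFS02 and EXCHANGEGEEK.COM come from the post) are placeholders for your own. It also probes TCP/80 to the new primary from each secondary, because that is the port secondaries pull configuration over.

```powershell
# Added example, not the original post's code. Promotes NEUADFS02 to primary,
# repoints every other farm member at it, and verifies the resulting sync state.
# Written for the AD FS 2.0 snap-in / PowerShell 2.0 on Windows Server 2008 R2,
# so no Test-NetConnection; a raw TcpClient is used for the port probe instead.

$NewPrimary  = 'NEUADFS02.EXCHANGEGEEK.COM'
$Secondaries = @('ADFS01.EXCHANGEGEEK.COM',      # hypothetical host names:
                 'ADFS03.EXCHANGEGEEK.COM')      # include the outgoing primary here

# Step 1: run on the new primary itself (this script is started on NEUADFS02).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Set-AdfsSyncProperties -Role PrimaryComputer
$local = Get-AdfsSyncProperties
if ($local.Role -ne 'PrimaryComputer') {
    throw "Promotion failed: $env:COMPUTERNAME reports role $($local.Role)"
}
Write-Host "$env:COMPUTERNAME is now PrimaryComputer"

# Step 2: demote/repoint each remaining farm member and return its sync properties.
$repoint = {
    param($Primary)
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

    # Secondaries fetch configuration from the primary over PrimaryComputerPort,
    # which defaults to 80; probe it first so a blocked port shows up here rather
    # than as a silent failure to sync later.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try   { $tcp.Connect($Primary, 80); $portOpen = $true }
    catch { $portOpen = $false }
    finally { $tcp.Close() }
    if (-not $portOpen) {
        throw "$env:COMPUTERNAME cannot reach $Primary on TCP/80; fix firewalls before repointing"
    }

    Set-AdfsSyncProperties -Role SecondaryComputer `
                           -PrimaryComputerName $Primary `
                           -PrimaryComputerPort 80
    Get-AdfsSyncProperties
}

foreach ($node in $Secondaries) {
    $p = Invoke-Command -ComputerName $node -ScriptBlock $repoint -ArgumentList $NewPrimary
    if ($p.Role -ne 'SecondaryComputer' -or $p.PrimaryComputerName -ne $NewPrimary) {
        throw "$node is in an unexpected state: Role=$($p.Role) Primary=$($p.PrimaryComputerName)"
    }
    Write-Host ("{0}: SecondaryComputer -> {1}:{2}, poll every {3}s" -f `
        $node, $p.PrimaryComputerName, $p.PrimaryComputerPort, $p.PollDuration)
}
```

The Role and PrimaryComputerName checks prove each node was repointed; they do not prove a sync has happened yet. Secondaries only poll on their PollDuration interval (300 seconds by default), so wait at least that long and then look at LastSyncFromPrimaryComputerName and LastSyncStatus in Get-AdfsSyncProperties on each secondary before decommissioning the old server. Leaving the outgoing server as PrimaryComputer while another node is also primary is the state to avoid, which is why it belongs in $Secondaries.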

On a related note, I also identified that TCP/80 should be open between farm members, despite all the resources and configuration I found identifying only TCP/443 as required. This came up when extending the farm across data center boundaries. The reason is the configuration sync itself: secondaries pull the configuration from the primary over the port given by -PrimaryComputerPort, which defaults to 80, so a firewall that only permits 443 leaves every secondary unable to sync from the new primary.