You might have got a request to upgrade from ADFS 2012 R2 to Windows ADFS 2016.
This process can be complicated, especially if you have to migrate the database as well. It is more of an issue when the database is WID (Windows Internal Database), since there's not much documentation about troubleshooting issues involving WID on ADFS.
I got a request from a client who had done a migration with another consultant, and obviously it was not done right.
On Windows 2016 ADFS when trying to update the ADFS SSL certificate I get the following error:
At line:1 char:1
Trying to update the database from 1 to 2,3 will also fail with the following error:
Invoke-AdfsFarmBehaviorLevelRaise
Database upgrade cannot be performed on AdfsServer.domain.com. Error: A database for the target behavior level already exists.
If you're installing ADFS on WID (Windows Internal Database), you should run the following to get the database name and connection string:
Open Windows PowerShell
and hit Enter
and hit enter.
Go to the Services console and stop the ADFS service, or from PowerShell type net stop adfssrv
Run SQL Server 2017 Database Engine Tuning Advisor as an administrator
Use the following as the server name:
\\.\pipe\MICROSOFT##WID\tsql\query
As for authentication, use Windows Authentication with the user you're logged in as, if you know that it is a privileged user and can authenticate. If not, try with the user that performed the ADFS upgrade.
After authenticating, you will be able to see AdfsConfiguration, AdfsConfigurationV3 and AdfsArtifactStore. What we need to see is that AdfsConfigurationV3 has data in it and is not totally empty.
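The same check can be scripted instead of read off the GUI. The following read-only PowerShell script is an added example, not part of the original post; it assumes an elevated Windows PowerShell session on the ADFS server and uses .NET's System.Data.SqlClient against the WID named pipe shown above.

```powershell
# Added example: read-only comparison of the ADFS configuration databases in WID.
# Assumption: run elevated on the ADFS server with an account that can log on to WID.
$pipe      = 'np:\\.\pipe\MICROSOFT##WID\tsql\query'        # server name from this page
$databases = 'AdfsConfiguration', 'AdfsConfigurationV3'     # database names from this page

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Data Source=$pipe;Initial Catalog=master;Integrated Security=True"
$conn.Open()
try {
    $report = foreach ($db in $databases) {
        $cmd = $conn.CreateCommand()
        [void]$cmd.Parameters.AddWithValue('@name', $db)

        # Skip a database that does not exist on this server
        $cmd.CommandText = 'SELECT DB_ID(@name)'
        if ($cmd.ExecuteScalar() -is [System.DBNull]) {
            Write-Warning "$db not found in WID"
            continue
        }

        # Allocated file size; sys.master_files.size is counted in 8 KB pages
        $cmd.CommandText = 'SELECT SUM(CAST(size AS bigint)) * 8 / 1024 ' +
                           'FROM sys.master_files WHERE database_id = DB_ID(@name)'
        $sizeMB = $cmd.ExecuteScalar()

        # User tables and total rows; index_id 0 (heap) or 1 (clustered) counts each row once.
        # The database name comes from the fixed list above, so it is safe to embed.
        $q = $conn.CreateCommand()
        $q.CommandText = "SELECT COUNT(DISTINCT t.object_id), ISNULL(SUM(p.rows), 0) " +
                         "FROM [$db].sys.tables t LEFT JOIN [$db].sys.partitions p " +
                         "ON p.object_id = t.object_id AND p.index_id IN (0, 1)"
        $r = $q.ExecuteReader()
        [void]$r.Read()
        $tables = $r[0]; $rows = $r[1]
        $r.Close()

        [pscustomobject]@{
            Database = $db
            SizeMB   = $sizeMB
            Tables   = $tables
            Rows     = $rows
            Empty    = ($rows -eq 0)
        }
    }
    $report | Format-Table -AutoSize
}
finally {
    $conn.Close()
}
```

A row count of 0 for AdfsConfigurationV3 next to a populated AdfsConfiguration matches the situation described in this post.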
After checking and comparing the size between V1 and V3, it appeared that the V3 database is empty. So what next?
Deleting the AdfsConfigurationV3 was the first thought that hit my mind. However, before deleting anything I always take a snapshot of the VM, since backing up the WID is more painful and takes more time than simply backing up the VM (checkpoint, snapshot).
So the steps to fix this issue are:
\\.\pipe\MICROSOFT##WID\tsql\query
Leave the authentication as it is and log on.
This might take about 5 minutes to finish.
When this process is done, you should see the following message indicating the success of the database upgrade.
To double check, we will run the cmdlet Get-AdfsFarmInformation.
After this success, I am going to run the cmdlet below to replace the current certificate with the new one:
Set-AdfsSslCertificate -Thumbprint 9b19426e17180c0b9c5d4atye53dda3bce9dbff
And here we go. It works perfectly fine.