Manually change adfs server in AADConnect while in upgrade?

    Question

  • I upgraded the ADFS server from 2012 R2 to 2016 by migrating it to a new server.

    Now I wanted to update AADConnect from 1.1.380 to 1.1.443 and got stuck in the wizard.

    It is at the step "Create Federated AAD Trust" and tries to connect to the old server.

    [18:34:14.979] [ 11] [ERROR] Microsoft.Online.Deployment.PowerShell.PowerShellInvocationException: An error occurred while executing the 'Set-MsolAdfsContext' command. The connection to OLDSERVERNAME Active Directory Federation Services 2.0 server failed due to invalid credentials. ---> Microsoft.Online.Identity.Federation.Powershell.FederationException: The connection to OLDSERVERNAME Active Directory Federation Services 2.0 server failed due to invalid credentials.

    I don't have the old server anymore. I tried a DNS resolution from the old server name to the new server (no success). I don't have the old installer to try a downgrade. I searched the registry, the file system and the SQL DB and did not find OLDSERVERNAME mentioned anywhere.

    What can I do without having to reinstall everything (I don't want to lose my custom rules)?

    I can't open the wizard to reconfigure the trust because it jumps right into this upgrade thing without any option to change the adfs server.

    Thursday, March 16, 2017 5:49 PM

Answers

  • AADConnect stores its state in %PROGRAMDATA%\AADConnect\PersistedState.xml. The list of AD FS servers is stored in a 'PersistedStateElement' node in this file, with 'Key' node set to 'IAdfsContext.TargetAdfsServers'. The 'Value' node for this element contains a list of all the servers that AAD Connect knows about. Each server is stored in the list as "{Server FQDN (base-64 encoded)},{Is Primary AD FS},{Is Configured}", and if there are multiple servers in the list, they are separated by a ";" character.

    If you have already added the new server to the farm using AAD Connect prior to starting the upgrade, you should be able to do the following:

    1. Ensure the new server is the primary AD FS server in the farm by running the 'Get-AdfsSyncProperties' PowerShell cmdlet on it.
    2. Close AAD Connect.
    3. Back up the PersistedState.xml file.
    4. Find the old server in the list by searching for the base-64 encoded FQDN, and remove it.
    5. Find the new server in the list by searching for the base-64 encoded FQDN, and mark it as primary, by changing the {Is Primary AD FS} field from 'False' to 'True'.
    6. Start the upgrade process again by opening AAD Connect.

    The following PowerShell command will give you the server FQDN from a base-64 string (replace <BASE64STRING>):

    [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("<BASE64STRING>"))

    The following PowerShell command will convert the server FQDN to a base-64 string (replace <SERVERFQDN>):

    [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("<SERVERFQDN>"))

    If you have manually configured ADFS on the new server without using AAD Connect to deploy it, then you might have missed out on some of the AAD Connect configuration steps. In theory you could just replace the old server name with the new one instead of steps 3 & 4. However, we would discourage you from doing the same, as AADConnect will assume all of the necessary configuration steps have been performed.

    • Marked as answer by Sven Bürger Tuesday, March 21, 2017 11:51 AM
    Tuesday, March 21, 2017 10:43 AM
    Moderator
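A PowerShell version of steps 4 and 5, added here as an example and not part of the answer above; the server names are constructed, and the XML node layout mentioned in the usage note is assumed from the answer's description:

```powershell
# Added example, not from the thread: parse and rewrite the
# 'IAdfsContext.TargetAdfsServers' value described above. Server names
# are constructed; the XML layout used in the usage note is an assumption.

function ConvertFrom-AdfsServerList {
    param([string]$Value)
    # Each entry is "{base64 UTF-16LE FQDN},{IsPrimary},{IsConfigured}", joined by ';'
    foreach ($entry in ($Value -split ';' | Where-Object { $_ })) {
        $f = $entry -split ','
        [pscustomobject]@{
            Fqdn         = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($f[0]))
            IsPrimary    = [bool]::Parse($f[1])
            IsConfigured = [bool]::Parse($f[2])
        }
    }
}

function ConvertTo-AdfsServerList {
    param([object[]]$Servers)
    ($Servers | ForEach-Object {
        $b64 = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($_.Fqdn))
        '{0},{1},{2}' -f $b64, $_.IsPrimary, $_.IsConfigured
    }) -join ';'
}

function Update-AdfsTargetServers {
    param([string]$Value, [string]$OldServer, [string]$NewServer)
    $servers = @(ConvertFrom-AdfsServerList $Value)
    if (-not ($servers | Where-Object { $_.Fqdn -eq $NewServer })) {
        # The answer's caveat: if AAD Connect never deployed the new server, renaming
        # the old entry makes the wizard assume configuration steps that never ran.
        throw "'$NewServer' is not in the list; add it through AAD Connect first."
    }
    $servers = @($servers | Where-Object { $_.Fqdn -ne $OldServer })      # step 4
    foreach ($s in $servers) { $s.IsPrimary = ($s.Fqdn -eq $NewServer) }  # step 5
    ConvertTo-AdfsServerList $servers
}

# Constructed sample value: old server primary, new server already added.
$old = 'oldadfs.corp.example'
$new = 'newadfs.corp.example'
$sample = ConvertTo-AdfsServerList @(
    [pscustomobject]@{ Fqdn = $old; IsPrimary = $true;  IsConfigured = $true },
    [pscustomobject]@{ Fqdn = $new; IsPrimary = $false; IsConfigured = $true }
)
$updated = Update-AdfsTargetServers -Value $sample -OldServer $old -NewServer $new
ConvertFrom-AdfsServerList $updated | Format-Table   # only the new server, IsPrimary True
```

To apply this to the real file after backing it up (step 3), load it with `[xml](Get-Content $path -Raw)`, locate the Value node (assuming the Key/Value child-element layout the answer describes, e.g. `SelectSingleNode("//PersistedStateElement[Key='IAdfsContext.TargetAdfsServers']/Value")`), set its `InnerText` to the string Update-AdfsTargetServers returns, and call `$xml.Save($path)`.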

All replies

  • This worked great.

    Thanks a lot!

    Tuesday, March 21, 2017 11:51 AM
  • +1, saved the day.
    Wednesday, April 19, 2017 4:55 PM