{There was a section here on converting Windows 2016 server eval to full version for enterprise customers, but as Windows 2016 is properly out there now it seems pointless. I've pasted what was here into the comments below in case anyone needs it}

Upgrading ADFS

The first question after deciding to roll out a new version of Windows Server into your organisation is what to deploy first, and the answer for me, at least, turned out to be ADFS 4.0. We were running a 2.1 system, and as we're looking at a few upgrades that will take advantage of some of the things in ADFS 4.0 on Windows Server 2016, this seemed like an easy place to start.

It turns out that there are very few, if any, guides for migrating from ADFS 2 to 4, so I guess this is my attempt at redressing that balance. The good news is that the guides for ADFS 2.1 to 3.0 are still pretty decent guides for 2.1 -> 4.0 migrations, so things shouldn't be too difficult, and ADFS 3.0 to 4.0 is easier still.

I will quickly run through the process I used for a 2.1 to 4.0 migration that leaves the ADFS 2.1 server available as a fallback. I am expecting a certain degree of familiarity with Windows Server in this guide (e.g. I'm not going to go into a 20-step process for installing a role or tell you when/how to click 'Next'), but this should still be useful as a step-by-step guide.

Prerequisites

Firstly, of course, you need to build a Windows Server 2016 server and join it to your domain. Current best practice suggests that ADFS should be sitting on a domain controller, which is something that will complicate a migration like this one, but I will skip around that for now; for the purposes of this article, both the Windows 2012 (ADFS 2.1) server and the Windows 2016 (ADFS 4.0) server are plain domain members. You will also need the Windows 2016 install media available to mount on both the ADFS 2.1 and ADFS 4.0 servers.

Understand that ADFS 4.0 is very different in its requirements from ADFS 2.1: it no longer uses IIS, so IIS should not be installed as a prerequisite on the new server. ADFS 4.0 should be published to the world via a Windows Server Web Application Proxy (WAP) server, which works both as a hardened endpoint for publishing your ADFS service to the internet and (as the name implies) as a reverse proxy for publishing internal servers to the outside world, which lets you enable SSO for all the services published via the Web Application Proxy fairly painlessly. Web Application Proxy is a component of the Remote Access Windows Server role.

Prepare another server for the Windows 2016 Web Application Proxy role and think hard about how you want to deploy that in line with your current security requirements and policies.

If you've managed to give your ADFS 2.1 server the same Windows host name as the federation farm name, you will need to play with the hosts file on your new ADFS 4.0 server and its corresponding Web Application Proxy server to ensure that the new ADFS server and related infrastructure send all traffic for the farm name to the ADFS 4.0 server.

e.g. if my ADFS 2.1 server has a host name of adfs.thingydo and my ADFS federation farm name is adfs.thingydo.itsalwaysmyproblem.com, then I will need to edit c:\windows\system32\drivers\etc\hosts on the new ADFS 4.0 server (and the WAP server) to point all traffic for adfs.thingydo.itsalwaysmyproblem.com to the ADFS 4.0 server, and I will probably also need to check and tidy up SPNs when I decommission the ADFS 2.1 server.

Carry out all the steps below on the ADFS 2.1 server:

Carry out all the steps below on the ADFS 4.0 server:

Adding further servers and going into production

You can now move towards production. Add WAP servers as you require, pointed to the ADFS 4.0 server. You can add additional ADFS 4.0 servers if you need by just starting the ADFS role configuration and adding them as additional ADFS servers into the ADFS 4.0 farm.
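The two scale-out steps above, joining an extra ADFS 4.0 node to the farm and pointing a new WAP server at it, as an added PowerShell example (this is not code from the original post; server names, the certificate thumbprint and the account prompts are placeholders/assumptions, and the same service communications certificate is assumed to already be in the local machine store on each server):

```powershell
# Added example (not from the original post): join an additional ADFS 4.0
# server to the new WID farm and point a new WAP server at that farm.
# Server names, thumbprint and accounts below are placeholders/assumptions.

$PrimaryAdfs = 'adfs4-01.itsalwaysmyproblem.com'        # assumed: first ADFS 4.0 node
$FarmFqdn    = 'adfs.thingydo.itsalwaysmyproblem.com'   # federation farm name from the post
$CertThumb   = '<thumbprint of the service communications certificate>'  # placeholder

# --- Run on the additional ADFS 4.0 server ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$svcCred = Get-Credential -Message 'ADFS service account (assumed: the farm''s existing service account)'
Add-AdfsFarmNode -PrimaryComputerName $PrimaryAdfs `
                 -CertificateThumbprint $CertThumb `
                 -ServiceAccountCredential $svcCred

# --- Run on the WAP server (no IIS; WAP is part of the Remote Access role) ---
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$trustCred = Get-Credential -Message 'Account that is a local administrator on the ADFS 4.0 servers'
Install-WebApplicationProxy -FederationServiceName $FarmFqdn `
                            -FederationServiceTrustCredential $trustCred `
                            -CertificateThumbprint $CertThumb

# Sanity checks: the new node should be listed in the farm, and WAP should
# report its configuration against the farm name rather than error out.
Get-AdfsFarmInformation | Select-Object -ExpandProperty FarmNodes   # on an ADFS 4.0 node
Get-WebApplicationProxyConfiguration                                 # on the WAP server
```

While the hosts-file override from the prerequisites section is in place on the WAP server, `Install-WebApplicationProxy` will establish its trust with the ADFS 4.0 farm rather than the old 2.1 server, which is exactly what you want for testing; the trust credential is only used during setup and is not stored.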

When you are ready to go into production, undo all the hosts files edits you’ve made to test the ADFS 4.0 server and update internal and external DNS records to point all requests for ADFS traffic to the new ADFS 4.0 server(s).
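The hosts-file juggling described in the prerequisites (pointing the farm name at the ADFS 4.0 server for testing, checking SPNs) and the undo step at cut-over above, as one added PowerShell example. This is not code from the original post; the farm name is the one used in the post, the IP address is an assumption, and the marker comment is a convention introduced here so the script only ever removes lines it added itself:

```powershell
# Added example (not from the original post): manage a temporary hosts-file
# override on the new ADFS 4.0 / WAP server so the federation farm name
# resolves to the ADFS 4.0 server during testing, verify it, and remove it
# again at cut-over. Run elevated. IP address and marker are assumptions.

$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$FarmFqdn  = 'adfs.thingydo.itsalwaysmyproblem.com'   # federation farm name from the post
$NewAdfsIp = '10.0.0.20'                              # assumed IP of the ADFS 4.0 server
$Marker    = '# adfs-4.0-migration-test'              # tag so only our own line is ever removed

function Set-MigrationHostsEntry {
    param([string]$Fqdn, [string]$IPAddress)
    # Keep a dated backup so the edit can be reverted even if the marker is lost
    Copy-Item $HostsPath "$HostsPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    # Drop any previous tagged line, then append the new override.
    # @() keeps $lines an array even when only one line survives the filter.
    $lines = @(Get-Content $HostsPath | Where-Object { $_ -notmatch [regex]::Escape($Marker) })
    $lines += "$IPAddress`t$Fqdn`t$Marker"
    Set-Content -Path $HostsPath -Value $lines -Encoding ASCII
}

function Remove-MigrationHostsEntry {
    # Undo step for cut-over: remove only the lines carrying our marker
    $lines = @(Get-Content $HostsPath | Where-Object { $_ -notmatch [regex]::Escape($Marker) })
    Set-Content -Path $HostsPath -Value $lines -Encoding ASCII
}

function Test-FarmNameResolution {
    param([string]$Fqdn, [string]$ExpectedIp)
    # The .NET resolver honours the hosts file; Resolve-DnsName queries DNS
    # directly and would NOT show the override, so it is the wrong check here.
    $resolved = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
    [pscustomobject]@{
        Name     = $Fqdn
        Resolved = ($resolved -join ', ')
        Expected = $ExpectedIp
        Matches  = ($resolved -contains $ExpectedIp)
    }
}

# --- Testing phase, on the ADFS 4.0 server and the WAP server ---
Set-MigrationHostsEntry -Fqdn $FarmFqdn -IPAddress $NewAdfsIp
Test-FarmNameResolution -Fqdn $FarmFqdn -ExpectedIp $NewAdfsIp | Format-List

# With the override in place this request should be answered by ADFS 4.0;
# a 200 here confirms the new farm is serving the federation metadata.
Invoke-WebRequest -UseBasicParsing `
    -Uri "https://$FarmFqdn/FederationMetadata/2007-06/FederationMetadata.xml" |
    Select-Object StatusCode

# SPN check mentioned in the post: see which account currently holds the
# HTTP SPN for the farm name, so it can be tidied up when 2.1 is retired.
setspn -Q "HTTP/$FarmFqdn"

# --- Cut-over, after internal and external DNS have been updated ---
# Remove-MigrationHostsEntry
# ipconfig /flushdns
# Test-FarmNameResolution -Fqdn $FarmFqdn -ExpectedIp $NewAdfsIp   # should now match via DNS
```

Running `Test-FarmNameResolution` again after the override is removed and DNS has been flushed is the quick way to confirm the cut-over actually took effect on each box, rather than assuming the hosts file was the only thing steering traffic.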