Planning a Migration to AD FS 2.0

Applies To: Active Directory Federation Services (AD FS) 2.0

Planning Your Migration to AD FS 2.0

If Active Directory Federation Services (ADFS) 1.0 (installed with Windows Server 2003 R2) or AD FS 1.1 (installed with Windows Server 2008 or Windows Server 2008 R2) is already deployed in your organization, you can take advantage of simplified administration, Security Assertion Markup Language (SAML) 2.0 interoperability, and many other new features by migrating your previous deployment to AD FS 2.0.

Migrating from AD FS 1.x to AD FS 2.0 does not necessarily require changes to your existing federated identity infrastructure. Use the information in this section of the AD FS 2.0 Design Guide, and in the related topics in the AD FS 2.0 Deployment Guide that are linked from this guide, to learn about the issues and considerations that migration may present for your existing environment and to determine whether you must change your AD FS infrastructure.

About this migration content

This migration content provides guidance for migrating AD FS 1.x from an x86-based or x64-based server, running either Windows Server 2003 R2 or Windows Server 2008, to a clean installation of Windows Server 2008 or Windows Server 2008 R2 on a different computer.

This migration content describes best practices for the migration of federation servers and federation server proxies running AD FS 1.x from old hardware to new hardware. The elements of an existing installation that are migrated are entirely up to the server administrator. However, along with the server role, these elements usually include their configuration, data, system identity, and operating system settings.

This document makes no assumptions about potential dependencies that exist between server roles. Instead, it is assumed for the purpose of this migration content that you are migrating AD FS 1.x installed on one computer to another computer on the network without changes to topology, Federation Service settings, Domain Name System (DNS) resource records, Network Load Balancing (NLB), or subnet settings.

What this migration content does not provide

The following information is not provided in this migration content:

  • Details of an in-place upgrade of an existing AD FS 1.x federation server or federation server proxy to AD FS 2.0. This upgrade has not been tested by Microsoft. Instead, we recommend that you migrate certificates and Federation Service settings from existing AD FS 1.x federation servers and federation server proxies to other computers running either Windows Server 2008 or Windows Server 2008 R2 where AD FS 2.0 can be installed.

  • Instructions for upgrading from Windows Server 2003 R2 or Windows Server 2008 to Windows Server 2008 R2.

Unsupported features in AD FS 2.0

The following are the AD FS 1.x features and scenarios that are no longer supported in AD FS 2.0:

  • AD LDS used as an account store

  • The Windows NT token–based Web agent

  • The AD FS 1.x claims-aware Web agent configured for Microsoft Office SharePoint Server 2007

  • The Federated Web Single-Sign-On (SSO) with Forest Trust scenario

Getting started

You can use the Migrating from AD FS 1.x to AD FS 2.0 content in the AD FS 2.0 Deployment Guide to start your migration.