Unsolved AD FS 2016 requires AD DS 2016 schema, minimum version 85?

---

Hello ITPro. I ran across a question that discusses deploying AD FS for "device registration" and which functional level of the AD DS Forest is required. It appears that AD FS is supported all the way back to a forest functional level of 2003, but if you want to use certificate authentication you have to upgrade to 2008R2. For "Device Registration" it appears the minimum is 2012 R2.

That is all well and good, but I also ran across this article:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements#BKMK_4

It states the following:

"Schema requirements

New installations of AD FS 2016 require the Active Directory 2016 schema (minimum version 85).

Raising the AD FS farm behavior level (FBL) to the 2016 level requires the Active Directory 2016 schema (minimum version 85)."

I even went as far as to deploy a new domain in the lab using a functional level of 2008R2.. AD FS installed just fine using 2016 servers. It didn't support Device Registration, but my guess is that if I upgraded the forest to 2012 R2 it would have worked.

So that leaves the question, what is an AD FS 2016 installation and how does it differ from what I deployed in the lab? I just installed the role using the standard install-windowsfeature command and ran through the post setup process with a self signed certificate. I never got an error stating that a forest functional level of 2016 was required before installing or configuring.

Regards,
Adam Tyler

Okay, now I am totally confused.. I took this lab a step further and enabled "Device Registration".. It asked me for a privileged AD account cred during the process, I assumed because it would force the upgrade of the existing AD DS forest from 2008 R2 to 2012 R2, but it didn't...! Take a look at the forest/domain levels after device registration is enabled. So what about device registration requires a level of 2012 R2?

I did find this PowerShell tool called "test-adfsFarmBehaviorLevelRaise". It seems the default install of ADFS isn't version 2016 Farm Behavior Level (FBL)? Or if ADFS was deployed into a domain where the forest functional level was 2016 already, perhaps it would have been FBL 2016?

And.. If it weren't confusing enough, there is this link which states the following.. Now it is only talking about a domain functional level, not forest.
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-requirements

So, follow up questions....

1. What are the forest and domain functional level requirements for each feature of AD FS? Ie.. Device registration, certificate authentication, etc...
2. What is the default Farm Behavior Level of newly deployed AD FS installs? Does it matter what the existing forest/functional levels are?
3. Is workplace join the same as device registration?

Regards,
Adam Tyler

Adam,

I hope all is well. Mighty TALL order you have tasked me with here, let's see what we can do to whittle this down to a manageable size, shall we?

I will take them in the order that you asked them in:

1. What are the forest and domain functional level requirements for each feature of AD FS? Ie.. Device registration, certificate authentication, etc...

Check out the following to get the Low-Down across the Feature set for ADFS:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements

2. What is the default Farm Behavior Level of newly deployed AD FS installs? Does it matter what the existing forest/functional levels are?

AD DS requirements - This is where it gets CRAZZZZZZZZZZZZY ...

Domain controller requirements:

AD FS requires Domain controllers running Windows Server 2008 or later.

At least one Windows Server 2016 domain controller is required for Microsoft Passport for Work.

Domain functional-level requirements:

All user account domains and the domain to which the AD FS servers are joined must be operating at the domain functional level of Windows Server 2003 or higher.

A Windows Server 2008 domain functional level or higher is required for client certificate authentication if the certificate is explicitly mapped to a user's account in AD DS.

Schema requirements:

New installations of AD FS 2016 require the Active Directory 2016 schema (minimum version 85).

Raising the AD FS farm behavior level (FBL) to the 2016 level requires the Active Directory 2016 schema (minimum version 85).

Service account requirements:

Any standard domain account can be used as a service account for AD FS. Group Managed Service accounts are also supported. The permissions required at runtime will be added automatically when you configure AD FS.

Group Managed service accounts require at least one domain controller running Windows Server 2012 or higher. The GMSA must live under the default 'CN=Managed Service Accounts' container.

Sooooooo... what does all that actually mean?

Well several things actually, but take a look at the following as, it explains the FBL concept, versioning and how it all comes together:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server

If interested in what Server 2019 does to the mix, check out the following:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server

3. Is workplace join the same as device registration?

No. Although a little dated, the following gives you a good overview idea of the differences:

https://blogs.technet.microsoft.com/trejo/2016/04/09/azure-ad-join-vs-azure-ad-device-registration/

Hope that helps to put things in perspective and move you in the right direction(s).

Let me k now if you have any follow up questions.

Cheers,

Adam

Wow... Thank you Adam G.

Initially I think I just have one follow up question. Could you define what a "New installation of AD FS 2016" is? Based on my testing this is different than simply installing the AD FS role on a Server 2016 Domain Member. I was able to do that much with a Domain and Forest functional level of 2008R2 in the lab.

Regards,
Adam Tyler