ADFS Capacity Planning Spreadsheet updated for Windows Server 2016

Good news!

The ADFS Capacity Planning Spreadsheet most of us are familiar with has been updated to reflect Windows Server 2016 numbers and scaling. While the “old” spreadsheet was still “OK” for Windows Server 2012 R2, apparently there are a number of changes in Windows Server 2016’s ADFS that warranted an updated version.


The link to the spreadsheet is in the following TechNet article: “Planning for AD FS Capacity”.

You can find the link in the second table, “AD FS Capacity Planning Spreadsheet for Windows Server 2016”, or by clicking here:



Upgrading the ADFS farm behavior level

[This blog posting was written with knowledge based on Windows Server 2016 TP4. Things may change in RTM.]

Some more investigations with ADFS in Windows Server 2016 TP4 – you have to start somewhere, right?

There are two ADFS servers that I mean to replace with two new ones on 2016 TP4, and then raise the farm behavior level. Easy enough – or so.

The plan:

  • Swap ADFS servers
  • Use the Test-ADFSFarmBehaviorLevelRaise cmdlet to test the procedure
  • Raise the ADFS Farm Behavior Level with Invoke-ADFSFarmBehaviorLevelRaise

The installation worked identically to installations with 2012 R2 when adding new nodes to an existing farm – in the end, there’s no difference between adding 2012 R2-based ADFS nodes to an existing farm or 2016-based nodes.

  • join to the domain
  • install the Service Communication cert on the new boxes
  • install ADFS role
  • add box to Load Balancer (probing will only activate it when the service starts responding)
  • join to ADFS farm
  • verify the installation went well, the event log is clean, and WID replication worked


Extranet Lockout in ADFS 2016–require PDC

You know how in ADFS on Windows Server 2012 R2, when you enable the “Extranet Lockout” feature for Web Application Proxies and a user’s password is verified, the PDC emulator for the authoritative domain is contacted to verify it?

Lu Zhao blogged about this in her blog:

In essence, in order to determine whether to extranet-lockout a user, the badPwdCount attribute for the user is read by asking the PDC for the value, as the authoritative source. In case ADFS can’t connect to the PDC (firewalls or routing are in the way), ADFS fails and user authentication is not completed.
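To check whether an AD FS server is exposed to this failure mode, the following added example (not from the original post) locates the PDC emulator, probes it from the AD FS server, and compares badPwdCount on the PDC with the value on the locally discovered DC. The test account name, the use of TCP 389 as the probe port, and the assumption that users live in the AD FS server's own domain are assumptions of the example.

```powershell
# Added example, not from the original post.
# Assumptions: ADFS and ActiveDirectory (RSAT) modules are installed on this
# AD FS server; 'adfs-lockout-test' is a hypothetical test account; TCP 389
# (LDAP) is used as the reachability probe; users are in this server's domain.
param(
    [string]$TestUser = 'adfs-lockout-test'   # hypothetical account name
)

Import-Module ADFS, ActiveDirectory -ErrorAction Stop

# Extranet lockout settings currently configured on the farm.
Get-AdfsProperties |
    Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow

# PDC emulator of this server's domain: the DC asked for badPwdCount.
$pdc = (Get-ADDomain -Current LocalComputer).PDCEmulator

# The DC the locator hands this server for ordinary lookups.
$localDc = [string](Get-ADDomainController -Discover).HostName

# Can this AD FS server open a connection to the PDC at all?
$probe = Test-NetConnection -ComputerName $pdc -Port 389 -WarningAction SilentlyContinue

$result = [ordered]@{
    PdcEmulator      = $pdc
    PdcReachable     = $probe.TcpTestSucceeded
    LocalDc          = $localDc
    BadPwdCountPdc   = $null
    BadPwdCountLocal = $null
}

if ($probe.TcpTestSucceeded) {
    # badPwdCount is not replicated between DCs; the PDC holds the
    # authoritative value because failed logons are forwarded to it.
    $result.BadPwdCountPdc =
        (Get-ADUser $TestUser -Server $pdc -Properties badPwdCount).badPwdCount
}
else {
    Write-Warning "PDC emulator $pdc is not reachable from this server; with extranet lockout enabled, authentication through the proxy would not complete."
}

# The local DC's copy, for comparison with the PDC's value.
$result.BadPwdCountLocal =
    (Get-ADUser $TestUser -Server $localDc -Properties badPwdCount).badPwdCount

[pscustomobject]$result
```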

Lu promised they are looking at changing that feature, to allow for a “local DC” fallback, in case the PDC isn’t available.

It looks like Microsoft delivered on their promise – at least judging from what we can see in ADFS in Windows Server 2016 TP4. My friend Thomas did some investigations – and it looks like there’s a new property that one can set in ADFS 2016:

