Channel: Claims based access platform (CBA), code-named Geneva forum

Secondary ADFS server does not switch primary/secondary certificates


Hi there!

I have been sent here from the Microsoft Office 365 Community, so I'll ask my question again. I still do not know very much about all this Federation stuff, but I'd like to learn.

So, we have two Windows Server 2008 R2 domain controllers along with federation proxies on AWS, each pair behind a load balancer. In March, our certificates were about to expire, so we looked into this. I am not sure any more whether we actually had to do something, or whether automatic rollover was active already. Some days before expiration, new certificates were created automatically, on both primary and secondary servers. We verified this with Get-ADFSCertificate -CertificateType token-signing. Those new certificates were not in use; the old ones were still the primary ones. So far, so good.

Then, on our primary domain controller, the secondary certificate became the primary one - automatically, I believe, but I am not entirely sure any more. Just as expected.

But this did not happen on the secondary domain controller. There, I still see both certificates, the old and the new one, and the old, expired one is the primary one. How can this be changed, and why did it not change automatically?

In the ADFS 2.0 Manager on this host I only have the information that 'This computer is not the primary federation server in the farm'. And that 'Changes to AD FS configuration settings can be made only at the primary federation server computer'.

Is there some way to make the secondary certificate the primary? Or to import the new certificate as the primary one? But I would not even know how to export it. I looked for it with MMC on the primary server, at Certificates (Local Computer) -> Personal -> Certificates, where I expected it to be, as described in one document I found on the net (which I cannot link to until my account is verified - no idea how this works). There are some, but not the one Get-ADFSCertificate -CertificateType token-signing shows.

When I open the ADFS 2.0 Management on the first server, I see it as token-signing certificate. But I cannot export from there, and the ADFS 2.0 Management on the second server does not allow me to do anything. There, I also see that the last sync with the primary server was on 2014-04-15 - why did that stop? The new certificates were created more than one month earlier already, so this is probably not the cause of the primary/secondary certificates not switching. The Active Directory is still being synced.

Both servers are being restarted regularly due to updates. We removed the secondary domain controller and the secondary ADFS proxy from the load balancers, so for the moment we are fine. But we need to eventually solve this.

One idea would be to remove the ADFS stuff completely from the secondary server, and set it up again, hoping that it will somehow fetch the certificate from the primary DC then. But I would prefer to actually fix this instead of finding a workaround, without ever knowing what the problem was.

Any help with this is greatly appreciated.

        Alex
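The checks below are an added example, not part of Alex's post or of any reply to it. They assume AD FS 2.0 on Windows Server 2008 R2 (the Microsoft.Adfs.PowerShell snap-in rather than the later module), that the script is run in an elevated PowerShell session on each farm member, and that the event log name and the 30-day promotion threshold are the AD FS 2.0 defaults. Nothing in it exports a private key: with automatic rollover the token-signing certificates live in the AD FS configuration database (private keys protected through the DKM container in AD), which is why Get-ADFSCertificate lists them while the Local Computer certificate store does not. A farm's configuration, including which certificate is primary, is only ever changed on the primary federation server and then pulled by the secondaries on their poll interval, so the first thing to establish on the secondary is whether that pull still works.

```powershell
# Added example (not from the original post). Assumes AD FS 2.0 / Windows Server 2008 R2.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Which role does this box have, and when did it last pull configuration from the primary?
#    On a secondary, a LastSyncTime weeks in the past explains why the promotion never arrived.
$sync = Get-ADFSSyncProperties
$sync | Format-List Role, PrimaryComputerName, LastSyncStatus, LastSyncTime, PollDuration

# 2. Is automatic rollover enabled, and how early does AD FS generate and promote a new certificate?
Get-ADFSProperties | Format-List AutoCertificateRollover, CertificateRolloverInterval,
    CertificateGenerationThreshold, CertificatePromotionThreshold

# 3. Token-signing certificates as this server sees them: an IsPrimary=True entry whose
#    NotAfter is in the past is exactly the symptom described in the post.
Get-ADFSCertificate -CertificateType Token-Signing |
    Sort-Object { $_.Certificate.NotAfter } -Descending |
    Format-Table IsPrimary, Thumbprint,
        @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } },
        @{ Name = 'Expired';  Expression = { $_.Certificate.NotAfter -lt (Get-Date) } } -AutoSize

# 4. Recent sync/rollover errors in the AD FS admin log (log name assumed to be the 2.0 default).
Get-WinEvent -LogName 'AD FS 2.0/Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# 5. Promotion, PRIMARY FEDERATION SERVER ONLY. On a secondary this is refused by design
#    ("Changes ... can be made only at the primary federation server computer").
#    Makes the newest token-signing certificate primary if an older one still holds that role.
if ($sync.Role -eq 'PrimaryComputer') {
    $certs  = Get-ADFSCertificate -CertificateType Token-Signing
    $newest = $certs | Sort-Object { $_.Certificate.NotAfter } -Descending | Select-Object -First 1
    if (-not $newest.IsPrimary) {
        Set-ADFSCertificate -CertificateType Token-Signing -Thumbprint $newest.Thumbprint -IsPrimary
        Write-Host "Promoted $($newest.Thumbprint); secondaries pick this up on their next successful sync."
    } else {
        Write-Host "Newest token-signing certificate is already primary; nothing to change here."
    }
} else {
    # On the secondary: restarting the service forces an immediate sync attempt; if LastSyncTime
    # does not move afterwards, the problem is the pull from the primary, not the certificate.
    Restart-Service adfssrv
    Start-Sleep -Seconds 60
    Get-ADFSSyncProperties | Format-List LastSyncStatus, LastSyncTime
}
```

Read the output in this order: if step 1 on the secondary shows a stale LastSyncTime, fixing the certificate view is pointless until sync works again (the AD FS service account on the secondary must be able to reach the primary's configuration endpoint over HTTP, and step 4 usually names the failure). Once a sync succeeds, step 3 on the secondary should match the primary without any certificate ever being exported. Keep in mind that a token-signing promotion also changes the signing key relying parties see, so Office 365 (and any other relying party that does not poll federation metadata) must be updated with the new certificate as well.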

