none
Active Directory Federation Services

    Question

  • I have recently configured ADFS 2 according to MS guides and have encountered an issues that I just want someone to confirm my suspicions?

    I have configured FS1 and FS2 as DC's with NLB and a separate FS proxy.  The issue I am having is related to DNS resolution in as much as each of the FS machines have IP addresses say 192.168.1.1 and 192.168.1.2 with the FS NLB cluster setup as 192.168.1.3 and are entered in DNS as such.  However FS1 and FS2 also have entries of 192.168.1.3 separately so that the DNS table looks like this:

    fs Host (A) 192.168.1.3

    fs1 Host(A) 192.168.1.1

    fs1 Host(A) 192.168.1.3

    fs2 Host(A) 192.168.1.2

    fs2 Host(A) 192.168.1.3

    This is causing FRS errors as when AD replication occurs to FS2 or FS1 it is resolving to 192.168.1.3 instead of the individual machine IP and as such can't replicate due to machine name inconsistencies.  Question being is am I safe to remove the entries of FS1 and FS2 pointing to 192.168.1.3 (the FS cluster IP) or would it be safe enter the correct IP's into the Hosts file?

    Regards

    Drac

     
    Wednesday, April 11, 2012 8:40 AM

Answers

All replies

  • Please use ADFS forum and ask your question.

    Actually this seems to be more suitable for AD FS forum:

    http://social.msdn.microsoft.com/Forums/en/Geneva/

    Note:Installing ADFS on your domain controllers is NOT a recommended solution. Is this why are you installing NLB on your domain controllers?

    You should install ADFS on member server(s) and then use the NLB feature on those servers so that you can load balance your federation service endpoint.

    DC on NLB cluster is not recommended it results in multiple problem.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.



    Wednesday, April 11, 2012 8:44 AM
  • Hi, Thanks for your reply.  I have reposted on correct forum.

    We ran the install based on MS's own set up guide using this:

    For the federation servers, use two existing Active Directory domain controllers (DCs) and configure them both for the federation server role. To do this, first select two existing DCs, and then:

    1. Install AD FS 2.0 on both domain controllers.
    2. Configure one as the first federation server in a new farm.
    3. Join the second one to the federation server farm.

    For NLB, configure an existing NLB host or obtain a dedicated server and then install the NLB server role on it and then configure the NLB server.

    Surely if this was not a recommended solution then MS have got it wrong?

    I merely ask as I don't want to or need to have issues down the line..

    Drac

    Wednesday, April 11, 2012 9:15 AM
  • Hello,

    ADFS on DCS is NOT recommended for production domains as described in http://technet.microsoft.com/en-us/library/cc778681(v=ws.10).aspx

    "Because ADFS requires the installation of Internet Information Services (IIS), we strongly recommend that you not install any ADFS components on a domain controller in a production environment."

    Further details please ask in the already mentioned Geneva forum for claims based applications.

    Additional should DCs not be installed with clustering or NLB options, use them for AD/DNS/GC that's it, on single machines.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Wednesday, April 11, 2012 9:33 AM
  • Hi

    Thanks for the feedback, I can see why this would not be recommended but being new to ADFS I simply followed what I thought to be the correct method.  Out of interest if I DC promo the ADFS machines down will this mess up my ADFS environment, ie will I have to start again and reconfigure/install ADFS?

    Now we are in a production environment with this setup I am concerned that I am going to get issues down the line so may need to reconfigure this service.

    Regards

    Drac

    Wednesday, April 11, 2012 9:51 AM
  • Hello,

    if you like to remove the DC role you should better remove AD FS first, demote it and install it again.

    Would be nice if you can post the link you have used, so we may get it changed to the recommendation from the article i added?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, April 11, 2012 10:00 AM
  • Hi Meinolf

    This is the link we used:

    http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx#bk_plandeploy

    under the section 

    Estimation table: Determine the number of AD FS 2.0 servers to deploy in your organization

    We used this guide as we have less than 100 users so not a large scale deployment.

    Regards

    Drac

    Wednesday, April 11, 2012 10:05 AM
  • Hello,

    thanks for the link and one more hint about NLB/Clustering and/or NICTeaming in load balanced option.

    Teaming is ONLY supported on DCs if FAILOVER option is enabled http://support.microsoft.com/kb/908370

    Clustering DCs should be avoided also: http://support.microsoft.com/kb/281662/en-us http://technet.microsoft.com/en-us/library/cc775654(v=ws.10).aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, April 11, 2012 10:26 AM
  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to  reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW,  we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards

    Elytis Cheng


    Elytis Cheng

    TechNet Community Support

    Thursday, April 19, 2012 1:55 AM
    Moderator
  • Hi,

     After i read that ADFS on DCS is NOT recommended for production domains as described in http://technet.microsoft.com/en-us/library/cc778681(v=ws.10).aspx

    i ask if this applies to ADFS 2.0 on Windows 2012 too ?


    Friday, December 21, 2012 5:07 PM
  • Hi,

     After i read that ADFS on DCS is NOT recommended for production domains as described in http://technet.microsoft.com/en-us/library/cc778681(v=ws.10).aspx

    i ask if this applies to ADFS 2.0 on Windows 2012 too ?


    I could not find any recent statement saying that ADFS should not be installed on domain controllers. Since Server 2008 R2 Microsoft recommends installing ADFS on domain controllers in environments where the costs of dedicated servers cannot be justified, I assume the statement you mentioned is outdated.

    An example of such a recommendation is Office 365, as mentioned earlier in this topic.


    Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!

    • Proposed as answer by Jetze Mellema Monday, January 21, 2013 10:57 AM
    Monday, January 21, 2013 10:57 AM