Live migration of ADFS federation server

  • Question

  • Hello all,

    Is it supported to live migrate any ADFS server? We have 2 ADFS proxies in our DMZ and 2 ADFS federation servers internal. Both sets are separately load balanced by a KEMP load balancer. I am not sure if the time-out generated by the live migration would cause issues for clients.

    Tuesday, December 1, 2015 12:49 PM

Answers

  • There is no specific guidance for ADFS and virtual servers.

    ADFS is a web service. So there is an HTTP session. But most browsers will retry automatically if there is a short network glitch.

    ADFS can also be a SQL server (well SQL Express) if WID is installed. And according to the documentation of SQL, Live Migration is a possibility: https://technet.microsoft.com/en-us/library/ff898403(v=sql.105).aspx

    So I'd say why not :)


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, December 17, 2015 11:24 PM
  • I second that motion :-) If your load balancers are probing at L7 then they should monitor any prospective outage that arises out of a live migration should the node be deemed down. Lync, while an example, is not a good comparison to AD FS, since there's no real-time communication to speak of (RTC), audio/video conf. Instead we're dealing with simpler web services endpoints as Pierre mentioned.

    http://blog.auth360.net

    Saturday, December 19, 2015 10:52 PM

All replies

  • Since you have 2 ADFS servers, nothing prevents you from turning off one node (after taking it out of the HLB), migrating it and turning it back on (and adding it back to the HLB). Then no issue :)

    Wednesday, December 2, 2015 5:44 PM
  • Hello Pierre, that is actually the point. If it is possible, I want to use live migration. :-) But thanks for taking the time to respond.
    Thursday, December 3, 2015 5:59 AM
  • I am not sure I understand. The farm of ADFS servers is here for two things: active load balancing and giving the ability to bring a node down without service interruption. The point of Live Migration is to minimize service disruption, which is already taken care of in your environment by your HLB. So yes, why not, go for it. I am not sure how the Live Migration behaves when it fails and tries to set everything back like it was before; that needs to be discussed with the folks of the virtualization platform, I'm afraid... Sorry if that doesn't help :(

    Friday, December 4, 2015 3:14 PM
  • Hi Pierre,

    True, but the reason we want to do this is because we need to shut down machines that cannot be migrated in order to bring a Hyper-V host down. We want to minimize the number of machines we need to bring down. Nowadays we have so many machines running on our Hyper-V clusters that we need to keep a record of which machines to bring down when a host needs to be shut down. With, say, 250+ machines and 3 people for administration, no one knows every machine role off the top of their heads.

    Monday, December 7, 2015 6:16 AM
  • Hi Niels,

    Live migration may introduce a hiccup, as you fear, that leads to service interruption. That's more an observation of how your infrastructure works (something that can't be qualified here) and how quickly cutover can potentially occur, rather than an AD FS specific thing that can be answered by a simple "yes".

    Rather, as Pierre mentioned, and depending on how the Kemp load balancer (assuming it's configured correctly) coalesces the services concerned, it should mark the services down when they're taken offline. On the backend load balancer this can be done by probing the /adfs/probe endpoint. On the front-end, it depends on how you are monitoring the health of the WAP nodes via the appropriate load balancer.

    As an aside, are you publishing anything via the WAP on-premise or is it just the O365 relying parties proxied to the AD FS backend?


    http://blog.auth360.net



    Wednesday, December 16, 2015 12:08 AM
  • Hello Mylo,

    Thanks for your time to post a reaction. My question is not so much about the load balancer, but more about how ADFS connections cope with the effect of the brief service interruption of the live migration. My load balancer is operating at layer 7 and failover works fine, but my question is more about whether clients will notice it if I live migrate a virtual machine. Maybe to clarify it, I will give some comparisons to other products:

    Lync: Live Migration of a front-end server is not supported, because according to Microsoft, "there are technical challenges with redirecting real-time media traffic without an interruption that can be detected by users".

    Refer to https://www.microsoft.com/en-us/download/confirmation.aspx?id=41936

    I am looking for advice on this topic for ADFS, because I cannot find any information from Microsoft on TechNet regarding this subject.

    By the way, we do not publish anything on-premise other than O365.

    Thursday, December 17, 2015 6:35 AM
  • Hi Pierre,

    Thanks for the answer. That is exactly what I was looking for! I couldn't find it anywhere in the TechNet Library. Also, the addition regarding HTTP/browsers that keep retrying is valuable. Thanks a bunch!

    Monday, December 21, 2015 6:26 AM