Windows AD, ADFS and O365

  • Question

  • Hi,

    We currently have a scenario with two sites (the live office and a redundancy office for disaster recovery). We replicate all important VMs and data daily to the offsite office so in case something happens, we can easily be up and running again.

    Now we are planning to move to O365, also using SSO so users will not be asked for their credentials every time they need to log in. The challenge we are facing is how O365 will work with such a scenario. I mean, if we cut off the live office and turn on the recovery office, the AD will be the one of the previous day. How will O365 tell that the second AD is genuine?

    Because of license costs, we cannot afford to have two sites running at the same time. We only can have the main office working and switch on the recovery office only for testing and disaster recovery.

    Any help will be appreciated!


    Tuesday, January 26, 2016 8:09 AM

Answers

  • You can have SSO by using ADFS and configure the load balancer so that it can redirect the second site if the primary site is down.

    In your second site, you need to have at least one DC/DNS/GC server and one ADFS server. The failover mechanism depends on the load balancer itself.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    Tuesday, January 26, 2016 10:14 AM
  • Typically this is done by having parallel AD FS infrastructure in both locations. You would then use a site-aware load balancer (DNS based generally) to direct clients to the active location(s). Citrix and F5 make these, or you could look at using Azure Traffic Manager if you don't have a hardware solution already.

    Thanks,
    Brian

    Tuesday, January 26, 2016 3:30 PM
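    To put a concrete check behind the "parallel AD FS infrastructure in both locations" advice above, here is an added example (my own, not code from any poster in this thread). The point it illustrates is how Office 365 decides whether a federation server is "genuine": Azure AD does not look at the Active Directory behind AD FS at all. It sends users to the federation endpoint recorded for the domain and accepts tokens whose issuer URI and signature match the issuer URI and token-signing certificate recorded when the domain was federated. So the DR farm is trusted if, and only if, it answers on the same federation service name, publishes the same issuer URI and signs with a certificate Azure AD already knows. Both farms publish exactly that information in FederationMetadata.xml, so the pre-failover test is to compare the two documents against the thumbprint the cloud holds. The metadata documents, certificate bytes and thumbprint below are constructed stand-ins; in a real environment the cloud-side value comes from the SigningCertificate field of Get-MsolDomainFederationSettings and the two XML files are fetched from each site's /FederationMetadata/2007-06/FederationMetadata.xml.

```python
"""Pre-failover check: will Office 365 / Azure AD trust the DR AD FS farm?

Azure AD trusts a federated domain by (issuer URI, token-signing certificate),
not by the AD forest behind it.  Compare what the live and DR farms publish in
FederationMetadata.xml with the certificate thumbprint the cloud holds.
All sample data here is constructed; none of it is a real certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def thumbprint(b64_der: str) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the form the Windows
    certificate store and Get-MsolDomainFederationSettings display."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha1(der).hexdigest().upper()


def parse_metadata(xml_text: str):
    """Return (issuer URI, set of signing-cert thumbprints).

    Every KeyDescriptor use="signing" is collected: during AD FS certificate
    rollover the farm publishes the old and the new certificate together."""
    root = ET.fromstring(xml_text)
    issuer = root.get("entityID")
    thumbs = set()
    for kd in root.iterfind(".//md:KeyDescriptor[@use='signing']", NS):
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            thumbs.add(thumbprint(cert.text))
    return issuer, thumbs


def failover_problems(live_xml: str, dr_xml: str, cloud_thumbprint: str):
    """Reasons the DR farm would NOT be trusted by Azure AD (empty = OK)."""
    live_issuer, live_thumbs = parse_metadata(live_xml)
    dr_issuer, dr_thumbs = parse_metadata(dr_xml)
    problems = []
    if dr_issuer != live_issuer:
        problems.append(f"issuer mismatch: live={live_issuer} dr={dr_issuer}")
    if cloud_thumbprint not in live_thumbs:
        problems.append("live farm no longer publishes the cert Azure AD trusts")
    if cloud_thumbprint not in dr_thumbs:
        problems.append("DR farm does not publish the cert Azure AD trusts")
    return problems


# --- constructed sample data (hypothetical names, not real certificates) ---
ISSUER = "http://sts.contoso.com/adfs/services/trust"
CERT_CURRENT = base64.b64encode(b"constructed DER bytes: current signing cert").decode()
CERT_OLD = base64.b64encode(b"constructed DER bytes: pre-rollover signing cert").decode()
# What Azure AD holds for the domain; in reality taken from the
# SigningCertificate value of Get-MsolDomainFederationSettings.
CLOUD_THUMBPRINT = thumbprint(CERT_CURRENT)


def metadata(issuer: str, cert_b64: str) -> str:
    """Minimal FederationMetadata.xml with one STS role and one signing cert."""
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="{issuer}">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert_b64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>"""


LIVE = metadata(ISSUER, CERT_CURRENT)
# Second node of the same farm, or a replica taken after the last rollover.
DR_SAME_FARM = metadata(ISSUER, CERT_CURRENT)
# Replica taken before the automatic certificate rollover: stale signing cert.
DR_STALE_REPLICA = metadata(ISSUER, CERT_OLD)
# A DR farm built under its own service name is a different issuer.
DR_OWN_NAME = metadata("http://sts-dr.contoso.com/adfs/services/trust", CERT_CURRENT)

if __name__ == "__main__":
    for name, dr_xml in [("same farm", DR_SAME_FARM),
                         ("stale replica", DR_STALE_REPLICA),
                         ("own service name", DR_OWN_NAME)]:
        print(f"{name}: {failover_problems(LIVE, dr_xml, CLOUD_THUMBPRINT) or 'OK'}")
```

    The two failing cases are the ones a daily-replica DR design can actually produce: a replica that predates the AD FS token-signing certificate rollover, and a DR farm that was built with its own federation service name instead of answering on the live name that DNS fails over. Neither is caught by checking that the DR domain controller boots, which is why this belongs in the DR test plan alongside the load-balancer failover.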

All replies

  • Hello,

    I think the best option is to have at least one domain controller online (working and replicating with other DCs) all the time in the disaster recovery site. All other machines can be replicated by using, e.g., Hyper-V Replica.


    Tuesday, January 26, 2016 8:30 AM
  • Hi

    Like Robert says, it's crucial to operate a second domain controller just for the sake of disaster recovery. For that reason I'd say an active one needs to be included in the DR budget, otherwise DR is not complete.

    However, when you say you're migrating to Office 365 with SSO enabled, you probably have Azure AD Connect in place. So depending on how you work (only cloud resources), it may already be enough to sustain a disaster scenario. But if you're talking about a hybrid environment where you need on-prem resources switched over to the disaster recovery site to ensure business continuity, you'd anyway also need an ADFS infrastructure for SSO of Office 365 with on-prem credentials. This can be protected with Hyper-V Replica just as Robert mentioned.

    Good Luck

    Lyndon


    Lyndon Frei innobit ag, Basel, Switzerland

    Tuesday, January 26, 2016 10:04 AM