ADFS 3.0 SQL Merge Replication

  • Question

  • Hello,

    I am running ADFS 3.0 across multiple datacenters, and trying to implement the SQL geo-redundancy. 

    Configuration per datacenter, on active-active with F5 load balancing:

    • F5 LB
    • 2 WAP
    • F5 LB
    • 2 ADFS
    • MS SQL server on Merge replication (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server)

    So far, everything is working well except for the following aspect:

    When I set Datacenter 1 to use its corresponding SQL server, Datacenter two also picks up the configuration, so essentially I'm only using 1 active SQL server at a time. Ideally, each ADFS cluster should use the SQL in the corresponding datacenter.

    Any thoughts would be appreciated as to what is being synced that changes the configs on all datacenters from any ADFS server when setting its SQL server.

    The design is almost exactly like the Visio at the bottom of this article: https://blogs.technet.microsoft.com/askpfeplat/2014/11/23/adfs-deep-dive-planning-and-design-considerations/

    Hopefully you guys can help me see where I have a bad config. Let me know if you need more details.

    Best regards,

    Carlos

    • Edited by Iberiatum Monday, October 2, 2017 12:55 PM
    Monday, October 2, 2017 8:40 AM

Answers

  • Hi,

    So, an update on this one: I managed to figure out what was going on.

    In my scenario, we originally had a SQL cluster with the ADFS databases in one datacenter, and wanted an active-active scenario with geo-redundancy across two datacenters. We use F5 to use GTM for geo-loadbalancing internally and externally, so not all traffic goes via WAPs; our internal users attack ADFS VIP directly, externals on External go via the WAP VIP. Health checks ensure that the site is up; no advanced health checks apart from the IDP login page being present, but we're working on that.

    To achieve this, we implemented SQL Merge replication, but the ADFS servers in the new datacenter (Datacenter 2) kept pointing to Datacenter 1. Turns out, if you use an existing SQL installation, something is replicated across in the database that points them there. We removed the SQL replication, and recreated using the scripts and setting permissions, then proceeded to re-implement merge replication. Running "Get-WmiObject -namespace root/ADFS -class SecurityTokenService" now shows the ADFS servers connected on each datacenter's corresponding SQL server; we now have the ADFS datacenters geo-redundant, and operating on active-active. I expect my scenario to be a rare one, as I already had one SQL server up and implemented replication after the fact.

    The only setting that isn't geo-redundant that I can see is "artifactdbconnection", which is stored in an XML file in the SQL database, so even with geo-redundancy, ADFS will only use one location for that parameter, which is a shame.

    Also, if you're preparing a 2016 upgrade from 2012 on SQL, note that the domain admin account has to have access to the SQL database too now, not just the service account. There's a new switch in Add-ADFSFarmNode for the Installation Credentials, as well as the Service Account Credentials, which wasn't present in 2012.

    BR, Carlos

    • Marked as answer by Iberiatum Friday, October 6, 2017 9:06 AM
    Friday, October 6, 2017 9:06 AM
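
The check described in the answer, run across every farm node and compared against the SQL server each node is supposed to use. This is an added example, not code from the original thread: the node names, SQL host names and sample connection strings are hypothetical placeholders, and it reads the ConfigurationDatabaseConnectionString property of the SecurityTokenService WMI class that the answer queries.

```powershell
Add-Type -AssemblyName System.Data

# Expected SQL Server per ADFS node (hypothetical names; use the same host form as the connection strings).
$ExpectedSql = @{
    'adfs-dc1-01' = 'sql-dc1'; 'adfs-dc1-02' = 'sql-dc1'
    'adfs-dc2-01' = 'sql-dc2'; 'adfs-dc2-02' = 'sql-dc2'
}

function Get-SqlDataSource {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # Parse instead of regex-matching so key aliases (Server=, Address=) and quoting are handled.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $ConnectionString
    # Drop a tcp: prefix, port and instance name so only the host is compared.
    # A WID named-pipe source reduces to 'np:' and will therefore show up as a mismatch.
    ($b.DataSource -replace '^tcp:', '' -split '[,\\]')[0].Trim().ToLowerInvariant()
}

function Get-AdfsNodeSql {
    # Live collection: needs rights to query WMI remotely on each ADFS node.
    param([Parameter(Mandatory)][string[]]$Node)
    foreach ($n in $Node) {
        $sts = Get-WmiObject -ComputerName $n -Namespace root/ADFS -Class SecurityTokenService
        [pscustomobject]@{ Node = $n; ConnectionString = $sts.ConfigurationDatabaseConnectionString }
    }
}

function Test-AdfsSqlAffinity {
    param([Parameter(Mandatory)][hashtable]$Expected,
          [Parameter(Mandatory)][object[]]$Observed)
    foreach ($o in $Observed) {
        $actual = Get-SqlDataSource $o.ConnectionString
        $want   = "$($Expected[$o.Node])".ToLowerInvariant()
        [pscustomobject]@{ Node = $o.Node; Expected = $want; Actual = $actual; Match = ($actual -eq $want) }
    }
}

# Constructed sample reproducing the symptom in the thread: a Datacenter 2 node still bound to Datacenter 1's SQL.
$sample = @(
    [pscustomobject]@{ Node = 'adfs-dc1-01'; ConnectionString = 'Data Source=sql-dc1;Initial Catalog=AdfsConfiguration;Integrated Security=True' }
    [pscustomobject]@{ Node = 'adfs-dc2-01'; ConnectionString = 'Data Source=sql-dc1;Initial Catalog=AdfsConfiguration;Integrated Security=True' }
)
Test-AdfsSqlAffinity -Expected $ExpectedSql -Observed $sample | Format-Table -AutoSize

# Against a real farm:
# Test-AdfsSqlAffinity -Expected $ExpectedSql -Observed (Get-AdfsNodeSql -Node $ExpectedSql.Keys)
```

Running it after any change to replication or after adding a farm node shows whether a datacenter has silently fallen back to the other site's SQL server, which load-balancer health checks on the sign-in page will not reveal.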