Manual Failover ADFS Setup

    Question

  • Hi, we recently implemented ADFS (WID) and have it running at one of our sites for federation of an external partner. This is all working with no problem, and I'm now looking at redundancy. 

    We do have another physical location, and my plan was to set up another ADFS implementation which I could manually fail over to via changing DNS. I know it's not the most ideal arrangement, but currently it isn't critical; as things ramp up, I would like to have some sort of redundancy. Eventually the plan is to have AD in Azure as well as ADFS.

    My questions are:

    Is it possible to set up the ADFS farm, with the new server in a new location, and have them replicate to each other? If our main site goes down, I can log into DNS and redirect our ADFS traffic to the secondary site. Will the secondary just start authenticating with little intervention?

    I've been reading that the ADFS farm has one read/write node and the rest of the nodes are read only, which is fine for our purposes; I'm just not 100% sure if it will all work as I expect.

    Thanks,

    Nathan


    Thursday, December 6, 2018 12:05 AM

Answers

  • Hello,

    In fact the main problem with manual fail over is DNS cache. Even if you modify your DNS entry, workstations may be using their own DNS cache...

    But if you want manual: ADFS relies on Windows Integrated Database (WID), where the ADFS configuration takes place.

    Only the primary ADFS server can write to the WID. The WID is replicated every 5 minutes to the other, secondary ADFS servers.

    If your primary server goes down, your secondary will work for authentication without any action (of course, as you want manual fail over, you have to redirect DNS). This secondary server has to become primary only if the ADFS config has to be changed, with

    Set-AdfsSyncProperties -Role PrimaryComputer


    Blog : itpro-tips.com
    itpro_tipscom

    • Proposed as answer by ITPro-tips Thursday, December 6, 2018 10:19 PM
    • Marked as answer by dekkaraa Thursday, December 6, 2018 11:38 PM
    Thursday, December 6, 2018 1:15 AM
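A runbook-style PowerShell sketch of the manual failover the answer describes, added here as an example; it is not code from the original thread, from the answerer's blog or from Microsoft. It assumes a two-node WID (Windows Internal Database) farm with constructed placeholder names: adfs01 is the primary at the main site and is unreachable, adfs02 at the second site runs the script, the federation service name is sts.example.com in the AD-integrated zone example.com served by dc02.example.com, and 10.20.0.10 is the surviving site's address. It uses the ADFS cmdlets Get-AdfsSyncProperties / Set-AdfsSyncProperties and the DnsServer module's Get-DnsServerResourceRecord / Set-DnsServerResourceRecord; the parameter values are the only assumptions, the cmdlets and their parameters are real.

```powershell
<#
  Added example, not code from the original thread or from Microsoft.
  Manual failover of a WID-based ADFS farm to the node at the secondary site.
  Placeholders (constructed, change for your environment):
    adfs01           - current primary at the main site, now unreachable
    adfs02           - secondary at the second site; run this script there
    sts.example.com  - federation service name (the DNS A record to repoint)
    example.com      - AD-integrated DNS zone holding that record
    dc02.example.com - a DNS server at the surviving site
    10.20.0.10       - address of the node / load balancer at the second site
  Requires the ADFS and DnsServer (RSAT DNS tools) PowerShell modules.
#>
param(
    [string]   $FederationHost   = 'sts',
    [string]   $DnsZone          = 'example.com',
    [string]   $DnsServer        = 'dc02.example.com',
    [string]   $NewPrimaryIp     = '10.20.0.10',
    [string[]] $OtherSecondaries = @(),   # further farm nodes to repoint, if any
    [int]      $RecordTtlMinutes = 5      # short TTL so the next cutover bites sooner
)

# --- 1. Inspect replication state before deciding whether to promote ---------
# A secondary keeps authenticating from its local WID copy with no action at all;
# promotion is only needed when configuration must be changed while the old
# primary is down. PollDuration is the pull interval (default 300 s = 5 min).
$sync = Get-AdfsSyncProperties
Write-Host ("Role={0} Primary={1} PollDuration={2}s LastSync={3} Status={4}" -f
    $sync.Role, $sync.PrimaryComputerName, $sync.PollDuration,
    $sync.LastSyncFromPrimary, $sync.LastSyncStatus)

if ($sync.Role -eq 'PrimaryComputer') {
    Write-Warning 'This node is already primary; nothing to promote.'
} else {
    # Anything changed on adfs01 after LastSyncFromPrimary never reached this
    # node, so record the gap; those changes must be re-applied after promotion.
    $age = (Get-Date) - $sync.LastSyncFromPrimary
    Write-Host ("Local configuration copy is {0:N0} minutes old." -f $age.TotalMinutes)

    # --- 2. Promote this node to primary (the only writer of the WID config) --
    Set-AdfsSyncProperties -Role PrimaryComputer
    Restart-Service adfssrv

    # --- 3. Point any remaining secondaries at the new primary ----------------
    foreach ($node in $OtherSecondaries) {
        Invoke-Command -ComputerName $node -ScriptBlock {
            param($primary)
            Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $primary
            Restart-Service adfssrv
        } -ArgumentList $env:COMPUTERNAME
    }
}

# --- 4. Repoint the federation service A record to the surviving site --------
# Assumes a single A record for the name; Clone() is the documented way to edit
# a DnsServerResourceRecord and hand old/new copies to Set-DnsServerResourceRecord.
$old = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $DnsZone `
        -Name $FederationHost -RRType A | Select-Object -First 1
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($NewPrimaryIp)
$new.TimeToLive = [TimeSpan]::FromMinutes($RecordTtlMinutes)
Set-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $DnsZone `
        -OldInputObject $old -NewInputObject $new
Write-Host "$FederationHost.$DnsZone -> $NewPrimaryIp (TTL $RecordTtlMinutes min)"

# --- 5. Verify before telling users to flush their caches --------------------
# Clients keep the OLD answer until its TTL expires, so the cutover is not
# instantaneous; Clear-DnsClientCache (or ipconfig /flushdns) on workstations
# shortens that window. Flush locally first so this check is not fooled too.
Clear-DnsClientCache
$answer = Resolve-DnsName -Name "$FederationHost.$DnsZone" -Type A -Server $DnsServer
if ($answer.IPAddress -notcontains $NewPrimaryIp) {
    throw "Authoritative server $DnsServer still returns $($answer.IPAddress -join ',')"
}
$probe = Test-NetConnection -ComputerName $NewPrimaryIp -Port 443
if (-not $probe.TcpTestSucceeded) { throw "Port 443 on $NewPrimaryIp is not reachable" }
Write-Host 'Failover complete: DNS repointed and the surviving site answers on 443.'
```

Step 2 is deliberately skipped when no configuration change is pending: as the answer says, the secondary authenticates from its replicated copy without being promoted, and promoting it only matters if relying-party trusts or other settings must be edited while the main site is down. Step 1 also shows why the 5-minute PollDuration matters for a manual design: whatever was changed on the old primary after LastSyncFromPrimary is simply absent at the second site.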

All replies

  • Hi, thanks for the confirmation. The DNS cache will be a pain, but at least it's something we have. Our office isn't large, so manually flushing DNS is doable.

    Thanks again.

    Thursday, December 6, 2018 11:39 PM