Move ADFS from on-premise to Azure questions

  • Question

  • Hello!

    I'm in the process of migrating our ADFS servers to a new version and moving them to Azure.

    Currently I have 1 ADFS and 1 WAP server on-prem.


    I need to move this configuration to Azure with no (or minimal) downtime to users.

    My plan is:

    1. Deploy the 1st ADFS server in Azure for redundancy; the main question is how to load-balance it with the on-prem server. As I understand it, I can't use the Internal Azure Load Balancer for this.

    2. Deploy the 2nd ADFS server in Azure and make one of the Azure ADFS servers the primary server.

    3. Make the forest/domain level upgrade and delete the old ADFS server.

    4. Deploy the 1st and 2nd WAP servers with external load balancing.

    5. Change the DNS records to point to the new external load balancing.


    Can anybody comment on my scenario and make any suggestions?

    Thanks!



    Tuesday, January 2, 2018 3:03 PM

All replies

  • Hello,

    By migration to Azure, I am assuming Azure VMs as IaaS.

    1. Deploy the 1st ADFS server in Azure for redundancy; the main question is how to load-balance it with the on-prem server. As I understand it, I can't use the Internal Azure Load Balancer for this.

    You will need to add this as an additional server to the AD FS farm. Once this is done, you can configure your ADFS service name with DNS round robin or a third-party tool such as F5. I am assuming here that you have S2S VPN connectivity in place between your on-prem and Azure.

    Just a thought: if you want to consider making your deployment HADR, then put the servers in different Azure regions and use Traffic Manager.


    Isaac Oben MCITP:EA, MCSE, MCC. View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard

    Wednesday, January 3, 2018 5:33 AM
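    The farm join, DNS round robin and later primary-role change that this reply describes, as an added PowerShell example (not code from the thread or from Microsoft documentation). It assumes a WID-based farm with placeholder names: ADFS01 (on-prem, current primary), ADFS02 (new Azure VM joined to the domain over the S2S VPN), service name sts.contoso.com in zone contoso.com, a gMSA CONTOSO\adfsgmsa$ and a PFX at C:\certs\sts-contoso-com.pfx; replace every one of these with your own values.

    ```powershell
    # Added example, not from the thread. Placeholder hostnames, zone, gMSA and
    # PFX path are assumptions; substitute your own.

    # --- Run on ADFS02 (the new Azure VM) ---
    # 1. The service communication certificate must be the same on every farm
    #    node, so import the PFX exported from ADFS01 and keep its thumbprint.
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
    $cert = Import-PfxCertificate -FilePath 'C:\certs\sts-contoso-com.pfx' `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

    # 2. Install the role and join the existing farm as a secondary node.
    Install-WindowsFeature ADFS-Federation -IncludeManagementTools
    Add-AdfsFarmNode -PrimaryComputerName 'ADFS01.contoso.com' `
        -CertificateThumbprint $cert.Thumbprint `
        -GroupServiceAccountIdentifier 'CONTOSO\adfsgmsa$' `
        -Credential (Get-Credential -Message 'Domain account allowed to join the farm')

    # 3. Verify the node sees ADFS01 as primary; WID secondaries pull the
    #    configuration from the primary on a schedule (5 minutes by default).
    Get-AdfsSyncProperties

    # --- Run on a domain DNS server ---
    # 4. DNS round robin: two A records for the same name. A short TTL lets you
    #    pull a node out quickly, because round robin itself does no health check.
    $ttl = New-TimeSpan -Minutes 5
    Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'sts' `
        -IPv4Address '10.0.1.10' -TimeToLive $ttl   # ADFS01, on-prem (placeholder)
    Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'sts' `
        -IPv4Address '10.1.0.10' -TimeToLive $ttl   # ADFS02, Azure VNet (placeholder)
    Resolve-DnsName 'sts.contoso.com' -Type A      # both addresses should be returned

    # --- Later, when the Azure node should become primary (step 2 of the plan) ---
    # 5. On ADFS02:
    Set-AdfsSyncProperties -Role PrimaryComputer
    # 6. On ADFS01 and any other remaining secondary:
    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName 'ADFS02.contoso.com'
    ```

    Two things to check before relying on this: the round-robin record keeps handing out the address of a node that is down, so remove a node's A record before you take it offline; and changing the primary only matters for WID farms (a SQL-backed farm has no primary role), so run step 5 and 6 only after ADFS02 shows a successful sync.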
  • Thanks, Isaac!

    Soon it is my goal to implement ADFS in 2 regions, but for now I'm looking for ways to switch it over without problems for users.



    Wednesday, January 3, 2018 9:13 AM
    I'd agree with Isaac that you will need to consider DNS-based round robin. You can actually use Traffic Manager for this purpose (obviously you'd need to point it to the public IP addresses of the WAP servers on-premises and in Azure). As Isaac pointed out, you will need either S2S VPN or ExpressRoute to provide cross-premises connectivity in order to extend your AD to the Azure VNet hosting the AD FS VM.

    The migration process is actually described in quite a detailed manner at:

    https://msdn.microsoft.com/library/azure/jj156090.aspx#BKMK_WhyADFS

    hth
    Marcin

    Wednesday, January 3, 2018 1:37 PM
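    The Traffic Manager setup this reply suggests, as an added example (not code from the thread, and written against the current Az PowerShell module rather than the AzureRM module of the time). It assumes placeholder values: resource group rg-adfs, profile adfs-tm with DNS label adfs-contoso-tm, public WAP addresses 203.0.113.10 (on-prem) and 198.51.100.10 (Azure), an Azure DNS zone contoso.com in resource group rg-dns, and the public service name sts.contoso.com; replace them with your own.

    ```powershell
    # Added example, not from the thread. All names, addresses and regions below
    # are placeholders.
    Connect-AzAccount

    # Priority routing sends everything to the on-prem WAP while its probe passes and
    # fails over to the Azure WAP only when it does not, which suits a staged move.
    # Swap the priorities to make Azure primary, or use Weighted to share load.
    # /adfs/probe is the unauthenticated health endpoint WAP (and AD FS) serve on
    # port 80 for load balancers, so the probe needs no certificate or SNI handling.
    New-AzTrafficManagerProfile -Name 'adfs-tm' -ResourceGroupName 'rg-adfs' `
        -TrafficRoutingMethod Priority -RelativeDnsName 'adfs-contoso-tm' -Ttl 30 `
        -MonitorProtocol HTTP -MonitorPort 80 -MonitorPath '/adfs/probe'

    # External endpoints are the public IPs of the WAP servers, as the reply notes;
    # Traffic Manager cannot address private VNet or on-prem addresses.
    New-AzTrafficManagerEndpoint -Name 'wap-onprem' -ProfileName 'adfs-tm' -ResourceGroupName 'rg-adfs' `
        -Type ExternalEndpoints -Target '203.0.113.10' -EndpointStatus Enabled `
        -Priority 1 -EndpointLocation 'West Europe'
    New-AzTrafficManagerEndpoint -Name 'wap-azure' -ProfileName 'adfs-tm' -ResourceGroupName 'rg-adfs' `
        -Type ExternalEndpoints -Target '198.51.100.10' -EndpointStatus Enabled `
        -Priority 2 -EndpointLocation 'North Europe'

    # Confirm both endpoints are reported Online before touching public DNS.
    (Get-AzTrafficManagerProfile -Name 'adfs-tm' -ResourceGroupName 'rg-adfs').Endpoints |
        Select-Object Name, Priority, EndpointStatus, EndpointMonitorStatus

    # Public DNS cut-over (step 5 of the plan): CNAME the service name to the
    # Traffic Manager name. The host name users see does not change, so the TLS
    # certificate on both WAP servers stays the same.
    New-AzDnsRecordSet -Name 'sts' -RecordType CNAME -ZoneName 'contoso.com' `
        -ResourceGroupName 'rg-dns' -Ttl 300 `
        -DnsRecords (New-AzDnsRecordConfig -Cname 'adfs-contoso-tm.trafficmanager.net')
    ```

    Two caveats a practitioner should check: the on-prem firewall must allow inbound port 80 from the Traffic Manager probe source addresses to the WAP, or the endpoint will show Degraded and all traffic will fail over; and because Traffic Manager is DNS-based, a cut-over takes effect only as client and resolver caches expire, so lowering the TTL of the existing sts record well before the switch is what keeps user-visible downtime minimal.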