ADFS 3.0 & WAP: DNS round robin

  • Question

  • Dear,

    A few months ago I've installed ADFS 3.0 & WAP (in the DMZ zone) for authentication to Office365.
    This setup works very well.

    For redundancy purposes, I've installed a secondary ADFS & WAP on another (physical) location.
    Both locations have their own domain controller (replicating every 180 minutes) and, as from now, their own ADFS 3.0 & WAP.
    The additional ADFS is running & WAP configuration is completed. I didn't change the DNS records yet, so they are not live.

    I tried to deploy Windows NLB but this is impossible in this setup:
    - Both locations are physically separated.
    - At each site, they use another subnet. There is an IPsec tunnel between both physical sites to do the replication and other ethernet traffic.
    - Adapting the network configuration is a lot of work: VoIP, RDS, proprietary (production) systems and so on. It would take a few days to change the whole network configuration, with a lot of end user impact.
    - So in my setup, I'm unable to use NLB (please correct me if I'm wrong).

    As an alternative, I would use DNS round robin for the ADFS & WAP redundancy. I can also set the TTL very short to adapt the A record for ADFS manually in case of failover.

    Is this a good approach? What will be the end user experience when there is one site down (for example: physical server is unable to boot for some reason)?
    Will Outlook & ActiveSync automatically look for the second A record in the DNS round robin setup?

    For ISP reasons, I'm unable to use BGP in this setup.

    Kind Regards,


    Saturday, January 9, 2016 8:26 PM

All replies

  • As you pointed out, the issue with round robin is the cache. As long as the client has the record cached in its resolver's cache, the access will be broken.

    Ideally you would have probing on top of your DNS to make sure the backend is healthy. You can look at this: in Windows Server 2016, DNS policies will enable you to redirect clients to the healthiest backend.

    For the Internet part of it you can look at Azure Traffic Manager: you can do a round robin with a health check this way too.

    Keep us posted on what you go for!

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, January 11, 2016 2:44 PM
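One way to combine the short-TTL A record approach from the question with the health probing suggested in the reply is a scheduled script that publishes only WAPs that answer their probe. This is an added example, not code from the thread; it assumes the public zone is hosted on a Windows DNS server you can manage with the DnsServer module, that each WAP answers the ADFS 2012 R2 probe endpoint `http://<ip>/adfs/probe` with HTTP 200, and the zone name, host name, DNS server and IP addresses are placeholders.

```powershell
# Added example: probe-driven A record maintenance for a DNS round robin ADFS/WAP pair.
# Assumptions (placeholders): zone example.com on dns01.example.com, federation
# service name sts.example.com, one WAP per site at the two IPs below.
$ZoneName  = 'example.com'
$HostName  = 'sts'                                  # sts.example.com
$WapIPs    = @('203.0.113.10', '198.51.100.10')     # WAP site A, WAP site B
$DnsServer = 'dns01.example.com'
$Ttl       = New-TimeSpan -Minutes 5                # short TTL so resolvers re-query soon after a change

function Test-WapHealth {
    param([string]$Ip)
    try {
        # The WAP/ADFS probe endpoint is served over plain HTTP and is meant for load balancer checks.
        $r = Invoke-WebRequest -Uri "http://$Ip/adfs/probe" -UseBasicParsing -TimeoutSec 5
        return ($r.StatusCode -eq 200)
    } catch {
        return $false   # timeout, connection refused or non-2xx: treat that site as down
    }
}

$healthy = @($WapIPs | Where-Object { Test-WapHealth -Ip $_ })
if ($healthy.Count -eq 0) {
    # Publishing no records at all would break everyone; keep DNS as it is and alert instead.
    Write-Warning 'No WAP passed the probe; DNS left unchanged.'
    return
}

# A records currently published for the federation service name
$current = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                -Name $HostName -RRType A -ErrorAction SilentlyContinue |
             ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

# Withdraw records of WAPs that failed the probe
foreach ($ip in $current) {
    if ($healthy -notcontains $ip) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
            -Name $HostName -RRType A -RecordData $ip -Force
        Write-Output "Removed $HostName A $ip (probe failed)"
    }
}
# Publish records of healthy WAPs that are not yet in the zone
foreach ($ip in $healthy) {
    if ($current -notcontains $ip) {
        Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
            -Name $HostName -IPv4Address $ip -TimeToLive $Ttl
        Write-Output "Added $HostName A $ip"
    }
}
# Clients that already cached a withdrawn record keep using it until the TTL expires,
# which is the cache problem described in the reply above.
```

Run it from a scheduled task at an interval shorter than the TTL; the failover delay a user sees is roughly the probe interval plus the remaining TTL in their resolver's cache.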
  • I would recommend you look at KEMP’s VLM for Azure; it includes GEO load balancing and Layer 7 health checks.

    David Rendón @DaveRndn

    Tuesday, January 12, 2016 1:39 AM