Configuring Windows NLB for AD FS 2.0

When we have two or more AD FS and AD FS Proxy servers we install them into a farm configuration. Even though the AD FS servers are installed in a farm configuration, we still need to network load balance them. This can be done with hardware (recommended for large Enterprise deployments) or with software (recommended for small to medium deployments). This post will cover installing Windows Network Load Balancing on Windows Server 2012.

 

Installing Windows Network Load Balancing Feature

  1. Login to the AD FS server with an Administrative account
  2. Open Server Manager
  3. Click Manage
  4. Click Add Roles and Features
  5. Click Next

  6. Select Role-based or feature based installation
  7. Click Next

  8. Select the AD FS server from the server pool
  9. Click Next

  10. Click Next, not adding any server roles

  11. Select Network Load Balancing from Features

  12. Add the required features by clicking Add Features

  13. Click Next
  14. Click Install

  15. Let the install finish and reboot the server when completed. While you are waiting, complete the same steps on the second AD FS Server

 

Configure Windows Network Load Balancing

Once the feature has been installed on both nodes, make sure that they are both rebooted.

  1. Login to the primary AD FS server with an administrative account
  2. Open Server Manager
  3. Click Tools
  4. Click Network Load Balancing Manager

  5. Click Cluster
  6. Click New

  7. Add the primary AD FS server name
  8. Click Connect

  9. Click Next
  10. Verify that the Priority is set to 1 for the first node and verify the IP address
  11. Click Next

  12. Add and IP address (VIP) for Windows NLB to use
  13. Click Next

  14. Add the Cluster Name – Full Internet Name (matches the AD FS Farm Name)
  15. Change to Multicast
  16. Click Next

  17. Click Edit (we need to limit what we are load balancing to TCP 443)

  18. Change the port range to 443 – 443
  19. Change the protocol to TCP
  20. Click OK

  21. Click Finish

  22. The primary AD FS server is added and the NLB cluster is converged (green is good)

 

Adding the Second AD FS Server to the NLB Cluster

 

  1. While still working on the Primary AD FS server, open Network Load Balancing Manager
  2. Right click the cluster name
  3. Click Add host to cluster

  4. Enter the name for the second AD FS server
  5. Click Connect
  6. Click Next

  7. Verify the priority is set to 2
  8. Verify the IP address matches the second AD FS server
  9. Click Next

  10. Verify the port and protocol match the cluster (TCP 443)
  11. Click Finish

  12. Second AD FS Server is added and converged

 

Update DNS

Now that the AD FS Servers are load balanced, we have to update DNS. Make sure that the A record for the AD FS Farm Name is updated to match the NLB Cluster IP. This will allow for NLB to direct AD FS traffic to the two AD FS Servers.

Type Name IP
A sts.office365supportlab.com 10.0.0.20
A fs01. office365supportlab.com 10.0.0.14
A fs02. office365supportlab.com 10.0.0.17

 

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP

Email Me Follow me on Twitter Connect with me on LinkedIN Facebook Me

 

 

13 thoughts on “Configuring Windows NLB for AD FS 2.0

  1. Pingback: Configuring Windows NLB for AD FS 2.0 -

  2. Pingback: Configuring Windows NLB for AD FS 2.0 - Office 365 MVPs

  3. Asela De Costa

    HI,

    My Internal Domain Name is company.com and external domain name is domain.com.

    I’m publishing ADFS through TMG 2010 in DMZ.

    ADFS URL for both internal and external is sts.domain.com

    two Adfs servers.

    Thanks,

    As

    Reply
  4. Mike S

    How do you test that it’s working? On either of the two NLB servers I can hit the cluster name, but not from any other host; I get “Page Cannot Be Displayed”
    I can ping the cluster IP but not the ADFS SSO page.

    Reply
    1. Kelsey EppsKelsey Epps Post author

      Use a hosts file on the test workstation and point it at the the new ADFS farm while testing.

      Reply
      1. Mike S

        Thanks, I’ve discovered that it cannot be made to work on VMs on a Cisco UCS because the fabric interconnects cannot be configured with the static ARP and MAC entries required to make it function on a Cisco network.

        Reply
  5. Chris

    I tried NLB but ended up using DNS round robin. My farm (2 fs servers and 2 proxy servers, all running on Server 2008 R2) is split across two datacenters (all servers are in different subnets and the proxy servers are in different DMZs) so using a hardware load balancer (we have F5s at both datacenters) isn’t an option. We set up DNS round robin for the proxy servers and tried to set up NLB following your instructions and was able to get it working…for external clients and clients in the same subnet as the cluster VIP. Internal clients on different subnets than the cluster VIP could not connect. A little research identified several possible solutions: adding NICs to the FS servers to handle cluster traffic, adding static ARP entries on the cluster default gateway, etc.

    So, what are the advantages of NLB over DNS round robin? Is DNS round robin sufficient for HA?

    Is it worth the effort of moving the entire farm to one datacenter so I can leverage an F5? Both datacenters are connected to the same 10gig backbone and with a 1gig direct connection between them, so there’s no real advantage to placing servers in different locations.

    Should I add some NICs to the servers and try NLB again? Should I try NLB on the proxy servers?

    Thanks,
    Chris

    Reply
  6. tycoon

    I have an internal DNS: domain.local and a public domain: domain.com. NLB ist setup as sts.domain.com. How can I include an A record for this in the internal DNS? The forward lookup zone expects the fqdn extension as domain.local.

    Reply
  7. Greg Carson

    I assume this is good for 2012R2? (ADFS 3.0) Can the same be done to the 2 proxy servers for NLB?

    Reply

Leave a Reply