Making AD FS Highly Available for the NEW Office 365

Since we configured AD FS as a farm, making the solution highly available is relatively straightforward: we add another server to the farm, then load balance the servers through hardware or software. This will be a two-part post; the first part covers adding another server to the AD FS farm and the second part details how to load balance those servers.


Prepare the Server for AD FS


We are going to jump between a few of my other posts to prepare the server. Sorry, but I am too lazy to re-write the content.

  1. Domain join the new AD FS server
  2. Use Prepare the Local AD FS Server and complete the following sections:
    1. Install AD FS Server Role
    2. Install Sign-in Assistant
    3. Install the Windows Azure Active Directory Module for Windows PowerShell
  3. Follow the instructions and import and assign the certificate on the new AD FS server

This will get us to the point where we can add the AD FS server to the existing AD FS farm.


Method 1 – Adding a Server to an AD FS farm with the AD FS Configuration Wizard


  1. Log in to the server that you just prepared for AD FS with an administrative account
  2. Open Server Manager
  3. Click Tools
  4. Click AD FS Management
  5. Click AD FS Federation Server Configuration Wizard
  6. Walk through the wizard and the second server is added.


Method 2 – Adding a Server to an AD FS Farm from the Command Prompt


  1. Log in to the server that you just prepared for AD FS with an administrative account
  2. Get the thumbprint of the certificate that you imported on the AD FS server. It is listed in the certificate's details.
  3. Open a Command Window as an Administrator
  4. Change the directory to the path where AD FS 2.0 was installed:
    1. Windows Server 2008: C:\Program Files\Active Directory Federation Services 2.0
    2. Windows Server 2012: C:\Windows\ADFS
  5. Add the server with FsConfig.exe (replace the placeholders in angle brackets; the thumbprint is quoted because it contains spaces):

FsConfig.exe JoinFarm /PrimaryComputerName <PRIMARY AD FS SERVER> /ServiceAccount <DOMAIN>\<SERVICE ACCOUNT> /ServiceAccountPassword <PASSWORD> /CertThumbprint "ff eb 43 bb 8b f9 34 56 4b 45 ec 6f 53 bb 99 7f bf 48 7e"

Now we have the second AD FS server added to the AD FS farm.
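The following script is an added example and is not part of the original post: it performs steps 2, 4 and 5 of Method 2 in one go, reading the thumbprint from the local machine certificate store instead of retyping it, picking the FsConfig.exe path for the Windows Server version, and prompting for the service account password. The farm name, primary server name and service account name (svc_adfs) are assumed values for the lab in this post.

```powershell
# Added example, not from the original post: join a prepared server to an existing
# AD FS 2.0 farm with FsConfig.exe. Names below are assumptions for this lab.
param(
    [string]$FarmName       = 'sts.office365supportlab.com',   # subject (CN) of the farm SSL certificate
    [string]$PrimaryServer  = 'FS01.office365supportlab.com',  # existing primary federation server
    [string]$ServiceAccount = 'OFFICE365SUPPORTLAB\svc_adfs'   # assumed AD FS service account name
)

# Step 2: find the certificate imported for the farm name (with its private key)
# and read the thumbprint from it. Prefer the longest-lived one if several exist.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FarmName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$FarmName in LocalMachine\My" }

# FsConfig.exe is shown in the post with the thumbprint as space-separated hex
# pairs, so convert the store's compact form ("FFEB43...") to that layout.
$thumb = ($cert.Thumbprint -replace '(..)(?!$)', '$1 ').ToLower()

# Step 4: locate FsConfig.exe using the two install paths given in the post.
$candidates = @(
    'C:\Program Files\Active Directory Federation Services 2.0\FsConfig.exe',  # Windows Server 2008 / 2008 R2
    'C:\Windows\ADFS\FsConfig.exe'                                             # Windows Server 2012
)
$fsConfig = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $fsConfig) { throw 'FsConfig.exe not found; install the AD FS 2.0 server role first' }

# Prompt for the service account password instead of hard-coding it in the script.
$cred     = Get-Credential $ServiceAccount
$password = $cred.GetNetworkCredential().Password

# Step 5: join the farm. $thumb contains spaces, so PowerShell passes it as one quoted argument.
& $fsConfig JoinFarm `
    /PrimaryComputerName $PrimaryServer `
    /ServiceAccount $cred.UserName `
    /ServiceAccountPassword $password `
    /CertThumbprint $thumb
if ($LASTEXITCODE -ne 0) { throw "FsConfig.exe JoinFarm failed with exit code $LASTEXITCODE" }

# Confirm the AD FS 2.0 Windows Service (adfssrv) is running on the new node.
Get-Service adfssrv | Select-Object Name, Status
"Joined $env:COMPUTERNAME to the farm of $PrimaryServer using certificate $thumb"
```

FsConfig.exe takes the service account password as a plain command-line argument, so it is visible in process listings and command-line auditing while the tool runs; that is the trade-off against the wizard in Method 1, which prompts for it.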


Network Load Balance the AD FS Servers in the Farm

Now that we have two servers in the AD FS farm, we still have to load balance them. In an enterprise production environment, I always recommend that you use a hardware-based load balancing solution. In non-production and small to medium organizations you can use Windows Network Load Balancing (NLB). Regardless of the load balancing solution, you need to make sure that you are load balancing TCP 443 to the AD FS farm name.

NLB Cluster Name – sts.office365supportlab.com

Nodes – FS01.office365supportlab.com, FS02.office365supportlab.com


If you need help configuring Windows NLB, please use Configuring Windows NLB for AD FS 2.0.


DNS Configuration

Since we are now using network load balancing, we need to make sure that the A record for sts.office365supportlab.com is updated with the IP address that you assigned as the VIP of the NLB cluster.

| Type | Name                         | IP        |
|------|------------------------------|-----------|
| A    | sts.office365supportlab.com  | 10.0.0.20 |
| A    | fs01.office365supportlab.com | 10.0.0.14 |
| A    | fs02.office365supportlab.com | 10.0.0.17 |
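The check below is an added example, not part of the original post. It covers both the load balancing requirement (TCP 443 to the farm name) and the DNS requirement above: it resolves the farm name and compares it with the VIP, then opens a TLS connection on 443 to the VIP and to each node individually, checks that the certificate presented is issued to the farm name, and requests the AD FS federation metadata document with the farm name in the Host header. The names and addresses are the lab values from the table above.

```powershell
# Added example, not from the original post: verify DNS, NLB and TLS for the farm.
$FarmName    = 'sts.office365supportlab.com'
$ExpectedVip = '10.0.0.20'                                      # VIP assigned to the NLB cluster
$Nodes       = 'fs01.office365supportlab.com', 'fs02.office365supportlab.com'

function Test-AdfsEndpoint {
    # Connect to one target on TCP 443, inspect the server certificate and fetch the
    # federation metadata the way a client would, with the farm name as host name.
    param([string]$Target, [string]$FarmName)
    $r = New-Object PSObject -Property @{
        Target = $Target; TcpOpen = $false; CertSubject = $null; CertMatchesFarm = $false; HttpStatus = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Target, 443)
        $r.TcpOpen = $true
        # Accept any certificate at handshake time; the subject is checked explicitly below
        # so that a node presenting the wrong certificate is reported rather than hidden.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $cb
        $ssl.AuthenticateAsClient($FarmName)          # host name sent is the farm name, as a browser would
        $r.CertSubject     = $ssl.RemoteCertificate.Subject
        $r.CertMatchesFarm = [bool]($r.CertSubject -match ("CN=" + [regex]::Escape($FarmName)))
        # AD FS 2.0 publishes its metadata at this fixed path; the Host header must be the farm name.
        $req   = "GET /FederationMetadata/2007-06/FederationMetadata.xml HTTP/1.1`r`nHost: $FarmName`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($req)
        $ssl.Write($bytes, 0, $bytes.Length); $ssl.Flush()
        $reader = New-Object System.IO.StreamReader -ArgumentList $ssl
        $r.HttpStatus = $reader.ReadLine()             # e.g. "HTTP/1.1 200 OK"
    } catch {
        $r.HttpStatus = $_.Exception.Message
    } finally {
        $client.Close()
    }
    $r
}

# DNS: the farm name must resolve to the NLB VIP, not to an individual node.
$resolved = [System.Net.Dns]::GetHostAddresses($FarmName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
$dnsState = if ($resolved -contains $ExpectedVip) { 'OK' } else { 'MISMATCH' }
"DNS: $FarmName -> $($resolved -join ', ') (expected VIP $ExpectedVip): $dnsState"

# TLS/HTTP: the VIP first, then each node directly. Probing nodes individually shows
# whether a failure seen on the VIP is one node or the load balancer itself.
@($ExpectedVip) + $Nodes |
    ForEach-Object { Test-AdfsEndpoint -Target $_ -FarmName $FarmName } |
    Format-Table Target, TcpOpen, CertMatchesFarm, CertSubject, HttpStatus -AutoSize
```

A node that answers on 443 but reports CertMatchesFarm as false is the usual sign that the certificate was imported but not assigned on that server (the certificate section of the preparation steps), and a 404 on the metadata path from one node but not the other usually means the AD FS role is installed but the server has not joined the farm.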


Getting to know the NEW Office 365

  1. Does Microsoft have FREE training for the NEW Office 365?
  2. Signing up for the NEW Office 365
  3. Adding and Verifying a Domain for the NEW Office 365
  4. Creating Cloud Users for the NEW Office 365
  5. Configuring Desktops for the NEW Office 365
  6. Exchange 2003 Cutover Migration to the NEW Office 365
  7. Exchange 2007 Cutover Migration to the NEW Office 365
  8. Setting up AD FS and Enabling Single Sign-On to the NEW Office 365
  9. Setting up AD FS Proxy Servers for Single Sign-On to the NEW Office 365
  10. Setting up Directory Synchronization with the NEW Office 365
  11. Activating and Licensing a Synchronized User in the NEW Office 365
  12. Testing Single Sign-on to the NEW Office 365
  13. Making the Single Sign-On Solution Highly Available
  14. Exchange Hybrid Deployment with the NEW Office 365

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP



9 thoughts on “Making AD FS Highly Available for the NEW Office 365”

  1. Chris

    Do you know when you will have the Exchange Hybrid Deployment written up? I’ve found your guides very useful :)

  2. Michal Necas

    Hello,

    first of all – really nice and helpful guides!! 😉

    Please, is there any easy way to make it HA across two different geo-locations (cities)? Because, as has been written/said many times, SSO (ADFS + ADFS proxy) is the weakest point of the whole solution. It means that in case of a failure nobody is able to log in to Office 365 :-(

    The AD FS proxy and AD FS internal cluster are clear to me. But we still sometimes face issues with the ISP. Is there something like two AD FS Proxy servers in two different locations, where each location connects to its internal ADFS (or a member of the cluster which communicates across a VPN)?

    Many thanks

    1. Kelsey Epps (post author)

      It starts to get really complicated when you do that. Currently Windows NLB cannot do this, so you would have to go to hardware NLB.

      You can also look at hosting your servers in Azure. They have an SLA-backed uptime.

      The other option that you have is to enable password sync with DirSync and, if the ADFS servers go down, flip the domain back to standard and have your users log in with cloud accounts. When ADFS is back up and running, flip back to federated.
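The script below is an added example and is not from the post or its comments; it is one way to carry out the fallback described in the reply above with the Windows Azure Active Directory Module for Windows PowerShell. It saves the domain's federation settings to a file, switches the domain to standard (managed) sign-in while the AD FS farm is down, and restores federation from the saved file afterwards, so neither direction needs to contact AD FS. The domain name is the lab value from the post; the settings file path is an assumed placeholder, and password sync with DirSync is assumed to be already running so that the synchronized passwords work for cloud sign-in.

```powershell
# Added example, not from the post or its comments: flip a domain between
# federated and standard sign-in while AD FS is unavailable.
param(
    [Parameter(Mandatory=$true)][ValidateSet('ToStandard','ToFederated')][string]$Mode,
    [string]$Domain       = 'office365supportlab.com',            # lab domain from the post
    [string]$SettingsFile = 'C:\Temp\federation-settings.xml'     # assumed path for the saved settings
)

Import-Module MSOnline
Connect-MsolService   # prompts for a tenant global administrator credential

$before = (Get-MsolDomain -DomainName $Domain).Authentication
"Before: $Domain is $before"

switch ($Mode) {
    'ToStandard' {
        if ($before -ne 'Federated') { throw "$Domain is not federated; nothing to flip" }
        # Keep a copy of the federation settings (issuer URI, sign-in/sign-out URIs, signing
        # certificate); they are needed to restore the trust without talking to AD FS.
        Get-MsolDomainFederationSettings -DomainName $Domain | Export-Clixml -Path $SettingsFile
        # Set-MsolDomainAuthentication changes only the Office 365 side, so it works while
        # the farm is unreachable. Users then sign in with the password DirSync synchronized.
        Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
    }
    'ToFederated' {
        if ($before -ne 'Managed') { throw "$Domain is not managed; nothing to flip" }
        if (-not (Test-Path $SettingsFile)) { throw "No saved federation settings at $SettingsFile" }
        $s = Import-Clixml -Path $SettingsFile
        # Restore federation from the saved values so the domain points back at the farm.
        Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated `
            -IssuerUri $s.IssuerUri -FederationBrandName $s.FederationBrandName `
            -PassiveLogOnUri $s.PassiveLogOnUri -ActiveLogOnUri $s.ActiveLogOnUri `
            -LogOffUri $s.LogOffUri -MetadataExchangeUri $s.MetadataExchangeUri `
            -SigningCertificate $s.SigningCertificate
    }
}

$after = (Get-MsolDomain -DomainName $Domain).Authentication
"After: $Domain is $after"
```

The saved settings include the AD FS token-signing certificate, so if that certificate rolled over while the farm was down, run Set-MsolADFSContext against the primary server and then Update-MsolFederatedDomain for the domain once AD FS is back, which refreshes the certificate from the farm.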