AD FS High Availability

Prepare the Server for AD FS

We are going to jump between a few of my other posts to prepare the server. Sorry, but I am too lazy to re-write the content.

  1. Domain join the new AD FS server
  2. Use the post Prepare the Local AD FS Server and complete the following sections:
    1. Install AD FS Server Role
    2. Install Sign-in Assistant
    3. Install the Windows Azure Active Directory Module for Windows PowerShell
  3. Follow the instructions and import and assign the certificate on the new AD FS server

This will get us to the point where we can add the AD FS server to the existing AD FS farm.

Method 1 – Adding a Server to an AD FS farm with the AD FS Configuration Wizard

  1. Login to the server that you just prepared for AD FS, with an administrative account
  2. Open Server Manager
  3. Click Tools
  4. Click AD FS Management
  5. Click AD FS Federation Server Configuration Wizard
  6. Walk through the wizard and the second server is added.

Method 2 – Adding a Server to an AD FS Farm from the Command Prompt

  1. Login to the server that you just prepared for AD FS, with an administrative account
  2. Get the thumbprint of the certificate that you imported on the AD FS server. The thumbprint is shown on the certificate itself.
  3. Open a Command Window as an Administrator
  4. Change the directory to the path where AD FS 2.0 was installed:
    1. Windows Server 2008: C:\Program Files\Active Directory Federation Services 2.0
    2. Windows Server 2012: C:\Windows\ADFS
  5. Add the server with FsConfig.exe:

FsConfig.exe JoinFarm /PrimaryComputerName PRIMARY AD FS SERVER /ServiceAccount DOMAIN\SERVICE ACCOUNT /ServiceAccountPassword PASSWORD /CertThumbprint "ff eb 43 bb 8b f9 34 56 4b 45 ec 6f 53 bb 99 7f bf 48 7e"

Now we have the second AD FS server added to the AD FS farm.
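The same join, scripted, as an added example that is not part of the original post: it looks the certificate up in the local machine store by the farm name instead of copying the thumbprint by hand, refuses a certificate without a private key or outside its validity period, prompts for the service account password rather than putting it on the command line (where it would stay in console history and show up in process command-line auditing), and then runs the FsConfig.exe JoinFarm command from Method 2. The farm name is the one used in this post; the primary server name, the service account and the Windows Server 2008 install path are placeholders and assumptions to replace.

```powershell
# Added example, not from the original post: find the AD FS certificate in the
# local machine store, take its thumbprint, and run the FsConfig.exe JoinFarm
# command from Method 2. Assumptions: the certificate was imported into
# Cert:\LocalMachine\My with the farm name as its subject CN; FsConfig.exe is in
# the Windows Server 2008 path from step 4; the primary server and service
# account names below are placeholders.

$FarmName       = 'sts.office365supportlab.com'
$PrimaryServer  = 'FS01.office365supportlab.com'   # primary AD FS server (assumed)
$ServiceAccount = 'DOMAIN\SERVICE_ACCOUNT'         # placeholder, replace
$FsConfigExe    = 'C:\Program Files\Active Directory Federation Services 2.0\FsConfig.exe'

# Pick the certificate by subject, and insist on a private key and a current
# validity period; if several match, use the one that expires last.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "CN=$FarmName*" -and
        $_.HasPrivateKey -and
        $_.NotBefore -lt (Get-Date) -and
        $_.NotAfter  -gt (Get-Date)
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable certificate for $FarmName in Cert:\LocalMachine\My. Check that it was imported with its private key and is within its validity period."
}

# The store returns the thumbprint as one hex string; the post passes the spaced,
# lower-case form shown in the certificate dialog, so produce exactly that form.
$thumbprint = ($cert.Thumbprint -replace '(..)(?!$)', '$1 ').ToLower()
Write-Host "Using '$($cert.Subject)'  thumbprint $thumbprint  expires $($cert.NotAfter)"

# Prompt for the service account password instead of typing it on the command line.
$secure = Read-Host -Prompt "Password for $ServiceAccount" -AsSecureString
$plain  = (New-Object System.Management.Automation.PSCredential($ServiceAccount, $secure)).GetNetworkCredential().Password

# Same command as in Method 2; PowerShell quotes the thumbprint argument because it contains spaces.
& $FsConfigExe JoinFarm `
    /PrimaryComputerName $PrimaryServer `
    /ServiceAccount $ServiceAccount `
    /ServiceAccountPassword $plain `
    /CertThumbprint $thumbprint

if ($LASTEXITCODE -ne 0) {
    throw "FsConfig.exe JoinFarm failed with exit code $LASTEXITCODE"
}
```

Run it in an elevated PowerShell session on the server you prepared; the subject filter is the assumption to adjust if your certificate's subject is not the farm name.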


Network Load Balance the AD FS Servers in the Farm

Now that we have two servers in the AD FS Farm, we still have to load balance them. In an Enterprise production environment, I always recommend that you use a hardware-based load balancing solution. In non-production and small to medium organizations you can use Windows Network Load Balancing. Regardless of the load balancing solution, you need to make sure that you are load balancing TCP 443 to the AD FS Farm name.

NLB Cluster Name – sts.office365supportlab.com
Nodes – FS01.office365supportlab.com, FS02.office365supportlab.com

If you need help configuring Windows NLB, please use Configuring Windows NLB for AD FS 2.0.

DNS Configuration

Since we are now using network load balancing, we need to make sure that the A record for sts.office365supportlab.com is updated with the IP address that you assigned as the VIP of the NLB cluster.

Type  Name                          IP
A     sts.office365supportlab.com   10.0.0.20
A     fs01.office365supportlab.com  10.0.0.14
A     fs02.office365supportlab.com  10.0.0.17
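A check for both the load balancing and the DNS sections above, as an added example that is not part of the original post: for every name in the table it verifies that the A record resolves to the listed address, that TCP 443 answers, and that the certificate presented for the farm name is valid and identical on the VIP and on each node. A node behind NLB with a stale or different certificate typically shows up as intermittent sign-in failures, which is why the per-node comparison is there. The names and addresses come from this post; the assumptions are that the certificate's subject CN is the farm name and that the script runs from a host that can reach the VIP and both nodes directly.

```powershell
# Added example, not from the original post: check the load-balanced farm end to end.
# For every name in the post's DNS table: A record matches the expected address,
# TCP 443 answers, the certificate presented for the farm name is valid, and the
# VIP and every node present the same certificate. Assumptions: the certificate
# subject CN is the farm name; the VIP and both nodes are reachable from here.

$FarmName = 'sts.office365supportlab.com'
$Expected = @{                                    # from the post's DNS table
    'sts.office365supportlab.com'  = '10.0.0.20'  # NLB VIP
    'fs01.office365supportlab.com' = '10.0.0.14'
    'fs02.office365supportlab.com' = '10.0.0.17'
}

function Get-TlsCertificate {
    # Open TCP 443 to $Target, handshake with SNI set to $SniName and return the
    # server certificate. The handshake accepts any certificate on purpose: the
    # checks are made afterwards on the returned object, so a bad certificate is
    # reported as a failed check rather than hidden inside a connection error.
    param([string]$Target, [string]$SniName)
    $tcp = New-Object System.Net.Sockets.TcpClient($Target, 443)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($SniName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

$results = foreach ($name in $Expected.Keys) {
    # DNS: compare the IPv4 answers with the expected address from the table.
    $ipv4 = [System.Net.Dns]::GetHostAddresses($name) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    $row = New-Object PSObject -Property @{
        Host       = $name
        ExpectedIP = $Expected[$name]
        ActualIP   = ($ipv4 -join ',')
        DnsOk      = (($ipv4 -join ',') -eq $Expected[$name])
        Port443    = $false
        Subject    = $null
        Thumbprint = $null
        NotAfter   = $null
        ChainOk    = $false
    }
    # TLS: connect to this host but ask for the farm name, as a client would through the VIP.
    try {
        $cert = Get-TlsCertificate -Target $name -SniName $FarmName
        $row.Port443    = $true
        $row.Subject    = $cert.Subject
        $row.Thumbprint = $cert.Thumbprint
        $row.NotAfter   = $cert.NotAfter
        $row.ChainOk    = $cert.Verify()   # chain builds and the certificate is not expired or revoked
    } catch {
        Write-Warning "$name : $($_.Exception.Message)"
    }
    $row
}

$results | Format-Table Host, ExpectedIP, ActualIP, DnsOk, Port443, ChainOk, NotAfter, Thumbprint -AutoSize

# Every farm member must present the same certificate as the VIP, issued for the farm name.
$thumbs = @($results | Where-Object { $_.Thumbprint } | ForEach-Object { $_.Thumbprint } | Select-Object -Unique)
if ($thumbs.Count -gt 1) {
    Write-Warning "Farm members present different certificates: $($thumbs -join ', ')"
}

$failed = @($results | Where-Object {
    -not ($_.DnsOk -and $_.Port443 -and $_.ChainOk -and $_.Subject -like "CN=$FarmName*")
})
if ($failed.Count -gt 0) {
    Write-Warning ("Checks failed for: " + (($failed | ForEach-Object { $_.Host }) -join ', '))
} else {
    Write-Host "DNS, TCP 443 and certificate checks passed for the VIP and all nodes."
}
```

Run it after the A record change has propagated; a DnsOk of False on the farm name while both nodes pass is the sign that the record still points at a single node instead of the VIP.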