Solved

ADFS DR Failover for Office 365

Posted on 2013-12-06
Last Modified: 2013-12-09
Hello,
I am setting up a secondary ADFS server in the DR site. It will be used for Office 365 authentication.

We don't have a load balancer or anything. We will be doing failover using DNS. So, I installed a secondary ADFS server in the DR site and installed the certificate. Do I need to do anything else?

For example, do I need to run the following to add another ADFS server for Office 365?
•	Connect-MsolService -Credential $cred
•	Set the MSOL ADFS context server to the ADFS server
•	Set-MsolADFSContext -Computer adfs_servername.domain_name.com
Also, if there is nothing else left that I need to prepare now, what is the process for failing over to another ADFS server? Could you please be as specific as possible? We will lose power next week at the primary site, so what are the steps I need to take to make the secondary ADFS server the primary ADFS server so that it authenticates users to O365? When do I set up the relying party trust with Office 365 for the server? Can I set it up beforehand?
Question by:claudiamcse

Accepted Solution

by:
Mahesh earned 500 total points
I assume that you will have one ADC at the DR location.
First thing: have you used full SQL Server as the ADFS database, or are you using Windows Internal Database (WID)?
If you are using full SQL Server as the database, then all member ADFS servers in the farm are primary servers and can change the ADFS configuration.

If you have used WID, then the secondary ADFS server will not be able to make any configuration changes to the ADFS database.
However, it will process authentication requests whether the primary server remains online or offline.
You can make the secondary ADFS server primary only if you have confirmation that the original primary server cannot be brought back online. Once you make it primary, you can then add new secondary ADFS servers there.

You don't have to do anything other than playing with DNS in case of a planned shutdown of the primary ADFS server.
1st Method:
You can change the ADFS service URL public DNS pointer to the new IP of the secondary ADFS server at the DR site. But this will take some time (12 HRS approx.) for public DNS replication. You may do this in advance to overcome the DNS replication issue.
2nd Method:
You can have two public IPs assigned to the ADFS service public URL, pointing to the two private IP addresses of both ADFS servers, primary and secondary respectively.
In case your primary site goes down, after some specific time (TTL) the record will be removed from caches and, due to DNS round robin, ADFS queries will be routed to the secondary ADFS server's public IP address at DR.
The time to live (TTL) must necessarily be set quite low for this to work at all, since DNS entries are cached aggressively throughout the internet. Please check with your ISP.
This is a tested scenario for one of my clients and it works perfectly.

Check the article below:
http://blog.engelke.com/2011/06/07/web-resilience-with-round-robin-dns/

Mahesh
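A readiness check for the DNS-based failover described in this answer, added here as an example; it is not part of the original thread. It assumes placeholder names (sso.example.com and the two server FQDNs), an external resolver, the Resolve-DnsName and Test-NetConnection cmdlets (Windows 8.1 / Server 2012 R2 or later) and WinRM access to both ADFS servers so Get-AdfsSyncProperties can be queried remotely.

```powershell
# Checks whether the round-robin / low-TTL failover from the answer above is
# actually in place. Assumed values (not from the thread): the federation
# service name, the two ADFS server FQDNs and the external resolver.
$FederationFqdn   = 'sso.example.com'           # public Host (A) record of the ADFS service
$AdfsServers      = @('adfs01.corp.example.com', 'adfs02-dr.corp.example.com')
$ExternalResolver = '8.8.8.8'                   # any resolver outside your own zone
$MaxTtlSeconds    = 300                         # round-robin failover needs a low TTL

Write-Host "== Public DNS answer for $FederationFqdn (via $ExternalResolver) =="
$records = Resolve-DnsName -Name $FederationFqdn -Type A -Server $ExternalResolver -DnsOnly |
           Where-Object { $_.Type -eq 'A' }
if (-not $records) { throw "No A records returned for $FederationFqdn" }
foreach ($r in $records) {
    # A high TTL means clients keep using the primary site's IP after it is powered off.
    $ttlNote = if ($r.TTL -gt $MaxTtlSeconds) { "TTL $($r.TTL)s is HIGH - clients will cache a dead IP" }
               else { "TTL $($r.TTL)s OK" }
    Write-Host ("  {0,-16} {1}" -f $r.IPAddress, $ttlNote)
}
if ($records.Count -lt 2) {
    Write-Warning "Only one public IP is published; the 2nd method needs one A record per site."
}

Write-Host "== TCP 443 reachability of each published IP =="
foreach ($r in $records) {
    # Each public IP must terminate on a firewall that stays up when the other site is down.
    $ok = (Test-NetConnection -ComputerName $r.IPAddress -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("  {0,-16} {1}" -f $r.IPAddress, $(if ($ok) { 'listening' } else { 'NOT reachable' }))
}

Write-Host "== Federation metadata served under the public name =="
$metaUrl = "https://$FederationFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metaUrl -UseBasicParsing -TimeoutSec 15
    Write-Host "  HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
} catch { Write-Warning "  Metadata fetch failed: $($_.Exception.Message)" }

Write-Host "== WID farm roles (the secondary should show a recent successful sync) =="
foreach ($s in $AdfsServers) {
    try {
        $p = Invoke-Command -ComputerName $s -ScriptBlock { Get-AdfsSyncProperties }
        Write-Host ("  {0,-28} Role={1} LastSync={2} Status={3}" -f $s, $p.Role, $p.LastSyncTime, $p.LastSyncStatus)
    } catch { Write-Warning "  $s : $($_.Exception.Message)" }
}
```

Run it from a machine outside the primary site before the planned shutdown; a TTL above a few minutes or a single published IP means the round-robin method will not take over on its own.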

Author Comment

by:claudiamcse
Oh. Thank you so much. We are using Windows Internal Database (WID).

What do you mean by "change ADFS service URL" to the new IP? Are you referring to one external DNS record, such as sso.ourdomain.com, that points to the external IP of the ADFS server? Correct?

So, all we need to do is change the external DNS to point to the DR ADFS server?

Also, do we need to run this command to set up the backup ADFS as the primary ADFS server, or will it be working even if we don't run this command? This DR failover is only temporary and we will be switching back to the primary afterwards.

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN>


Thank you so much!!

Expert Comment

by:Mahesh
Yes, I am talking about the ADFS service external public DNS Host (A) record.

Like I said, you don't have to convert the secondary ADFS server to primary unless your primary ADFS server has gone down permanently.
In your case the primary ADFS server shutdown is temporary, hence the above command is not required.
The secondary ADFS server will service client authentication requests regardless of whether the primary server is up or down.
Only, the secondary ADFS server will not be able to make any changes to the ADFS database, as it is read-only, but you also do not require any changes in the database during failover.

Hope that is clear.
Mahesh

Expert Comment

by:Mahesh
Just check if you can swap the primary ADFS server's private IP with the secondary ADFS server's private IP in the public IP mapping at the primary site. It looks very simple, but actually it's probably not possible.

Normally public IP addresses are bound to your data centre firewall, and when a planned shutdown \ WAN link failure of the data centre occurs, those IPs also become unavailable.

That's why you need to point another public IP (terminated on the DR firewall) to the DR ADFS private IP address, because the first public IP is most probably terminated on the firewall at the primary site, and when you shut down the data centre, it is no longer available for servicing requests.
In that case public DNS will take time for replication (maybe 12 HRS) if you switch the ADFS service to another public IP address (in turn this public IP will point to the private IP of the ADFS server at the DR site) at the DR location.

That is why I gave you another option (2nd Method) of having two public IP addresses pointing to the two ADFS servers' private IP addresses with the same Host (A) record using DNS round robin.
Just read my 1st comment to understand the 2nd scenario.
Let me know if you have any queries, please.

Mahesh