Solved

ADFS DR Failover for Office 365

Posted on 2013-12-06
Last Modified: 2013-12-09
Hello,
I am setting up a secondary ADFS server in the DR site. It will be used for Office 365 authentication.

We don't have a load balancer or anything. We will be doing failover using DNS. So, I installed the secondary ADFS in the DR site and installed the certificate. Do I need to do anything else?

For example, do I need to run the following to add another ADFS server for Office 365?
• Connect-MsolService -Credential $cred
• Set the MSOL ADFS context server to the ADFS server
• Set-MsolADFSContext -Computer adfs_servername.domain_name.com
Also, if there is nothing else left that I need to prepare now, what is the process for failing over to another ADFS server? Could you please be as specific as possible? We will lose power next week at the primary site, so what are the steps I need to take to make the secondary ADFS server the primary ADFS server so that it authenticates users to O365? When do I set up the relying party trust with Office 365 for the server? Can I set it up beforehand?
Question by: claudiamcse
4 Comments
 
Accepted Solution by: Mahesh (earned 500 total points)
ID: 39702041
I assume that you will have one ADC at the DR location.
First thing: have you used a full SQL Server as the ADFS database, or are you using Windows Internal Database (WID)?
If you are using full SQL Server as the database, then all member ADFS servers in the farm are primary servers and can change the ADFS configuration.

If you have used WID, then the secondary ADFS server will not be able to make any configuration changes to the ADFS database.
However, it will process authentication requests whether the primary server remains online or offline.
You can make the secondary ADFS server primary only if you have confirmation that the original primary server cannot be brought back online. Once you make it primary, you can add new secondary ADFS servers there.

You don't have to do anything other than playing with DNS in case of a planned shutdown of the primary ADFS server.
1st Method:
You can change the ADFS service URL public DNS pointer to the new IP of the secondary ADFS server at the DR site. But this will take some time (12 hrs approx.) for public DNS replication. You may do this in advance to overcome the DNS replication issue.
2nd Method:
You can have two public IPs assigned to the ADFS service public URL, pointing to the two private IP addresses of the primary and secondary ADFS servers respectively.
In case your primary site goes down, after some specific time (TTL) the record will be removed from cache and, due to DNS round robin, ADFS queries will be routed to the secondary ADFS server's public IP address at DR.
The time to live (TTL) must necessarily be set quite low for this to work at all, since DNS entries are cached aggressively throughout the internet. Please check with your ISP.
This is a tested scenario for one of my clients and it works perfectly.

Check the article below:
http://blog.engelke.com/2011/06/07/web-resilience-with-round-robin-dns/

Mahesh

Author Comment by: claudiamcse
ID: 39702387
Oh, thank you so much. We are using Windows Internal Database (WID).

What do you mean by "change ADFS service URL" to the new IP? Are you referring to one external DNS record, such as sso.ourdomain.com, that points to the external IP of the ADFS server? Correct?

So, all we need to do is change the external DNS to point to the DR ADFS server?

Also, do we need to run this command to set up the backup ADFS as the primary ADFS server, or will it be working even if we don't run this command? This DR failover is only temporary and we will be switching back to the primary afterwards.

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN>


Thank you so much!!
Expert Comment by: Mahesh
ID: 39702714
Yes, I am talking about the ADFS service external public DNS Host (A) record.

Like I said, you don't have to convert the secondary ADFS to primary unless your primary ADFS server has gone down permanently.
In your case the primary ADFS server shutdown is temporary, hence the above command is not required.
The secondary ADFS server will service client authentication requests regardless of whether the primary server is up or down.
Only, the secondary ADFS will not be able to make any changes to the ADFS database as it is read-only, but you also do not require any changes in the database during failover.

Hope that is clear.
Mahesh
Expert Comment by: Mahesh
ID: 39702779
Just check if you can swap the primary ADFS server's private IP with the secondary ADFS server's private IP in the public IP mapping at the primary site. It looks very simple, but actually it's probably not possible.

Normally public IP addresses are bound to your data centre firewall, and when a planned shutdown or WAN link failure of the data centre occurs, those IPs also become unavailable.

That's why you need to point another public IP (terminated on the DR firewall) to the DR ADFS private IP address, because the first public IP is most probably terminated on the firewall at the primary site, and when you shut down the data centre it is no longer available for servicing requests.
In that case public DNS will take time for replication (maybe 12 hrs) if you switch the ADFS service to another public IP address (in turn this public IP will point to the private IP of the ADFS server at the DR site) at the DR location.

That is why I gave you another option (2nd Method) of having two public IP addresses pointing to the two ADFS servers' private IP addresses with the same Host (A) record, with DNS round robin.
Just read my first comment to understand the second scenario.
Let me know if you have any queries, please.

Mahesh
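Added example, not from the thread: a PowerShell pre-check for the two DNS-based methods in Mahesh's accepted solution and his third comment (the WID secondary's farm role and sync state, the round-robin A record and its TTL, and whether each public IP is still reachable once the primary site is powered off). The service name sso.example.com, the two public IPs and the public resolver are assumed placeholders, and the ADFS module and Test-NetConnection assume Windows Server 2012 R2 or later.

```powershell
# Added example, not from the thread. Pre-failover checks for the two DNS-based methods
# Mahesh describes. Assumptions (placeholders, not the asker's real values):
#   - ADFS on Windows Server 2012 R2 or later, where the ADFS PowerShell module and
#     Test-NetConnection exist (on ADFS 2.0 use Add-PSSnapin Microsoft.Adfs.PowerShell).
#   - Service name sso.example.com; public IPs taken from RFC 5737 TEST-NET ranges.
$AdfsHost       = 'sso.example.com'
$ExpectedIPs    = @('203.0.113.10', '198.51.100.20')   # primary site, DR site
$PublicResolver = '8.8.8.8'                            # a resolver outside your own network
$MaxTtlSeconds  = 300

# 1. Farm role. With WID the DR server stays a read-only secondary and still authenticates
#    while the primary is off, so for a temporary outage it is NOT promoted. Confirm it has
#    a recent successful sync so its copy of the configuration (relying party trusts,
#    certificates) is current before the primary goes dark.
Import-Module ADFS -ErrorAction Stop
$sync = Get-AdfsSyncProperties
"Role: $($sync.Role)  LastSyncStatus: $($sync.LastSyncStatus)  LastSyncTime: $($sync.LastSyncTime)"
if ($sync.Role -eq 'SecondaryComputer' -and $sync.LastSyncStatus -ne 0) {
    Write-Warning 'Last sync from the primary failed; fix it before the primary site is shut down.'
}

# 2. Public DNS. Method 2 needs both public IPs in the A record (round robin) and a low TTL,
#    otherwise clients keep using the cached primary-site address long after it is gone.
$answers = Resolve-DnsName -Name $AdfsHost -Type A -Server $PublicResolver -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' }
$seen = @($answers | Select-Object -ExpandProperty IPAddress)
foreach ($ip in $ExpectedIPs) {
    if ($seen -notcontains $ip) { Write-Warning "A record for $AdfsHost does not include $ip" }
}
$maxTtl = ($answers | Measure-Object -Property TTL -Maximum).Maximum
if ($maxTtl -gt $MaxTtlSeconds) {
    Write-Warning "TTL is $maxTtl s; lower it to <= $MaxTtlSeconds s well before the planned shutdown."
}

# 3. Reachability. Each public IP must terminate on a firewall that stays up and forwards
#    HTTPS to its ADFS server; a public IP bound to the primary site's firewall (Mahesh's
#    third comment) fails this check as soon as that site is powered off.
foreach ($ip in $ExpectedIPs) {
    $tcp = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue
    if ($tcp.TcpTestSucceeded) { "$ip : TCP 443 reachable" }
    else { Write-Warning "$ip : TCP 443 not reachable from here" }
}
```

Run step 3 from outside the primary site (the DR site or a machine on a separate internet connection) so the reachability result reflects what Office 365 clients on the internet will see.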