claudiamcse asked:
ADFS DR Failover for Office 365

Hello,
I am setting up a secondary ADFS server in the DR site. It will be used for Office 365 authentication.

We don’t have load balancer or anything. Will be doing failover using DNS. So, I installed secondary ADFS in the DR site, installed certificate. Do I need to do anything else??

For example, do I need to run the following to add another ADFS server for Office 365??

- Connect-MsolService -Credential $cred
- Set the MSOL ADFS context server to the ADFS server:
- Set-MsolADFSContext -Computer adfs_servername.domain_name.com
Also, if there is nothing else left that I need to prepare now, what is the process for failing over to another ADFS server? Could you please be as specific as possible? We will lose power next week at the primary site, so what are the steps I need to take to make the secondary ADFS server the primary ADFS server so that it authenticates users to O365? When do I set up the relying party trust with Office 365 for the server? Can I set it up beforehand?
ASKER CERTIFIED SOLUTION
Mahesh
claudiamcse (ASKER)
Oh. Thank you so much. We are using Windows Internal Database (WID).

What do you mean by "change ADFS service URL" to the new IP? Are you referring to one external DNS record, such as sso.ourdomain.com, that points to the external IP of the ADFS server? Correct?

So, all we need to do is change the external DNS to point to the DR ADFS server?

Also, do we need to run this command to set up the backup ADFS as the primary ADFS server, or will it work even if we don't run this command? This DR failover is only temporary and we will be switching back to the primary afterwards.

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN>


Thank you so much!!
Mahesh:

Yes, I am talking about the ADFS service external public DNS Host (A) record.

Like I said, you don't have to convert the secondary ADFS server to primary unless your primary ADFS server has gone down permanently.
In your case the primary ADFS server shutdown is temporary, hence the above command is not required.
The secondary ADFS server will service client authentication requests regardless of whether the primary server is up or down.
Only, the secondary ADFS server will not be able to make any changes to the ADFS database, as it is read-only, but you also do not require any changes to the database during failover.

Hope that is clear.
Mahesh
Mahesh:

Just check if you can swap the primary ADFS server's private IP with the secondary ADFS server's private IP in the public IP mapping at the primary site. It looks very simple, but actually it's probably not possible.

Normally public IP addresses are bound to your data centre firewall, and when a planned shutdown or WAN link failure of the data centre occurs, those IPs also become unavailable.

That's why you need to point another public IP (terminated on the DR firewall) to the DR ADFS private IP address, because the first public IP is most probably terminated on the firewall at the primary site, and when you shut down the data centre it is no longer available for servicing requests.
In that case public DNS will take time to replicate (maybe 12 hrs) if you switch the ADFS service to another public IP address at the DR location (in turn this public IP will point to the private IP of the ADFS server at the DR site).

That is why I gave you another option (2nd method) of having two public IP addresses pointing to the two ADFS servers' private IP addresses with the same Host (A) record using DNS round robin.
Just read my 1st comment to understand the 2nd scenario.
Let me know if you have any queries, please.

Mahesh
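A pre-failover readiness check for the DR node, added here as an example and not part of the thread or of any answer above. It assumes the federation service name sso.ourdomain.com from the thread, a constructed expected DR public IP (203.0.113.10), and the default display name of the Office 365 relying party trust; run it on the DR ADFS server before the primary site loses power and again after the public DNS change.

```powershell
# Added example (not from the thread): readiness check for a WID secondary ADFS node
# before a DNS-based DR failover. Placeholders: sso.ourdomain.com (from the thread),
# 203.0.113.10 (constructed TEST-NET address), default O365 trust display name.
$FederationHost     = 'sso.ourdomain.com'
$ExpectedDrPublicIp = '203.0.113.10'
$O365TrustName      = 'Microsoft Office 365 Identity Platform'
$MetadataUrl        = "https://$FederationHost/FederationMetadata/2007-06/FederationMetadata.xml"

$checks = [ordered]@{}

# 1. Farm role and replication: a WID secondary can serve sign-ins but holds a
#    read-only copy of the config, so confirm it has synced from the primary recently.
$sync = Get-AdfsSyncProperties
$checks['Role is SecondaryComputer'] = ($sync.Role -eq 'SecondaryComputer')
$checks['Synced from primary in last 24h'] = ($sync.LastSyncTime -gt (Get-Date).AddDays(-1))

# 2. The federation service itself is running on this node.
$checks['adfssrv running'] = ((Get-Service adfssrv).Status -eq 'Running')

# 3. Service name matches the public record clients will use after failover.
$checks['HostName matches DNS name'] = ((Get-AdfsProperties).HostName -eq $FederationHost)

# 4. The O365 relying party trust replicated to this node and is enabled;
#    it lives in the shared config, so it is not re-created per server.
$trust = Get-AdfsRelyingPartyTrust -Name $O365TrustName
$checks['O365 trust present and enabled'] = ($null -ne $trust -and $trust.Enabled)

# 5. Service-communications certificate is installed and not about to expire.
$svcCert = Get-AdfsCertificate -CertificateType Service-Communications
$checks['Service cert valid > 30 days'] = ($svcCert.Certificate.NotAfter -gt (Get-Date).AddDays(30))

# 6. What the public A record currently resolves to; after the DNS change this
#    should be the DR public IP (round-robin setups will return both addresses).
$aRecords = (Resolve-DnsName -Name $FederationHost -Type A -ErrorAction SilentlyContinue).IPAddress
$checks["DNS A record includes $ExpectedDrPublicIp"] = ($aRecords -contains $ExpectedDrPublicIp)

# 7. Metadata endpoint answers over HTTPS via the public name (reaches whichever
#    node DNS currently points at, which is the behaviour the failover relies on).
try {
    $resp = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing -TimeoutSec 15
    $checks['Federation metadata reachable'] = ($resp.StatusCode -eq 200)
} catch {
    $checks['Federation metadata reachable'] = $false
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' })), $_.Key
}
```

A FAIL on the role or sync check means the node may be serving stale configuration; a FAIL on the DNS check after the cutover means clients are still being sent to the powered-off site, which matches the replication delay Mahesh describes.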