

ADFS & ADFS Proxy over multiple sites for SSO on Office 365

Posted on 2014-08-07
Medium Priority
Last Modified: 2014-08-21

We are trying to set up a hybrid setup for Exchange 2013 and Office 365, as well as using SSO.

We would like the ADFS machines to be fault tolerant and spread out over 2 physical sites for extra redundancy.

I have attached a diagram of the server setup over the 2 sites.

My questions are: How do we set up the NLB over 2 sites (with different IP ranges)?
What would the public DNS be pointing to for the STS address?
What would the internal DNS be pointing to for the STS address?

Please also note that the external domain and internal domain are the same (e.g., domain.com is the public domain, and domain.com is the domain used for AD). Not sure if that makes a difference.


Question by: stevie_dee

LVL 38

Accepted Solution

Mahesh earned 2000 total points
ID: 40247093
If your internal and external domains are the same, that's well and good, and your internal ADFS server record and external ADFS server record should be the same in that case.

You should create a host (A) record for the ADFS servers' NLB, such as sts.domain.com.
On the external DNS server, this FQDN should point to the ADFS proxy server, and in the corporate network this FQDN should point to the internal ADFS servers.

Now, to get redundancy there are multiple ways:
1st, you can extend the same subnet to the other site as well, so that you can set up NLB with the ADFS servers and ADFS proxy servers.
2nd, you could place a hardware load balancer at some other third-party location, such as the ISP, and add both ADFS proxy servers to the hardware load balancer.
3rd, you can have both servers (ADFS and ADFS proxy servers) at the same location and create a standard NLB.
4th, you can have both servers (ADFS and ADFS proxy servers) at the same location and take TWO public IP addresses.
Instead of creating NLB, you can point TWO public IP addresses to TWO ADFS proxy servers.
Ex: sts.domain.com -
      sts.domain.com -

This will also provide redundancy in case one of your IPs goes down, with DNS round robin.
You need to keep the record TTL at a minimum in DNS.
LVL 44

Expert Comment

by: Vasil Michev (MVP)
ID: 40247289
True active/active setup between different sites is hard to achieve, costly and in general, not necessary. If you are interested in such, you can review for example this thread: http://social.msdn.microsoft.com/Forums/vstudio/en-US/80220b1c-d024-4f51-af9e-f38c4fe19c31/adfs-high-geo-redundancy?forum=Geneva
