ADFS disaster recovery

Hi Experts,

 I'm looking at designing an ADFS solution to accommodate 4,500 users to provide SSO with a web application.

I'm thinking of using 2 2012 R2 ADFS servers on my internal network and 2 2012 R2 Web Application Proxies in my DMZ, then load balancing the connections using an F5.

What I'm not sure about is how to achieve DR in another data center. For example is active-active in 2 different data centers supported? I was thinking of replicating my ADFS servers across the Data Centers, then simply performing a failover in the event of a disaster, but I'm not sure how well that would work in reality.

It would be great to hear from someone who's already done this.

Jerry Seinfield asked:

Kyle Abrahams (Senior .Net Developer) commented:
You can join the DR server as a secondary server in the farm.  In the case of a DR event, you would promote the secondary to a primary, and update the NLB to point at your DR site.
Jerry Seinfield (Author) commented:
Can you please provide more details? Step-by-step instructions, please.

Please keep in mind that both internal ADFS servers and both WAP servers in the DMZ are behind an F5 load balancer. Why did you mention the Windows NLB?
Kyle Abrahams (Senior .Net Developer) commented:

To promote a secondary to primary:

On the target secondary server:
# The snap-in is the ADFS 2.0 (2008 R2) way of loading the cmdlets; on 2012 R2 the ADFS module is built in (Import-Module ADFS) and this line is not needed.
Add-PsSnapin Microsoft.Adfs.PowerShell

# Make this server the farm's primary (WID farms only; SQL-backed farms have no primary/secondary role)
Set-AdfsSyncProperties -Role PrimaryComputer

On all other farm servers:
Add-PsSnapin Microsoft.Adfs.PowerShell

# Point each remaining server at the new primary; replace the placeholder with the real FQDN
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN of the Primary Federation Server}

I just said update the NLB (Network Load Balancer) . . . not a Windows NLB.
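The promotion Kyle describes, written out as a checked runbook (an added example, not code from this thread; the hostnames, the Miami/NYC site names and PowerShell Remoting to every farm member are assumptions). It applies to WID farms only; a SQL-backed farm has no primary/secondary role.

```powershell
# Added example (not from the thread): promote the DR-site secondary, repoint the
# surviving members, and verify the farm ends up with exactly one primary.
# Assumes Windows Server 2012 R2 (built-in ADFS module) and PowerShell Remoting.
# Hostnames are placeholders.
$NewPrimary   = 'adfs01.miami.example.com'      # DR secondary to promote
$OtherMembers = @('adfs02.miami.example.com')   # other reachable farm members

Import-Module ADFS

# 1. Check the candidate: it must currently be a secondary, and its last pull from
#    the old primary should have succeeded (LastSyncStatus 0). Promoting a stale
#    copy silently drops recently added trusts, certificates and claim rules.
$sync = Invoke-Command -ComputerName $NewPrimary -ScriptBlock { Get-AdfsSyncProperties }
if ($sync.Role -ne 'SecondaryComputer') {
    throw "$NewPrimary already has role $($sync.Role); nothing to promote."
}
Write-Host "Last sync from $($sync.LastSyncFromPrimaryComputerName) at $($sync.LastSyncTime), status $($sync.LastSyncStatus)"
if ($sync.LastSyncStatus -ne 0) {
    Write-Warning 'Last configuration sync did not succeed; the DR copy may be stale.'
}

# 2. Promote the DR server. This only changes the WID role; moving user traffic
#    to the DR site (F5 pool / DNS) is a separate step.
Invoke-Command -ComputerName $NewPrimary -ScriptBlock {
    Set-AdfsSyncProperties -Role PrimaryComputer
}

# 3. Repoint every other member at the new primary. Run this against the old-site
#    servers too when that site returns, before they take traffic, so the farm
#    never runs with two primaries.
foreach ($member in $OtherMembers) {
    Invoke-Command -ComputerName $member -ScriptBlock {
        param($primary)
        Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $primary
    } -ArgumentList $NewPrimary
}

# 4. Verify the topology from each member's own view.
$roles = Invoke-Command -ComputerName (@($NewPrimary) + $OtherMembers) -ScriptBlock {
    Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName
}
$roles | Format-Table PSComputerName, Role, PrimaryComputerName -AutoSize
if (@($roles | Where-Object { $_.Role -eq 'PrimaryComputer' }).Count -ne 1) {
    throw 'Farm does not have exactly one primary; fix before serving traffic.'
}
```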

Jerry Seinfield (Author) commented:
Thanks Kyle, you rock,

One last question: do you know if the same procedure above applies to an ADFS farm in a SQL cluster or HA solution?
Kyle Abrahams (Senior .Net Developer) commented:
You're asking 2 different things.

SQL Clustering can be implemented with a single ADFS server if you're using SQL databases for the backend.

The HA solution would need to be rolled over (same as above) if you have a primary/secondary server in the same site.
Jerry Seinfield (Author) commented:
Hi Kyle,

Sorry for the confusion, please read below.

To have ADFS HA and DR, here is my design:

Site 1 NYC

2 ADFS servers in the internal network
2 ADFS proxy servers in a DMZ
SQL clustering or HA to have the ADFS instance fully available and with an option of DR
F5 between proxy servers and firewall

Site 2 Miami

Same as above

To perform a DR scenario, should I follow the same article that you posted above?

I was under the wrong impression, that ADFS will be automatically balanced across different sites. Is that assumption correct or not?

Having said that,
Jerry Seinfield (Author) commented:
Any updates Kyle to my last question?
Kyle Abrahams (Senior .Net Developer) commented:
You're confusing load balancing with HA, SQL Clustering, and DR.

Load balancing is when you have multiple servers.  This will happen automatically.
HA is when you have multiple servers at the same location.  If one goes down the other handles all of the requests until the other comes back up.
SQL Clustering is HA but for the databases.
DR is when you lose a site entirely.

In a DR scenario you would need to follow the steps in the article.

Sam Obeng commented:

I think you are assuming that the SQL is available at the DR site. Without the SQL DB being at the DR site, how do you let the AD FS servers in the DR site access the SQL or the configuration DB?

I would almost say that in terms of DR, WID will be the way to go, especially if the number of ADFS servers in the farm does not exceed the total number supported by WID (I think it is four). Then you can have two at the primary site and two at the DR site, and set the DR ones as secondary.
Kyle Abrahams (Senior .Net Developer) commented:
This is over a year old . . . but the SQL DBs should be replicated to the DR site on a nightly basis or ideally log shipped for redundancy.