Solved

AD FS DNS

Posted on 2016-10-10
4
47 Views
Last Modified: 2016-10-10
Hi,

I'd like to confirm the DNS settings for my AD FS design please. Any help appreciated.

Design 1 (AD FS only (No proxy):
Internal name - company.net
External name - company.com
AD FS name: adfs.company.com

Internal DNS: 'A' record for adfs.company.net pointing to VIP
Internal DNS: new zone of adfs.company.com with blank 'A' record

My external name will also be adfs.company.com (as registered on the SSL certificate)
What external DNS/A record do I need? Where would this point the IP to? Do I need a public IP with NAT to the internal VIP? Do I need to allow port forwarding anywhere for 443?

Design 2 (with proxy):
As above but with WAP servers (2012 R2)
2 x WAP servers using NLB with VIP address

Add entries to the hosts files on each WAP server pointing to adfs.company.com or adfs.company.com? Which is correct?
Add external IP with NAT to VIP and an external 'A' record pointing adfs.company.com to the public IP in the DMZ.

So, do I need 2 public IP's and 2 external 'A' records? One for internal only and one for WAP?


Thanks,
Andy
0
Comment
Question by:Andy
  • 2
  • 2
4 Comments
 
LVL 39

Expert Comment

by:footech
ID: 41836471
Internal DNS: 'A' record for adfs.company.net pointing to VIP
This is not needed.

Internal DNS: new zone of adfs.company.com with blank 'A' record
Point this at the IP of your VIP.

If you want access from the internet, use a proxy.

...adfs.company.com or adfs.company.com? Which is correct?
Those are the same thing (and both are correct).

You only need a single public IP.  Your external A record for adfs.company.com points to the public IP, and that NATs to the VIP for your proxies.  In the hosts files on the proxies (if they don't use your internal DNS already), have an entry for adfs.company.com that points to the VIP for your internal ADFSes.
0
 
LVL 7

Author Comment

by:Andy
ID: 41836475
Thanks footech.

So, with an internal only setup, how does adfs.compnay.com resolve itself from the SaaS provider?
I don't need an external DNS entry for this scenario?

Thanks,
Andy
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 41836490
Looks like I answered a similar question from you before.  There's not much I can add.
I know there are some authentication scenarios where there is no communication to the ADFS initiated from the internet, but I don't know exactly when things would fail if you don't have a proxy.

If you want things to always work, set up a proxy.
0
 
LVL 7

Author Closing Comment

by:Andy
ID: 41836596
OK thanks footech, probably just confusing myself the more I think about it.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There have been a lot of times when we have seen the need to enter a large number of DNS entries in a forward lookup zone. The standard procedure would be to launch the DNS Manager console, create the Zone and start adding new hosts using the New…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now