Solved

AD FS DNS

Posted on 2016-10-10
4
35 Views
Last Modified: 2016-10-10
Hi,

I'd like to confirm the DNS settings for my AD FS design please. Any help appreciated.

Design 1 (AD FS only (No proxy):
Internal name - company.net
External name - company.com
AD FS name: adfs.company.com

Internal DNS: 'A' record for adfs.company.net pointing to VIP
Internal DNS: new zone of adfs.company.com with blank 'A' record

My external name will also be adfs.company.com (as registered on the SSL certificate)
What external DNS/A record do I need? Where would this point the IP to? Do I need a public IP with NAT to the internal VIP? Do I need to allow port forwarding anywhere for 443?

Design 2 (with proxy):
As above but with WAP servers (2012 R2)
2 x WAP servers using NLB with VIP address

Add entries to the hosts files on each WAP server pointing to adfs.company.com or adfs.company.com? Which is correct?
Add external IP with NAT to VIP and an external 'A' record pointing adfs.company.com to the public IP in the DMZ.

So, do I need 2 public IP's and 2 external 'A' records? One for internal only and one for WAP?


Thanks,
Andy
0
Comment
Question by:Andy
  • 2
  • 2
4 Comments
 
LVL 39

Expert Comment

by:footech
ID: 41836471
Internal DNS: 'A' record for adfs.company.net pointing to VIP
This is not needed.

Internal DNS: new zone of adfs.company.com with blank 'A' record
Point this at the IP of your VIP.

If you want access from the internet, use a proxy.

...adfs.company.com or adfs.company.com? Which is correct?
Those are the same thing (and both are correct).

You only need a single public IP.  Your external A record for adfs.company.com points to the public IP, and that NATs to the VIP for your proxies.  In the hosts files on the proxies (if they don't use your internal DNS already), have an entry for adfs.company.com that points to the VIP for your internal ADFSes.
0
 
LVL 6

Author Comment

by:Andy
ID: 41836475
Thanks footech.

So, with an internal only setup, how does adfs.compnay.com resolve itself from the SaaS provider?
I don't need an external DNS entry for this scenario?

Thanks,
Andy
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 41836490
Looks like I answered a similar question from you before.  There's not much I can add.
I know there are some authentication scenarios where there is no communication to the ADFS initiated from the internet, but I don't know exactly when things would fail if you don't have a proxy.

If you want things to always work, set up a proxy.
0
 
LVL 6

Author Closing Comment

by:Andy
ID: 41836596
OK thanks footech, probably just confusing myself the more I think about it.
0

Join & Write a Comment

Suggested Solutions

I will assume you are running a non-server version of some sort of Windows throughout this article. There are many flavors of Windows since Windows Server 2000 - 2008, XP Home & Pro, Vista Home & Pro, and Windows 7 Starter, Home, Pro, Ultimate, etc.…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now