Jody Davis asked:
Question regarding initial config of Disaster Recovery ADFS servers intended for backup ADFS servers
I currently have a production site that uses ADFS for auth to O365 and other online software. These are all on WinServer 2012 R2 servers. I need to configure a Disaster Recovery site with ADFS as well, as a backup. My intent is to test it periodically (point other software to it temporarily during a scheduled outage) to ensure it works in the event of an actual disaster. The configuration process asks "Create the first federation server in a federation server farm" or "Add a federation server to a federation server farm". I would assume I don't want to add a server, as it will "be a standalone" in the event of a disaster, and I ALSO don't want to interfere with my current ADFS system - it provides our enterprise email auth, to name just one critical app in production. Which should I choose, and any other thoughts/considerations?
The default/recommended configuration for AD FS is 2+2 servers, so it's highly available by design. If you still need a "cold standby" of sorts, I suggest you use the method detailed here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool
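The backup/restore round trip that reply points at, as an added example that is not part of the original thread or of Microsoft's own documentation for the tool. It uses the two cmdlets the Rapid Restore Tool ships (Backup-ADFS and Restore-ADFS); the module path, the backup share, the comment text and the DR host are assumptions for this example, and the "which server answers" check at the end is a plain metadata fetch, not a cut-over procedure.

```powershell
# Added example: build a cold-standby AD FS server from a production backup
# with the AD FS Rapid Restore Tool, then verify what came back.
# Assumptions (not from the thread): the tool's MSI is installed on both hosts,
# the module lives at the path below, and \\backupsrv\adfs-backups exists.

# --- Step 1: on a production farm member (run as an AD FS administrator) ---
Import-Module 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'  # assumed install path

$backupPath = '\\backupsrv\adfs-backups'          # assumed share; lock its ACL down
$backupPwd  = Read-Host 'Backup encryption password'

# -BackupDKM also exports the DKM container, which holds the private keys of the
# auto-generated token-signing and token-decrypting certificates. Anyone holding
# this archive plus the password can mint tokens for every relying party, so the
# file and the password need the same protection as the signing key itself.
Backup-ADFS -StorageType FileSystem `
            -StoragePath $backupPath `
            -EncryptionPassword $backupPwd `
            -BackupDKM `
            -BackupComment ("Scheduled backup " + (Get-Date -Format 'yyyy-MM-dd'))

# --- Step 2: on the DR server: domain-joined, AD FS role installed, but the
#     farm configuration wizard NOT run (the restore creates the configuration) ---
Import-Module 'C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll'

$backupPath = '\\backupsrv\adfs-backups'
$backupPwd  = Read-Host 'Backup decryption password'

Restore-ADFS -StorageType FileSystem `
             -StoragePath $backupPath `
             -DecryptionPassword $backupPwd `
             -RestoreDKM

# --- Step 3: post-restore checks. The federation service name, identifier,
#     relying-party trusts and signing certificate should match production. ---
Get-AdfsProperties | Select-Object HostName, Identifier
Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier, Enabled
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object Thumbprint, IsPrimary, @{n='NotAfter'; e={ $_.Certificate.NotAfter }}

# --- Step 4: from the test client only: confirm which host answers for the
#     service name. Production DNS is left alone; only this client's name
#     resolution (e.g. a hosts-file entry) points at the DR server during a test. ---
$fsName = (Get-AdfsProperties).HostName            # e.g. sts.domainname.com
Resolve-DnsName $fsName | Select-Object Name, IPAddress
$resp = Invoke-WebRequest -UseBasicParsing `
            -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp.StatusCode                                   # 200 when the restored service answers
```

Two practitioner notes. First, because the restore brings back the same signing keys, the DR box is not merely a copy of the configuration but a second holder of the production token-signing private key; keep it patched and access-controlled like the live farm even while it is powered off, and rotate the signing certificate if the backup archive is ever exposed. Second, the restore targets a server with no existing AD FS configuration, so it never touches the production farm's configuration database; the only thing that can affect production is name resolution, which is why the check above is done per test client rather than by editing the public DNS record.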
ASKER
-- That's some great information. Considering my need to test periodically (every 6 months), would:
1. The 2+2 be a good route, with 2 in prod (currently) and 2 new additional in DR, and test by powering down (for instance) my ADFS in prod during a scheduled outage so the DR ADFS would take over (a good test), or...
2. Rapid restore just prior to the outage, using a periodic backup of the config export the URL discusses?
-- I would think the 1st solution would be preferred (if I described the proposed solution correctly), as it ensures the network is highly available immediately. Would adding 2 additional ADFS/WAPs in the DR location and then powering down both ADFS/WAP servers in prod do the trick to redirect/test my intent from the DR site? I know sts.domainname.com and autodiscover.domainname.com are involved as well, but you get my question. Thanks!
2+2 refers to 2 AD FS servers + 2 WAP proxies. It's an HA architecture, not a DR one. You can easily test it by redirecting the traffic between the farm members.
ASKER
Ok, so considering I currently have the 2+2 in the production site, you'd recommend the rapid restore tool. How might I test it after restore creation during a day-long outage, but be able to cut back to the production site after testing?
ASKER CERTIFIED SOLUTION