This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 16%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi,
I have been looking at configuring a DR solution to our 2016 ADFS configuration.
Currently 2x ADFS servers and 2x WAP Proxy servers in PROD site. Both of these are load balanced with Windows NLB.
This is backed by the WID database.
While I know we can simply add more servers in the DR site and make them part of the same farm. I also know that we should be able to control the failover with DNS, by pointing ADFS to the second site in the event of a failure at PROD (customer doesn't want to purchase geo load balancing and sites are physically quite close).
My concern is really about failing over the database and failing back.
Is this as simple as just setting one of the DR servers to be primary and telling the rest what the new primary is and that they are secondary now.
Also, what will happen with the PROD site which is down - will we be able to set that to a secondary if it can't see the primary?
Ultimately, is it possible to do this and anything I need to be aware of?
I have done so much reading on this, but can't seem to find anything about doing this like mentioned above. But I also find nothing saying it will not be possible.
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 5%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi @J Slack , the process you outlined above is correct. The prod site will know of the new primary server as well as long as they have network connectivity to the new primary server. The cmdlets for the same are documented at https://learn.microsoft.com/en-us/powershell/module/adfs/set-adfssyncproperties?view=win10-ps
Thanks for that, unfortunately this doesn't really answer my question for what happens when the link between PROD and DR sites is down.
Under normal conditions as a test, we can easily move the primary server to DR and repoint the PROD servers to see that as primary.
But assume that PROD lost all it's network for a couple of weeks. I can run the command to change the prod servers to look at DR as the primary, but it won't be able to talk to them.
And when I promote the DR server to be primary in a real DR scenario (with PROD being totally down) it won't be able to see the original primary. Would that be a problem?
Also, while PROD is offline, we won't be sending requests to it obviously - but what happens when the network is restored?
I know with the PDC roll on a domain controller for example, we may need to seize that. If we seize it then we have to destroy the old DC. Does anything bad like that happen if you have two primary ADFS servers suddenly reconnect in the same farm?
Hi @J Slack , in case your prod site goes down, you will have to manually make the secondary server in DR site as primary and the primary as secondary. The commands below will force that without the network connectivity. Also, in the case of prod site going down, the DR site will still be able to handle the auth requests and only the ADFS configuration changes would not be possible.
The command to change the secondary ADFS in your farm to Primary is :
Set-ADFSSyncProperties -PrimaryComputerName fs1.fabrikam.com (fs1.fabrikam.com is the name of the secondary pc which you wish to make primary)
Then run Set-AdfsSyncProperties -Role PrimaryComputer
Then run this on the secondary computer which was primary earlier : Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN of the Primary Federation Server}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 9%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESJ%3C/text%3E%3C/svg%3E)
I am going to piggy back on this thread as its something I'm looking into myself. We have similar setup 2x proxy servers NLB and 2xADFS servers but SQL instance holding the artefact database. This is all in one site and we want to add some DR to this setup.
So we are building out a DR site with 1xproxy server and 1xadfs server and a SQL instance that is a mirror of the databases.
In the case of the first site going down how do we move to the DR instance? I'm guessing that ADFS has a Database connection string somewhere more than likely encrypted.
Is there documentation for this type of scenario anywhere ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 86%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
Waiting for the same response. Hope we can have a documentation for it.
Configuration changes in DNS, AD DS, or SQL if any.
Well first of I would get rid of SQL as a backend unless is stricly necessary for some specific ADFS features.
SQL is required if any of the following conditions is met:
With SQL out of the picture, the entire story of making the solution highly available relies on having multiple nodes and a proper load-balancer configuration (NLB is not a great solution for high availability).
There is a documentation explaining how to achieve that using Azure IaaS:
And another one how you extend your ADFS farm delpyement to Azure and use Traffic Manager to load-balance between the IaaS environment and your on-premises environment: