RomanHavrilyuk asked ·

Adding second ADFS

Hello, guys.

I have one on-prem VM with the ADFS role installed. On this VM I have already configured Azure AD Connect, with a public SSL certificate installed. ADFS uses an MSSQL DB. Sync and authorization in Office 365 on this ADFS server work fine. I want to add another ADFS server. How should I add it, just from Server Manager, just choosing "add to existing farm"? Or should I fully reconfigure sync in "Azure AD Connect"?
Is it possible to use clustered ADFS without WAP?
And should I have one external IP for these two nodes, or is it possible to use DNS round robin?

Thanks

azure-active-directory adfs

1 Answer

amanpreetsingh-msft answered ·

@Roman-7880, to add a second ADFS server, you just need to install the ADFS role and add the new server to the existing ADFS farm.

Should I reconfigure sync in "Azure AD Connect"?
No, you don't need to reconfigure AD Connect. However, if you have only one AD Connect server in your environment, you may consider installing AD Connect on the new server and keeping it in staging mode. In staging mode, AD Connect receives all inbound updates (imports) but doesn't export anything. So, in case the primary AD Connect goes down, you can turn off staging mode and use the server as the production AD Connect server.

Is it possible to use clustered ADFS without WAP?
Yes, you can configure an ADFS cluster without WAP in place. Although, from a security perspective it is good to have WAP installed on a non-domain-joined computer, as it is installed on an internet-facing machine. With no WAP in place, you will have ADFS servers facing the internet, and in case of compromise, a malicious user will get access to the domain.

Is it possible to use DNS round robin?
Yes, you can use DNS round robin, but I always prefer NLB over DNS round robin. The reason is, if one server goes down, DNS doesn't have the intelligence to detect that and will keep resolving every second request to the server which is down. As a result, 50% of requests will go to the faulty node. However, NLB can detect the faulty node and will send requests only to the node which is up and running.

Hope I have covered all your questions.


Please "Accept as answer" wherever the information provided helps you to help others in the community.
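The farm join described in this answer, written out as an added PowerShell example (not code from the thread or from Microsoft's documentation). The SQL host, service account and certificate thumbprint are placeholders to be replaced with the values already used by the first node.

```powershell
# Added example: join a second AD FS node to an existing SQL-backed farm.
# Run on the new server as a domain admin who also has access to the AD FS SQL DB.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Same SQL instance the first node already uses. All nodes of a SQL-backed farm
# share one configuration database; a second database is only needed with WID.
$sqlConnectionString = "Data Source=SQL01.corp.example;Integrated Security=True"   # placeholder

# Same service account and the same public SSL certificate as the first node
# (the certificate must already be imported into this node's machine store).
$svcCred    = Get-Credential -Message "AD FS service account (e.g. CORP\svc-adfs)"  # placeholder
$thumbprint = "<thumbprint-of-the-farm-SSL-certificate>"                            # placeholder

# Add-AdfsFarmNode joins the farm. Do NOT use Install-AdfsFarm here: that cmdlet
# creates a new farm and refuses to overwrite an existing configuration database.
Add-AdfsFarmNode -SQLConnectionString $sqlConnectionString `
                 -CertificateThumbprint $thumbprint `
                 -ServiceAccountCredential $svcCred

# Verify the node picked up the farm's federation service name and config source.
Get-AdfsProperties | Select-Object HostName, Identifier
Get-AdfsSyncProperties
```

After the join, put the new node behind the same load balancer VIP (or DNS name) as the first one so clients reach the farm through a single federation service name.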

4 comments

Thanks for the detailed answer!
Should I use another MSSQL DB for the second ADFS server with Azure AD Connect? Because now I get an error if I choose the DB from the first server. It says that I already have data in this DB and it cannot be overwritten.

0 Votes

@RomanHavrilyuk The second ADFS server should use the same MSSQL DB. While configuring the second server, the database instance should be the same instance that your first ADFS is using. If you had WID (Windows Internal Database), you would have to create a new WID for the second server, but in the case of SQL, all servers in the farm should be pointed to the same SQL DB.


Please "Accept as answer" wherever the information provided helps you to help others in the community.

1 Vote
RomanHavrilyuk replied to amanpreetsingh-msft ·

@amanpreetsingh-msft Sure, ADFS already uses the same DB, but the question is about configuring Azure AD Connect on the second server. Correct me if I'm wrong: Azure AD Connect can't use the same database; it should have another DB instance?
Thanks!

0 Votes