Multiple AD FS servers linked to same domain

Mark Bavington 60 Reputation points
2023-11-15T16:03:36.2066667+00:00

Hi

We have an existing AD FS 2012 R2 server that is federated with a custom domain in Azure AD, let's say "MyDomain.com", used to perform Office 365 licensing via Citrix.

I have built a new AD FS 2019 server and a Web Application Proxy (WAP) server to replace the current solution and I need to plan a cutover to test.

The new AD FS server is configured as a second AD FS farm. Can I federate this new AD FS server with the custom domain "MyDomain.com" and have both servers federated to the same domain in Azure AD?

If not, can anyone suggest a cutover plan that I can use to test the new solution using a timeboxed test, so the solution can be rolled back easily if required?

Any advice would be greatly appreciated.

Thanks

MB


Accepted answer
    Sandeep G-MSFT 15,336 Reputation points Microsoft Employee
    2023-11-16T08:44:35.76+00:00

    @Mark Bavington

    Thank you for posting this in Microsoft Q&A.

    You cannot federate a single domain with 2 different ADFS farms.

    There are 2 ways to test your new ADFS 2019 farm.

    • You can test this by removing the domain federation from ADFS 2012 R2, and then federating it with ADFS 2019.
    • Or you can add the ADFS 2019 server to the ADFS 2012 R2 farm and route the traffic only to ADFS 2019 using hosts file modifications on the ADFS 2019 servers.

    If you want to follow step 1, there will be downtime that needs to be communicated to all users.

    If you are using step 2, follow the steps below:

    • Since you have already created the ADFS 2019 farm, you can add this ADFS 2019 server to the old ADFS 2012 R2 farm.
    • Once you add the 2019 server to the farm, you can route all the authentication requests to ADFS 2019 using hosts file modifications on the ADFS 2019 server.
    • This will allow you to test the new server which you have deployed.
    • Post testing, you can promote the new ADFS 2019 server to primary and the old ADFS 2012 R2 server to secondary.
    • Increase the farm behavior level to ADFS 2019. Below are the farm behavior levels for the different ADFS farms.

    [Image: farm behavior level table (not available)]

    • Once this is done, you can add other ADFS 2019 servers to the same farm and remove the ADFS 2012 R2 servers from the farm.
    • This will cause zero impact on user authentication.

    You can also look at the article below for reference:

    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
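The mixed-farm route in the accepted answer (join the 2019 node to the old farm, pin the federation service name to it for a timeboxed test, then promote it and raise the farm behavior level) has three points where a practitioner wants a check before acting: what level the farm is actually at, whether every node is ready for the raise, and a hosts-file pin that can be rolled back cleanly. The following PowerShell is an added example written for this page; it is not code from the Q&A thread or from Microsoft. It assumes a federation service name of `fs.mydomain.com` and a new-node address of `10.0.0.20` (both placeholders), and that it runs on the AD FS 2019 node after that node has joined the farm, so the `ADFS` module is present. Where to place the hosts pin is also an assumption; the answer puts it on the 2019 server, and the same helper works on any machine you use for the test.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Q&A thread): pre-cutover checks and a reversible
# hosts-file pin for a timeboxed AD FS 2012 R2 -> 2019 mixed-farm test.
# Placeholders to replace: the federation service FQDN and the new node's IP.
$FederationServiceName = 'fs.mydomain.com'   # assumed; compare with (Get-AdfsProperties).HostName
$NewNodeIp             = '10.0.0.20'         # assumed address of the AD FS 2019 node
$HostsPath             = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$HostsBackup           = "$HostsPath.pre-adfs-test"
$PinMarker             = '# ADFS-2019-TEST'

# Farm behavior level (FBL) per AD FS version; a mixed farm runs at the lowest.
$FarmBehaviorLevels = @{ 1 = 'Windows Server 2012 R2'; 3 = 'Windows Server 2016'; 4 = 'Windows Server 2019' }
$TargetLevel        = 4

function Get-FarmUpgradeState {
    # Reports the farm's current level, each node's level and this node's sync
    # role, so the promote/raise steps are only run when they can succeed.
    $farm = Get-AdfsFarmInformation
    $sync = Get-AdfsSyncProperties
    $lagging = @($farm.FarmNodes | Where-Object { $_.BehaviorLevel -lt $TargetLevel })
    [pscustomobject]@{
        CurrentFarmBehavior = $farm.CurrentFarmBehavior
        CurrentFarmOS       = $FarmBehaviorLevels[[int]$farm.CurrentFarmBehavior]
        Nodes               = $farm.FarmNodes | Select-Object FQDN, BehaviorLevel, NodeType
        LocalRole           = $sync.Role                 # PrimaryComputer or SecondaryComputer
        PrimaryComputer     = $sync.PrimaryComputerName
        NodesBelowTarget    = $lagging.FQDN
        # The raise needs every node at the target level and must run on the primary.
        ReadyToRaise        = ($lagging.Count -eq 0) -and ($sync.Role -eq 'PrimaryComputer')
    }
}

function Add-TestHostsPin {
    # Keeps a one-time backup of the hosts file, then pins the federation service
    # name to the new node so only this machine's traffic reaches AD FS 2019.
    if (-not (Test-Path $HostsBackup)) { Copy-Item $HostsPath $HostsBackup }
    $lines  = @(Get-Content $HostsPath | Where-Object { $_ -notlike "*$PinMarker*" })
    $lines += "$NewNodeIp`t$FederationServiceName`t$PinMarker"
    Set-Content -Path $HostsPath -Value $lines -Encoding Ascii
    Clear-DnsClientCache
    # Resolve-DnsName bypasses the hosts file, so verify with the resolver the OS uses.
    [System.Net.Dns]::GetHostAddresses($FederationServiceName).IPAddressToString
}

function Remove-TestHostsPin {
    # Rollback: restore the pre-test hosts file, or strip the marked line if the
    # backup is gone, then flush the cache so the old path is used immediately.
    if (Test-Path $HostsBackup) {
        Copy-Item $HostsBackup $HostsPath -Force
        Remove-Item $HostsBackup
    } else {
        @(Get-Content $HostsPath | Where-Object { $_ -notlike "*$PinMarker*" }) |
            Set-Content -Path $HostsPath -Encoding Ascii
    }
    Clear-DnsClientCache
}

function Test-FederationEndpoint {
    # Smoke test: the federation metadata document must be served over the pinned
    # name and name the expected issuer, which both farm nodes share.
    $uri = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing
    [pscustomobject]@{
        StatusCode   = $resp.StatusCode
        IssuerOk     = $resp.Content -like "*entityID=`"http://$FederationServiceName/adfs/services/trust`"*"
        ResolvedTo   = ([System.Net.Dns]::GetHostAddresses($FederationServiceName).IPAddressToString -join ',')
    }
}

# Typical flow for the timeboxed test (run interactively, one step at a time):
Get-FarmUpgradeState | Format-List
Add-TestHostsPin
Test-FederationEndpoint | Format-List
# ... run the sign-in tests, then either roll back:
#   Remove-TestHostsPin
# ... or, once the 2019 node is primary and ReadyToRaise is $true:
#   Test-AdfsFarmBehaviorLevelRaise
#   Invoke-AdfsFarmBehaviorLevelRaise
```

`ReadyToRaise` deliberately checks both conditions the answer's later steps depend on: `Invoke-AdfsFarmBehaviorLevelRaise` only succeeds from the primary computer, and only after the 2012 R2 nodes have left the farm, so running `Get-FarmUpgradeState` after each step gives a clear stop/go signal. The hosts pin keeps a backup rather than editing in place so the rollback is a file copy, which is what makes the test timeboxed in practice.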

