admSRM-2816 asked admSRM-2816 answered

AD FS stand alone and farm coexistence

I've got an AD FS server running on Windows Server 2012 R2 stand alone. We need to create a farm for HA. I'm understanding that there's no upgrade path, so the question is: are there any issues with the legacy AD FS remaining in operation while a new Windows Server 2016 AD FS farm is created and configured?

Thanks

adfs

piaudonn answered piaudonn commented

There is no such thing as ADFS in standalone with Windows Server 2012 R2. If you have an ADFS server, it is already a farm. A farm of one server.


piaudonn,

I know that's true with 2016+ but 2012R2? Wouldn't I see cluster management or NLB services running?

Thanks


I think there is a confusion here.

ADFS standalone deployment does not refer to whether NLB is used. It means that the ADFS service is running under the identity of the ADFS server computer account. As opposed to ADFS farm deployment, where the ADFS service runs under the identity of a service account (either a regular user or a group managed service account).

ADFS standalone deployment cannot be configured anymore since Windows Server 2012 R2 (included).


NLB can be used with any version of ADFS. Although it doesn't make sense to use it for a standalone deployment, as they just have one server...

When you have a farm, NLB is not a great way to provide high availability either. NLB works at the network level. As long as a host is reachable network-wise, the server is in the cluster. So if you have two servers and you stop the ADFS service on one server, NLB still sends traffic to that node. So if a service crashes, or takes longer to start, then the user will experience issues.


Hardware based load balancers, with service health probes would be the way to go.

In your case, install ADFS on another server, during the install join the existing farm (your deployment is a farm of one server), and then install and configure proper load balancers.

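An added PowerShell check (not from the thread or from either poster) that puts the answer above into practice on an existing AD FS node: it reports the identity the AD FS service runs under, which is what distinguishes a standalone deployment from a farm, lists the farm nodes where the cmdlet exists, and calls the HTTP probe endpoint that a hardware load balancer's health check should use instead of NLB's network-level reachability. The host name is an assumption; run it elevated on the AD FS server.

```powershell
# Added example, not part of the original answer. Run as administrator on an AD FS node.

# 1. Service identity. NetworkService/LocalSystem present the computer account
#    (standalone); a domain user or a gMSA (DOMAIN\name$) means a farm, even of one node.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
if (-not $svc) { throw "AD FS service (adfssrv) not found on this host." }
$runsAs = $svc.StartName
Write-Host "AD FS service runs as: $runsAs"
$builtIn = @('LocalSystem', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')
if ($builtIn -contains $runsAs) {
    Write-Host "Built-in identity (computer account): this looks like a standalone deployment."
} else {
    Write-Host "Domain or managed service account: this is a farm deployment."
}

# 2. Configuration database. The connection string shows whether the farm uses the
#    local Windows Internal Database or an external SQL Server instance.
$props = Get-AdfsProperties
Write-Host "Artifact DB connection: $($props.ArtifactDbConnection)"

# 3. Farm membership. Get-AdfsFarmInformation exists on Windows Server 2016 and later;
#    on a 2012 R2 node the call fails, which the catch block reports.
try {
    $farm = Get-AdfsFarmInformation
    Write-Host "Farm behavior level: $($farm.CurrentFarmBehavior)"
    $farm.FarmNodes | ForEach-Object { Write-Host "  node: $($_.FQDN)" }
} catch {
    Write-Host "Get-AdfsFarmInformation not available on this version (pre-2016 farm)."
}

# 4. Health probe. AD FS serves an unauthenticated HTTP endpoint on port 80 that answers
#    200 only while the service is up. A load balancer probing this path pulls a node
#    whose service has stopped or crashed, which NLB cannot do.
$node = 'adfs01.corp.example'   # assumption: replace with the node's FQDN
try {
    $r = Invoke-WebRequest -Uri "http://$node/adfs/probe" -UseBasicParsing -TimeoutSec 5
    Write-Host "Probe $node -> HTTP $($r.StatusCode) (node is healthy)"
} catch {
    Write-Host "Probe $node failed: $($_.Exception.Message) (node should leave the pool)"
}
```

Stop the AD FS service on one node and rerun step 4 to see the probe fail while the host itself still answers on the network, which is exactly the gap the answer describes with NLB.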
admSRM-2816 answered

Thank you. I think my confusion came from when I read in the installation instructions for a farm that cluster management was going to be used via NLB to form the farm. I wasn't thinking of using it for actual load balancing, for the reasons you mention. Our installation is using a domain account for the AD FS service and also uses a separate SQL Server instance for its database; symptoms of a farm as far as I can tell.

We're adding a third party MFA for eventual rollout to the entire organization which will make the AD FS services more critical. I didn't want to break the system during the addition of a second server for high(er) availability...
