This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 15%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
I have a single ADFS on premise using WID. I want to add another adfs to form a farm. I do not have an existing adfs farm as this will be the first.
Can some one point me to a good tutorial on how to do this.
Also, will I need sql database installed for each of the servers or a separate machine housing only the database?
Will I use a wild card certificate? Currently the certificate is adfshost01.mydomain.com.
The ADFS is for internal use only. Not going outside the internet.
Edit: ADFS is running on Windows Server 2016
What version of ADFS are yo using? (what operating system do you currently use on your ADFS server)
Windows server 2016 and using adfs3.0
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
In same situation ... we have one ADFS server running on Server 2012 r2
How to add another server to farm, another server 2012 r2 is up but need some direction to add or create a farm to avoid single point of failure.
Using Digicert wildcard SSL.
So first thing first we have export same SSL to second server, and follow wizard to add ?
We are using WID no SQL db.
Since you are using ADFS on Windows Server 2016 (aka ADFS 4.0), you already have a farm. A farm of one :)
So to add nodes to the farm, simply use the Server Manager on that node to add the Active Directory Federation Service role. During the installation you will be asked if you are creating a new farm or joining an existing farm. Just pick that you are joining an existing farm and type the name of your first ADFS server (aka the Primary Server in that situation).
Before doing that though, make sure you install the SSL/TLS certificate on that new server. And also make sure you know the password of the service account used by ADFS (if you do not use a Group Manage Service Account).
Then you will need to implement some sort of Load Balancing. It is recommended to use a hardware load balancer.
If you don't have any, you could use a round-robin in DNS but that's not proper load balancing as the clients cache the answer and the the round-robin* does not allow to check if the service is running.
* * Technically it could with a bit of scripting and if you are using DNS running on Windows Server 2016. Then you could do some DNS policies.*
Please let me about Server 2012 r2 -ADFS
I like to confirm below steps as we are planning to add second adfs server and create a farm.
Currently we have adfs running on server 2012r2 ... with adfs1 yourdomain name
and dns entry as adfs yourdmain name (using for dropbox,zoom, adobe etc etc)
now to add second server build server 2012r2 name adfs2
export communications SSL from adfs1 and import in adfs2
run wizard for new install and add to farm ?
we have WID no SQL db
once its done in dns add point adfs2 also ?
What about Token - encrypting / signing situation ?
For the certificate I think a wildcard certificate is needed for both.
Can you confirm @Pierre Audonnet - MSFT ?
@Pierre Audonnet - MSFT Can windows NLB be used? If so like how do we do it? Create one windows servers as NLB or install NLB for both adfs server? I read somewhere (I cant find it anymore) that WID can be used in the farm but NLB should be used to replicate the wid to the secondary adfs.
If SQL should be used as database, do we need just one separate server housing the database or install the database on each adfs server?
Also for the federation name. Should both adfs servers have the same federation service name and then just add two host A record in DNS having same federation service name but pointing the each of the adfs servers?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 24%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E9%3C/text%3E%3C/svg%3E)
For the certificate I think a wildcard certificate is needed for both.
That is the simplest variant. If you wan to use certificate authentication on the default https port, a wildcard certificate is not enough. Details find you here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-support-for-alternate-hostname-binding-for-certificate-authentication
I prefer to work with multiple SAN Names in the ssl certificate. In common cases the certificate exposed from a internal PKI. So the number of SAN Names have no impact of the pricse compared to a purchased one.
Can windows NLB be used?
No, Windows NLB is not a real hardware/virtual loabalancer for this use case. It give so free products on the market.
The AD FS servers or the WID replicats itself without Windows NLB.
First, if you think about to use SQL Servers, you create a new single point of failure. therefore the sql server should also be redundant. It is recommended to install the SQL Server to dedicated (virtual) servers.
The Federation Name is unique. You configure the hostname on the primary AD FS Server with the cmdlet Set-AdfsProperties. The configuration changes automatically replicats to all other AD FS servers in the farm. If you use a layer 7 load balancer the configured dns hostname points to the ip address of whose. Otherwise you can use the Windows DNS Round Robin. As you wrote you create to host a records with the same Hostname.
Well NLB can be used. But NLB is a very basic solution. It does not check the state of a service before "redirecting" users to it. As long as the host is online we consider it as a part of the NLB cluster. So when you reboot an ADFS node for example, as soon as the IP stack is up and running the users will start using that node even if the ADFS service did not start or will not start (because of an issue). NLB is better suited to just balance the traffic but not to achieve fault tolerance. You could use NLB + some scripting. But you might be better of with a hardware load balancer.