Active Directory Federated Services (ADFS) with Redundant Geographic Connections
Q: (from Armand)
We have a client interested in having a secondary ADFS DC and proxy server in our UK data center.
They currently have their first ADFS 3.0 (2012 R2) server in our US Maine data center with a DMZ proxy, and it is linked with Office 365 without any issues.
They also have custom SSO tied to the first ADFS server, besides Office 365.
I wanted to check in with you hoping you can provide some guidance on whether a secondary ADFS DC server and proxy server can be set up in another region, in this case the UK, and tied in to Office 365.
The goal is that if something happens to the first ADFS DC and proxy, the secondary would become the primary and continue to service clients, and then when the main site came back up it would become the secondary again.
When setting up ADFS, our best practices encourage redundant implementation of everything: redundant DCs, redundant gateways, redundant connections to the Internet. Remember that with ADFS you are putting the burden of authenticating all of your cloud services on your hosted AD; if the federation service cannot be reached, sign-in to those services fails. So putting another DC out there – on-premises, in our cloud, or yours – is a good architectural plan.
Here’s where I’ve been pointing partners who are new to Azure AD Connect/ADFS planning:
But you can jump to the custom stuff because of your experience:
right to the section on ADFS:
Specifically, I think the following applies:
Enter the servers that you want to install AD FS on. You can add one or more servers based on your capacity planning needs. Join all servers to Active Directory before you perform this configuration. Microsoft recommends installing a single AD FS server for test and pilot deployments. Then add and deploy more servers to meet your scaling needs by running Azure AD Connect again after initial configuration.
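As an added example, not code from the original post or from the Microsoft documentation quoted above, here are the Windows Server 2012 R2 PowerShell steps that implement the plan Armand describes: join a second AD FS node in the UK site to the existing farm, put a Web Application Proxy in front of it, verify that configuration replicated, and promote the UK node if the US primary is lost. It assumes a Windows Internal Database (WID) farm, a gMSA service account, and the federation service name fs.contoso.com; every host name, thumbprint and account name is a placeholder. One caveat the script only hints at: Office 365 is configured with a single federation service URL, so traffic moves between sites by changing where fs.contoso.com resolves (external records to the proxies, internal records to the AD FS nodes), not by reconfiguring the tenant.

```powershell
# Added example (not from the original post). Windows Server 2012 R2 / AD FS 3.0 cmdlets.
# Placeholders: adfs01-us / adfs02-uk host names, gMSA CORP\gmsa-adfs$, certificate thumbprint.

# --- 1. On the new UK AD FS server (domain-joined, not yet configured) ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# The service-communications certificate must be the same one the US node uses
# (it carries the federation service name), exported with its private key and imported here.
$thumb = 'PLACEHOLDER0123456789ABCDEF0123456789ABCDEF'

# Join the existing farm. Relying party trusts (Office 365 and the custom SSO),
# claim rules and token-signing/decrypting certificates replicate from the primary,
# so nothing has to be re-created for the second site.
# Use -ServiceAccountCredential instead of -GroupServiceAccountIdentifier if the farm
# runs under a regular domain service account rather than a gMSA.
Add-AdfsFarmNode -PrimaryComputerName 'adfs01-us.corp.contoso.com' `
                 -CertificateThumbprint $thumb `
                 -GroupServiceAccountIdentifier 'CORP\gmsa-adfs$' `
                 -Credential (Get-Credential -Message 'Domain admin used for the farm join')

# Confirm the node joined as a secondary and has pulled configuration from the primary.
Get-AdfsSyncProperties |
    Select-Object Role, PrimaryComputerName, LastSyncStatus, LastSyncFromPrimaryComputerName

# --- 2. On the UK DMZ proxy (must not be a domain controller) ---
# The proxy has to resolve fs.contoso.com to the internal UK AD FS node, not to itself;
# a hosts-file entry on the proxy is the usual way to pin that.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy -FederationServiceName 'fs.contoso.com' `
                            -CertificateThumbprint $thumb `
                            -FederationServiceTrustCredential (Get-Credential -Message 'Local admin on the AD FS server')

# --- 3. Smoke test from a client whose DNS points fs.contoso.com at the UK site ---
Resolve-DnsName 'fs.contoso.com' | Select-Object Name, IPAddress
(Invoke-WebRequest 'https://fs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -UseBasicParsing).StatusCode
# Interactive check: https://fs.contoso.com/adfs/ls/idpinitiatedsignon.htm should render the sign-on page.

# --- 4. Failover when the US primary is down for an extended period ---
# WID secondaries keep issuing tokens on their own; only configuration changes need the
# primary. Promote the UK node (run on adfs02-uk) so trusts can still be edited meanwhile:
Set-AdfsSyncProperties -Role PrimaryComputer

# When the US site returns, demote it (run on adfs01-us) before it resumes serving,
# so there is exactly one primary writing configuration:
#   Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName 'adfs02-uk.corp.contoso.com'
```

Running Get-AdfsSyncProperties on each node after the failover and failback is the practical check that the farm has a single primary and that LastSyncStatus is 0 on every secondary; a WID farm with two nodes that both believe they are primary will silently diverge.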