Forum Discussion
db_Vanir
Jan 10, 2023 - Copper Contributor
How to migrate ADFS servers to Azure while keeping a backup setup on-premise?
We currently host our ADFS and ADFS proxy servers on-premise. We want to set up these two servers on Azure, but we would also like to keep our existing on-premise servers offline as a backup. The ide...
RGijsbersRademakers
Iron Contributor
Hi David,
I do have experience with several different types of ADFS deployments, including deploying to Azure. You can find some architectural guidance here: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adfs
I don't think it's a good idea to shut down the on-premises servers. If these servers are shut down too long, they will lose their device trust to the domain. Is there a specific reason you want to shut down the on-premises servers?
Regards,
Ruud
db_Vanir
Jan 11, 2023 - Copper Contributor
Hi Ruud,
When I said "offline" I meant that the on premise servers were going to be powered and connected to the network, but not servicing/handling the authentication requests. Can this be done? Can we have two different instances of ADFS servers running on the same domain? One on premise acting as a backup and the other one on Azure acting as the primary?
We want to keep our on-premise servers just in case the Azure environment were to become unavailable. That's all.
RGijsbersRademakers
Jan 12, 2023 - Iron Contributor
Hi David,
That can definitely be done. There are several methods for that, depending on your configuration.
Assuming you're using a single DNS name for your ADFS environment, something like sts.domain.com:
If sts.domain.com is behind a load balancer, you can just configure your on-premises servers as passive servers in the load balancer. That way, these will not be used for authentication unless the servers in Azure are down. This would require a load balancer in front of your ADFS Proxy servers for the external authentication and a load balancer for your internal ADFS Servers for the internal authentication.
Another solution would be to do it based on DNS. For the external authentication you would only create A records for your Azure hosted ADFS Proxy server in the public DNS for sts.domain.com. When the Azure hosted ADFS Proxy servers are down, you need to add the on-premises ADFS Proxy servers to the public DNS.
For the internal authentication you would do the same. Only create A records for sts.domain.com that point to your Azure hosted ADFS Servers on your internal DNS servers. When the Azure ones go down, you would add your on-premises servers to sts.domain.com on your local DNS servers.
Let me know if you have additional questions.
Regards,
Ruud
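A scripted version of the DNS-based failover Ruud describes for the internal sts.domain.com record, as an added example that is not from the original thread. It assumes the DnsServer PowerShell module on the internal DNS server, the ADFS health endpoint at /adfs/probe on port 80, and constructed placeholder addresses for the Azure and on-premises ADFS servers.

```powershell
# Added example (not from the thread): publish sts.domain.com A records for the Azure
# ADFS servers while they answer /adfs/probe, fall back to on-premises when they do not.
# Placeholder values: zone, DNS server and all IP addresses below are constructed.
$ZoneName   = 'domain.com'
$RecordName = 'sts'
$DnsServer  = 'dns01.domain.com'                  # internal DNS server to update
$AzureAdfs  = @('10.10.0.11', '10.10.0.12')       # primary ADFS servers in Azure
$OnPremAdfs = @('192.168.0.11', '192.168.0.12')   # backup ADFS servers on-premises
$Ttl        = [TimeSpan]::FromMinutes(1)          # short TTL so clients notice a swap

function Test-AdfsProbe {
    # ADFS returns HTTP 200 on http://<server>/adfs/probe when the service is healthy.
    param([string]$Server)
    try {
        $r = Invoke-WebRequest -Uri "http://$Server/adfs/probe" -UseBasicParsing -TimeoutSec 5
        return ($r.StatusCode -eq 200)
    } catch { return $false }
}

function Set-StsRecords {
    # Make the A records for sts.<zone> equal to exactly the given address set.
    param([string[]]$Addresses)
    $existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name $RecordName -RRType A -ErrorAction SilentlyContinue
    $current = @($existing | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
    foreach ($ip in $current) {
        if ($Addresses -notcontains $ip) {   # remove records for the inactive site
            Remove-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
                -Name $RecordName -RecordData $ip -Force
        }
    }
    foreach ($ip in $Addresses) {
        if ($current -notcontains $ip) {     # add records for the active site
            Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
                -Name $RecordName -IPv4Address $ip -TimeToLive $Ttl
        }
    }
}

# Prefer Azure while at least one Azure node is healthy; otherwise fail over to the
# on-premises servers, but only if they are healthy; never publish an empty set.
$healthyAzure  = @($AzureAdfs  | Where-Object { Test-AdfsProbe $_ })
$healthyOnPrem = @($OnPremAdfs | Where-Object { Test-AdfsProbe $_ })
if ($healthyAzure.Count -gt 0) {
    Set-StsRecords -Addresses $healthyAzure
    Write-Output "sts.$ZoneName -> Azure ($($healthyAzure -join ', '))"
} elseif ($healthyOnPrem.Count -gt 0) {
    Set-StsRecords -Addresses $healthyOnPrem
    Write-Warning "Azure ADFS unreachable; sts.$ZoneName failed over to on-premises"
} else {
    Write-Error "No healthy ADFS server found; leaving DNS unchanged for investigation"
}
```

The same decision logic applies to the public sts record for the ADFS proxy servers, with the DnsServer cmdlets replaced by your public DNS provider's API; keep the TTL short on both sides, or the swap only takes effect once cached answers expire.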