Forum Discussion
db_Vanir
Jan 10, 2023Copper Contributor
How to migrate ADFS servers to Azure while keeping a backup setup on-premise?
We currently host our ADFS and ADFS proxy servers on-premise. We want to set up these two servers on Azure, but we would also like to keep our existing on-premise servers offline as a backup. The ide...
db_Vanir
Jan 11, 2023Copper Contributor
Hi Ruud,
When I said "offline" I meant that the on premise servers were going to be powered and connected to the network, but not servicing/handling the authentication requests. Can this be done? Can we have two different instances of ADFS servers running on the same domain? One on premise acting as a backup and the other one on Azure acting as the primary?
We want to keep our on-premise servers just in case the Azure environment were to become unavailable. That's all.
RGijsbersRademakers
Jan 12, 2023Iron Contributor
Hi David,
That can definitely be done. There are several methods for that, depending on your configuration.
Assuming you're using a single DNS name for your ADFS environment, something like sts.domain.com.
If sts.domain.com is behind a load balancer, you can just configure your on-premises servers as passive servers in the load balancer. That way, these will not be used for authentication unless the servers in Azure are down. This would require a load balancer in front of your ADFS Proxy servers for the external authentication and a load balancer for your internal ADFS Servers for the internal authentication.
Another solution would be to do it based on DNS. For the external authentication you would only create A records for your Azure hosted ADFS Proxy server in the public DNS for sts.domain.com. When the Azure hosted ADFS Proxy servers are down, you need to add the on-premises ADFS Proxy servers to the public DNS.
For the internal authentication you would do the same. Only create A records for sts.domain.com that point to your Azure hosted ADFS Servers on your internal DNS servers. When the Azure ones go down, you would add your on-premises servers to sts.domain.com on your local DNS servers.
Let me know if you have additional questions.
Regards,
Ruud
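The DNS-based failover Ruud describes for the internal side, written out as a PowerShell script. This is an added example, not code from the thread or from either poster. It assumes (all hypothetical) an internal AD DNS zone domain.com hosted on dc01.domain.com, Azure ADFS servers at 10.10.0.11 and 10.10.0.12, on-premises ADFS servers at 192.168.1.11 and 192.168.1.12, the DnsServer RSAT module on the host running it, and that both sets of servers are members of the same ADFS farm (same service name and token-signing certificate), so relying parties cannot tell which set issued the token. It health-checks each server with the unauthenticated HTTP probe ADFS and Web Application Proxy expose on port 80 at /adfs/probe, which is what a load balancer would poll in the passive-server variant, and only rewrites sts.domain.com when every Azure server fails that probe.

```powershell
# Added example (not from the original thread): DNS failover for sts.domain.com.
# Hypothetical values: zone, DNS server and all IP addresses below are made up.
$ZoneName   = 'domain.com'
$RecordName = 'sts'
$DnsServer  = 'dc01.domain.com'
$AzureAdfs  = @('10.10.0.11', '10.10.0.12')      # primary (Azure-hosted) farm members
$OnPremAdfs = @('192.168.1.11', '192.168.1.12')  # backup (on-premises) farm members
$Ttl        = New-TimeSpan -Minutes 5            # short TTL so clients notice a swap quickly

function Test-AdfsProbe {
    # ADFS/WAP answer HTTP 200 on http://<host>/adfs/probe when the service is up.
    param([string]$Address)
    try {
        $r = Invoke-WebRequest -Uri "http://$Address/adfs/probe" -UseBasicParsing -TimeoutSec 5
        return ($r.StatusCode -eq 200)
    } catch {
        return $false
    }
}

function Set-StsRecords {
    # Replace all A records for sts.<zone> with exactly the given addresses.
    param([string[]]$Addresses)
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name $RecordName -RRType A -ErrorAction SilentlyContinue |
        ForEach-Object {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                -Name $RecordName -RRType A `
                -RecordData $_.RecordData.IPv4Address.IPAddressToString -Force
        }
    foreach ($ip in $Addresses) {
        Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
            -Name $RecordName -IPv4Address $ip -TimeToLive $Ttl
    }
}

$healthyAzure = @($AzureAdfs | Where-Object { Test-AdfsProbe $_ })
if ($healthyAzure.Count -gt 0) {
    # Normal state: publish only the Azure servers that currently pass the probe.
    Write-Host "Azure ADFS healthy: $($healthyAzure -join ', '); publishing those for $RecordName.$ZoneName"
    Set-StsRecords -Addresses $healthyAzure
} else {
    $healthyOnPrem = @($OnPremAdfs | Where-Object { Test-AdfsProbe $_ })
    if ($healthyOnPrem.Count -eq 0) {
        throw "No ADFS server answered the probe; leaving DNS unchanged."
    }
    Write-Warning "All Azure ADFS servers failed the probe; failing $RecordName.$ZoneName over to on-premises."
    Set-StsRecords -Addresses $healthyOnPrem
}
```

Run it from a scheduled task or an orchestration host that can reach both farms and has DNS admin rights on the zone; the external side (the WAP servers behind the public sts.domain.com record) follows the same pattern against your public DNS provider's API. The probe check matters: swapping DNS to on-premises servers that are themselves unhealthy makes the outage worse, so the script refuses to change anything when neither set answers.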