Microsoft Tech Community

How to migrate ADFS servers to Azure while keeping a backup setup on-premise?

We currently host our ADFS and ADFS proxy servers on-premise. We want to set up these two servers on Azure, but we would also like to keep our existing on-premise servers offline as a backup. The idea is that if the Azure environment were to become unavailable, we would flip a switch and revert traffic back to the on-premise ADFS. How would we go about achieving this without causing any conflicts with the newly migrated ADFS servers on Azure?

I was wondering if someone had any experience with what we are trying to do. I imagine that this shouldn't be too complicated. 

By the way, our Azure ADFS setup is not live yet. We would like to do a trial run before we go live. I do have a question about this step and having both ADFS servers and proxies running at the same time. What kind of complications could we run into if we were to run two ADFS servers, with different names and different proxies at the same time, even if it were for a brief period of time?

Will redirecting the DNS traffic from the on-premise ADFS proxy to the Azure ADFS proxy cause any problems with our on-premise domain controllers and the replica domain controller hosted on Azure?

Thank you

3 Replies
Hi David,

I do have experience with several different types of ADFS deployments, including deploying to Azure. You can find some architectural guidance here: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adfs

I don't think it's a good idea to shut down the on-premises servers. If these servers are shut down too long, they will lose their device trust to the domain. Is there a specific reason you want to shut down the on-premises servers?

Regards,
Ruud
Hi Ruud,

When I said "offline" I meant that the on-premise servers were going to be powered on and connected to the network, but not servicing/handling the authentication requests. Can this be done? Can we have two different instances of ADFS servers running on the same domain? One on-premise acting as a backup and the other one on Azure acting as the primary?

We want to keep our on-premise servers just in case the Azure environment were to become unavailable. That's all.

Hi David,

That can definitely be done. There are several methods for that, depending on your configuration.

Assuming you're using a single DNS name for your ADFS environment, something like sts.domain.com.

If sts.domain.com is behind a load balancer, you can just configure your on-premises servers as passive servers in the load balancer. That way, these will not be used for authentication unless the servers in Azure are down. This would require a load balancer in front of your ADFS Proxy servers for the external authentication and a load balancer for your internal ADFS Servers for the internal authentication.

Another solution would be to do it based on DNS. For the external authentication you would only create A records for your Azure hosted ADFS Proxy server in the public DNS for sts.domain.com. When the Azure hosted ADFS Proxy servers are down, you need to add the on-premises ADFS Proxy servers to the public DNS.

For the internal authentication you would do the same. Only create A records for sts.domain.com that point to your Azure hosted ADFS Servers on your internal DNS servers. When the Azure ones go down, you would add your on-premises servers to sts.domain.com on your local DNS servers.

Let me know if you have additional questions.

Regards,
Ruud
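The internal DNS failover described in the reply above, as an added example that is not part of the thread: it swaps the A records for the farm name between the Azure farm and the on-premises backup farm so that only one farm ever answers for sts.domain.com. It assumes the DnsServer RSAT module, rights on the internal zone, and placeholder names and addresses (dc01.domain.com, the 10.x addresses) that you would replace with your own.

```powershell
# Added example, not the thread's own script. Runs on a host with the
# DnsServer module; all names and addresses are placeholders.
param(
    [ValidateSet('Azure', 'OnPrem')]
    [string]$ActiveSite = 'Azure'      # which farm should answer for sts.domain.com
)

$ZoneName  = 'domain.com'
$HostName  = 'sts'                     # sts.domain.com, the single farm name
$DnsServer = 'dc01.domain.com'         # internal DNS server (placeholder)

# One entry per ADFS farm; both farms stay joined and running, only DNS changes.
$FarmIPs = @{
    Azure  = @('10.10.0.11', '10.10.0.12')   # Azure-hosted ADFS servers (placeholder)
    OnPrem = @('10.20.0.11', '10.20.0.12')   # on-premises ADFS servers (placeholder)
}

# Short TTL so clients pick up the swap quickly after a failover.
$Ttl = [TimeSpan]::FromMinutes(5)

# Remove every existing A record for the name, whichever farm it points to,
# so the two farms never answer for sts.domain.com at the same time.
$existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
    -Name $HostName -RRType A -ErrorAction SilentlyContinue
foreach ($rec in $existing) {
    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
        -InputObject $rec -Force
}

# Add the A records for the farm that should be active now.
foreach ($ip in $FarmIPs[$ActiveSite]) {
    Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name $HostName -IPv4Address $ip -TimeToLive $Ttl
}

# Verify what the internal DNS server now answers before trusting the failover.
Resolve-DnsName -Name "$HostName.$ZoneName" -Server $DnsServer -Type A |
    Select-Object Name, IPAddress
```

The public record for the proxies follows the same pattern, but is changed through the public DNS provider's own tooling rather than the DnsServer module.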