Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer Or Not

Posted by Jorge on 2014-03-19


If ADFS was installed in the past by someone else and there is little to no documentation, how do you know, when using WID, which ADFS STS instance is the primary federation server and which ones are secondary federation servers? Keep reading to find out how to determine that!

How To Find The Primary Federation Server When Using WID?

The concept of a primary federation server and secondary federation servers only exists when leveraging WID. When using SQL all federation servers are equal. In the case of WID, the primary federation server has a read/write copy of the ADFS configuration database.

The primary federation server is always created when you use the ADFS Federation Server Configuration Wizard and select the option to create a new Federation Service and make that computer the first federation server in the farm. All other federation servers in this farm, also known as secondary federation servers, must synchronize changes that are made on the primary federation server to a copy of the AD FS configuration database that is stored locally.


Figure 1: ADFS Leveraging WID – The ADFS MMC On The Primary Federation Server

Figure 2: The PowerShell cmdlet That Shows Whether Or Not The Federation Server Is The Primary Federation Server – In This Case It Is The Primary Federation Server

The secondary federation servers store a read-only copy of the ADFS configuration database from the primary federation server. Secondary federation servers connect to and synchronize the data with the primary federation server in the farm by polling it at regular intervals (5 minutes) to check whether data has changed. It is also possible to force synchronization. The secondary federation servers exist to provide fault tolerance for the primary federation server while acting to load-balance access requests that are made in different sites throughout your network environment. If a primary federation server crashes and is offline, all secondary federation servers continue to process requests as normal. However, no new changes can be made to the Federation Service until the primary federation server has been brought back online OR you have nominated an existing secondary federation server as the new primary federation server.


Figure 3: ADFS Leveraging WID – The ADFS MMC On Any Secondary Federation Server

Figure 4: The PowerShell cmdlet That Shows Whether Or Not The Federation Server Is The Primary Federation Server – In This Case It Is NOT The Primary Federation Server

How to transfer the primary computer role to another ADFS STS when using WID?

Unfortunately, it is not like the old NT4 PDC/BDC model, where moving the primary role to another server makes the others aware of it. Moving the primary computer role to another ADFS STS does not notify the remaining ADFS STSes, so the role has to be set explicitly on every farm member:

  • On the ADFS STS becoming the new primary computer execute: Set-AdfsSyncProperties -Role PrimaryComputer
  • On all other ADFS STSes execute: Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN new ADFS STS With Primary Computer Role>
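As an added example (not Jorge's own code), the following PowerShell inventories a WID farm from a management host over PowerShell remoting and flags the inconsistent state the steps above can leave behind: more than one primary, or a secondary still polling the old primary. The server names are constructed placeholders; the Get-AdfsSyncProperties properties other than Role and PrimaryComputerName are assumed from the cmdlet's default output.

```powershell
# Added example, not from the original post. Constructed farm member names;
# assumes PowerShell remoting to each member and the ADFS module installed there.
$farmMembers = @('ADFS01.contoso.local', 'ADFS02.contoso.local', 'ADFS03.contoso.local')

$results = foreach ($member in $farmMembers) {
    try {
        $sync = Invoke-Command -ComputerName $member -ErrorAction Stop -ScriptBlock { Get-AdfsSyncProperties }
        [pscustomobject]@{
            Server              = $member
            Role                = $sync.Role                 # PrimaryComputer or SecondaryComputer
            PrimaryComputerName = $sync.PrimaryComputerName  # only meaningful on a secondary
            LastSyncFromPrimary = $sync.LastSyncFromPrimary  # assumed property name
            LastSyncStatus      = $sync.LastSyncStatus       # assumed property name
        }
    } catch {
        # An unreachable member is reported rather than silently skipped.
        [pscustomobject]@{
            Server              = $member
            Role                = "UNREACHABLE: $($_.Exception.Message)"
            PrimaryComputerName = $null
            LastSyncFromPrimary = $null
            LastSyncStatus      = $null
        }
    }
}

$results | Format-Table -AutoSize

# Exactly one member should hold the PrimaryComputer role.
$primaries = @($results | Where-Object { $_.Role -eq 'PrimaryComputer' })
if ($primaries.Count -ne 1) {
    Write-Warning "Expected exactly one PrimaryComputer, found $($primaries.Count). Check for a half-finished role transfer."
}

# Every secondary must point at the current primary, otherwise it keeps
# polling a server that no longer holds the read/write database.
if ($primaries.Count -eq 1) {
    $primary = $primaries[0].Server
    $results |
        Where-Object { $_.Role -eq 'SecondaryComputer' -and $_.PrimaryComputerName -ne $primary } |
        ForEach-Object {
            Write-Warning "$($_.Server) polls $($_.PrimaryComputerName) instead of $primary; run Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $primary on it."
        }
}
```

String comparison with -ne is case-insensitive in PowerShell, so hostname casing differences between members do not produce false warnings.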

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
Jorge’s Quest For Knowledge: http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————

3 Responses to “(2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer Or Not”

  1. […] configure the new ADFS v4.0 STS to become the primary farm member. Follow the steps as mentioned in (2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer …. When using SQL, no need to transfer the primary member role as that only exist when using WID. Now […]

  2. […] When using WID, to find your primary server see: (2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer … […]

  3. […] (2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer … […]
