(2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer Or Not
Posted by Jorge on 2014-03-19
If ADFS was installed in the past by someone else and there is little to no documentation, how do you know, when using WID, which ADFS STS instance is the primary federation server or any other federation server? Keep reading to find out how to determine that!
How To Find The Primary Federation Server When Using WID?
The concept of a primary federation server and secondary federation servers only exists when leveraging WID. When using SQL all federation servers are equal. In the case of WID, the primary federation server has a read/write copy of the ADFS configuration database.
The primary federation server is always created when you use the ADFS Federation Server Configuration Wizard and select the option to create a new Federation Service and make that computer the first federation server in the farm. All other federation servers in this farm, also known as secondary federation servers, must synchronize changes that are made on the primary federation server to a copy of the AD FS configuration database that is stored locally.
Figure 1: ADFS Leveraging WID – The ADFS MMC On The Primary Federation Server
Figure 2: The PowerShell CMDlet That Shows Whether Or Not The Federation Server Is The Primary Federation Server – In This Case It Is The Primary Federation Server
The secondary federation servers store a read-only copy of the ADFS configuration database from the primary federation server. Secondary federation servers connect to and synchronize the data with the primary federation server in the farm by polling it at regular intervals (5 minutes) to check whether data has changed. It is also possible to force synchronization. The secondary federation servers exist to provide fault tolerance for the primary federation server while acting to load-balance access requests that are made in different sites throughout your network environment. If a primary federation server crashes and is offline, all secondary federation servers continue to process requests as normal. However, no new changes can be made to the Federation Service until the primary federation server has been brought back online OR you have nominated an existing secondary federation server as the new primary federation server.
Figure 3: ADFS Leveraging WID – The ADFS MMC On Any Secondary Federation Server
Figure 4: The PowerShell CMDlet That Shows Whether Or Not The Federation Server Is The Primary Federation Server – In This Case It Is NOT The Primary Federation Server
How to transfer the primary computer role to another ADFS STS when using WID?
Unfortunately, it is not like the old NT4 PDC/BDC model, where moving the primary role to another server made the other servers aware of it automatically. When you move the primary computer role to another ADFS STS, the remaining ADFS STSes do not become aware of that on their own; every node in the farm has to be reconfigured explicitly:
- On the ADFS STS becoming the new primary computer execute: Set-AdfsSyncProperties -Role PrimaryComputer
- On all other ADFS STS execute: Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN new ADFS STS With Primary Computer Role>
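The following script is an added example, not code from the original post. It puts the inventory step (Figures 2 and 4: running Get-AdfsSyncProperties on every node to see which one holds the PrimaryComputer role) and the two-step role transfer above into one reusable set of functions, and adds the consistency check you want after a transfer: exactly one node reports PrimaryComputer, and every SecondaryComputer points at that same node. The hostnames in $FarmNodes are placeholders, and the script assumes the ADFS PowerShell module is present on each node and that PowerShell remoting (WinRM) is allowed to them.

```powershell
# Added example (not part of the original post). Hostnames below are placeholders.
$FarmNodes = 'adfs1.corp.example.com', 'adfs2.corp.example.com', 'adfs3.corp.example.com'

# Collect the WID sync properties of every ADFS STS in the farm. Role is either
# 'PrimaryComputer' or 'SecondaryComputer'; PollDuration is the poll interval in
# seconds (300 = the 5 minutes mentioned above); LastSyncStatus 0 means the last
# pull from the primary succeeded.
function Get-AdfsFarmRoleReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($node in $ComputerName) {
        try {
            $p = Invoke-Command -ComputerName $node -ErrorAction Stop -ScriptBlock { Get-AdfsSyncProperties }
            [pscustomobject]@{
                Node                = $node
                Role                = $p.Role
                PrimaryComputerName = $p.PrimaryComputerName
                PollDurationSec     = $p.PollDuration
                LastSyncStatus      = $p.LastSyncStatus
                LastSyncTime        = $p.LastSyncTime
                Error               = $null
            }
        } catch {
            # A node we cannot reach is reported, not silently skipped.
            [pscustomobject]@{
                Node = $node; Role = 'Unknown'; PrimaryComputerName = $null
                PollDurationSec = $null; LastSyncStatus = $null; LastSyncTime = $null
                Error = $_.Exception.Message
            }
        }
    }
}

# Verify the farm agrees on a single primary. Returns $true when consistent and
# writes a warning for every discrepancy (split-brain: two primaries; a secondary
# still pointing at the old primary; a failed last sync).
function Test-AdfsFarmRoleConsistency {
    param([Parameter(Mandatory)][object[]]$Report)
    $ok = $true
    $primaries = @($Report | Where-Object Role -eq 'PrimaryComputer')
    if ($primaries.Count -ne 1) {
        Write-Warning ("Expected exactly one PrimaryComputer, found {0}: {1}" -f $primaries.Count, ($primaries.Node -join ', '))
        $ok = $false
    }
    $expectedPrimary = if ($primaries.Count -ge 1) { $primaries[0].Node } else { $null }
    foreach ($s in ($Report | Where-Object Role -eq 'SecondaryComputer')) {
        if ($expectedPrimary -and ($s.PrimaryComputerName -ne $expectedPrimary)) {
            Write-Warning ("{0} still points at '{1}', expected '{2}'" -f $s.Node, $s.PrimaryComputerName, $expectedPrimary)
            $ok = $false
        }
        if ($s.LastSyncStatus -ne 0) {
            Write-Warning ("{0}: last sync from primary did not succeed (status {1} at {2})" -f $s.Node, $s.LastSyncStatus, $s.LastSyncTime)
            $ok = $false
        }
    }
    foreach ($u in ($Report | Where-Object Role -eq 'Unknown')) {
        Write-Warning ("{0}: could not read sync properties: {1}" -f $u.Node, $u.Error)
        $ok = $false
    }
    return $ok
}

# The two steps from the post, applied to every node so no STS keeps a stale role.
function Move-AdfsPrimaryComputerRole {
    param(
        [Parameter(Mandatory)][string]$NewPrimary,
        [Parameter(Mandatory)][string[]]$AllNodes
    )
    Invoke-Command -ComputerName $NewPrimary -ScriptBlock { Set-AdfsSyncProperties -Role PrimaryComputer }
    foreach ($node in ($AllNodes | Where-Object { $_ -ne $NewPrimary })) {
        Invoke-Command -ComputerName $node -ArgumentList $NewPrimary -ScriptBlock {
            param($PrimaryFqdn)
            Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $PrimaryFqdn
        }
    }
}

# Usage: inventory first, then (optionally) transfer and re-check.
$before = Get-AdfsFarmRoleReport -ComputerName $FarmNodes
$before | Format-Table -AutoSize
if (-not (Test-AdfsFarmRoleConsistency -Report $before)) {
    Write-Host 'Farm roles are inconsistent; review the warnings before changing anything.'
}
# Move-AdfsPrimaryComputerRole -NewPrimary 'adfs2.corp.example.com' -AllNodes $FarmNodes
# Test-AdfsFarmRoleConsistency -Report (Get-AdfsFarmRoleReport -ComputerName $FarmNodes)
```

The consistency check is the part worth keeping around even when you never transfer the role: because secondaries only learn about the primary from their own locally configured PrimaryComputerName, an old primary that was never demoted, or a secondary that was missed in step two, produces a farm in which configuration changes made on the new primary never reach some nodes. Running the report right after a transfer, and again after the poll interval has elapsed, confirms both the roles and that the last sync actually succeeded.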
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########