We are currently running Office 365 on campus. We have set up ADFS and DirSync (running fine), and we are currently installing another ADFS server into the farm, which replicates the configuration using the Windows Internal Database. What other software do we need to make this an Office 365 failover server? Just duplicating the database is not enough.
We are testing it by altering the hosts file on a client to point to the new ADFS02 server, but when trying to log in to Office 365 it will not allow single sign-on.
Change the hosts file back to ADFS01 and it works.
Has anyone installed a second ADFS server for an Office 365 environment?
5 Spice ups
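The checks below are an added example, not part of the original post, showing what to verify on the second WID-farm node before treating it as an Office 365 failover. It assumes AD FS on Windows Server 2012 R2 or later (the Adfs PowerShell module), the MSOnline module with Connect-MsolService already run, and the hypothetical names sts.contoso.edu for the federation service and contoso.edu for the federated domain.

```powershell
# Added example (not from the original post): checks to run before trusting a
# second WID-farm node as an Office 365 failover.
# Assumptions: AD FS on Windows Server 2012 R2 or later (Adfs module), the
# MSOnline module with Connect-MsolService already run, and hypothetical names
# sts.contoso.edu (federation service) and contoso.edu (federated domain).
$serviceName = 'sts.contoso.edu'
$domainName  = 'contoso.edu'

# --- Run on ADFS02 ---------------------------------------------------------
# 1. It must be a SecondaryComputer that is successfully pulling config from the primary.
$sync = Get-AdfsSyncProperties
if ($sync.Role -ne 'SecondaryComputer') {
    throw "Role is $($sync.Role); a WID farm has one PrimaryComputer, additional nodes must be SecondaryComputer."
}
if ($sync.LastSyncStatus -ne 0) {
    throw "Last sync from $($sync.LastSyncFromPrimaryComputerName) failed with status $($sync.LastSyncStatus) at $($sync.LastSyncTime)."
}

# 2. The federation service name is farm-wide. A hosts-file test only works if the client
#    reaches ADFS02 under that same name and ADFS02 has a TLS certificate bound for it.
$props = Get-AdfsProperties
if ($props.HostName -ne $serviceName) {
    throw "Farm HostName is $($props.HostName), expected $serviceName."
}
if (-not (Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $serviceName })) {
    throw "No TLS certificate bound for $serviceName on this node."
}

# 3. Office 365 must be pointing at that same name and trusting the farm's current
#    primary token-signing certificate; otherwise no node in the farm will sign users in.
$fed     = Get-MsolDomainFederationSettings -DomainName $domainName
$fedHost = ([Uri]$fed.PassiveLogOnUri).Host
if ($fedHost -ne $serviceName) {
    throw "Office 365 sends passive logons for $domainName to $fedHost, not $serviceName."
}
$signing     = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$farmSigning = [Convert]::ToBase64String($signing.Certificate.RawData)
if ($fed.SigningCertificate -ne $farmSigning) {
    throw "Office 365 holds a different token-signing certificate than this farm; run Update-MsolFederatedDomain."
}

Write-Output "ADFS02 is a synced secondary for $serviceName and matches the federation settings for $domainName."
```

Passing these checks only proves the second node can answer; it is still not failover until the federation service name resolves to both nodes through a load balancer or failover DNS, which is the point the replies below make.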
vince-p (Vince P) #2
We switched from using ADFS with x servers to getting rid of it altogether and just using DirSync.
Life is so much better for everyone now.
2 Spice ups
tobywells (toby wells) #3
You need geographic diversity, failover DNS and a lot of luck…
Like Jpacella says, use Azure DirSync; it's better positioned to give you failover.
1 Spice up
Why are you running ADFS and DirSync? DirSync is doing nothing in this case: Office 365 is sending all of the authentication requests to your ADFS servers.
If you don't have any specific need for ADFS I would say ditch them and just use DirSync. It is much easier to administer, and your entire infrastructure can evaporate and Office 365 can still authenticate you with the last AD password you had.
1 Spice up
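The change this reply recommends, moving the federated domain back to cloud (managed) authentication so DirSync carries sign-in on its own, looks like the following. This is an added example, not code from the reply's author. It assumes the MSOnline module with Connect-MsolService already run, the hypothetical domain contoso.edu and primary ADFS server adfs01.contoso.edu, hypothetical file paths under C:\Temp, and DirSync already running with Password Sync enabled (without it, users end up with the temporary passwords written to the password file rather than their AD password).

```powershell
# Added example (not from the original reply): convert a federated Office 365
# domain to standard (managed) authentication.
# Assumptions: MSOnline module, Connect-MsolService already run, hypothetical
# domain contoso.edu, primary ADFS server adfs01.contoso.edu, paths under
# C:\Temp, and DirSync with Password Sync already enabled.
$domainName = 'contoso.edu'

# Record what the tenant currently has for the domain so the change is reversible.
$before = Get-MsolDomain -DomainName $domainName
$fed    = Get-MsolDomainFederationSettings -DomainName $domainName
$fed | Export-Clixml -Path "C:\Temp\$domainName-federation-backup.xml"
Write-Output "Before: $domainName authentication = $($before.Authentication), passive logon at $($fed.PassiveLogOnUri)"

if ($before.Authentication -eq 'Federated') {
    # The cmdlet also removes the Office 365 relying-party trust from the farm,
    # so it needs an ADFS context: run it on the primary, or point it there.
    Set-MsolADFSContext -Computer 'adfs01.contoso.edu'
    Convert-MsolDomainToStandard -DomainName $domainName `
        -SkipUserConversion $false `
        -PasswordFile "C:\Temp\$domainName-temp-passwords.txt"
}

$after = Get-MsolDomain -DomainName $domainName
Write-Output "After: $domainName authentication = $($after.Authentication)"
```

Once the domain reports Managed, Office 365 validates passwords itself against the hashes DirSync has pushed, which is why the reply can say the on-premises infrastructure can "evaporate" and sign-in keeps working.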
vince-p (Vince P) #5
If I remember the setup options... you must use DirSync in conjunction with ADFS (if using ADFS). So anyone going all the way with ADFS will always have DirSync. I could be wrong, but I'm pretty sure I'm not.
tobywells (toby wells) #6
You are right, but if I was being pedantic...
...you could use PowerShell to set ImmutableID and not use DirSync, but that's not normal behaviour if you have AD or like to sleep at night.
So absolutely, if you are using ADFS you will be running DirSync as well (people might not realise it, but it's happening).
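The "set ImmutableID by hand" path mentioned above works like this. It is an added example, not the poster's code. It assumes the ActiveDirectory and MSOnline modules, Connect-MsolService already run, and hypothetical accounts under contoso.edu. ADFS issues the ImmutableID claim for Office 365 as the base64 encoding of the user's AD objectGUID, and Office 365 matches the federated token to the cloud user on exactly that value; DirSync populates it for every user automatically, which is what this script does for one user at a time.

```powershell
# Added example (not from the original post): match a cloud user to an AD
# account without DirSync by setting ImmutableId from the AD objectGUID.
# Assumptions: ActiveDirectory and MSOnline modules, Connect-MsolService
# already run, hypothetical accounts under contoso.edu.
Import-Module ActiveDirectory

function Get-ImmutableIdFromAd {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # The Office 365 claim rules in ADFS emit objectGUID base64-encoded as ImmutableID.
    $guid = (Get-ADUser -Identity $SamAccountName).ObjectGUID
    return [Convert]::ToBase64String($guid.ToByteArray())
}

function Sync-ImmutableId {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $expected = Get-ImmutableIdFromAd -SamAccountName $SamAccountName
    $cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName

    if ($cloud.ImmutableId -eq $expected) {
        Write-Output "$UserPrincipalName already matches ($expected)"
        return
    }
    if ($cloud.ImmutableId) {
        # A mismatch means federated sign-in fails for this user with the token ADFS issues;
        # surface it rather than silently overwriting an existing link.
        Write-Warning "$UserPrincipalName has ImmutableId $($cloud.ImmutableId), AD objectGUID gives $expected"
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $expected
    Write-Output "Set ImmutableId for $UserPrincipalName to $expected"
}

# Usage (hypothetical account):
Sync-ImmutableId -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.edu'
```

Doing this per user is exactly the "not normal behaviour" the post describes: every new hire, rename and deletion has to be mirrored by hand, and a stale ImmutableId silently locks that user out of federated sign-in.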
vince-p (Vince P) #7
I was responding to Christopher’s question “Why are you running ADFS and DS”…
tobywells (toby wells) #8
I know ;-)
Biggest question is why anyone is running ADFS anyway.
It can give a slightly better SSO experience to users who are on the internal network, or if you need two-factor authentication or some odd scenarios where you want users to authenticate during working hours but not otherwise, you'll need ADFS. But in the vast majority of cases DirSync alone is the better solution.
vince-p (Vince P) #10
We found that in a lot of cases, people wanted to log on to other mailboxes (not those of other users, but mailboxes we have set up for logical purposes), and with SSO they had to fight the system in order to be able to use other credentials in the browser.
Or if we were in a meeting and Person A was steering the video projector and we had to get to Person B's email... it was another mini struggle...
Yep, I could see that, given how ADFS does the auto-login deal. Might even have to use Firefox or Chrome in those cases...