This article is part of AD FS 2.0 Workshop – Complete High-availability platform
1. Installation of the Windows Network Load-Balancing feature
Since we have two AD FS servers, we install them as a farm. A farm only means the nodes share the same configuration and certificates; it does nothing to spread client traffic across them or to keep the service reachable when one node is down. So even though the AD FS servers are installed in a farm configuration, we still need to network load balance them behind a single name and IP address.
1.1. Installation of the NLB service
Since the AD FS servers are virtual machines, we first have to verify that each NIC has a static MAC address assigned. Windows NLB binds a cluster MAC address to the adapter and does not support dynamically assigned MAC addresses (on Hyper-V the virtual NIC must additionally have MAC address spoofing enabled).
The following steps have to be done on both AD FS servers.
- Log in to the AD FS server with an administrative account
- Open Server Manager
- Under Features, click Add Features and select Network Load Balancing
- Click Install
- Restart the server
Of course, all those steps can be replaced by two lines of PowerShell, run on both servers:
Import-Module ServerManager
Add-WindowsFeature -Name NLB, RSAT-NLB
1.2. Configuration of the NLB service
- Click Start -> Administrative Tools -> Network Load Balancing Manager
- Click the ‘Cluster’ menu
- Click ‘New’
- Enter the host name (FQDN) of the first AD FS server and click 'Connect'
- Connection status should say 'Connected' and 'Interfaces available for configuring a new cluster' should show the IP address of the AD FS server's NIC. Click 'Next'
- Verify that the ‘Priority (unique host identifier)’ is set to 1
- Verify that the default state is set to ‘Started’. Click ‘Next’
- Click 'Add' on the Cluster IP Addresses window
- Enter the IP address (and subnet mask) to use for the load-balanced federation service. This is the cluster IP; it must not be the IP of either AD FS server
- Set the 'Cluster operation mode' to Multicast and fill in the 'Full Internet name' with the federation service name (the FQDN clients will use). Note that in multicast mode the cluster IP answers ARP with a multicast MAC address; some switches and routers refuse that and need a static ARP entry for the cluster IP
- Click 'Edit' on the default port rule
- Change the 'Port range' to From: 443 To: 443
- Change the 'Protocols' to TCP
- Click 'OK'
- Click 'Finish'
- This adds the first AD FS server to the cluster. Verify that the server was added and that its status is 'Converged'
- Add the second AD FS server to the AD FS NLB cluster the same way and verify that both hosts show 'Converged'
- Add DNS records to the internal DNS zone
Add an internal DNS 'A' record for the AD FS service name pointing at the IP address of the NLB cluster, NOT at an individual AD FS server. Keep in mind that the goal is to have multiple AD FS servers that are load balanced: all traffic must be directed to the cluster IP, and the cluster then decides which AD FS server handles it.
Ok, but this is a PowerShell blog isn’t it?
Yes it is!
So why the hell is the guy bullshitting us with his screenshots and his 'click here, click there'!?
You've got a point, pal... But that could be my point as well: have you seen all the steps needed to configure this? And what if you want anything else? OK, let's use a PowerShell script to get the most out of it and address the different cases (number of nodes, port rules, etc.): Create-NLBCluster.ps1
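The author's Create-NLBCluster.ps1 is not reproduced on this page. As an added example (my own code, not the author's script), here is what the same walk-through looks like with the NetworkLoadBalancingClusters cmdlets that come with the RSAT-NLB feature: create the cluster on the first node in multicast mode, replace the default port rule with TCP/443 only, join the other nodes, refuse to continue until every node reports 'Converged', and register the A record against the cluster IP. The host names, interface name, addresses, DNS server and zone are placeholders, and the feature-install loop assumes PowerShell remoting is enabled between the nodes.

```powershell
# Added example, not the article's Create-NLBCluster.ps1.
# Run on the first node with an account that is a local administrator on every node.
# All names, addresses and the zone below are placeholders (assumptions); adjust them.
param(
    [string[]] $Nodes       = @('ADFS01', 'ADFS02'),   # first entry becomes host priority 1
    [string]   $Interface   = 'Local Area Connection', # NIC name, identical on every node
    [string]   $ClusterFqdn = 'adfs.contoso.com',      # 'Full Internet name' = federation service name
    [string]   $ClusterIP   = '10.0.0.50',             # cluster (virtual) IP, NOT a node IP
    [string]   $SubnetMask  = '255.255.255.0',
    [string]   $DnsServer   = 'DC01',                  # internal DNS server hosting $DnsZone
    [string]   $DnsZone     = 'contoso.com'
)

$ErrorActionPreference = 'Stop'
Import-Module NetworkLoadBalancingClusters

# 1. Install the NLB feature where it is missing (assumes PowerShell remoting is enabled).
foreach ($node in $Nodes) {
    Invoke-Command -ComputerName $node -ScriptBlock {
        Import-Module ServerManager
        if (-not (Get-WindowsFeature -Name NLB).Installed) {
            Add-WindowsFeature -Name NLB, RSAT-NLB | Out-Null
        }
    }
}

# 2. Create the cluster on the first node in multicast mode, as in the GUI steps.
$first = $Nodes[0]
New-NlbCluster -HostName $first -InterfaceName $Interface `
    -ClusterName $ClusterFqdn -ClusterPrimaryIP $ClusterIP -SubnetMask $SubnetMask `
    -OperationMode Multicast | Out-Null

# 3. Replace the default 0-65535 rule with a single TCP/443 rule. Traffic to the
#    cluster IP that matches no rule goes to the default host (priority 1) only, so
#    nothing but HTTPS on the cluster IP is balanced. Affinity 'Single' keeps one
#    client IP on one node for the rule's session timeout; it is the NLB default
#    and a safe choice for HTTPS.
Get-NlbClusterPortRule -HostName $first -InterfaceName $Interface |
    Remove-NlbClusterPortRule -Force | Out-Null
Add-NlbClusterPortRule -HostName $first -InterfaceName $Interface `
    -StartPort 443 -EndPort 443 -Protocol Tcp -Mode Multiple -Affinity Single | Out-Null

# 4. Join the remaining nodes; each gets the next free host priority and inherits the port rule.
foreach ($node in ($Nodes | Select-Object -Skip 1)) {
    Add-NlbClusterNode -HostName $first -InterfaceName $Interface `
        -NewNodeName $node -NewNodeInterface $Interface | Out-Null
}

# 5. Do not continue until every node reports 'Converged'; fail loudly otherwise.
$deadline = (Get-Date).AddMinutes(2)
do {
    $state   = Get-NlbClusterNode -HostName $first -InterfaceName $Interface
    $pending = @($state | Where-Object { $_.State -ne 'Converged' })
    if ($pending.Count -gt 0) { Start-Sleep -Seconds 5 }
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)
if ($pending.Count -gt 0) {
    throw ('Nodes not converged: ' + (($pending | ForEach-Object { $_.Name }) -join ', '))
}
$state | Format-Table -AutoSize

# 6. Point the federation service name at the CLUSTER IP, never at a node.
#    dnscmd is used because the DnsServer PowerShell module does not exist on
#    Windows Server 2008 R2, the platform AD FS 2.0 runs on.
$label = ($ClusterFqdn -split '\.', 2)[0]
& dnscmd $DnsServer /RecordAdd $DnsZone $label A $ClusterIP
```

Two things worth keeping from the script even if you stay with the GUI: the convergence check (a node that never reaches 'Converged' is a misconfigured NIC or a switch dropping the multicast MAC, and you want to know before you hand the cluster IP to DNS), and the fact that removing the default port rule leaves the default host answering everything that is not TCP/443 on the cluster IP.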