Setting up an AD FS Farm with Azure AD Connect is easy when you use Azure AD Connect. Its configuration wizard is able to configure all the required AD FS settings and Web Application Proxy settings on two domain-joined servers you point the wizard to.
This begs the question:
How do you extend the AD FS Farm with additional AD FS Servers?
Let’s answer that question in this blogpost.
To complete the steps below, you’ll need to meet the following requirements:
- One proposed AD FS server. This server may run Server Core. This server needs to be domain-joined.
- The proposed AD FS server needs to be able to communicate to Azure AD to exchange metadata. Configure https://nexus.microsoftonline-p.com as an allowed URL.
- The Azure AD Connect server needs to be able to access the proposed AD FS server using TCP5981.
- You need an account on the Azure AD Connect server that is both local administrator and a member of the local ADSyncAdmins group.
- You need to manage the AD FS farm to which you want to add the proposed AD FS server with Azure AD Connect.
- You need local administrator credentials on the proposed AD FS server and on the primary AD FS server.
- You need to update the A or CNAME record(s) in the internal DNS zone for your organization to point the AD FS farm name (for instance sts.domain.tld) to the proposed AD FS server and the existing (primary) AD FS server. This can best be achieved by implementing a load balancer.
Configuring an additional AD FS server
Perform the below steps to add an AD FS Server to an existing Farm using Azure AD Connect:
- Sign in to the Azure AD Connect server with an account that is both local administrator and a member of the ADSyncAdmins group on the Azure AD Connect server.
- Start Azure AD Connect from the desktop.
The Microsoft Azure Active Directory Connect screen appears.
- On the Welcome to Azure AD Connect page, click Configure.
- On the Additional Tasks page, select the Manage federation task and click the Next button.
- On the Manage federation page, select the Manage servers task and click the Next button.
- On the Server management tasks page, select the Deploy an AD FS server option and click the Next button.
- On the Connect to AD FS page, provide the credentials of an Active Directory account that has local administrator privileges on the primary AD FS server. Click Next when done.
- On the Specify SSL certificate page, click the ENTER PASSWORD button.
The Certificate password dialog screen appears.
- Enter the password for the *.pfx file. This certificate file was previously used to setup the AD FS Farm. As all AD FS servers use the same certificate as the communications certificate, the Azure AD Connect configuration wizard prompts you for the password of the initial certificate. Click OK.
The Certificate password dialog screen closes.
- On the Specify SSL certificate page, click the Next button.
- On the AD FS server page, specify where to install AD FS. Enter the name of the domain-joined server you want to configure as an additional AD FS server, or use the Browse button to search for it using parts of its hostname.
- Click the Add button.
The server’s hostname now appears in the SELECTED SERVER list.
- Click Next.
- On the Ready to configure page, click the Configure button.
- On the Verify federation connectivity screen, click the Exit button.
When you meet the requirements, you can build out your initial AD FS farm with ease, just by using Azure AD Connect.