
We're using ADFS 2.0 on a Windows 2008 server; it's in a farm and has the default polling interval of 5 minutes. We're making a change tonight and would rather sync immediately than wait for the other guy to update, especially as we might be making multiple changes.

This Technet article mentions that I can change the polling interval or do an immediate sync between my servers:

http://technet.microsoft.com/en-us/library/ee913581%28WS.10%29.aspx

I checked the PowerShell cmdlets for ADFS and I can only seem to find one that lets me set the polling interval, but not perform a one-time immediate sync.

Searched the usual suspects, but just can't find an ADFS-SyncMyStuffNow command...

Anyone?

Matt
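The cmdlet the question refers to is Set-ADFSSyncProperties, which the secondary uses to decide how often it pulls configuration from the primary. The following is an added PowerShell example, not code from the original post: it shortens the poll interval on a secondary for the duration of a change window, watches Get-ADFSSyncProperties until the secondary reports a pull that is newer than the change, and then puts the original interval back. The 60-second interval, the 15-minute deadline and the 10-second polling loop are my own choices, not values from the page.

```powershell
# Added example (not from the original question). Run elevated ON EACH
# SECONDARY federation server in the farm, before making the change on the
# primary. Assumptions: the AD FS 2.0 snap-in is installed; 60 s is an
# arbitrary short poll interval; the 15-minute deadline is ours.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$props = Get-ADFSSyncProperties
if ($props.Role -ne 'SecondaryComputer') {
    throw "This server's role is '$($props.Role)'; run this on a secondary."
}
$originalPoll = $props.PollDuration          # seconds; 300 is the default
$changeTime   = Get-Date                     # take this BEFORE editing config on the primary

try {
    Set-ADFSSyncProperties -PollDuration 60
    Write-Host "Poll interval lowered from $originalPoll s to 60 s. Make the change on the primary now."

    $deadline = $changeTime.AddMinutes(15)
    do {
        Start-Sleep -Seconds 10
        $p = Get-ADFSSyncProperties
        Write-Host ("{0:T}  last pull from {1}: {2}  status: {3}" -f (Get-Date),
            $p.PrimaryComputerName, $p.LastSyncFromPrimaryFederationServerDateTime, $p.LastSyncStatus)
    } until ($p.LastSyncFromPrimaryFederationServerDateTime -gt $changeTime -or (Get-Date) -gt $deadline)

    if ($p.LastSyncFromPrimaryFederationServerDateTime -le $changeTime) {
        Write-Warning ("No pull from the primary within 15 minutes; check that {0}:{1} is resolvable " +
            "and reachable from here, then look at the 'AD FS 2.0/Admin' event log.") -f
            $p.PrimaryComputerName, $p.PrimaryComputerPort
    }
}
finally {
    # Always restore the farm's normal interval, even if the wait timed out.
    Set-ADFSSyncProperties -PollDuration $originalPoll
}
```

The check on `LastSyncFromPrimaryFederationServerDateTime` is the important part: a lowered interval only tells you how often the secondary will try, so the script confirms that a pull actually happened after your change rather than trusting the timer. With several secondaries, run it on each of them; the poll setting is per server.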

2 Answers


So this isn't the exact answer, but after more reading I realized that if you want immediate synchronization, you need to use the shared SQL server. Once you have a shared server, there is no more "primary" - they can both make changes and are immediately in sync.

There also didn't appear to be a (supported) way to migrate a standalone to the SQL server, it has to be rebuilt.

Matt
  • According to http://technet.microsoft.com/en-us/library/ee913581%28WS.10%29.aspx there is a supported way for the migration – ccellar May 12 '11 at 14:57
  • Thanks - they either revised that or I misread. I'm guessing the latter. :) – Matt Jun 14 '11 at 21:51
  • Here is an article on how to migrate the database to SQL. http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-migrate-your-ad-fs-configuration-database-to-sql-server.aspx – Matt Jul 21 '11 at 16:51

We recently had an issue with an AD FS farm using the Windows Internal Database and Microsoft Network Load Balancing. The secondary server would not synchronize with the primary one, causing a lot of intermittent authentication issues. Manual inspection of the SQL databases (`\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query`) using SQL Server Management Studio confirmed that the policies were not being synchronized. Specifically, when we opened the ServiceStateSummary table, we noticed that the serial numbers remained at zero. Also, the event log showed that 0 objects were added/merged to the database.

The first thing I did was check to see if the primary server's DNS name was resolvable. No dice. So I fixed the DNS settings on the secondary server. Still no dice. Finally, I reran the wizard; this time, with the DNS settings fixed, I got another error, something to the effect that the primary federation server appeared to be busy. I noticed that the previous admin had set the primary federation server name to the IDP federation name (external.hostname.com). I changed the primary server name setting to the actual name of the primary server (FS01), stepped through the wizard, and everything worked like a charm!

Moral of the story:

  1. Check your DNS settings and make sure the real name of the primary federation server is resolvable.
  2. Rerun the wizard after changing your DNS settings and check the AD FS Admin event log in the event viewer for synchronization status. You should see the merged/added object count equal >0.
  3. Never use the IDP federation name for the primary server name. Use the REAL/host name of the primary federation server, instead.
  4. Cycling the AD FS service will always force a resync.

Good luck and hope this helps!

Nadeem Douba
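The four points above can be checked from the secondary without opening the wizard. What follows is an added PowerShell example, not code from the answer or from Microsoft: it compares the configured primary computer name with the federation service name (point 3), resolves and connects to the primary (point 1), cycles the service (point 4), and then lists the Admin-log events written since the restart (point 2). The service name `adfssrv`, the log name `AD FS 2.0/Admin`, the 5-second connect timeout and the 30-second wait are assumptions on my part; `FS01` is the host name used in the answer.

```powershell
# Added example (not from the original answer). Run elevated on a SECONDARY
# AD FS 2.0 federation server. Assumptions: AD FS 2.0 snap-in installed,
# service name adfssrv, log name 'AD FS 2.0/Admin', timeouts are ours.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$sync   = Get-ADFSSyncProperties
$fsName = (Get-ADFSProperties).HostName   # federation service name, e.g. external.hostname.com

# Point 3: the primary's COMPUTER name must not be the federation service name.
if ($sync.PrimaryComputerName -eq $fsName) {
    Write-Warning ("PrimaryComputerName '{0}' is the federation service name. Point it at the real host, e.g.: " +
        "Set-ADFSSyncProperties -Role SecondaryComputer -PrimaryComputerName FS01") -f $sync.PrimaryComputerName
}

# Point 1: resolve the primary's real name. Resolve-DnsName needs Windows 2012+,
# so use .NET, which works on Windows 2008.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($sync.PrimaryComputerName)
    Write-Host ("{0} resolves to {1}" -f $sync.PrimaryComputerName, ($addrs -join ', '))
} catch {
    Write-Warning "Cannot resolve '$($sync.PrimaryComputerName)': $($_.Exception.Message)"
    return
}

# Is the port the secondary pulls configuration from actually reachable?
$tcp = New-Object System.Net.Sockets.TcpClient
$ar  = $tcp.BeginConnect($sync.PrimaryComputerName, $sync.PrimaryComputerPort, $null, $null)
if ($ar.AsyncWaitHandle.WaitOne(5000)) {
    $tcp.EndConnect($ar)
    Write-Host "TCP $($sync.PrimaryComputerName):$($sync.PrimaryComputerPort) reachable"
} else {
    Write-Warning "No TCP connection to $($sync.PrimaryComputerName):$($sync.PrimaryComputerPort) within 5 s"
}
$tcp.Close()

# Point 4: cycle the service; point 2: read what the Admin log says afterwards.
$since = Get-Date
Restart-Service -Name adfssrv -Force
Start-Sleep -Seconds 30
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; StartTime = $since } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } -AutoSize

$after = Get-ADFSSyncProperties
"Last pull from primary: {0}  status: {1}" -f $after.LastSyncFromPrimaryFederationServerDateTime, $after.LastSyncStatus
```

Read the event list for the added/merged object count the answer mentions; a count of zero after the restart, with a resolvable and reachable primary, points back at the primary computer name setting rather than at the network.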