AD FS 3.0 Event 342, There are currently no logon servers available to service the logon request

We rely on AD FS to perform authentication for Office 365.

To guard against local network outages we built an ADFS stack in Azure that includes load balanced edge servers, load balanced ADFS hosts and a domain controller (full DC, *not* a RODC).

We experienced a network outage to our corporate data center and expected the Azure installation to handle authentication. The Azure-based servers were unable to perform the authentication, returning an event 342, "There are currently no logon servers available to service the logon request."

It appears that the ADFS hosts were not using the local domain controller and were attempting to authenticate with a domain controller at corporate which was unreachable due to the network outage. When the network service was restored these hosts were able to authenticate.

How do I configure these ADFS hosts to use the Domain Controller on their subnet?

We have set AD up so that the Azure site and servers are on their own "site".
I checked %logonserver% on the ADFS hosts and each pointed to the local DC, not one at corporate.

TIA for any help!

  

August 21st, 2015 3:51pm

Hi,

It appears that the ADFS hosts were not using the local domain controller and were attempting to authenticate with a domain controller at corporate which was unreachable due to the network outage. When the network service was restored these hosts were able to authenticate.

According to your description, ADFS hosts and a Domain Controller are deployed within Azure; while there was a network issue with the on-premises AD, those ADFS hosts in Azure were still trying to authenticate using an on-premises DC instead of the DC deployed within Azure.

Please ensure that AD sites are configured correctly, so that a local (nearest) DC would be contacted first to process authentication requests.

If sites are configured correctly, I suggest you check the DC within Azure by running DCdiag.exe to examine its health. Please also test network connectivity between the ADFS hosts and the DC within Azure.

Best Regards,

Amy

August 25th, 2015 7:37am

That is NOT the answer.....

The purpose of this configuration is to provide authentication in the event the corporate network connection is down. The original post shows that all of the suggested tests had been completed. At the time of the failure the corporate network connection WAS down.

The %logonserver% variable shows that the ADFS cluster servers authenticated against the local domain controller; the problem is that ADFS requests are being sent to the DCs in the corporate network.

Is there a way to specify that the requests should be processed by the on-site or "closest" DC??  

August 31st, 2015 12:05pm

Hi,

As far as I know, DC Locator would try to find a Domain Controller within the local site to handle authentication requests; only when DCs within the local site are not available would a DC from another site be contacted.

The %logonserver% variable shows that the ADFS cluster servers authenticated against the local domain controller; the problem is that ADFS requests are being sent to the DCs in the corporate network.

Is there any configuration in ADFS which specifies a DC from the corporate network?

If there isn't any, please use Network Monitor to capture network traffic on the ADFS servers to find out exactly which kind of traffic was sent to the DC in the corporate network.

Is there a way to specify that the requests should be processed by the on-site or "closest" DC??  

We can enable clients to locate a Domain Controller in the Next Closest Site from GP Management or registry.

More information for you:

Network Monitor 3 Usage Videos

http://blogs.technet.com/b/netmon/p/usagevideos.aspx

Enabling Clients to Locate the Next Closest Domain Controller

https://technet.microsoft.com/en-us/library/cc733142(v=ws.10).aspx

Enable Clients to Locate a Domain Controller in the Next Closest

https://technet.microsoft.com/en-us/library/cc772592(v=ws.10).aspx

Best Regards,

Amy

September 1st, 2015 2:30am
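
The checks discussed in this thread can be run together from an AD FS host. The following is an added example, not part of any post: it compares the site of the DC that DC Locator returns with the host's own site, shows the Netlogon secure channel partner (which can differ from %logonserver%), reads the Next Closest Site setting, and tests reachability of every DC registered in the local site. It assumes a domain-joined Windows Server 2012 R2 host; the port list is an illustrative choice.

```powershell
# Added diagnostic sketch (not from the thread). Run on an AD FS host in the Azure site.
# Uses built-in .NET classes, nltest.exe and Test-NetConnection only.
Add-Type -AssemblyName System.DirectoryServices

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$site   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

# Ask DC Locator for a fresh answer instead of the cached one.
$force   = [System.DirectoryServices.ActiveDirectory.LocatorOptions]::ForceRediscovery
$located = $domain.FindDomainController($force)

# The DC holding this host's Netlogon secure channel.
$secureChannel = (& nltest.exe "/sc_query:$($domain.Name)") -join "`n"

# Next Closest Site setting: Group Policy location first, then the local Netlogon key.
$keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters',
        'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$tryNext = $keys | ForEach-Object {
    (Get-ItemProperty -Path $_ -Name TryNextClosestSite -ErrorAction SilentlyContinue).TryNextClosestSite
} | Where-Object { $null -ne $_ } | Select-Object -First 1

[pscustomobject]@{
    ComputerSite       = $site.Name
    LocatedDC          = $located.Name
    LocatedDCSite      = $located.SiteName
    LocatedInOwnSite   = ($located.SiteName -eq $site.Name)
    TryNextClosestSite = $tryNext     # empty means not configured
} | Format-List

$secureChannel

# Reachability of every DC registered in this host's site.
foreach ($server in $site.Servers) {
    foreach ($port in 88, 389, 445, 3268) {   # Kerberos, LDAP, SMB, global catalog LDAP
        $r = Test-NetConnection -ComputerName $server.Name -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $server.Name; Port = $port; Reachable = $r.TcpTestSucceeded }
    }
}
```

If `LocatedInOwnSite` is False or the secure channel names a corporate DC while the link is up, the same lookup will fail when the link is down.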

This topic is archived. No further replies will be accepted.
