Name Resolution Requirements for AD FS-Enabled Web Servers

Applies To: Windows Server 2008

Before a Web browser client can contact an Active Directory Federation Services (AD FS)-enabled Web server over the Internet, the browser must first use Domain Name System (DNS) to resolve the Web server's host name to the IP address of the AD FS-enabled Web server, which is located in the resource partner's perimeter network. The following standard DNS "tree-walking" process accomplishes name resolution to federated applications:

  1. The browser client contacts a top-level-domain (TLD) DNS server on the Internet to resolve the fully qualified domain name (FQDN) of the target Web site that was typed into the browser. In practice the client does not do this itself; the recursive DNS server configured on the client walks the tree on its behalf, starting at the root servers.

  2. The TLD DNS server does not hold the host record. It refers the client (or its recursive resolver) to the DNS server that is authoritative for the DNS domain that is specified in the Web site address.

Note

In the federated world of AD FS, this authoritative DNS server is the DNS server that is located in the perimeter network of the resource partner organization.

  3. Using values that are stored in preconfigured host (A) resource records, the perimeter DNS server resolves the target FQDN to the IP address of the AD FS-enabled Web server and returns that address to the client.

For more information about how DNS processes work, see How DNS Works (https://go.microsoft.com/fwlink/?LinkId=74637).

Configuring perimeter DNS

DNS is required for successful name resolution across the Internet to an AD FS-enabled Web server. You must add a new host (A) resource record that resolves the Web server's DNS host name to a single IP address. If the Web servers are farmed, that address is the cluster IP address of the farm, not the address of any individual Web server. You configure this record in the perimeter DNS of the resource partner.

In the following illustration, you can see how to configure the perimeter DNS so that it contains a single host (A) resource record for ws (ws.treyresearch.net) that points to the IP address of the AD FS-enabled Web server cluster in the perimeter network. In this scenario, Network Load Balancing (NLB) provides a single cluster FQDN and a single cluster IP address for an existing AD FS-enabled Web server farm, so Internet clients only ever learn the cluster address.
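The following PowerShell script is an added example and is not part of the original article. It registers the single host (A) record described above on the perimeter DNS server with dnscmd.exe (the DNS command-line tool available on Windows Server 2008; on Windows Server 2012 and later the Add-DnsServerResourceRecordA cmdlet does the same job) and then queries the perimeter server the way an Internet resolver would, to confirm that ws.treyresearch.net answers with exactly one address, that the address is the NLB cluster IP address, and that no individual farm node address has leaked into the published record. The zone treyresearch.net and the host ws come from the article; the perimeter DNS server name, the cluster IP address 203.0.113.10 and the node addresses 203.0.113.11 and 203.0.113.12 (RFC 5737 documentation addresses) are assumed placeholders.

```powershell
# Added example, not code from the original article. Run from an administrative
# session that has the DNS Server Tools (dnscmd.exe) and rights on the perimeter DNS.
# Assumed placeholders: $PerimeterDns, $ClusterVip and $NodeIps. The zone and host
# name (ws.treyresearch.net) are the ones used in the article.

$PerimeterDns = 'dns1.perimeter.treyresearch.net'   # assumed: perimeter DNS server
$Zone         = 'treyresearch.net'
$HostName     = 'ws'                                 # published as ws.treyresearch.net
$ClusterVip   = '203.0.113.10'                       # assumed: NLB cluster IP, the only address to publish
$NodeIps      = @('203.0.113.11', '203.0.113.12')    # assumed: individual farm nodes, never published
$Fqdn         = "$HostName.$Zone"
$Ipv4         = '\d{1,3}(?:\.\d{1,3}){3}'

# 1. One name, one cluster address: do not stack a second A record on an existing one.
#    dnscmd [ServerName] /EnumRecords ZoneName NodeName
$existing = & dnscmd $PerimeterDns /EnumRecords $Zone $HostName 2>&1 |
    ForEach-Object { if ("$_" -match "\bA\s+($Ipv4)\s*$") { $Matches[1] } }

if ($existing) {
    Write-Host "Existing A record(s) for ${Fqdn}: $($existing -join ', ')"
} else {
    # dnscmd [ServerName] /RecordAdd ZoneName NodeName RRType RRData
    & dnscmd $PerimeterDns /RecordAdd $Zone $HostName A $ClusterVip
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordAdd failed with exit code $LASTEXITCODE" }
    Write-Host "Added A record $Fqdn -> $ClusterVip on $PerimeterDns"
}

# 2. Ask the perimeter server directly, as an Internet resolver would, and parse the answer.
#    nslookup prints the server's own address first; only addresses after the "Name:" line
#    belong to the answer.
$answers   = @()
$afterName = $false
foreach ($line in (& nslookup -type=A $Fqdn $PerimeterDns 2>&1)) {
    if ("$line" -match '^Name:') { $afterName = $true; continue }
    if ($afterName -and "$line" -match "^\s*(?:Address(?:es)?:)?\s*($Ipv4)\s*$") { $answers += $Matches[1] }
}

# 3. Checks a practitioner wants before handing the name to the account partner.
$problems = @()
if ($answers.Count -ne 1) {
    $problems += "expected exactly one A record for $Fqdn, got $($answers.Count): $($answers -join ', ')"
}
if ($answers -notcontains $ClusterVip) {
    $problems += "answer for $Fqdn does not include the cluster IP $ClusterVip"
}
foreach ($ip in $answers) {
    if ($NodeIps -contains $ip) { $problems += "farm node address $ip is published; clients must only see the cluster IP" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "$Fqdn -> $($answers[0]) (cluster IP) on ${PerimeterDns}: OK"
```

Run the check again from a host outside the perimeter (for example, a client on the Internet using its own recursive resolver rather than $PerimeterDns) to confirm that the delegation from the public treyresearch.net name servers actually reaches the perimeter DNS; a record that resolves only from inside the perimeter is the most common reason the account partner's browsers cannot reach the federated application.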

For more information about how to configure a cluster IP address or a cluster FQDN using Microsoft NLB technology, see Specifying the Cluster Parameters (https://go.microsoft.com/fwlink/?LinkId=74651).

For more information about how to configure perimeter DNS, see Add a Host (A) Resource Record to Perimeter DNS for an AD FS-Enabled Web Server.