Skip to main content
A single TAMS instance is a potential single point of failure for all unlock operations within the environment. The recommended deployment pattern is to run two or more TAMS instances across separate Windows Server hosts and expose them behind an internal DNS record. Because TAMS is stateless (no session or in-memory state is shared between instances), round-robin DNS is sufficient. No dedicated load balancer appliance is required. Image (9) 2
1

Deploy multiple TAMS hosts

Install TAMS on two or more Windows Server hosts (for example, tams-server-1.corp.example.com, tams-server-2.corp.example.com).
2

Create an internal DNS record

Create an internal DNS A record (for example, tams.corp.example.com) with multiple address entries, one per host. This gives round-robin DNS load distribution at no additional infrastructure cost.
3

Point the Windows Authenticator at the DNS name

Configure the TruU Windows Authenticator (v26.1.0 or later) to target the DNS FQDN (tams.corp.example.com:<WebServerPort>) instead of a single host IP. Any instance can then serve the request, and hosts can be replaced or taken offline without reconfiguring agents.
4

Standardize configuration and certificates

Each instance must be configured with the same registry settings and must hold a valid TRUU-HTTPS TLS certificate. The certificate must cover the shared FQDN as a Subject Alternative Name, or you can use a wildcard certificate.

Benefits

  • Resilience — agent unlock requests succeed even when one TAMS host is unavailable (patching, reboot, hardware failure).
  • Maintenance without downtime — instances can be updated or restarted one at a time.
  • Horizontal scalability — add capacity by registering a new host and appending its IP to the DNS record.
  • Geo-located services — with DNS entries and localized DNS servers, TAMS can be positioned to provide low network latency and connectivity to localized AD instances.