DirSync & ADFS Best Practices

I am looking for a list of "Best Practices" for using & administrating DirSync & ADFS that I can give my customers after we set up their Cloud environment for access to Office 365 & other Azure services.

Any suggestions?

I have so far:

In the on-premise Active Directory every user needs a UPN which is resolvable from the internet. So if your on-premise domain is 'domain.local' your users need a UPN like: user@domain.com

The DirSync server should have the same physical access security as a Domain Controller.

Make sure the Microsoft Online Services Identity Federation Management tool is installed in the on-premise environment. This tool installs a set of PowerShell commands that are used to create and configure federation between on-premise and Office 365. The commands that can be used for this are: Set-MSOLContextCredential, Add-MSOLFederatedDomain and/or Convert-MSOLDomainToFederated.

To check the federation setup, the Get-MSOLFederationProperty -DomainName <domain> cmdlet can be used. This will show all settings for the ADFS 2.0 and Microsoft Federation Gateway for the domain entered.

The Windows Azure Active Directory Sync Tool can be installed on a computer if all the following conditions are true:
      • Windows PowerShell 1.0 is installed on the computer.
      • You are logged on to the computer as a member of the local Administrators group.
      • The computer has a 64-bit processor.
      • The computer is running one of the following operating systems:
            - Windows Server 2003 x64 with Service Pack 2 (SP2) or a later version
            - An x64-based version of Windows Server 2008
      • The computer isn't a domain controller.
      • The computer is joined to an Active Directory domain and is located in the forest that you want to sync with Windows Azure Active Directory (Windows Azure AD).
      • The Microsoft .NET Framework 3.5 or a later version is installed on the computer.
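A checker for the DirSync prerequisites listed above, added here as an example and not part of the original post. It assumes Windows PowerShell 2.0 or later with WMI and registry access on the candidate machine; the -TargetForest parameter name is this script's own, not a product setting.

```powershell
function Test-DirSyncPrerequisites {
    # Added example, not code from the original post. $TargetForest is this
    # script's own parameter: the DNS name of the forest you intend to sync.
    param([string]$TargetForest)

    $os = Get-WmiObject Win32_OperatingSystem
    $cs = Get-WmiObject Win32_ComputerSystem
    $osVersion = [Version]$os.Version

    # x64 check that also holds when run from a 32-bit PowerShell host
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')

    # Server 2003 SP2+ (5.2) or Server 2008 and later (6.0+); ProductType 1 = client OS
    $serverOk = ($os.ProductType -ne 1) -and (
        ($osVersion -ge [Version]'6.0') -or
        ($osVersion.Major -eq 5 -and $osVersion.Minor -eq 2 -and $os.ServicePackMajorVersion -ge 2))

    # DomainRole 4 = backup DC, 5 = primary DC
    $isDc = $cs.DomainRole -ge 4

    # Forest the machine actually belongs to (GetCurrentForest throws when not domain-joined)
    $forestName = $null
    try { $forestName = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name } catch { }

    # .NET 3.5 or 4.x Full profile, as recorded by the framework setup registry keys
    $net35 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    $net4  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue

    # Membership of the local Administrators group (effective, i.e. elevated, token)
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $checks = @(
        @{ Check = 'PowerShell 1.0 or later';        Pass = ($Host.Version.Major -ge 1) },
        @{ Check = 'Running as local Administrator';  Pass = $isAdmin },
        @{ Check = '64-bit processor';                Pass = $is64 },
        @{ Check = 'Supported server OS';             Pass = $serverOk },
        @{ Check = 'Not a domain controller';         Pass = (-not $isDc) },
        @{ Check = 'Joined to the target forest';     Pass = ($cs.PartOfDomain -and ($forestName -eq $TargetForest)) },
        @{ Check = '.NET Framework 3.5 or later';     Pass = (($net35.Install -eq 1) -or ($net4.Install -eq 1)) }
    )
    foreach ($c in $checks) { New-Object PSObject -Property $c }
}

# Constructed usage: replace the forest name with the one DirSync will sync from
Test-DirSyncPrerequisites -TargetForest 'corp.example.com' | Format-Table Check, Pass -AutoSize
```

Any row showing Pass = False is a condition from the list above that the machine does not meet; run it before installing rather than after the wizard fails.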

Vasil Michev (MVP) commented:
DirSync is a 'set it and forget it' appliance; you rarely should have to worry about it. The best practice I can think of is to use an Office 365 account with the 'password never expires' option, or if you see this as a security risk, to put some reminder to make sure you regularly rerun the setup wizard to reflect on password changes. Filtering certain sensitive accounts is also a good idea.

AD FS is way more important, so make sure to review at least some of the information available on TechNet. The service itself is designed to be very reliable and in the default configuration (at least two servers in a farm), you should rarely encounter an outage, if any. Avoid using multiple federated domains if possible.

As the list of group membership is included in the auth token, you might run into issues with 'header too long' replies if the user is a member of too many AD groups. So following the best AD practices will help on that. In a perfect world, switching to 2012 and DAC is the best option to clear the group clutter.

Browser support is another common problem. While certain browsers with versions in their twenties claim to be the best, they do not support important technologies so you might have to make changes in the AD FS configuration. Or better, advise them to switch to IE 9/10 where possible.

Make sure you have configured logging to collect the needed troubleshooting information:

You can also restrict access to certain applications if needed:

Another good idea is to educate the users what SSO means: