• Status: Solved
  • Priority: Medium
  • Security: Public

DirSync & ADFS Best Practices

I am looking for a list of "Best Practices" for using & administering DirSync & ADFS that I can give my customers after we set up their Cloud environment for access to Office 365 & other Azure services.

Any suggestions?

I have so far:

In the on-premise Active Directory every user needs a UPN which is resolvable from the internet. So if your on-premise domain is ‘domain.local’, your users need a UPN like: user@domain.com

The DirSync server should have the same physical access security as a Domain Controller.

Make sure the Microsoft Online Services Identity Federation Management tool is installed in the on-premise environment. This tool installs a set of PowerShell commands that are used to create and configure federation between on-premise and Office 365. The commands that can be used for this are: Set-MSOLContextCredential, Add-MSOLFederatedDomain and/or Convert-MSOLDomainToFederated.

To check the federation setup, the Get-MSOLFederationProperty –DomainName <domain> cmdlet can be used. This will show all settings for AD FS 2.0 and the Microsoft Federation Gateway for the domain entered.

The Windows Azure Active Directory Sync Tool can be installed on a computer if all the following conditions are true:
  • Windows PowerShell 1.0 is installed on the computer.
  • You are logged on to the computer as a member of the local Administrators group.
  • The computer has a 64-bit processor.
  • The computer is running one of the following operating systems:
        Windows Server 2003 x64 with Service Pack 2 (SP2) or a later version
        An x64-based version of Windows Server 2008
  • The computer isn't a domain controller.
  • The computer is joined to an Active Directory domain and is located in the forest that you want to sync with Windows Azure Active Directory (Windows Azure AD).
  • The Microsoft .NET Framework 3.5 or a later version is installed on the computer.
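As an added example that is not part of the original post: a PowerShell script that checks the install conditions listed above on the local machine, and lists enabled users whose UPN suffix is not the internet-routable one (the UPN point from the start of the post). It assumes an elevated session on the candidate server and, for the UPN check, the RSAT ActiveDirectory module; the function names and the 'domain.com' suffix are my own.

```powershell
# Added example: report which DirSync server prerequisites pass on this machine.
function Test-DirSyncPrerequisites {
    $os = Get-WmiObject Win32_OperatingSystem
    $cs = Get-WmiObject Win32_ComputerSystem
    $wp = New-Object Security.Principal.WindowsPrincipal(
              [Security.Principal.WindowsIdentity]::GetCurrent())
    $v  = [Version]$os.Version   # 5.2 = Server 2003, 6.0 = Server 2008

    # .NET 3.5 writes Install=1 under NDP\v3.5; any 4.x "Full" install is also "3.5 or later".
    $ndp   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $net35 = (Get-ItemProperty "$ndp\v3.5" -ErrorAction SilentlyContinue).Install -eq 1
    $net4  = Test-Path "$ndp\v4\Full"

    $checks = @(
        # $Host exists in PowerShell 1.0 too, unlike $PSVersionTable
        @{ Name = 'Windows PowerShell 1.0 or later'; Pass = ($Host.Version.Major -ge 1) },
        # IsInRole(Administrator) only reflects group membership when the session is elevated
        @{ Name = 'Member of local Administrators (elevated)'
           Pass = $wp.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) },
        # SystemType reads "x64-based PC" on 64-bit hardware, including Server 2003
        @{ Name = '64-bit processor'; Pass = ($cs.SystemType -like 'x64*') },
        # ProductType: 1 = workstation, 2 = domain controller, 3 = member server
        @{ Name = 'Server 2003 SP2 or later server OS'
           Pass = ($os.ProductType -ne 1) -and (($v.Major -gt 5) -or
                  ($v.Major -eq 5 -and $v.Minor -eq 2 -and $os.ServicePackMajorVersion -ge 2)) },
        @{ Name = 'Not a domain controller'; Pass = ($os.ProductType -ne 2) },
        @{ Name = 'Joined to an AD domain';  Pass = [bool]$cs.PartOfDomain },
        @{ Name = '.NET Framework 3.5 or later'; Pass = ($net35 -or $net4) }
    )
    foreach ($c in $checks) {
        New-Object PSObject -Property @{ Check = $c.Name; Pass = [bool]$c.Pass } |
            Select-Object Check, Pass
    }
}

# Added example: find enabled users whose UPN does not use the routable suffix,
# i.e. accounts that would not sign in cleanly through DirSync/AD FS.
function Find-NonRoutableUpn {
    param([string]$RoutableSuffix = 'domain.com')   # hypothetical suffix; replace with yours
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName -notlike "*@$RoutableSuffix" } |
        Select-Object SamAccountName, UserPrincipalName
}

Test-DirSyncPrerequisites | Format-Table -AutoSize
Find-NonRoutableUpn -RoutableSuffix 'domain.com' | Format-Table -AutoSize
```

Run it on the intended DirSync host before installing; any row with Pass = False maps directly to one of the conditions in the list above.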
1 Solution
Vasil Michev (MVP) commented:
DirSync is a 'set it and forget it' appliance; you rarely should have to worry about it. The best practice I can think of is to use an Office 365 account with the 'password never expires' option, or if you see this as a security risk, to put some reminder to make sure you regularly rerun the setup wizard to reflect on password changes. Filtering certain sensitive accounts is also a good idea.

AD FS is way more important, so make sure to review at least some of the information available on TechNet. The service itself is designed to be very reliable and in the default configuration (at least two servers in a farm), you should rarely encounter an outage, if any. Avoid using multiple federated domains if possible.

As the list of group membership is included in the auth token, you might run into issues with 'header too long' replies if the user is a member of too many AD groups. So following the best AD practices will help on that. In a perfect world, switching to 2012 and DAC is the best option to clear the group clutter.

Browser support is another common problem. While certain browsers with versions in their twenties claim to be the best, they do not support important technologies so you might have to make changes in the AD FS configuration. Or better, advise them to switch to IE 9/10 where possible.

Make sure you have configured logging to collect the needed troubleshooting information:

You can also restrict access to certain applications if needed:

Another good idea is to educate the users what SSO means:
