Do we need a Federated Server Farm

Posted on 2013-11-12
Medium Priority
Last Modified: 2013-11-20
We will be setting up ADFS for Office 365 in our office. The office has about 80 people in total. I am familiar with the process and have set up a small office using just one server for the Federated role. However, I am reading more and more that I should at least think about setting up a server farm. Is it necessary at this level of users?
Question by:JesusFreak42
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39642949
The reason to set up a farm isn't just load, but also resiliency. Nothing is more frustrating than losing access to most of your productivity suite just because of a single point of failure in your authentication infrastructure.

I am of the mindset that if you have enough users to benefit from ADFS, you have enough users that you want a farm. And if you don't think you have enough users to justify a farm, chances are you should probably reconsider ADFS, where DirSync would suffice for smaller organizations. For me personally, I've found that tipping point to be around 150 users before ADFS becomes worth the hassle of the added infrastructure costs and management.
LVL 43

Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 400 total points
ID: 39642993
What he said, farm gives you both HA and LB. You can spin the AD FS servers in VMs, so the cost difference will not be that big. And it's not that difficult to set up, you just use the other radio button in the wizard.

So, if you indeed NEED the benefits of AD FS, follow the best practices. If you simply want 'same credentials' experience, stick to dirsync with password sync.

Author Comment

ID: 39643017
Hmmm.... Quick question. It seems like AD FS might be a convenience, though this company is growing quickly. However, isn't ADFS really easy to deactivate through the powershell if the server were to go down?
LVL 43

Expert Comment

by:Vasil Michev (MVP)
ID: 39643054
Deactivating AD FS means generating new passwords for every federated user, have fun distributing those to people that cannot even access their email :)

Author Comment

ID: 39643098
Is that true even if Directory Synching remains active?
LVL 59

Accepted Solution

Cliff Galiher earned 1600 total points
ID: 39643140
Yes, that is still true. DirSync in an ADFS infrastructure syncs the directory objects, but NOT credentials. Password syncing wasn't even a part of DirSync in its initial release and was only added much later because of popular demand. Enabling ADFS still disables password sync (by necessity) and so you end up with the same problem.

...like I said, managing ADFS is not trivial. While what the other expert said is true...that it is not "difficult" to set up, there is still background knowledge and ongoing maintenance and disaster recovery concerns that aren't technically part of the setup process, but still need to be considered.

So I stand by my initial assertion that you may not be at a place where ADFS makes sense, just based on your line of questions. That isn't an indictment. I am *good* at ADFS and Azure in general, and I don't do it for my smaller clients. The cost/benefit just isn't there.

Author Closing Comment

ID: 39664331
I have proposed that we put in two ADFS machines IF we are going to go that route. Thank you
