Solved

Do we need a Federated Server Farm

Posted on 2013-11-12
7
297 Views
Last Modified: 2013-11-20
Hello,
   We will be setting up ADFS for Office 365 in our office. The office has about 80 people in total. I am familiar with the process and have setup a small office using just one server for the Federated role. However, I am reading more and more that I should at least think about setting up a server farm. Is it necessary at this level of users?
0
Comment
Question by:JesusFreak42
  • 3
  • 2
  • 2
7 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
Comment Utility
The reason to set up a farm isn't just load, but also resiliency. Nothing is more frustrating than losing access to most of your productivity suite just because of a single point of failure in your authentication infrastructure.

I am of the mindset that if you have enough users to benefit from ADFS, you have enough users that you want a farm. And if you don't think you have enough users to justify a farm, chances are you should probably reconsider ADFS, where DirSync would suffice for smaller organizations. For me personally, I've found that tipping point to be around 150 users before ADFS becomes worth the hassle of the added infrastructure costs and management.
0
 
LVL 38

Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 100 total points
Comment Utility
What he said, farm gives you both HA and LB. You can spin the AD FS servers in VMs, so the cost difference will not be that big. And it's not that difficult to set up, you just use the other radio button in the wizard.

So, if you indeed NEED the benefits of AD FS, follow the best practices. If you simply want 'same credentials' experience, stick to dirsync with password sync.
0
 

Author Comment

by:JesusFreak42
Comment Utility
Hmmm.... Quick question. It seems like AD FS might be a convenience, though this company is growing quickly. However, isn't ADFS really easy to deactivate through the powershell if the server were to go down?
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
Comment Utility
Deactivating AD FS means generating new passwords for every federated user, have fun distributing those to people that cannot even access their email :)
0
 

Author Comment

by:JesusFreak42
Comment Utility
Is that true even if Directory Synching remains active?
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 400 total points
Comment Utility
Yes, that is still true. DirSync in an ADFS infrastructure syncs the directory objects, but NOT credentials. Password syncing wasn't even a part of DirSync in its initial release and was only added much later because of popular demand. Enabling ADFS still disables password sync (by necessity) and so you end up with the same problem.

...like I said, managing ADFS is not trivial. While what the other expert said is true...that is is not "difficult" to set up, there is still background knowledge and ongoing maintenance and disaster recovery concerns that aren't technically part of the setup process, but still need to be considered.

So I stand by my initial assertion that you may not be at a place where ADFS makes sense, just based on your line of questions. That isn't an indictment. I am *good* at ADFS and Azure in general, and I don't do it for my smaller clients. The cost/benefit just isn't there.
0
 

Author Closing Comment

by:JesusFreak42
Comment Utility
I have proposed that we put in two ADFS machines IF we are going to go that route. Thank you
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Veeam Backup & Replication has added a new integration – Veeam Backup for Microsoft Office 365.  In this blog, we will discuss how you can benefit from Office 365 email backup with the Veeam’s new product and try to shed some light on the needs and …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now