Do we need a Federated Server Farm

Posted on 2013-11-12
Medium Priority
Last Modified: 2013-11-20
We will be setting up ADFS for Office 365 in our office. The office has about 80 people in total. I am familiar with the process and have set up a small office using just one server for the Federated role. However, I am reading more and more that I should at least think about setting up a server farm. Is it necessary at this level of users?
Question by:JesusFreak42
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39642949
The reason to set up a farm isn't just load, but also resiliency. Nothing is more frustrating than losing access to most of your productivity suite just because of a single point of failure in your authentication infrastructure.

I am of the mindset that if you have enough users to benefit from ADFS, you have enough users that you want a farm. And if you don't think you have enough users to justify a farm, chances are you should probably reconsider ADFS, where DirSync would suffice for smaller organizations. For me personally, I've found that tipping point to be around 150 users before ADFS becomes worth the hassle of the added infrastructure costs and management.
LVL 42

Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 400 total points
ID: 39642993
What he said, farm gives you both HA and LB. You can spin the AD FS servers in VMs, so the cost difference will not be that big. And it's not that difficult to set up; you just use the other radio button in the wizard.

So, if you indeed NEED the benefits of AD FS, follow the best practices. If you simply want 'same credentials' experience, stick to dirsync with password sync.
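The "other radio button" above is the AD FS 2.0 configuration wizard's "New federation server farm" choice. As an added example that is not part of the thread, here is the same two-node farm built from PowerShell on Windows Server 2012 R2 (AD FS 3.0), which replaced that wizard with Install-AdfsFarm and Add-AdfsFarmNode. The service name sts.contoso.com, the service account CONTOSO\svc-adfs, the host name adfs01.contoso.local and the certificate lookup are placeholders for illustration:

```powershell
# Added example, not from the thread: two-node AD FS farm on Windows Server 2012 R2.
# Assumed placeholders: sts.contoso.com, CONTOSO\svc-adfs, adfs01.contoso.local.

$FsName  = 'sts.contoso.com'      # federation service name; must match the SSL cert subject
$SvcCred = Get-Credential -UserName 'CONTOSO\svc-adfs' -Message 'AD FS service account'

# --- Node 1 (adfs01): create the farm ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# The SSL / service-communications certificate must already be in LocalMachine\My
# with its private key; the same cert is imported on every farm node.
$Thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$FsName*" }).Thumbprint

# No -SQLConnectionString: the configuration lives in the Windows Internal Database
# on node 1 and is replicated to secondaries, which is enough for a small farm.
Install-AdfsFarm -CertificateThumbprint $Thumb `
                 -FederationServiceName $FsName `
                 -FederationServiceDisplayName 'Contoso' `
                 -ServiceAccountCredential $SvcCred

# --- Node 2 (adfs02): join the farm ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$Thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$FsName*" }).Thumbprint

Add-AdfsFarmNode -CertificateThumbprint $Thumb `
                 -ServiceAccountCredential $SvcCred `
                 -PrimaryComputerName 'adfs01.contoso.local'

# --- Verify on either node ---
# Role reads PrimaryComputer on node 1 and SecondaryComputer on node 2;
# LastSyncStatus should be 0 once the WID replica has caught up.
Get-AdfsSyncProperties
Get-AdfsProperties | Select-Object HostName, Identifier
```

The single point of failure the thread is worried about only disappears if sts.contoso.com resolves to a load-balanced VIP in front of both nodes rather than to either host, and the balancer's health check should target the AD FS probe endpoint (/adfs/probe over HTTP on 2012 R2) so a node whose service has stopped is pulled out of rotation. A group managed service account (-GroupServiceAccountIdentifier instead of -ServiceAccountCredential) avoids a shared password on the service account.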

Author Comment

ID: 39643017
Hmmm.... Quick question. It seems like AD FS might be a convenience, though this company is growing quickly. However, isn't ADFS really easy to deactivate through PowerShell if the server were to go down?

LVL 42

Expert Comment

by:Vasil Michev (MVP)
ID: 39643054
Deactivating AD FS means generating new passwords for every federated user; have fun distributing those to people that cannot even access their email :)

Author Comment

ID: 39643098
Is that true even if Directory Synching remains active?
LVL 59

Accepted Solution

Cliff Galiher earned 1600 total points
ID: 39643140
Yes, that is still true. DirSync in an ADFS infrastructure syncs the directory objects, but NOT credentials. Password syncing wasn't even a part of DirSync in its initial release and was only added much later because of popular demand. Enabling ADFS still disables password sync (by necessity) and so you end up with the same problem.

...like I said, managing ADFS is not trivial. While what the other expert said is true...that it is not "difficult" to set up, there is still background knowledge and ongoing maintenance and disaster recovery concerns that aren't technically part of the setup process, but still need to be considered.

So I stand by my initial assertion that you may not be at a place where ADFS makes sense, just based on your line of questions. That isn't an indictment. I am *good* at ADFS and Azure in general, and I don't do it for my smaller clients. The cost/benefit just isn't there.
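What "deactivating AD FS through PowerShell" actually involves, and why it produces the password-distribution problem described in the two answers above, as an added example that is not from the thread. It uses the MSOnline (Azure AD v1) module that was current in 2013; the domain contoso.com, the sample user and the output path are placeholders:

```powershell
# Added example, not from the thread: cut a federated Office 365 domain back to
# managed (standard) authentication when the AD FS farm is unavailable.
# Placeholders: contoso.com, alice@contoso.com, C:\secure\temp-passwords.txt.

Import-Module MSOnline

# Sign in with a cloud-only (@tenant.onmicrosoft.com) global admin. A federated
# admin cannot authenticate at all while AD FS is down, which is the whole point.
Connect-MsolService

$Domain = 'contoso.com'

# 1. Confirm the current state. Authentication reads Federated for an AD FS domain,
#    and Get-MsolFederationProperty fails when the farm cannot be reached.
Get-MsolDomain -DomainName $Domain | Select-Object Name, Authentication
Get-MsolFederationProperty -DomainName $Domain -ErrorAction SilentlyContinue

# 2. Convert the domain AND its users. With -SkipUserConversion $false every
#    user in the domain is given a new temporary password, written in clear text
#    to -PasswordFile. That file is the list someone now has to hand out by phone
#    or in person, because the recipients cannot read email until they have it.
Convert-MsolDomainToStandard -DomainName $Domain `
                             -SkipUserConversion $false `
                             -PasswordFile 'C:\secure\temp-passwords.txt'

# 3. Verify: Authentication now reads Managed and the user object is still there.
(Get-MsolDomain -DomainName $Domain).Authentication
Get-MsolUser -UserPrincipalName "alice@$Domain" | Select-Object UserPrincipalName, LastDirSyncTime

# 4. The password file is a credential dump; restrict it and remove it once used.
#    (Remove-Item is deliberately not run here; decide when you are finished.)
Get-Acl 'C:\secure\temp-passwords.txt' | Select-Object Owner, AccessToString
```

Set-MsolDomainAuthentication -DomainName contoso.com -Authentication Managed flips only the domain and leaves the users unconverted, so nobody can sign in until they are converted anyway; it does not avoid the password problem. DirSync keeps running throughout and keeps the objects in step, but, as noted above, it does not carry passwords for a federated domain, so only after password synchronization is enabled post-conversion do on-premises passwords replace the temporary ones. The cutover is also not reversible without re-running Convert-MsolDomainToFederated against a working farm, which is why a second AD FS node is cheaper than ever needing this procedure.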

Author Closing Comment

ID: 39664331
I have proposed that we put in two ADFS machines IF we are going to go that route. Thank you
