Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Do we need a Federated Server Farm

Posted on 2013-11-12
Last Modified: 2013-11-20
   We will be setting up ADFS for Office 365 in our office. The office has about 80 people in total. I am familiar with the process and have setup a small office using just one server for the Federated role. However, I am reading more and more that I should at least think about setting up a server farm. Is it necessary at this level of users?
Question by:JesusFreak42
  • 3
  • 2
  • 2
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39642949
The reason to set up a farm isn't just load, but also resiliency. Nothing is more frustrating than losing access to most of your productivity suite just because of a single point of failure in your authentication infrastructure.

I am of the mindset that if you have enough users to benefit from ADFS, you have enough users that you want a farm. And if you don't think you have enough users to justify a farm, chances are you should probably reconsider ADFS, where DirSync would suffice for smaller organizations. For me personally, I've found that tipping point to be around 150 users before ADFS becomes worth the hassle of the added infrastructure costs and management.
LVL 40

Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 100 total points
ID: 39642993
What he said, farm gives you both HA and LB. You can spin the AD FS servers in VMs, so the cost difference will not be that big. And it's not that difficult to set up, you just use the other radio button in the wizard.

So, if you indeed NEED the benefits of AD FS, follow the best practices. If you simply want 'same credentials' experience, stick to dirsync with password sync.

Author Comment

ID: 39643017
Hmmm.... Quick question. It seems like AD FS might be a convenience, though this company is growing quickly. However, isn't ADFS really easy to deactivate through the powershell if the server were to go down?
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

LVL 40

Expert Comment

by:Vasil Michev (MVP)
ID: 39643054
Deactivating AD FS means generating new passwords for every federated user, have fun distributing those to people that cannot even access their email :)

Author Comment

ID: 39643098
Is that true even if Directory Synching remains active?
LVL 57

Accepted Solution

Cliff Galiher earned 400 total points
ID: 39643140
Yes, that is still true. DirSync in an ADFS infrastructure syncs the directory objects, but NOT credentials. Password syncing wasn't even a part of DirSync in its initial release and was only added much later because of popular demand. Enabling ADFS still disables password sync (by necessity) and so you end up with the same problem.

...like I said, managing ADFS is not trivial. While what the other expert said is true...that is is not "difficult" to set up, there is still background knowledge and ongoing maintenance and disaster recovery concerns that aren't technically part of the setup process, but still need to be considered.

So I stand by my initial assertion that you may not be at a place where ADFS makes sense, just based on your line of questions. That isn't an indictment. I am *good* at ADFS and Azure in general, and I don't do it for my smaller clients. The cost/benefit just isn't there.

Author Closing Comment

ID: 39664331
I have proposed that we put in two ADFS machines IF we are going to go that route. Thank you

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
In-place Upgrading Dirsync to Azure AD Connect
This Experts Exchange lesson shows how to use VBA to loop through rows in Excel.  In order to sort, filter, and use database features, there needs to be a value in each column for every row. When data arrives with values missing, code to copy values…
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question