K B
Supported / Recommended to install ADFS & DirSync on a 2012 Domain Controller?
We currently have a member server running Windows Server 2012 with the ADFS role installed. DirSync is installed and running on that same server.
Forest & Domain Functional Level is at Windows Server 2003, so there is no problem having a 2012 DC. My question surrounds the use of ADFS and DirSync on a 2012 Domain Controller.
Q:
Can we promote the 2012 Server to a domain controller with ADFS and DirSync already installed or must we remove the ADFS role and DirSync then promote it to a DC?
Q:
Can we even run ADFS & DirSync together on a Domain Controller?
Thank you for your time in advance!
K.B.
Best practice, especially for a production environment, is that a DC should only be used for AD, DNS, and GC purposes.
It would probably work. Still, I wouldn't do it.
You can run it all on the same server and I have done this in a test environment. In a production environment I would not do this, but it's supported (at least in R2, it is). With R2 you also have the federation proxy role which sits in your DMZ, so there's less of an issue. You can also install another ADFS server on a member server and join it to your existing farm (for failover purposes).
ASKER
Thank you,
What about non-R2 2012? Is it supported? There will be only one ADFS. In fact we are considering eliminating the ADFS role entirely from the environment, as DirSync does password synchronization now.
For smaller environments, using DirSync with password sync is fine; you don't need the full-blown ADFS. DirSync is supported on Domain Controllers and it can also co-exist with the ADFS role.
I would use ADFS mainly for security reasons and because it allows for true single sign-on. DirSync just synchronizes the passwords, but it's not instantaneous. If a user changes the password, he will have to wait for the next sync before the change takes effect for Office 365. With ADFS, as soon as you change the password it's effective.
ASKER
Great point. Which applications are true single sign-on in Office 365? Aside from the fact that you have to wait for synchronization to occur, I am speaking about just being logged directly into the application without typing your username and password.
The way ADFS works is that it presents signed tokens to the Office 365 applications. Since these tokens expire, you will eventually have to authenticate again. When Microsoft speaks of SSO, they don't mean "not having to type in the password" but rather the use of the same set of credentials and a single identity provider.
Getting back to your original question, here's a link to a very good FAQ:
http://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspx
If you want to migrate ADFS away from the current server:
- Install a second ADFS member server in the farm
- Change the primary ADFS server
- Remove ADFS role from the existing server
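The three migration steps above as an added PowerShell example; this is not from the original thread or from any Microsoft documentation. It assumes a Windows Server 2012 R2 (ADFS 3.0) farm on the Windows Internal Database, an existing primary named ADFS01.contoso.local, a new member server ADFS02.contoso.local, a service account CONTOSO\svc_adfs and an SSL certificate thumbprint; all of these are placeholders.

```powershell
# Added example: move ADFS off ADFS01 onto new farm node ADFS02.
# Assumes Windows Server 2012 R2 / ADFS 3.0 with a WID farm; names and thumbprint are placeholders.

# ---- Run on the NEW member server (ADFS02) ----------------------------------
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# The farm's SSL certificate must already be imported into LocalMachine\My on this node.
$svcCred = Get-Credential -UserName 'CONTOSO\svc_adfs' -Message 'ADFS service account'
$thumb   = 'PASTE-SSL-CERT-THUMBPRINT'
$oldPrimary = 'ADFS01.contoso.local'

# Dry run: validates certificate, account and connectivity without changing anything.
Test-AdfsFarmJoin -CertificateThumbprint $thumb -PrimaryComputerName $oldPrimary -ServiceAccountCredential $svcCred

# Step 1: join the farm as a secondary. Configuration (including the token-signing
# and token-decrypting certificates) replicates from the current primary.
Add-AdfsFarmNode -CertificateThumbprint $thumb -PrimaryComputerName $oldPrimary -ServiceAccountCredential $svcCred

# Step 2: make this node the primary. A WID farm has exactly one writable copy,
# so do this BEFORE removing the role from the old server.
Set-AdfsSyncProperties -Role PrimaryComputer
Get-AdfsSyncProperties          # expect Role : PrimaryComputer

# ---- Run on the OLD server (ADFS01), only after Step 2 succeeded -------------
# Demote it so it now pulls configuration from ADFS02.
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName 'ADFS02.contoso.local'

# The federation service name must now resolve (DNS or load balancer) to ADFS02.
(Get-AdfsProperties).HostName   # e.g. sts.contoso.com

# Step 3: after confirming an Office 365 sign-in works against ADFS02, remove the role here.
Uninstall-WindowsFeature ADFS-Federation -Restart
```

The order matters: promoting the new node first keeps a writable configuration in the farm, and because the signing certificates travel with the replicated configuration, the existing Office 365 federation trust does not have to be re-established as long as the federation service name and certificates stay the same. Repoint DNS before uninstalling, not after, or users hit a server that no longer answers.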
ASKER
Thank you.
Can I promote the ADFS server to a domain controller without removing the ADFS role first?
ASKER CERTIFIED SOLUTION
ASKER
Thanks for your reply David!
Since this is production, how hard is it to remove it and reinstall with all the same settings? Is there a simple process to follow?
ASKER
Thoughts?