Plan your AD FS deployment

Van toepassing op: Windows Intune

Notitie

Dit onderwerp biedt online hulpinhoud die toepasselijk is op vele Microsoft cloud services, inclusief Windows Intune en Office 365.

The first step in planning an AD FS deployment for een cloud service van Microsoft is to select the right deployment topology to meet the single sign-on needs of your organization. AD FS requires that you use either Windows Internal Database (WID) or a SQL Server database to store the AD FS configuration data used by the Federation Service.

The recommended AD FS topology for the majority of Microsoft cloud services customers is to use the federation server farm with WID and proxies topology that follows. There is also an advanced option of creating a federation server farm with SQL Server proxies, mentioned later in this section.

In addition, this section also provides a table for determining the number of AD FS servers to deploy in your organization, as well as information about adding federation servers to increase performance.

  • Recommended topology: Federation server farm with WID and proxies

  • Advanced option: Federation server farm with SQL Server and proxies

  • Estimation table: Determine the number of AD FS servers to deploy in your organization

  • Adding federation servers to increase performance

The default topology for een cloud service van Microsoft is an AD FS federation server farm that consists of multiple servers hosting your organization’s Federation Service. In this topology, AD FS uses WID as the AD FS configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.

The act of creating the first federation server in a farm also creates a new Federation Service. When WID is used as the AD FS configuration database, the first federation server that is created in the farm is referred to as the primary federation server. This means that this computer will be configured with a read/write copy of the AD FS configuration database.

All other federation servers configured for this farm are referred to as secondary federation servers, as they must replicate any changes that are made on the primary federation server to their read-only copies of the AD FS configuration database that they store locally.

Notitie

We recommend the use of at least two federation servers in a load-balanced configuration.

Setting up this base federation server farm topology is the first phase of your AD FS deployment. The second phase consists of determining how to provide access control functionality for external users by deploying federation server proxies.

Phase 1: Deploy your federation server farm

When you are ready to start deploying your farm, you should plan on placing all of the federation servers in your corporate network behind a Network Load Balancing (NLB) host that can be configured for an NLB cluster with a dedicated cluster DNS name and cluster IP address.

Belangrijk

This cluster DNS name must match the Federation Service name (for example, fs.fabrikam.com) and be Internet-routable for the instance of AD FS that you deploy. If the name does not match, the authentication request won’t be routed to the correct DNS server or the correct federation server.

The NLB host can use the settings defined in this NLB cluster to allocate client requests to the individual federation servers. The following diagram depicts how Fabrikam, Inc. might set up the first phase of their deployment using a two-computer federation server farm (fs1 and fs2) with WID and the positioning of a DNS server and a single NLB host wired to the corporate network.

Federatieve serverfarm met WID

Notitie

If there is a failure on this single NLB host, then users will not be able to access de cloud service. Add additional NLB hosts if your business requirements do not allow having a single point of failure.

Phase 2: Deploy your federation server proxies

In general, federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm. For een cloud service van Microsoft customer, deploying federation server proxies to your existing AD FS infrastructure is necessary to enable the following user scenarios:

  • Work computer, roaming: Users who are logged on to domain-joined computers with their corporate credentials, but who are not connected to the corporate network (for example, a work computer at home or at a hotel), can access de cloud service.

  • Home or public computer: When the user is using a computer that is not joined to the corporate domain, the user must sign in with their corporate credentials to access de cloud service.

  • Smart phone: On a smart phone, to access de cloud service such as Microsoft Exchange Online using Microsoft Exchange ActiveSync, the user must sign in with their corporate credentials.

  • Microsoft Outlook or other email clients: The user must sign in with their corporate credentials to access their Office 365 email if they are using Outlook or an email client that is not part of Office; for example, an IMAP or POP client.

To support these user scenarios, this second phase will build on Phase 1 of the deployment discussed previously, by adding two federation server proxies, providing access to a DNS server on the perimeter network, and access to a second NLB host on the perimeter network.

The second NLB host must be configured with an NLB cluster that uses an Internet-accessible cluster IP address and it must use the same cluster DNS name setting as the previous NLB cluster you configured on the corporate network for Phase 1 (fs.fabrikam.com). The federation server proxies will also be configured with Internet-accessible IP addresses.

The following diagram shows the existing Phase 1 deployment and how Fabrikam, Inc. might provide access to a perimeter DNS server, add a second NLB host with the same cluster DNS name (fs.fabrikam.com), and add two federation server proxies (fsp1 and fsp2) to the perimeter network.

Federatieve serverfarm

Notitie

  • You can use third-party HTTP reverse proxy solutions to publish AD FS to the extranet. For more information about how to do this, see Configuring Advanced Options for AD FS 2.0.

  • All AD FS communication that travels through the firewall is based on HTTPS.

  • You can create custom claim rules in AD FS that will limit your users’ access to de cloud service based on the physical location of the client computer or client device through which your user is requesting access. For more information about how to create these rules, see Limiting Access to Office 365 Services Based on Client Location.

Advanced option: Federation server farm with SQL Server and proxies

This is an advanced AD FS deployment topology option that uses federation server proxies and a SQL Server configuration to enable all federation servers in the farm to read and write to a common SQL Server database. Using a SQL Server database as the AD FS configuration database provides the following benefits over WID:

  • High-availability features of SQL Server that administrators can use.

  • Additional performance enhancements, including the ability to scale out using more than five federation servers (WID is limited to five federation servers per farm).

  • Geographic load-balancing to help provide increases for high traffic based on location.

Notitie

Because this topology is an advanced AD FS deployment option, the details for how this topology works and how to deploy it are not covered in this article.

For more information about this topology option, see Configuring Advanced Options for AD FS 2.0.

Estimation table: Determine the number of AD FS servers to deploy in your organization

You can use the following table to help you estimate the minimum number of AD FS federation servers and federation server proxies that you will need to place in a federation server farm configured with WID throughout your corporate network infrastructure based on the number of users who will require single sign-on access, including remote access, to de cloud service.

Notitie

All computers that will be configured for the federation server or federation server proxy role must be running either the Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 operating system.

We recommend that you use one federation server to account for redundancy. The following table follows this recommendation.

Number of users accessing de cloud service Minimum number of servers to deploy Recommendation and steps

Fewer than 1,000 users

0 dedicated federation servers

0 dedicated federation server proxies

1 dedicated NLB server

For the federation servers, use two existing Active Directory domain controllers (DCs) and configure them both for the federation server role. To do this, first select two existing DCs, and then:

  1. Install AD FS on both domain controllers.

  2. Configure one as the first federation server in a new farm.

  3. Join the second one to the federation server farm.

For NLB, configure an existing NLB host or obtain a dedicated server and then install the NLB server role on it and then configure the NLB server.

For the federation server proxies, use two existing web or proxy servers and configure them both for the federation server proxy role. To do this, select two existing web or proxy servers that reside in the extranet, and then:

  1. Install AD FS on both servers.

  2. Configure them for the federation server proxy role.

  3. Install the NLB server role on one of the federation server proxies or configure an existing NLB host.

Notitie

If you do not have two existing DCs and two web or proxy servers or they are not running either Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 you should deploy dedicated servers instead, as discussed in the next row of this table.

1,000 to 15,000 users

2 dedicated federation servers

2 dedicated federation server proxies

For the federation servers, obtain two dedicated servers, and then:

  1. Install AD FS on both servers.

  2. Configure one as the first federation server in a new farm.

  3. Join the second one to the farm.

  4. Install the NLB server role on one of the federation servers or configure an existing NLB host.

For the federation servers, obtain two dedicated servers that you can place in the extranet:

  1. Install AD FS on both servers.

  2. Configure them for the federation server proxy role.

  3. Install the NLB server role on one of the federation server proxies or configure an existing NLB host.

15,000 to 60,000 users

Between 3 and 5 dedicated federation servers

At least 2 dedicated federation server proxies

Each dedicated federation server can support approximately 15,000 users. Therefore, add an additional dedicated federation server to the base two federation server deployment described previously for every 15,000 users that will require access to de cloud service, up to a maximum of five federation servers in the farm or 60,000 users.

Notitie

An AD FS federation server farm configured to use WID supports a maximum of five federation servers. If you need more than five federation servers, you need to configure a SQL Server database to store the AD FS configuration database. For more information about this option, see Configuring Advanced Options for AD FS 2.0.

The minimum number of users to servers recommendations provided in the previous table are calculated based on the following hardware:

Hardware Specifications

CPU speed

Dual Quad Core 2.27GHz CPU (8 cores)

RAM

4 gigabytes (GB)

Network

Gigabit

Adding federation servers to increase performance

When two or more federation servers are configured in a farm using NLB technology, they can operate independently to help process the load of incoming user requests made to the AD FS Federation Service without degrading the overall performance of the service as a whole. Therefore, there is little overhead involved with adding additional federation servers to your existing production environment after you have deployed your initial federation servers strategically in your network.

Next step

Now that you have planned your AD FS deployment, the next step is to Review the requirements for deploying AD FS.

Zie ook

Concepten

Eenmalige aanmelding implementeren en beheren met AD FS 2.0