Deploy AD DS or AD FS and Office 365 with single sign-on and Azure Virtual Machines

Applies to: Office 365

Summary: Contains guidance for virtualizing and deploying Active Directory Domain Services for Office 365 with single sign-on on Azure Virtual Machines.

We're listening to your feedback and consolidating all our Office 365 deployment content. On July 1st, 2015, all information in this guide will be moved to https://support.office.com/, and these pages will be removed from TechNet. As you review the content still on TechNet, you'll notice many have links pointing to the new content already on https://support.office.com/.

To explore content available on https://support.office.com/, start with the Office 365 for business - Admin Help page.

Deploying Windows Server Active Directory on Azure Virtual Machines is subject to the same guidelines as running it on-premises in a virtual machine or, in most cases, on a physical computer. The same best practices apply to virtual domain controllers in Azure.

Deployment guidelines for Azure

Detailed guidelines for virtualizing and deploying Active Directory Domain Services (AD DS) and Active Directory Federation Services (AD FS) on Azure are maintained in Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines.

We recommend that you use these guidelines for general guidance about deploying domain controllers on Virtual Machines.

The following principles should be observed:

  • You must deploy read/write domain controllers. Read-only domain controllers aren’t supported for use with directory synchronization.

  • If your Active Directory forest contains more than one user domain, you must deploy at least one domain controller for each of those domains into Azure. Authentication for every domain then keeps working even if the cross-premises virtual private network (VPN) connection is interrupted, and less authentication traffic traverses that connection.

  • We recommend that you deploy at least two AD FS servers and two AD FS proxy servers to achieve the best availability of the AD FS service.

  • Domain controllers and AD FS servers should never be exposed directly to the Internet: do not give them public input endpoints, and make them reachable only through the VPN connection.

  • AD FS proxies must be used to publish AD FS servers to the Internet.

  • We recommend that you deploy domain controllers and AD FS servers as a single affinity group to reduce latency between components. For more information, see Affinity Groups.
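The first two principles can be checked against the directory before directory synchronization is turned on. The following script is an added example, not code from the original TechNet page; it assumes the Active Directory PowerShell module (RSAT) and that the domain controllers placed in the Azure Virtual Network are in an AD site named 'Azure-EastUS' (a hypothetical name). It walks every domain in the forest, flags read-only domain controllers in the Azure site, reports domains that have no writable domain controller there, and confirms that the Azure address space is mapped to that site.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module
# and a hypothetical site name 'Azure-EastUS' for the DCs in the Azure VNet.
Import-Module ActiveDirectory

$azureSite = 'Azure-EastUS'   # assumption: the AD site mapped to the Azure VNet

# Get-ADDomainController only lists the current domain, so query each domain
# of the forest explicitly.
$forestDomains = (Get-ADForest).Domains
$azureDcs = foreach ($domain in $forestDomains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.Site -eq $azureSite }
}

if (-not $azureDcs) {
    Write-Warning "No domain controllers are registered in site $azureSite"
}

# 1. Read-only DCs are not supported by directory synchronization.
foreach ($dc in ($azureDcs | Where-Object { $_.IsReadOnly })) {
    Write-Warning "$($dc.HostName) is a read-only DC; replace it with a writable DC"
}

# 2. Every domain needs at least one writable DC in Azure so that sign-in
#    does not depend on the cross-premises VPN.
$coveredDomains = $azureDcs |
    Where-Object { -not $_.IsReadOnly } |
    Select-Object -ExpandProperty Domain -Unique
foreach ($domain in $forestDomains) {
    if ($coveredDomains -notcontains $domain) {
        Write-Warning "Domain $domain has no writable DC in site $azureSite"
    } else {
        Write-Output "OK: $domain has a writable DC in $azureSite"
    }
}

# 3. The VNet address range must be an AD subnet of the Azure site; otherwise
#    the DC locator sends Azure clients across the VPN anyway.
$subnets = Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$azureSite,*" }
if (-not $subnets) {
    Write-Warning "No AD subnet is associated with site $azureSite; add the VNet address range"
} else {
    Write-Output ("Subnets mapped to {0}: {1}" -f $azureSite, (@($subnets).Name -join ', '))
}
```

Run it with an account that can read the configuration partition; the warnings are the items to fix before enabling directory synchronization. The AD FS server and proxy counts are not visible in the directory, so those two principles still have to be checked against the deployment itself.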

Active Directory sites, subnets, and replication traffic

To optimize your deployment, consider tuning the domain controller locator behaviour and the traffic generated by the intersite topology generator (ISTG) and the intersite messaging (ISM) service:

  • Define and connect Active Directory subnets and sites correctly.

  • Ensure that the link cost between any on-premises site and the site corresponding to the Azure Virtual Network is higher than the on-premises site link costs. A higher link cost means that on-premises computers are less likely to traverse the VPN connection to connect to a domain controller in Azure for on-premises operations.

  • Ensure that replication over the site link to Azure follows the site link schedule rather than change notification; leave change notification on that site link disabled so that changes are batched.

  • Ensure that replication traffic is compressed. Intersite replication is compressed by default; verify that compression has not been disabled on the site link to Azure. For more information, see Active Directory Replication Tools and Settings.

  • Align the replication interval with the latency you can tolerate. Domain controllers replicate only the last state of a value, so a longer interval coalesces repeated changes to the same attribute into one transfer and reduces the data sent over the VPN when there are many small object changes.
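The site, subnet and site-link settings above are all set on the configuration partition and can be scripted. The following is an added example, not code from the original page; it assumes the Active Directory PowerShell module and these hypothetical names: on-premises site 'HQ', Azure site 'Azure-EastUS', Azure VNet address space 10.10.0.0/16 and a new site link 'HQ-Azure'. It creates the site and subnet, gives the Azure site link a cost above every existing link, and then inspects the site link's options attribute so that replication is scheduled (change notification off) and compressed (compression not disabled).

```powershell
# Added example, not from the original page. Names below are assumptions.
Import-Module ActiveDirectory

$onPremSite  = 'HQ'
$azureSite   = 'Azure-EastUS'
$azureSubnet = '10.10.0.0/16'
$linkName    = 'HQ-Azure'

# 1. Site and subnet: the DC locator uses the subnet-to-site mapping, so clients
#    in the VNet find the Azure DCs instead of crossing the VPN.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$azureSite'")) {
    New-ADReplicationSite -Name $azureSite
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$azureSubnet'")) {
    New-ADReplicationSubnet -Name $azureSubnet -Site $azureSite
}

# 2. Site link cost: strictly higher than every existing (on-premises) link so
#    that on-premises computers never prefer a path through Azure.
$maxOnPremCost = (Get-ADReplicationSiteLink -Filter * |
    Where-Object { $_.Name -ne $linkName } |
    Measure-Object -Property Cost -Maximum).Maximum
$azureCost = [int]$maxOnPremCost + 100

if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $onPremSite, $azureSite `
        -Cost $azureCost `
        -ReplicationFrequencyInMinutes 180 `
        -InterSiteTransportProtocol IP
}

# 3. Scheduled, compressed replication. The siteLink 'options' attribute holds
#    flag bits: 0x1 = change notification enabled, 0x4 = compression disabled.
#    Both must be clear for batched, compressed replication over the VPN.
$link    = Get-ADReplicationSiteLink -Identity $linkName -Properties options
$options = [int]$link.options          # unset attribute -> 0
$fixed   = $options -band (-bnot 0x5)  # clear bits 0x1 and 0x4
if ($fixed -ne $options) {
    Write-Warning ("{0}: options 0x{1:X} -> 0x{2:X} (notification off, compression on)" `
        -f $linkName, $options, $fixed)
    Set-ADReplicationSiteLink -Identity $linkName -Replace @{ options = $fixed }
}

# 4. Optional: confine replication to a low-traffic window when the latency
#    tolerance allows it (here roughly 00:00-06:00 local time).
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.SetDailySchedule('Zero', 'Zero', 'Six', 'Zero')
Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

Get-ADReplicationSiteLink -Identity $linkName -Properties options, Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, options
```

Step 4 trades freshness for bandwidth; password changes and account lockouts set on an on-premises DC reach the Azure DCs only at the next scheduled replication, so leave it out if that delay is not acceptable. Changes to site links take effect after the ISTG recalculates the topology, which by default happens every 15 minutes.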

AD FS publishing

AD FS endpoints are used to provide clients with access to federated applications and services. Endpoints issue authentication tokens to clients after successful client authentication. You manage these endpoints on your AD FS servers, and securely publish them individually through an AD FS proxy server.

To allow basic authentication clients (including Outlook) to connect, your AD FS infrastructure must be accessible from the Internet through an AD FS proxy. Exchange Online authenticates these clients by contacting your federation service itself, from the Internet, on behalf of the client. If no proxy publishes the service, no Outlook client can authenticate, not even from the organization's internal network.

To ensure that the AD FS proxies running on Azure Virtual Machines are reachable, you must configure input endpoints that allow incoming HTTPS (TCP port 443) authentication traffic to the AD FS proxy virtual machines, and nothing else. For more information, see Set up endpoints on a virtual machine in Azure.
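Publishing comes down to three checks: which AD FS endpoints are marked for the proxy, that only port 443 is open on the proxy virtual machines, and that the result is reachable from outside. The following is an added example, not code from the original page or from Microsoft; part A runs on an AD FS (Windows Server 2012 R2) server with the ADFS module, part B from an administrator workstation with the classic Azure service management module that matches this page's affinity-group deployment model, and part C from a machine on the Internet. The names sts.contoso.com, the cloud service 'ContosoAdfsProxy' and the proxy VMs 'ADFSPROXY01' and 'ADFSPROXY02' are assumptions.

```powershell
# Added example, not from the original page. Names below are assumptions.

# --- A. On an AD FS server: which endpoints go through the proxy -------------
Import-Module ADFS

# Endpoints Office 365 needs reachable from the Internet. 2005/usernamemixed is
# the endpoint Exchange Online calls on behalf of basic-auth clients such as
# Outlook, so it must be proxy-published even if every Outlook user is internal.
$mustPublish = @(
    '/adfs/ls/',
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed',
    '/adfs/services/trust/mex',
    '/FederationMetadata/2007-06/FederationMetadata.xml'
)
# Microsoft's AD FS hardening guidance recommends not publishing the WS-Trust
# Windows-transport endpoints through the proxy; Office 365 does not need them.
$mustNotPublish = @(
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport'
)

$changed = $false
foreach ($path in $mustPublish) {
    $ep = Get-AdfsEndpoint -AddressPath $path
    if (-not $ep.Enabled) { Enable-AdfsEndpoint -TargetAddressPath $path; $changed = $true }
    if (-not $ep.Proxy)   { Set-AdfsEndpoint -TargetAddressPath $path -Proxy $true; $changed = $true }
}
foreach ($path in $mustNotPublish) {
    $ep = Get-AdfsEndpoint -AddressPath $path
    if ($ep.Proxy) { Set-AdfsEndpoint -TargetAddressPath $path -Proxy $false; $changed = $true }
}
if ($changed) {
    # Endpoint changes take effect after the AD FS service restarts on every farm node.
    Restart-Service adfssrv
}
Get-AdfsEndpoint | Where-Object { $_.Proxy } | Select-Object AddressPath, Enabled, Protocol

# --- B. Classic Azure: open only TCP 443 on the proxy VMs, load-balanced ----
foreach ($vmName in 'ADFSPROXY01', 'ADFSPROXY02') {
    Get-AzureVM -ServiceName 'ContosoAdfsProxy' -Name $vmName |
        Add-AzureEndpoint -Name 'HTTPS' -Protocol tcp -LocalPort 443 -PublicPort 443 `
            -LBSetName 'adfs-https' -ProbeProtocol tcp -ProbePort 443 |
        Update-AzureVM
}

# --- C. From the Internet: metadata answers, nothing else is listening ------
$fqdn = 'sts.contoso.com'
$meta = Invoke-WebRequest -Uri "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
"Federation metadata: HTTP $($meta.StatusCode)"
foreach ($port in 80, 88, 389, 445, 3389) {
    $open = (Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    if ($open) { Write-Warning "TCP $port is reachable on $fqdn from the Internet" }
}
```

Part C deliberately probes ports that belong to domain controllers (88, 389, 445) and to remote management (3389) on the published name: a hit there means something other than the proxy is answering on that address, which contradicts the principle that domain controllers and AD FS servers are reachable only over the VPN.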

To learn more about AD FS endpoints, see Plan your AD FS deployment.