Managing a Federation Server Farm

Applies To: Windows Server 2003 R2

To provide load balancing of security services in larger Active Directory Federation Services (ADFS) deployments, you can install additional federation servers. A Federation Service must be able to verify tokens issued by every federation server in that farm. To accomplish this verification, the Federation Service uses verification certificates. Therefore, implementing a server farm requires you to add a verification certificate to the shared trust policy for every token-signing certificate that is in use by any server in the farm.

The following properties are shared by all federation servers in a server farm:

  • TrustPolicy.xml file: This file contains the information for a Federation Service. This file must be accessible to all servers in the server farm, either by location in a shared directory or by using a file distribution method that ensures the replication of updates, such as Distributed File System (DFS).

  • Certificate: Federation servers in the farm can each use a different token-signing certificate, or they can all use the same certificate. When using the same certificate, every federation server must have its own local copy of that certificate configured in the certificate store, with access to the private key.

  • Account store: All servers recognize the same Active Directory domain or Active Directory Application Mode (ADAM) store for user authentication.
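The three shared properties above are easy to let drift as servers are added to a farm: a new member signs with a certificate that was never added to the shared trust policy as a verification certificate, a member's replicated copy of TrustPolicy.xml lags behind the others, or a member has the shared certificate but no access to its private key. The following audit script is an added example, not part of this page or of ADFS itself; it models the checks an administrator would run and assumes the inputs are gathered beforehand (the thumbprints, private-key access flags, and policy file contents below are constructed placeholders). It does not parse the TrustPolicy.xml schema; it only compares each member's copy against a reference copy by hash.

```python
"""Consistency audit for an ADFS federation server farm (added example).

Checks the three properties every farm member must share:
  * each member's token-signing certificate is listed as a verification
    certificate in the shared trust policy,
  * each member's copy of TrustPolicy.xml is identical to the reference copy,
  * each member that signs tokens has access to the certificate's private key.
Thumbprints, server names and policy contents are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FarmServer:
    name: str
    token_signing_thumbprint: str   # thumbprint of the cert this member signs tokens with
    has_private_key: bool           # local certificate store grants private-key access
    trust_policy_xml: str           # this member's copy of TrustPolicy.xml (text)


@dataclass
class AuditReport:
    missing_verification_certs: Dict[str, List[str]]  # thumbprint -> members signing with it
    stale_policy_copies: List[str]                    # members whose TrustPolicy.xml differs
    servers_without_private_key: List[str]

    @property
    def ok(self) -> bool:
        return not (self.missing_verification_certs
                    or self.stale_policy_copies
                    or self.servers_without_private_key)


def normalize_thumbprint(thumbprint: str) -> str:
    """Canonical form so 'aa bb' and 'AA:BB' compare equal."""
    return thumbprint.replace(" ", "").replace(":", "").upper()


def policy_digest(xml_text: str) -> str:
    """SHA-256 of the policy file text; identical copies give identical digests."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def token_verifiable(issuer_thumbprint: str, verification_thumbprints: List[str]) -> bool:
    """True when a token signed with issuer_thumbprint is accepted under the shared policy."""
    trusted = {normalize_thumbprint(t) for t in verification_thumbprints}
    return normalize_thumbprint(issuer_thumbprint) in trusted


def audit_farm(servers: List[FarmServer],
               verification_thumbprints: List[str],
               reference_policy_xml: str) -> AuditReport:
    reference_digest = policy_digest(reference_policy_xml)
    missing: Dict[str, List[str]] = {}
    stale: List[str] = []
    no_key: List[str] = []
    for server in servers:
        if not token_verifiable(server.token_signing_thumbprint, verification_thumbprints):
            # Tokens issued by this member would be rejected by every other member.
            missing.setdefault(normalize_thumbprint(server.token_signing_thumbprint), []).append(server.name)
        if policy_digest(server.trust_policy_xml) != reference_digest:
            stale.append(server.name)
        if not server.has_private_key:
            no_key.append(server.name)
    return AuditReport(missing, stale, no_key)


# --- constructed sample farm (placeholder values, not from a real deployment) ---
POLICY_CURRENT = "placeholder trust policy text, revision 2"
POLICY_OLD = "placeholder trust policy text, revision 1"
CERT_A = "aa" * 20   # shared by FS01 and FS02
CERT_B = "bb" * 20   # used only by FS03, never added as a verification certificate

SAMPLE_SERVERS = [
    FarmServer("FS01", CERT_A, True, POLICY_CURRENT),
    FarmServer("FS02", CERT_A, False, POLICY_CURRENT),   # cert present, private key missing
    FarmServer("FS03", CERT_B, True, POLICY_OLD),        # replication lag on TrustPolicy.xml
]
SAMPLE_VERIFICATION_CERTS = [CERT_A]


def sample_report() -> AuditReport:
    return audit_farm(SAMPLE_SERVERS, SAMPLE_VERIFICATION_CERTS, POLICY_CURRENT)


if __name__ == "__main__":
    report = sample_report()
    print("farm consistent:", report.ok)
    for thumbprint, members in report.missing_verification_certs.items():
        print(f"no verification certificate for {thumbprint} (used by {', '.join(members)})")
    for name in report.stale_policy_copies:
        print(f"{name}: TrustPolicy.xml copy differs from reference")
    for name in report.servers_without_private_key:
        print(f"{name}: token-signing certificate has no private-key access")
```

Run against real inputs by filling `servers` from each member's certificate store and the contents of its TrustPolicy.xml copy, and `verification_thumbprints` from the shared trust policy; any non-empty list in the report points at a member whose tokens will fail verification or that cannot issue tokens at all.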

The following tasks for managing a Federation Service server farm are described in this objective.

See Also

Other Resources

Distributed File System (DFS)