Multiple ADFS Farms single domain

  • Question

  • Hi,

    I have a situation where I have an existing ADFS 2.0 farm running and working fine. This farm is servicing requests for multiple O365 tenancies.

    I would like to know if I can build multiple ADFS 3.0 farms within the same domain, and move each tenancy onto its own ADFS 3.0 farm.

    The reason I am doing this is we plan on splitting the AD into 16 separate but identical domains over the next 12 months.

    Has anybody had any experience of this? Can I have multiple certificates in the certificate store?

    If I can have multiple farms are there any key points to be aware of?

    Cheers

    Micah.

    Thursday, May 19, 2016 3:06 PM

Answers

  • First of all, if you just want to migrate your existing ADFS 2.x to ADFS on Windows Server 2012 R2 (aka ADFS 3), you just have to follow this:

    You'll see that it is in fact quite straightforward.

    Regarding your plan to split your domain into 16 different domains... I am really curious why you would go to that level of complexity. Nowadays, we rather see consolidation projects. Much easier to manage... And cheaper...

    From a pure ADFS perspective now, there is no limitation on the number of farms you can have in a single domain. I guess the administrative overhead will be the limit. The only caveat is about the Device Registration Service. Because the DRS configuration is stored in the configuration partition, you can only have one instance of DRS per forest. So all the ADFS farms of the forest will have to share this.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, May 19, 2016 9:52 PM
    Owner
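An added check for the multiple-farm case (this is example code written for this page, not from the thread or from Microsoft): it pulls each farm's published federation metadata and warns when two farms advertise the same entityID or the same token-signing certificate, which is what you want to confirm before pointing a separate tenancy at each farm. The farm hostnames are constructed placeholders; the metadata URL path and the SAML metadata namespaces are the standard ones ADFS publishes.

```powershell
# Constructed placeholders: replace with the federation service names of your own farms.
$farms = @('adfs-school01.example.org', 'adfs-school02.example.org')

function Get-FarmMetadata {
    param([string]$FederationServiceName)
    # Every ADFS farm publishes its identifier and certificates at this well-known path.
    $url = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    [xml]$md = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    $ns = @{
        md = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds = 'http://www.w3.org/2000/09/xmldsig#'
    }
    # Token-signing certificates sit under IDPSSODescriptor/KeyDescriptor[@use='signing'].
    $signing = Select-Xml -Xml $md -Namespace $ns -XPath `
        "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $thumbprints = foreach ($node in $signing) {
        $raw = [Convert]::FromBase64String($node.Node.InnerText.Trim())
        ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)).Thumbprint
    }
    [pscustomobject]@{
        Farm     = $FederationServiceName
        EntityId = $md.EntityDescriptor.entityID
        Signing  = @($thumbprints)
    }
}

$inventory = foreach ($f in $farms) { Get-FarmMetadata -FederationServiceName $f }
$inventory | Format-Table Farm, EntityId, @{ n = 'SigningThumbprints'; e = { $_.Signing -join ',' } }

# Farms serving different tenancies must not share a federation service identifier...
$inventory | Group-Object EntityId | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "entityID $($_.Name) is advertised by: $($_.Group.Farm -join ', ')"
}
# ...nor a token-signing key, otherwise tokens from one farm are trusted by the other's tenancy.
$inventory | ForEach-Object {
    $farm = $_.Farm
    $_.Signing | ForEach-Object { [pscustomobject]@{ Farm = $farm; Thumbprint = $_ } }
} | Group-Object Thumbprint | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "signing certificate $($_.Name) is shared by: $($_.Group.Farm -join ', ')"
}
```

Run it from a machine that can reach every farm's federation endpoint; a farm that is still being built will simply fail the web request and can be added later.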

All replies

  • Thanks very much, the reason we want to do it is a bit political, but a local council had us build a single domain for many schools about 7 or 8 years ago.

    The council is no longer going to manage those schools, they will be physically separated from each other and it was considered easier than building 16 new domains to simply carve the domains from each other. The shared services that were in the datacentre will now be recreated at each local site.

    Each school will be required to manage their own site (or pay a managed services company to do so).

    The political part of this is when the government changed, the incoming government scrapped the funding that allowed the local council to create the setup in the first place, and gave more autonomy to the schools.

    Cheers

    Micah.

    Friday, May 20, 2016 10:15 AM