ADFS on a Domain Controller

  • Question

  • This is more of a design question and I am not sure if I will go with Windows 2003 R2 or 2008.  We have several Domain Controllers and we want to start playing around with ADFS.  I am going to build a separate Federated Services Proxy server in our DMZ, but is it alright to install Federated Services on a domain controller?  Every slide or video always shows a separate internal federated services server, but everywhere I have always worked (not massive companies) we have always been fine installing additional services on the DCs like DHCP and DNS.  If anyone has any good experience with putting ADFS on a DC, let me know, as we already have about 9 DCs for 6 sites and only 3000 users, and the federated authentication would not even be used that often.

    Thanks,

    Dan
    Dan Heim
    Friday, February 12, 2010 12:14 AM

Answers

  • Hello,

    it is possible but:

    "Because ADFS requires the installation of Internet Information Services (IIS), we strongly recommend that you not install any ADFS components on a domain controller in a production environment."

    See: http://technet.microsoft.com/en-us/library/cc778681(WS.10).aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    • Marked as answer by Mahdi Tehrani Sunday, March 15, 2015 4:36 PM
    Wednesday, August 18, 2010 8:36 PM
  • Howdie!
     
    On 18.08.2010 22:21, Roy Mayo wrote:
    > According to Microsoft's MCTS Self Paced Training Kit for 70-640 page
    > 691 AD LDS will run on a DC.
     
    Yeah, I agree with Meinolf here. Technically, you can run that as the AD
    LDS instance is going to pick a different port to run on - other than
    standard LDAP 389. If I remember right, it opts for 50000 and 50001 for
    SSL but lets the user choose.
     
    Again, it's a security "bad practice" to do that. You don't want to have
    IIS or other internet-facing services running on your DC. So nah, set up
    a different box for that.
     
    Cheers,
    Florian
     

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    • Marked as answer by Mahdi Tehrani Sunday, March 15, 2015 4:36 PM
    Wednesday, August 18, 2010 8:38 PM
  • DO NOT install ADFS on your DCs as:

    * ADFS requires IIS (at least prior to W2K12R2)

    * to manage ADFS you need local administrator equivalent permissions. On DCs that would mean being a domain admin

    just do not do it! install ADFS on separate member servers


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

    • Marked as answer by Mahdi Tehrani Sunday, March 15, 2015 4:36 PM
    Sunday, July 7, 2013 9:58 PM

All replies

  • According to Microsoft's MCTS Self Paced Training Kit for 70-640 page 691 AD LDS will run on a DC.
    Roy Mayo | MCTS • MCSE | USA
    Wednesday, August 18, 2010 8:21 PM
  • This depends on what you are trying to achieve, which means:

    a) are the users who will be accessing the applications remote users who belong to the corporation?

    b) are you providing an external organization with access to your application?

    c) are you providing multi-tenancy?

    Based on this you have:

    a) web SSO

    b) federated

    c) federated trust designs.

    Make sure you isolate the ADFS design with respect to your corporate design.

    Tuesday, October 5, 2010 10:14 AM
  • ADFS is NOT AD LDS.  You guys are confusing two technologies.
    Thursday, June 27, 2013 8:36 PM
  • As of server 2012 r2 it looks like its ok to put on a DC.  I was looking for the answer to this question and in this article it is stated as a feature of the simplified deployment experience: https://technet.microsoft.com/en-us/library/hh831502.aspx
    • Proposed as answer by Studiollama Friday, February 6, 2015 11:00 PM
    • Unproposed as answer by Mahdi Tehrani Sunday, March 15, 2015 4:36 PM
    Friday, February 6, 2015 11:00 PM
  • The question is about ADFS, not AD LDS. Two different technologies!

    Although possible from a technology standpoint, ADFS should go on its own server. Do not mix it with DCs.


    Cheers,

    Jorge de Almeida Pinto

    Principal Consultant | MVP Directory Services | IAM Technologies


    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

    Saturday, February 7, 2015 7:14 AM
  • I disagree with the comments made in this forum thread.  Microsoft recommends customers under 1,000 seats deploy the AD FS role on existing domain controllers to reduce the number of virtual machines in the environment.

    https://msdn.microsoft.com/en-us/library/azure/dn151324.aspx?f=255&MSPPError=-2147217396

    Direct Quote:

    For the federation servers, use two existing Active Directory domain controllers (DCs) and configure them both for the federation server role. To do this, first select two existing DCs, and then:

    1. Install AD FS on both domain controllers.
    2. Configure one as the first federation server in a new farm.
    3. Join the second one to the federation server farm.

    Regards,


    Clint Boessen MVP - Exchange Server, MCSE, MCITPx6, Dip Network Engineering
    Perth, Western Australia

    Blog: http://clintboessen.blogspot.com
    Employer: http://www.avantgardetechnologies.com.au

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Proposed as answer by Clint Boessen Thursday, October 22, 2015 2:48 AM
    Thursday, October 22, 2015 2:48 AM
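The three steps Clint quotes, written out as an added PowerShell example for Windows Server 2012 R2 (the version Andrew and others note no longer pulls IIS onto the DC). This is not code from the thread or from Microsoft's page. Everything named in it is a placeholder: DC1/DC2, the Federation Service name sts.corp.example.com, the domain CORP and the gMSA gMSA_ADFS$. It assumes a KDS root key already exists in the forest (Add-KdsRootKey) and that a service communication certificate with a private key is in the local machine store on both DCs. Note that Jorge's objection still stands here: whoever administers AD FS on these boxes is effectively a Domain Admin, and nothing in the script changes that.

```powershell
<#
Added example, not from the original thread: AD FS 2012 R2 farm on two
existing domain controllers, following the three steps quoted above.
Run once on DC1 as  .\Deploy-AdfsOnDc.ps1 -Role First
then once on DC2 as .\Deploy-AdfsOnDc.ps1 -Role Join
All names below are placeholders.
#>
param(
    [Parameter(Mandatory)][ValidateSet('First', 'Join')][string]$Role,
    [string]$FsName  = 'sts.corp.example.com',   # DNS alias for the farm, not a DC name
    [string]$Domain  = 'CORP',
    [string]$Gmsa    = 'gMSA_ADFS',
    [string]$Primary = 'DC1.corp.example.com',   # first federation server
    [string[]]$Nodes = @('DC1', 'DC2')           # computers allowed to use the gMSA
)

Import-Module ActiveDirectory
Import-Module ServerManager

# Guard against the classic mistake when the role lands on a DC: the Federation
# Service name must not be this machine's own hostname, otherwise HOST/<name>
# collides with the SPNs every DC already carries on its computer account.
$self = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($FsName -ieq $self) {
    throw "Federation Service name '$FsName' must differ from the DC hostname '$self'"
}

# Pick the service communication certificate by subject instead of pasting a thumbprint.
function Get-FsCert([string]$Name) {
    $c = Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$Name*" } |
         Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $c) { throw "No certificate for $Name with a private key in LocalMachine\My" }
    return $c
}

# Step 1 (both nodes): the 2012 R2 role runs on http.sys, so no IIS is added to the DC.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools | Out-Null

$thumb = (Get-FsCert $FsName).Thumbprint
$svc   = "$Domain\$Gmsa`$"

switch ($Role) {
    'First' {
        # A gMSA keeps a service password off the DCs entirely; only the two
        # federation servers may retrieve it. Requires a KDS root key (assumption).
        if (-not (Get-ADServiceAccount -Filter "Name -eq '$Gmsa'")) {
            New-ADServiceAccount -Name $Gmsa -DNSHostName $FsName `
                -PrincipalsAllowedToRetrieveManagedPassword ($Nodes | ForEach-Object { "$_`$" })
        }
        # Step 2: first federation server in a new farm (Windows Internal Database).
        Install-AdfsFarm -CertificateThumbprint $thumb `
            -FederationServiceName $FsName `
            -FederationServiceDisplayName 'Corp Sign-In' `
            -GroupServiceAccountIdentifier $svc
    }
    'Join' {
        # Step 3: second node joins the farm and replicates config from the primary.
        Add-AdfsFarmNode -CertificateThumbprint $thumb `
            -PrimaryComputerName $Primary `
            -GroupServiceAccountIdentifier $svc
    }
}

# Smoke test: the node must serve federation metadata over TLS on the farm name.
# Assumes DNS for $FsName already resolves to this node (or a load balancer in front).
$meta = Invoke-WebRequest -UseBasicParsing -Uri "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml"
if ($meta.StatusCode -ne 200) { throw "Federation metadata not served by $FsName" }
([xml]$meta.Content).EntityDescriptor.entityID
```

Two choices in the script are deliberate. The gMSA is used instead of a plain service account because a password for an account that is local-admin-equivalent on a domain controller is exactly what should not be sitting in a wizard field or a script. And the hostname guard exists because the SPN collision it prevents is the DC-specific failure mode that a member server would never hit.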
  • Clint is correct.

    However, I believe this ONLY applies to ADFS 2012 R2. This version no longer needs IIS and does run on DCs correctly.

    Prior versions of ADFS including ADFS 2012 are not supported on DCs.

    Cheers

    Andrew Duggan

    Tuesday, November 3, 2015 5:00 AM
  • Do be careful, if you are going to setup a load balancer like NLB, definitely do not install that on your DC!

    In most cases, the load balancer is at the proxy rather than ADFS server, so it should be ok.

    The question of whether you want to install ADFS on the domain controller that comes down to operational requirements as these domain controllers are now very different from the other domain controllers in the environment, and may require more patching/changes as compared to other domain controllers.

    So while it can work, an organization has to decide if the license/VM savings will outweigh the possible increased operational issues and procedures. 

    Thursday, January 7, 2016 1:33 AM
  • LloydLim, I disagree with your statement. It is perfectly fine to install NLB on Domain Controllers, I have done this many times - just be aware of this registry key change needed for DNS if you're putting NLB on a DC:

    http://clintboessen.blogspot.com.au/2011/12/nlb-installed-on-dns-servers-issues.html

    If you are under 1000 users, the best deployment is AD FS on your two domain controllers and two AD FS Proxy servers in your DMZ (workgroup).

    This allows you to reboot your DCs for patching purposes without disrupting AD FS - as well as your AD FS Proxy servers.

    If you are over 1000 users, as per Microsoft recommendations on TechNet, do not put AD FS on your DCs.

    Regards,


    Clint Boessen MVP - Exchange Server, MCSE, MCITPx6, Dip Network Engineering

    Blog: http://clintboessen.blogspot.com
    Employer: http://avantgardetechnologies.com.au


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, May 9, 2017 4:41 AM
  • Wow, after reading all these posts I feel more confused than before I started.  I am guessing that it is okay to use a Windows 2012 R2 DC as an AD FS server.  That means it is not on a DMZ and seems to be the easiest way to run AD FS.  We have 350 users and are planning an Office 365 roll out in about a year.  Any red flags with this reasoning? Thanks.
    Wednesday, August 30, 2017 6:54 PM
  • For 350 users, put your AD FS role on your Domain Controller and an AD FS proxy server (workgroup) in your DMZ.

    Clint Boessen MVP - Exchange Server, MCSE, MCITPx6, Dip Network Engineering

    Blog: http://clintboessen.blogspot.com
    Employer: http://avantgardetechnologies.com.au


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, October 3, 2017 7:30 AM
  • Hi,

    I have the same user count and am going to implement 365. My question is:

    I am trying to install the ADFS role on the same server which I use as PDC, but finally an amber error came at the end of the configuration.

    Please set SPN manually: "The SPN required for this Federation Service is already set on another Active Directory account."

    How to solve this? Please help; feel free to mail me at murugamatrix@hotmail.com 

    Please share your experience, it would help me so much.

     
    Thursday, June 7, 2018 2:31 PM
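A way to find out what is behind that SPN error, as an added PowerShell example that is not part of the thread. It assumes the placeholder Federation Service name sts.corp.example.com and that the Active Directory PowerShell module is present (it is on any DC). The AD FS configuration wizard and Install-AdfsFarm register HOST/<Federation Service name> on the AD FS service account, so the error means some other object already carries that SPN; the script lists the holder, and separately flags the cause that is specific to installing on a domain controller, a Federation Service name that is the DC's own hostname (that SPN belongs to the DC's computer account and cannot be moved).

```powershell
# Added example, not from the original thread: locate whichever AD object already
# holds the HOST/<Federation Service name> SPN that AD FS wants on its service
# account. sts.corp.example.com is a placeholder.
Import-Module ActiveDirectory

function Find-SpnHolders([string]$FsName) {
    $spn = "HOST/$FsName"
    # The LDAP filter matches any value of the multi-valued servicePrincipalName
    # attribute, so this finds computer, user and gMSA objects alike.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
        -Properties servicePrincipalName, sAMAccountName |
        Select-Object Name, objectClass, DistinguishedName,
            @{ n = 'MatchingSpns'; e = { $_.servicePrincipalName -like "HOST/$FsName*" } }
}

$fsName = 'sts.corp.example.com'

# DC-specific cause: the service name is the DC itself. HOST/<dc fqdn> is always
# on the DC's computer account, so no amount of SPN cleanup will free it.
$self = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($fsName -ieq $self) {
    Write-Warning "Federation Service name equals this DC's hostname ($self). Use a separate DNS name (an alias such as sts.<domain>) for the Federation Service instead."
}

$holders = Find-SpnHolders $fsName
if (-not $holders) {
    "No account holds HOST/$fsName; AD FS will be able to register it on the service account."
} else {
    "HOST/$fsName is already registered on:"
    $holders | Format-Table Name, objectClass, DistinguishedName -AutoSize
    # Typical outcomes:
    #  - a stale object left by an earlier AD FS attempt: remove the SPN there, rerun the wizard
    #  - a live server that genuinely owns that name: choose a different Federation Service name
}

# The same query with the built-in tool, searching the whole forest for duplicates:
#   setspn -F -Q HOST/sts.corp.example.com

# Only once the holder is confirmed stale, release the SPN (dry run shown; drop -WhatIf to apply):
#   Set-ADObject -Identity $holders[0].DistinguishedName `
#       -Remove @{ servicePrincipalName = "HOST/$fsName" } -WhatIf
```

The removal is left as a dry run on purpose. Stripping a HOST SPN from a computer account that is still in use breaks Kerberos to that host, which on a domain controller is a far worse outage than a failed AD FS wizard.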