ADFS 4.0

  • Question

  • Hello,

    We're in the process of rolling out ADFS 4.0 alongside ADFS 2.0 in the same root domain space.  v2.0=federation.domain.com and v4.0=adfs.domain.com.  From my research, this is acceptable and shouldn't be a problem.  Currently, ADFS 2.0 roles are installed on two of our older domain controllers with a hardware load balancer to direct the traffic and will keep running until our v4.0 environment is up and running, and then we'll transition everything over to the v4.0 farm.

    From what I've been researching, it's best to use the ADFS Proxy server to fully support all functionalities of ADFS 4.0.  With that said, would it suffice to have 1 ADFS server (non-DC) and then 1 ADFS Proxy, for a total of 2 servers in the farm using WID?  Or is it recommended to have at least 2 ADFS servers + 1 ADFS Proxy?

    We have around 750 users and have three outside services that will take advantage of ADFS externally.  O365 is currently utilizing ADSync/ADConnect and not ADFS, but we would eventually like to switch O365 over to ADFS.  What are your recommendations?

    Thank you.


    Rory Schmitz

    Tuesday, October 16, 2018 6:08 PM

All replies

  • It is recommended to have at least 2 ADFS servers and 2 WAP servers (ADFS proxies) for fault tolerance.

    That said, you can just use one and accept downtime when they are not available. It is totally up to you and your High Availability strategy.

    Now, if you are deploying ADFS just for Office 365 access, note that you can also NOT DEPLOY ADFS at all! And use Azure AD Connect Seamless SSO: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, October 18, 2018 5:50 PM
  • Hi, 

    Thank you for the information on server counts.  I believe we'll be set for now with one ADFS and one WAP.  I think as we grow, adding additional servers will likely happen.  The O365 access with ADConnect is interesting.  We already have an ADConnect server 'syncing' the accounts now, but didn't realize there was an extra SSO portion to it.  I appreciate that extra bit of info.  We've been having so many users fall for these phishing attempts that we've had to start forcing MFA onto their accounts.

    I believe I have ADFS and the WAP installed and mostly configured.  Will need to work with a vendor and give it a test.

    Thanks for your help!

    Rory Schmitz

    Monday, October 22, 2018 6:01 PM