ADFS: Why is it not recommended to install and configure it on a Domain Controller?

  • Question

  • ADFS: Why is it not recommended to install and configure it on a Domain Controller?

    I read an article saying that it's not recommended to install and configure ADFS on a Domain Controller. Why?


    AL-Riyami

    Thursday, February 25, 2016 8:44 AM

Answers

  • The IIS issue only pertains to ADFS 2.0. (DC and ADFS on same server not supported)

    ADFS 3.0 does not use IIS. (DC and ADFS supported but not recommended).

    It all depends on the number of users. I've seen many smaller installations that do this to save a server.

    I wouldn't do it for a large enterprise.

    I've never had any issues doing this with IIS wrt. groups but YMMV.

    Also, if there is no WAP, it means your DC could be publicly accessible.
    Thursday, February 25, 2016 5:51 PM

All replies

  • One reason is that ADFS requires IIS. IIS on domain controllers is not recommended for the following reasons:

    1. By installing IIS on a DC, we end up increasing the attack surface of that DC, hence posing a threat to the security database of the domain. This may also affect the server's performance and reliability.

    2. IIS would NOT work correctly, as it mainly works with local users and groups, which will now become domain users/groups. This would cause permission issues if the ACLs set on the different IIS folders and the Metabase are not updated correctly.

    Ref:  http://blogs.technet.com/b/abizerh/archive/2009/07/16/should-iis-be-installed-on-domain-controller.aspx



    __________________________________________

    Please mark as Answer if this answers your question

    Regards,

    Shane Jackson

    Blog: https://shanejacksonitpro.wordpress.com/

    Twitter: https://twitter.com/shane00jackson

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, February 25, 2016 11:36 AM
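A small audit script, added here as an example and not written by either poster, that flags the co-location the replies above warn about (IIS or the AD FS role installed on a domain controller, which should instead sit behind a WAP). It assumes Windows Server 2012 R2 or later, where the Web-Server and ADFS-Federation feature names resolve, and an elevated session on the server being audited.

```powershell
# Added example (not from the thread): flag ADFS or IIS co-located with a DC.
# Assumes Windows Server 2012 R2+ with the ServerManager module available.
Import-Module ServerManager

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDc = $role -in 4, 5

# Roles of interest: IIS (required by ADFS 2.0), the ADFS 3.0+ role, AD DS.
$features = Get-WindowsFeature -Name Web-Server, ADFS-Federation, AD-Domain-Services |
    Where-Object Installed
$installed = @($features | ForEach-Object Name)

$findings = @()
if ($isDc -and ($installed -contains 'Web-Server')) {
    $findings += 'IIS (Web-Server) is installed on a domain controller: larger attack surface and local-vs-domain ACL issues (the ADFS 2.0 dependency).'
}
if ($isDc -and ($installed -contains 'ADFS-Federation')) {
    $findings += 'AD FS role is installed on a domain controller: supported for ADFS 3.0+ but not recommended; make sure a WAP fronts it so the DC is not internet-facing.'
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output ("DomainRole={0}; installed roles: {1}; no ADFS/IIS co-location found." -f $role, ($installed -join ', '))
}
```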