Multiple ADFS farms in forest

  • Question

  • We have a Windows 2008 R2 AD forest.
    Root domain and 2 child domains.
    In child domain B an ADFS farm is installed and configured.
    I'm a sysadmin in child domain A, so I'm not an ADFS guru.
    Both child domains use the ADFS environment to approach external applications with SSO at multiple external federation parties.
    That works fine.

    We are considering installing/configuring an ADFS farm in child domain A because of maintenance windows in child domain B and "political" reasons.
    Is it possible to have an ADFS farm in both child domains? What are the pros/cons for such an ADFS environment? Looking forward to some documentation/links about this subject.
    Thanks


    Monday, November 12, 2018 3:33 PM

Answers

  • You can have as many ADFS farms as you want in a forest.

    They will all be independent of each other. They will have a different identifier and different URLs to be reached (and ideally they will have a different service account, so please install at least 1 or 2 2012 DCs in your domain and use gMSA accounts).

    Because they are independent of each other from a federation perspective, applications will have to decide which ADFS to trust. And eventually trust the ADFS farms with each other. This might be a nightmare to administrate. And because they all belong to the same forest, they all trust your AD (all users can use all ADFS farms... could be quite confusing).

    All farms will use the same Device Registration Service configuration though. But if you are not using it, you don't really care.

    That said, what I would do is keep only one ADFS farm and use JEA PowerShell to delegate who can modify what in the farm. So define roles and scopes (who needs to do what), create your JEA endpoint and that's the end of the story :)


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Biga_b Monday, November 19, 2018 9:48 AM
    Tuesday, November 13, 2018 5:03 PM
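The delegation approach the answer recommends, as an added example that is not part of the thread: one JEA endpoint on the existing farm that lets a group from child domain A see the farm's configuration and change only the relying party trusts that belong to it, running under a gMSA and recording a transcript of every session. The group name `CORP\DomainA-AdfsRpAdmins`, the gMSA `CORP\gMSA-AdfsJea$`, the `DomainA-` naming prefix, the host name and the paths are assumptions; the ADFS server is assumed to run Windows PowerShell 5.1 (JEA needs WMF 5.1) and the ADFS module.

```powershell
# Added example, not from the thread: JEA endpoint that scopes child domain A's
# admins to "their" relying party trusts on the single ADFS farm in child domain B.
# Group, gMSA, prefix, host and paths below are assumed values.

# 1. Role capability: which ADFS cmdlets this role may run, and with which arguments.
#    Role capability files must live in a RoleCapabilities folder of a module.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\AdfsDelegation'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'AdfsDelegation.psd1')

New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'DomainARpAdmin.psrc') `
    -ModulesToImport 'ADFS' `
    -VisibleCmdlets @(
        'Get-AdfsProperties',            # read-only view of the farm (identifier, hostname, ...)
        'Get-AdfsRelyingPartyTrust',     # list trusts, including the other domain's (read-only)
        # Write access only to trusts whose name starts with the assumed "DomainA-" prefix
        @{ Name = 'Set-AdfsRelyingPartyTrust'
           Parameters = @(
               @{ Name = 'TargetName'; ValidatePattern = '^DomainA-' },
               @{ Name = 'IssuanceTransformRules' },
               @{ Name = 'IssuanceAuthorizationRules' } ) },
        @{ Name = 'Enable-AdfsRelyingPartyTrust'
           Parameters = @( @{ Name = 'TargetName'; ValidatePattern = '^DomainA-' } ) },
        @{ Name = 'Disable-AdfsRelyingPartyTrust'
           Parameters = @( @{ Name = 'TargetName'; ValidatePattern = '^DomainA-' } ) }
    )

# 2. Session configuration: map the AD group to the role, run as a gMSA instead of
#    the connecting user's own token, and keep per-session transcripts for audit.
$pscPath = Join-Path $env:TEMP 'AdfsDelegation.pssc'
New-PSSessionConfigurationFile -Path $pscPath `
    -SessionType RestrictedRemoteServer `
    -RoleDefinitions @{ 'CORP\DomainA-AdfsRpAdmins' = @{ RoleCapabilities = 'DomainARpAdmin' } } `
    -GroupManagedServiceAccount 'CORP\gMSA-AdfsJea$' `
    -TranscriptDirectory 'C:\JEA\Transcripts'

# 3. Validate the file, then register the endpoint on the ADFS server (restarts WinRM).
if (-not (Test-PSSessionConfigurationFile -Path $pscPath)) { throw "invalid .pssc" }
Register-PSSessionConfiguration -Name 'AdfsDelegation' -Path $pscPath -Force

# 4. From a workstation, as a member of CORP\DomainA-AdfsRpAdmins (assumed host name):
#    Enter-PSSession -ComputerName adfs01.b.corp.example -ConfigurationName AdfsDelegation
#    Get-Command            # only the cmdlets whitelisted above are visible
#    Set-AdfsRelyingPartyTrust -TargetName 'DomainB-Payroll' ...   # rejected by ValidatePattern
```

Because the endpoint is a `RestrictedRemoteServer` session with a gMSA RunAs, the delegated admins never hold ADFS administrator rights themselves, and the transcript directory gives child domain B a record of exactly which trusts were changed from child domain A.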

All replies

  • Thanks Pierre..

    So the ADFS farm in child domain B does not cause any restrictions or problems for the accounts in child domain A?
    What would be the benefit of configuring the ADFS farm in the root domain?

    Thanks


    Thursday, November 15, 2018 1:28 PM
  • One ADFS is easier to administrate than more than one ADFS :) that's it.

    All ADFS servers will be able to authenticate any users of the forest (and trusted forests, if there are bidirectional trusts).


    Saturday, November 17, 2018 2:11 AM