Two ADFS 4.0 Farms connected to LDAP Directories in a single domain

  • Question

  • Hello,


    I'm working for a client with this topology:

    Currently, we have an ADFS farm behind a cluster WAP in ADFS 3.0.

    We are planning to upgrade the ADFS and the WAP to Windows Server 2016 and to add a new perimeter based on LDAP Directory.


    • Farm ADFS A : adfsA.mydomain.com
      • 2 ADFS servers
      • 2 WAP
      • 1 AD in the domain as claims provider trusts
      • 1 LDAP Directory A as local claims provider trusts
    • Farm ADFS B : adfsB.mydomain.com
      • 2 ADFS servers
      • 2 WAP
      • 1 LDAP Directory B as local claims provider trusts


    Because farm ADFS B only uses an LDAP Directory to authenticate people, we would like to use the same domain as the first farm. So, the configuration of the two farms will be in the same AD.

    Does Microsoft support deploying a second ADFS farm and WAP in a single domain, and are there any best practices to take care of?

    I know that this kind of question (multiple ADFS farms in one single domain) has already been posted.

    But I'd really like to know if the fact that the second farm is only connected to an LDAP Directory is supported by Microsoft and doesn't require creating a dedicated domain.

    Thank you in advance for your help.

    Tuesday, July 16, 2019 9:02 AM

All replies

  • Hiya,

    1: there is no problem in having two or more ADFS farms for a single domain. They are regarded as completely separate and can be configured independently of each other.

    2: That ADFS FarmB does not use Active Directory as a Claim Provider does not change the fact in statement 1.

    3: I am not sure if I am misunderstanding something, as the answer sounds too simple and you already state "I know that this kind of questions (multiple ADFS farms in one single domain) have already been posted". Which makes me wonder, what exactly is your concern... :)

    Kind Regards

    Jesper


    • Edited by Jesper Arnecke Wednesday, July 17, 2019 8:50 AM
    • Marked as answer by Cédric D Friday, July 19, 2019 12:26 PM
    Wednesday, July 17, 2019 8:48 AM
  • Thanks Jesper for your reply,


    About your last point, you understood well.

    I was just wondering if the fact that we will not use Active Directory but only an LDAP Directory as a claim provider changes something, because I haven't found this specific topology in the other posts.

    That's why I was looking for confirmation that Microsoft supports this configuration.


    Best regards.


    Cédric

    Wednesday, July 17, 2019 12:03 PM
  • It's not official, but I wouldn't see any problem in that. For what that is worth :)

    Both from a logical and an experience perspective.

    Wednesday, July 17, 2019 12:10 PM
  • Thanks a lot Jesper. For me, you have clarified the point.


    Last question: Do you know if there is any TechNet documentation about the general case "Multiple ADFS in a single domain"? I didn't find any.

    Wednesday, July 17, 2019 1:13 PM
  • Uhmmm.. Never stumbled upon it. Really because there is no reason, I guess :)

    ADFS is not so heavily integrated into the AD as, say, Exchange. It's basically just another server requesting data from the Active Directory.

    It relies on the same things as most other domain member applications: LDAP, Kerberos, DNS, HTTPS, basically.

    So basically there are no considerations when creating two ADFS farms for the same domain. It's just two different applications doing the same thing - different names, same service :)

    • Marked as answer by Cédric D Friday, July 19, 2019 8:44 AM
    Wednesday, July 17, 2019 1:50 PM
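    The reply above boils the topology down to two independent applications in one domain, each with its own DNS name and its own Kerberos identity. The following PowerShell script is an added example, not code from the thread or from Microsoft, that checks exactly those two things from a domain-joined admin workstation for the farms named in the question, adfsA.mydomain.com and adfsB.mydomain.com: each federation service name resolves, the two farms do not resolve to the same address (each has its own WAP pair in the question's design), and exactly one account holds the HOST/<federation service name> SPN that AD FS needs for Windows Integrated Authentication. The gMSA names gmsa-adfsA and gmsa-adfsB are assumed placeholders, and the script only reads AD and DNS.

```powershell
# Added example, not from the thread. Checks that two AD FS farms in one domain
# do not collide on DNS or on their Kerberos service identity. Requires the
# ActiveDirectory RSAT module and read access to the domain; it changes nothing.
Import-Module ActiveDirectory

# Federation service names come from the question; the gMSA names are placeholders.
$farms = @(
    @{ Name = 'adfsA.mydomain.com'; ServiceAccount = 'gmsa-adfsA' }
    @{ Name = 'adfsB.mydomain.com'; ServiceAccount = 'gmsa-adfsB' }
)

function Test-AdfsFarmIsolation {
    param([array]$Farms)

    $findings  = New-Object System.Collections.Generic.List[string]
    $addresses = @{}   # IP address -> farm that owns it, to spot shared endpoints

    foreach ($farm in $Farms) {
        # 1. The federation service name must resolve; clients, the WAP servers
        #    and the farm's own nodes all depend on it.
        $records = Resolve-DnsName -Name $farm.Name -Type A -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' }
        if (-not $records) {
            $findings.Add("$($farm.Name): no A record found")
        } else {
            foreach ($r in $records) {
                if ($addresses.ContainsKey($r.IPAddress)) {
                    # Each farm has its own WAP pair in the question, so a shared
                    # address means the two farms are not actually separated.
                    $findings.Add("$($farm.Name) and $($addresses[$r.IPAddress]) share address $($r.IPAddress)")
                } else {
                    $addresses[$r.IPAddress] = $farm.Name
                }
            }
        }

        # 2. Exactly one account should hold HOST/<federation service name>; a
        #    missing or duplicated SPN breaks Kerberos for that farm.
        $spn     = "HOST/$($farm.Name)"
        $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties servicePrincipalName)
        switch ($holders.Count) {
            0 { $findings.Add("$spn is not registered on any account") }
            1 {
                if ($holders[0].Name -ne $farm.ServiceAccount) {
                    $findings.Add("$spn is held by $($holders[0].Name), expected $($farm.ServiceAccount)")
                }
            }
            default {
                $findings.Add("$spn is registered on $($holders.Count) accounts: $($holders.Name -join ', ')")
            }
        }
    }

    # 3. The farms must not share a service account: the account's secret and SPN
    #    set are what keep the two Kerberos identities apart.
    $dupAccounts = $Farms | Group-Object ServiceAccount | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupAccounts) {
        $findings.Add("service account $($d.Name) is used by more than one farm")
    }

    return $findings
}

$result = Test-AdfsFarmIsolation -Farms $farms
if ($result.Count -eq 0) {
    Write-Output 'OK: farms have distinct DNS names, addresses and SPN holders'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

    Run it once before the second farm goes live and again after the WAP publishing is done; an empty finding list is the expected result for the topology in the question. Farm B's LDAP claims provider is not involved in any of these checks, which is the point: whether a farm uses AD or an LDAP directory as its claims provider does not change what the domain has to keep separate.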
  • OK, I understand.

    Thank you very much for your help, Jesper.
    Wednesday, July 17, 2019 3:35 PM
  • You're very welcome, do write again should you have any other questions :)
    Wednesday, July 17, 2019 6:42 PM