One of our application teams chose to use SecureAuth to provide single sign-on (SSO) for user portal authentication. The process makes an LDAP call for specific Active Directory attributes on user accounts. One of the attributes required by the LDAP call was departmentNumber, which is not replicated to the global catalog by default. Continue reading Add Attribute To Global Catalog Replication
One of our domains was inadvertently left at the Windows 2000 functional level after a rebuild from Windows 2003 domain controllers to Windows 2008 R2. We remediated this by raising the forest and domain functional levels to Windows 2008 R2. As a best practice, SYSVOL replication also needed to be migrated to DFS Replication.
I recently completed the Understanding Active Directory course at the Microsoft Virtual Academy. This course is presented by Christopher Chapman. Continue reading Understanding Active Directory MVA Course
I recently completed the Using PowerShell for Active Directory course at the Microsoft Virtual Academy. This course is presented by Ashley McGlone and Jason Helmick. Continue reading Using PowerShell for Active Directory
A new project was put in place to upgrade our VoIP system. This involved contracting with a new managed service provider. The provider built 50 new VMware hosts in two redundant locations, resulting in 50 new IP addresses to be added to DNS. Continue reading Add Multiple IP Addresses to DNS
New to Active Directory? Just want some basic information? A refresher? Let’s start with some Active Directory basics.
What is Active Directory?
Active Directory is a collection of services used for centralized identity and access management for and to resources on a network. Active Directory stores and manages information about network resources. Continue reading Active Directory Basics
Our security team implemented a rule that all vendor user accounts must be reviewed and renewed every 30 days. To facilitate this process, I created a script to automate retrieval of the expiration date of the vendor accounts based on the description and/or title fields, which is where the vendor's company name was stored. The resulting .csv file was then used to review the accounts and to open a ticket for renewal of the ones still in use. Continue reading Get User Account Expiration Date
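An added example of the kind of retrieval the post describes (this is not the post's own script): it searches the Description and Title fields for a vendor name, reports each match's expiration date, and writes the result to CSV. It assumes the ActiveDirectory PowerShell module (RSAT) is available, and the vendor name and output path are placeholders.

```powershell
# Added example, not the original post's script. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$VendorName = 'ExampleVendor'                             # placeholder: the vendor's company name
$OutFile    = 'C:\Reports\VendorAccountExpiration.csv'    # assumed output path

# The AD filter is evaluated server-side; wildcards match the vendor name anywhere in either field.
$accounts = Get-ADUser -Filter "Description -like '*$VendorName*' -or Title -like '*$VendorName*'" `
    -Properties Description, Title, AccountExpirationDate, Enabled

$report = foreach ($u in $accounts) {
    # AccountExpirationDate is $null when the account never expires. A vendor account with no
    # expiration defeats the 30-day review rule, so flag it explicitly instead of leaving a blank.
    $expires = $u.AccountExpirationDate
    [PSCustomObject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        Description    = $u.Description
        Title          = $u.Title
        Expires        = if ($expires) { $expires.ToString('yyyy-MM-dd') } else { 'NEVER' }
        DaysRemaining  = if ($expires) { [int]($expires - (Get-Date)).TotalDays } else { $null }
    }
}

# CSV for the review ticket, sorted so the soonest-expiring accounts come first.
$report | Sort-Object DaysRemaining | Export-Csv -Path $OutFile -NoTypeInformation

# On-screen summary of accounts that need attention now: never-expiring or due within the review window.
$report | Where-Object { $_.Expires -eq 'NEVER' -or $_.DaysRemaining -le 30 } | Format-Table -AutoSize
```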
As part of our disaster recovery exercise, we cut off the connection to a currently replicating domain controller so that it could be used in the exercise. Once the connection has been cut, the FSMO roles must be seized on that domain controller. Continue reading Seize FSMO Roles
The AD FS SSO web page may be used by relying parties when providing access to users who are not on the organization’s network. To support this, the AD FS SSO web page can be customized with the organization’s preferred look. Continue reading AD FS SSO Web Page Customizations
- Active Directory Federation Services (AD FS) is a server role for Windows Server 2008 (AD FS 1.1); AD FS 2.0 is a separate download.
- No schema update is required.
- There is no additional licensing charge to use the product on top of the Windows Server license.
- Deployment of AD FS requires at least two servers: one AD FS server in your environment and one AD FS server in the partner organization’s environment.
- AD FS has fairly minimal hardware requirements; the documentation calls for a single-core 1 GHz CPU with 1 GB of RAM and 50 MB of disk space.
- AD FS also uses certificates to establish its trusts and to protect the authentication information it exchanges over SSL.
Federating with Office 365
AD FS version 2.0 must be used with Office 365; earlier versions are not supported. The big differentiator for AD FS configuration in an Office 365 environment is that AD FS federation proxies must be used to allow clients to connect from outside the corporate network. Microsoft recommends multiple servers in the AD FS configuration, making up what is referred to as an AD FS farm.
Microsoft Example of Federation
AD FS 2.0 Architecture
Microsoft IT achieves high availability in the AD FS 2.0 architecture through the implementation of mirrored systems located in cities on two different continents: Redmond, Washington in North America and Dublin, Ireland in Europe. This approach provides several advantages, including continuous service in the event of a server outage. For example, if something happens to servers in Redmond, users are redirected to the Dublin cluster and vice versa.
Figure 1 shows the AD FS 2.0 architecture.
Note: The server requirements for an organization depend on the organization’s enterprise environment.
The AD FS infrastructure includes the following components:
- Hardware load balancer. The hardware load balancer provides geographical load balancing among servers.
- AD FS federation proxy servers. The AD FS federation proxy servers host the Federation Server Proxy role. These servers sit in the perimeter network in front of the AD FS federation servers. They allow external users to reach the AD FS federation servers without exposing the federation servers themselves to the perimeter network or the Internet.
- AD FS federation servers. The AD FS federation servers host the AD FS Federation Server role. These servers authenticate users against an account store and issue claims to the relying party (RP).
- SQL Server database. Prior to AD FS 2.0, configuration data was stored in an XML file. With AD FS 2.0, the SQL Server database stores the AD FS configuration data. Microsoft IT leverages the AD FS SQL Server configuration database as a data source to provide overall metrics reporting for the service.
- Automatic Failover. Automatic failover is accomplished by using SQL Server Synchronous Database Mirroring between the two clusters. In the event of a complete failure of the primary SQL Server cluster, the mirror automatically takes over as the primary database.
For more information about Active Directory Federation Services, visit the AD FS page on the Microsoft TechNet site.