We're looking over a 365 deployment initially for our staff and students. We'll be using the A2 education plans for both (plus Student Advantage), although only the students will be using the Office 365 Exchange, as we'll keep the staff on premises.
I'm confused when it comes to the use of ADFS (we will use 3.0 on Server 2012 R2) and DirSync.
Firstly, we need to support two forests (staff and students are in their own forest). Both of the domains are top level and are publicly resolvable.
We don't want to build two ADFS structures and I understand ADFS can deal with multiple forests.
I have no idea where DirSync comes into this, and I'm confused by the need for it. It seems that once I set up ADFS it will sync the entire domain, but see below.
It seems I need DirSync to filter the users by OU, and we'll need this to overcome the 50,000 object limit for the sync. If we sync the entire student domain we'd have over 75,000 users (mostly alumni, service accounts, etc.), but the OU we need to focus on (active students) will only return around 14,000.
DirSync alone is not an option as SSO wins out for the end-user and we have the infrastructure to support it.
Would someone be able to try and straighten my mind out for me?
I'd additionally like to just reverse proxy our ADFS servers through a TMG server and forgo the need for the ADFS Web Application Proxy servers - has anyone done this?
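Before settling on an OU filter to stay under the 50,000 object limit mentioned above, it is worth measuring what would actually be pushed to the tenant. The following is an added example, not code posted in this thread: it counts the object types DirSync exports (users, groups and contacts) for the whole student domain and for the OU(s) you intend to keep in scope, then compares the scoped total against the limit. The forest FQDN and OU distinguished names are placeholders and must be replaced with your own.

```powershell
# Added example (not from the original thread). Requires the RSAT ActiveDirectory module
# and read access to the student forest. Forest name and OU DNs below are assumed values.
Import-Module ActiveDirectory

$SyncLimit = 50000                                       # default object limit discussed in the thread
$StudentDC = 'students.example.edu'                      # assumed student forest FQDN
$ScopedOUs = @(
    'OU=Active Students,DC=students,DC=example,DC=edu'   # assumed OU that will be in the DirSync filter
)

# DirSync counts users, groups and contacts (not only user accounts) toward the limit,
# and disabled accounts such as alumni are included unless they are filtered out.
function Get-SyncObjectCount {
    param(
        [Parameter(Mandatory)] [string]$SearchBase,
        [Parameter(Mandatory)] [string]$Server
    )
    $users    = @(Get-ADUser   -Server $Server -SearchBase $SearchBase -Filter *).Count
    $disabled = @(Get-ADUser   -Server $Server -SearchBase $SearchBase -Filter 'Enabled -eq $false').Count
    $groups   = @(Get-ADGroup  -Server $Server -SearchBase $SearchBase -Filter *).Count
    $contacts = @(Get-ADObject -Server $Server -SearchBase $SearchBase -Filter 'objectClass -eq "contact"').Count

    [pscustomobject]@{
        SearchBase    = $SearchBase
        Users         = $users
        DisabledUsers = $disabled
        Groups        = $groups
        Contacts      = $contacts
        Total         = $users + $groups + $contacts
    }
}

# What syncing the entire domain would export ...
$domainDN = (Get-ADDomain -Server $StudentDC).DistinguishedName
$whole    = Get-SyncObjectCount -SearchBase $domainDN -Server $StudentDC

# ... versus only the OUs that will be left in scope by the OU filter.
$scoped      = $ScopedOUs | ForEach-Object { Get-SyncObjectCount -SearchBase $_ -Server $StudentDC }
$scopedTotal = ($scoped | Measure-Object -Property Total -Sum).Sum

@($whole) + @($scoped) | Format-Table -AutoSize
'Whole domain: {0} objects; scoped OUs: {1} objects; limit: {2}' -f $whole.Total, $scopedTotal, $SyncLimit

if ($scopedTotal -gt $SyncLimit) {
    Write-Warning 'Scoped OUs still exceed the default object limit; tighten the filter or request a limit increase before enabling sync.'
}
```

Run this from a workstation or server that can reach a domain controller in the student forest. The per-OU rows show how many of the counted objects are disabled accounts, which is the quickest way to see whether alumni accounts, rather than active students, are what is inflating the total.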
- Directory Sync Tool: enables you to synchronise your on-premises Active Directory to Windows Azure Active Directory so that you can manage your users using your on-premises identity store. This allows for better management and control of user accounts, etc.
- Active Directory Federation Services: allows a single sign-on experience, which basically means that your users use the same identity to authenticate to a third-party application. On-premises auth requests are done seamlessly using Integrated Authentication; externally you will be asked to enter your corporate credentials into a forms-based authentication page or a basic credential prompt.
As you have two separate forests, it is currently unsupported to use Directory Sync to synchronise two separate forests to one Office 365 tenant (Windows Azure Active Directory), so in order to combat this you would need to look at possibly implementing Forefront Identity Manager 2010 R2.
Thanks for your inputs! If only DirSync is adding users then we'll easily come under the 50,000 user limit.
For now, maybe we'll have to just stick with students in 365 until we can decide what to do. Hopefully I can convince our Management Team to fund a project to move our prehistoric setup to a single forest, single domain like every other school/college I've spoken to.
Thanks for the responses again. We're up and synced now, but holding off until summer before applying the licenses. We aren't doing any sort of Exchange migration (just changing over to the fresh mailboxes at the start of next academic year), so we can't apply the 365 Exchange license until we disconnect the on-premises Exchange mailbox through AD and those changes are synced up to O365.