Cloud Services Thread (Technical): ADFS 3.0 and DirSync - Royally Confused
#1

ADFS 3.0 and DirSync - Royally Confused

Hi all.

We're looking over a 365 deployment initially for our staff and students. We'll be using the A2 education plans for both (plus Student Advantage), although only the students will be using the Office 365 Exchange, as we'll keep the staff on premises.

I'm confused when it comes to the use of ADFS (we will use 3.0 on Server 2012 R2) and DirSync.

• Firstly, we need to support two forests (staff and students are in their own forest). Both of the domains are top level and are publicly resolvable.
• We don't want to build two ADFS structures, and I understand ADFS can deal with multiple forests.
• I have no idea where DirSync comes into this, and I'm confused by the need for it. It seems once I set up ADFS it will sync the entire domain, but see below.
• It seems I need DirSync to filter the users by OU, and we'll need this to overcome the 50,000 object limit for the sync. If we sync the entire student domain we'd have over 75,000 users (mostly alumni, service accounts etc.), but the OU we need to focus on (active students) will only return around 14,000.
• DirSync alone is not an option, as SSO wins out for the end user and we have the infrastructure to support it.

Would someone be able to try and straighten my mind out for me?

I'd additionally like to just reverse proxy our ADFS servers through a TMG server and forego the need for the ADFS Web Application Proxy servers - has anyone done this?

Thanks in advance.

#2 FN-GM

Quote: "I have no idea where DirSync comes into this, and I'm confused by the need for it. It seems once I set up ADFS it will sync the entire domain but see below."

ADFS will not sync anything. It will allow for SSO so users inside your network do not need to log in; it will be done automatically. DirSync will sync the users. You will need both of these.

Thanks to FN-GM from: aceonbass (8th April 2014)

#3 EduTech
Hi,

These two technologies do two different tasks.

- Directory Sync Tool: enables you to synchronise your on-premises Active Directory to Windows Azure Active Directory so that you can manage your users using your on-premises identity store. This allows for better management and control of user accounts etc.

- Active Directory Federation Services: allows a Single Sign-On experience, which basically means that your users use the same identity to authenticate to a 3rd party application. On-premises auth requests are done seamlessly using Integrated Authentication; externally you will be asked to enter your corporate credentials into a forms-based authentication page or a basic credential prompt.

----

As you have two separate forests, it is currently unsupported to use Directory Sync to synchronise two separate forests to one Office 365 tenant (Windows Azure Active Directory), and so in order to combat this you would need to look at possibly implementing Forefront Identity Manager 2010 R2.

See here: {top questions} Multi-forest and Multi-tenant scenarios with Office 365 - Microsoft Education in the Cloud - Site Home - TechNet Blogs

You can use Federated Identity without Directory Sync, but this means that your user objects are actually managed via Windows Azure Active Directory as opposed to Active Directory on-premises.

----

Be sure to check out the OnRamp Tool, which will provide you with all of the information you need when designing such solutions: https://onramp.office365.com/onramp/

I hope that helps; if you have any further questions be sure to reply.

James.

Thanks to EduTech from: aceonbass (8th April 2014)

#4 the_dude

FYI, you can put in a support request to up the object limit in Office 365 to whatever you need.

Thanks to the_dude from: aceonbass (8th April 2014)
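A pre-check for the OU-scoped sync the thread is discussing, added here as an example and not code from any poster or from the DirSync tool: it counts what DirSync would pick up from each in-scope OU and compares the total with the 50,000 object limit mentioned above (the limit is on objects, so users, groups and contacts are all counted). It assumes the RSAT ActiveDirectory module, read access to the forest being scoped, and placeholder OU distinguished names that you replace with your own.

```powershell
# Constructed pre-check for a planned DirSync OU filter.
# Assumes: RSAT ActiveDirectory module installed; the OU DNs below are
# placeholders, not real values from the thread.
Import-Module ActiveDirectory

# Default object limit quoted in the thread (raise via support request if needed).
$ObjectLimit = 50000

# Placeholder OUs for the student forest; replace with the real DNs.
$InScopeOUs = @(
    'OU=Active Students,DC=students,DC=example,DC=ac,DC=uk'
)

$report = foreach ($ou in $InScopeOUs) {
    # Users, groups and contacts all count towards the object limit,
    # so count all three under each OU (Subtree includes child OUs).
    $users    = @(Get-ADUser   -SearchBase $ou -SearchScope Subtree -Filter *)
    $groups   = @(Get-ADGroup  -SearchBase $ou -SearchScope Subtree -Filter *)
    $contacts = @(Get-ADObject -SearchBase $ou -SearchScope Subtree -LDAPFilter '(objectClass=contact)')

    [pscustomobject]@{
        OU            = $ou
        EnabledUsers  = @($users | Where-Object { $_.Enabled }).Count
        DisabledUsers = @($users | Where-Object { -not $_.Enabled }).Count   # still synced, still counted
        Groups        = $groups.Count
        Contacts      = $contacts.Count
        Total         = $users.Count + $groups.Count + $contacts.Count
    }
}

$report | Format-Table -AutoSize

$grandTotal = ($report | Measure-Object -Property Total -Sum).Sum
if ($grandTotal -gt $ObjectLimit) {
    Write-Warning ("Scope holds {0} objects, over the {1} limit: narrow the OU filter or raise a support request." -f $grandTotal, $ObjectLimit)
} else {
    Write-Output ("Scope holds {0} objects, within the {1} limit." -f $grandTotal, $ObjectLimit)
}
```

Run it against each OU you intend to include before configuring the filter in DirSync, so that stale or service accounts sitting under an in-scope OU are found before they are pushed to the tenant.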

#5

Thanks for your input! If only DirSync is adding users, then we'll easily come under the 50,000 user limit.

For now, maybe we'll have to just stick with students in 365 until we can decide what to do. Hopefully I can convince our Management Team to fund a project to move our prehistoric setup to a single forest, single domain like every other school/college I've spoken to.

Thanks again.

#6

Thanks for the responses again. We're up and synced now, but holding off until summer before applying the licences. We aren't doing any sort of Exchange migration (just changing over to the fresh mailboxes at the start of next academic year), so we can't apply the 365 Exchange licence until we disconnect the on-premises Exchange mailbox through AD and those changes are synced up to O365.