ADFS 3.0 and DirSync - Royally Confused
We're looking over a 365 deployment initially for our staff and students. We'll be using the A2 education plans for both (plus Student Advantage), although only the students will be using the Office 365 Exchange, as we'll keep the staff on premises.
I'm confused when it comes to the use of ADFS (we will use 3.0 on Server 2012 R2) and DirSync.
- Firstly, we need to support two forests (staff and students are in their own forest). Both of the domains are top level and are publicly resolvable.
- We don't want to build two ADFS structures and I understand ADFS can deal with multiple forests.
- I have no idea where DirSync comes into this, and I'm confused by the need for it. It seems once I set up ADFS it will sync the entire domain, but see below.
- It seems I need DirSync to filter the users by OU, and we'll need this to overcome the 50,000 object limit for the sync. If we sync the entire student domain we'd have over 75,000 users (mostly alumni, service accounts, etc.), but the OU we need to focus on (active students) will only return around 14,000.
- DirSync alone is not an option as SSO wins out for the end-user and we have the infrastructure to support it.
Would someone be able to try and straighten my mind out for me?
I'd additionally like to just reverse proxy our ADFS servers through a TMG server and forgo the need for the ADFS Web Application Proxy servers - has anyone done this?
Thanks in advance.