Two or more AD FS Farms?

  • 2.2K Views
  • Last Post 22 November 2015
  • Topic Is Solved
Dima Razbornov posted this 21 November 2015

Hello,
I'm new in ADFS and would like to ask a couple of questions:
Our company merged with another, which has set up ADFS 2.0 and DirSync (very old, 2013). Am I right in understanding that I cannot connect a different (new) ADFS farm to the existing cloud tenant, and that there can be only one? I think that in such a scenario, the request from the cloud will not know where it needs to be routed. I would like to create a completely new ADFS 3.0 farm and a new AAD Connect to begin the migration of users to the new environment, but I would like to do it with minimal losses.
--
Dima

ZJORZ posted this 22 November 2015

You can have multiple ADFS farms, as long as every farm only services one verified federated domain in Azure AD.



Met vriendelijke groet / Kind regards,


Jorge de Almeida Pinto



E-Mail: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx


Tel.: +31-(0)6-26.26.62.80



(+++Sent from my mobile device +++)


(Apologies for any typos)

ZJORZ posted this 22 November 2015

Remember that 1 ADFS farm can service multiple forests, as long as every forest has a two-way forest trust with the forest of the ADFS farm.

https://jorgequestforknowledge.wordpress.com/2013/09/24/ad-user-accounts-for-which-the-adfs-sts-can-generate-security-tokens/

https://jorgequestforknowledge.wordpress.com/2014/10/28/you-have-multiple-ad-forests-and-you-also-need-adfs-what-are-the-possibilities/

Met vriendelijke groet / Kind regards,


Jorge de Almeida Pinto

joe posted this 21 November 2015

Have you decided yet what you want to do with their users? For example, do you intend to keep their existing forest (with or without trusts) or do you want to merge their users into your existing forest? A lot of this will determine what your options are in terms of what to do with the users and ADFS.
You'll also probably need to decide what you want to have happen with their existing O365 resources as well in terms of how that migration would work.
Joe K.

Dima Razbornov posted this 22 November 2015

Users in the "old" environment are synced with Office 365 and ADFS works too, but I would like to leave it as it is and build a new environment that is able to work simultaneously with the old one. There are now three federated domains and the migration will involve only two. That's why I asked about the possibility of two ADFS farms coexisting.

ZJORZ posted this 22 November 2015

Hi,

Every Azure AD tenant can:

• only have 1 sync server
• have multiple verified domains (either managed or federated), and for every verified federated domain you can connect a single federation system.

In every case/scenario you need to take into account which attribute you will use for the immutableID and which for the UPN. In a single-forest scenario that is quite easy. In a multiple-forest scenario it really depends on how your users are represented in every forest.

Remember that you CANNOT change the immutableID of an Azure AD account afterwards.



Met vriendelijke groet / Kind regards,


Jorge de Almeida Pinto
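The two checks Jorge's answer implies, as an added example that is not from this thread or from any linked blog post: map each verified federated domain in the tenant to the federation endpoint that serves it (flagging a farm configured for more than one domain, per the one-farm-per-federated-domain rule stated above), and confirm that a user's cloud immutableID is the value AAD Connect derives from the on-prem objectGUID before a migration locks it in. It assumes the MSOnline and ActiveDirectory modules, an already connected Connect-MsolService session, and placeholder domain and user names.

```powershell
# Added example (not from the thread). Requires the MSOnline and ActiveDirectory
# modules and an existing Connect-MsolService session. All user/domain names are
# placeholders.

# 1. Which federation system serves which verified federated domain?
function Get-FederatedDomainMap {
    $map = @()
    $federated = Get-MsolDomain |
        Where-Object { $_.Status -eq 'Verified' -and $_.Authentication -eq 'Federated' }
    foreach ($d in $federated) {
        $fs = Get-MsolDomainFederationSettings -DomainName $d.Name
        $map += [pscustomobject]@{
            Domain       = $d.Name
            IssuerUri    = $fs.IssuerUri
            FarmEndpoint = ([uri]$fs.PassiveLogOnUri).Host   # host name identifies the farm
        }
    }
    return $map
}

# Warn when one farm endpoint is configured for more than one federated domain
# (the thread's rule: every farm services a single verified federated domain).
function Test-OneDomainPerFarm {
    param([object[]]$Map)
    $Map | Group-Object FarmEndpoint | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning ("Farm {0} serves {1} federated domains: {2}" -f
            $_.Name, $_.Count, ($_.Group.Domain -join ', '))
    }
}

# 2. Does the cloud immutableID match the default AAD Connect anchor?
#    Default anchor = Base64 of the on-prem objectGUID bytes. The value cannot be
#    changed on the Azure AD object later, so verify it before users are migrated.
function Compare-ImmutableId {
    param([string]$SamAccountName, [string]$CloudUpn)
    $adUser   = Get-ADUser -Identity $SamAccountName
    $expected = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    $cloud    = (Get-MsolUser -UserPrincipalName $CloudUpn).ImmutableId
    [pscustomobject]@{
        User     = $CloudUpn
        Expected = $expected
        Actual   = $cloud
        Match    = ($expected -eq $cloud)
    }
}

$map = Get-FederatedDomainMap
$map | Format-Table -AutoSize
Test-OneDomainPerFarm -Map $map
Compare-ImmutableId -SamAccountName 'jdoe' -CloudUpn 'jdoe@contoso.example'
```

A user whose Match is False would be re-anchored (and effectively duplicated) by a new sync server rather than matched, which is exactly the loss the original question is trying to avoid.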


