SOLVED
Home

Advice on moving from AD Connect with Password Sync to ADFS

%3CLINGO-SUB%20id%3D%22lingo-sub-59155%22%20slang%3D%22en-US%22%3EAdvice%20on%20moving%20from%20AD%20Connect%20with%20Password%20Sync%20to%20ADFS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-59155%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EEnvironment%3C%2FSTRONG%3E%3CBR%20%2F%3EAD%20Connect%20with%20Single%20Sign%20On%20and%20Password%20sync%20and%20Hybrid%20Exchange%20enabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20using%20one%20server%20LAN%20based%20running%20AD%20Connect.%20If%20I%20move%20to%20ADFS%2C%20I%20understand%20that%20I%20will%20need%20the%20following%3A-%3CBR%20%2F%3EDomain%20joined%20server%20with%20ADFS%20services%20and%20a%20SSL%20cert%20installed.%3CBR%20%2F%3EAnother%20server%20on%20the%20DMZ%20(not%20Domain%20joined)%20with%20Web%20Application%20Proxy%20services%20installed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ%2F%3CBR%20%2F%3ECan%20I%20using%20my%20existing%20AD%20Connect%20server%20and%20install%20ADFS%20services%20and%20a%20SSL%20Cert%20instead%20of%20building%20a%20new%20server%20with%20ADFS%20installed%3F%20Or%20do%20I%20need%20to%20keep%20the%20AD%20Connect%20server%20as%20it%20is%20and%20build%202%20more%20servers%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ%2F%3CBR%20%2F%3ECan%20I%20build%20the%20new%20infrastructure%20servers%20on%20Server%202016%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ%2F%3CBR%20%2F%3EFor%20backup%2C%20I%20understand%20it%20is%20possible%20to%20add%20Password%20sync%20to%20ADFS%20as%20an%20option.%3CBR%20%2F%3EIn%20the%20event%20of%20a%20building%20loss%20where%20my%20ADFS%20environment%20is%20not%20available%2C%20how%20can%20I%20change%20from%20a%20Federated%20to%20a%20Managed%20Identity%3F%20Once%20I%20restore%20connectivity%2C%20how%20do%20I%20revert%20back%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ%2F%3CBR%20%2F%3EIs%20it%20possible%20using%20Access%20Control%20Policy%20Templates%20to%20prevent%20users%20from%20accessing%20Office%20365%20services%20outside%20of%20the%20trusted%20IP%20whitelist%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ%2F%3CBR%20%2F%3ECan%20I%20granulise%20the%20above%20to%20allow%20ActiveSync%20is%20always%20work%20irerespective%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20main%20driving%20force%20behind%20the%20change%20is%20to%20negate%20the%20need%20to%20purchase%20AD%20Premium%20licences%20which%20are%20required%20to%20use%20Conditonal%20Access%20to%20prevent%20a%20subset%20of%20users%20from%20accessing%20O365%20outside%20the%20Intranet.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20ADFS%20is%20feature%20is%20built%20in.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20advice%20would%20be%20grateful.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-59155%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-69256%22%20slang%3D%22en-US%22%3ERe%3A%20Advice%20on%20moving%20from%20AD%20Connect%20with%20Password%20Sync%20to%20ADFS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-69256%22%20slang%3D%22en-US%22%3E%3CP%3EThat's%20good%20to%20know%20Shane%2C%20I've%20not%20had%20to%20recover%20authentication%20from%26nbsp%3BADFS%20in%20the%20event%20of%20a%20farm%20failure%20so%20never%20hit%20that!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPaul.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-69249%22%20slang%3D%22en-US%22%3ERe%3A%20Advice%20on%20moving%20from%20AD%20Connect%20with%20Password%20Sync%20to%20ADFS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-69249%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAgree%20with%20previous%20comments.%20%26nbsp%3BBut%20be%20careful%20when%20it%20comes%20to%26nbsp%3Bswitching%20from%20federated%20to%20managed%20identity%20when%20ADFS%20is%20unavailable.%20The%26nbsp%3B%3CSPAN%3EConvert-MsolDomainToStandard%20command%20requires%20ADFS%20to%20be%20available.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIf%20ADFS%20is%20not%20available%2C%20use%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESet-MsolDomainAuthentication%20-DomainName%20mydomain.com%20%E2%80%93Authentication%20Managed%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMore%20info%20%3CA%20title%3D%22Active%20Directory%20Federation%20Service%20(ADFS)%20Design%20Considerations%20and%20Deployment%20Options%22%20href%3D%22https%3A%2F%2Fshanejacksonitpro.wordpress.com%2F2015%2F08%2F31%2Factive-directory-federation-service-adfs-design-considerations-and-deployment-options%2F%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60256%22%20slang%3D%22en-US%22%3ERe%3A%20Advice%20on%20moving%20from%20AD%20Connect%20with%20Password%20Sync%20to%20ADFS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60256%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Chris%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAbsolutley%20agree%20with%20Vasil%2C%20one%20ADFS%20server%20is%20a%20recipe%20for%20disaster%2C%20even%20though%20a%20single%20ADFS%20server%20can%20handle%20thousands%20of%20logons%2C%20I%20always%20spec%20a%20minimum%20of%202%20using%20hardware%20load%20balancing%20where%20possible%20and%20the%20same%20for%20the%20WAP%20in%20the%20DMZ%2C%202%20with%20hardware%20load%20balancing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKeep%20your%20AADConnect%20server%20seperate%20to%20your%20ADFS%20is%20my%20preferred%20practice%20as%20it%20ensures%20that%20the%20ADFS%20servers%20stay%20identicial%20which%20makes%20management%20easier%20in%20the%20future%20and%20keeps%20the%20roles%20sperate.%20(AADC%20may%20also%20self%20update%20depending%20on%20your%20configuration%2C%20so%20less%20risk%20if%20it's%20seperate.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20the%20backup%20option%2C%20you%20can%20leave%20password%20sync%20in%20place%2C%20however%20the%20fail%20back%20in%20the%20event%20of%20you%20losing%20both%20of%20your%20ADFS%20servers%20(You%20did%20split%20them%20between%20virtual%20hosts%2Fdata%20centres%20hopefully..)%20then%20you%20need%20to%20force%20the%20Federated%20domain%20back%20to%20managed.%20This%20is%20a%20simple%20powershell%20command%2C%20BUT%20it%20takes%20about%2030-45%20minutes%20to%20fully%20take%20effect%20because%20of%20the%20number%20of%20logon%20servers%20in%20the%20office%20365%20arena.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3E%3CSTRONG%3EConvert-MSOLDomainToStandard%3C%2FSTRONG%3E%3C%2FEM%3E%20and%20%3CEM%3E%3CSTRONG%3EConvertMSOLDomainToFederated%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFailing%20back%20is%20a%20case%20of%20changing%20the%20domain%20back%20to%20federated%20again%2C%20but%20again%20this%20takes%20time%20to%20take%20effect%2C%20so%20you%20can%20see%20why%20having%20a%20fully%20HA%20ADFS%20farm%20is%20a%20better%20option%20and%20leave%20this%20for%20when%20the%20stuff%20has%20really%20hit%20the%20fan!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20configure%20Client%20Access%20Policy%20(now%20called%20Access%20Control%20Policy)%26nbsp%3Btemplates%20to%20allow%20only%20people%20coming%20from%20trusted%20IP%20ranges%20however%20be%20warned%20if%20you're%20not%20using%20RFC1918%20addresses%20internally%20(e.g.%2010.0.0.0%20etc)%20then%20your%20RegEx%20setup%20for%20the%20policies%20is%20going%20to%20be%20nasty!%20You%20can%20also%20allow%20a%20single%20group%20to%20ignore%20the%20ACP%20and%20get%20in.%20This%20technet%20article%20covers%20some%20of%20the%20common%20scenarios%2C%20including%20allowing%20ActiveSync%20for%20ADFS%202.0%20(%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fhh526961(v%3Dws.10).aspx%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ELimit%20access%20to%20Office%20365%20services%20based%20on%20location%3C%2FA%3E)%2C%20(there%20was%20a%20later%20version%20but%20my%20links%20all%20seem%20to%20redirect%20to%20this%20now.%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fwindows-server-docs%2Fidentity%2Fad-fs%2Foperations%2Fmanage-risk-with-conditional-access-control%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EManage%20risk%20with%20conditional%20access%20control%20-%20Technet%3C%2FA%3E)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGood%20luck.%3C%2FP%3E%3CP%3EPaul.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60245%22%20slang%3D%22en-US%22%3ERe%3A%20Advice%20on%20moving%20from%20AD%20Connect%20with%20Password%20Sync%20to%20ADFS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60245%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Vasil.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60166%22%20slang%3D%22en-US%22%3ERe%3A%20Advice%20on%20moving%20from%20AD%20Connect%20with%20Password%20Sync%20to%20ADFS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60166%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20reuse%20the%20existing%20server%2C%20that's%20not%20a%20problem.%20Having%20a%20single%20AD%20FS%20server%20(or%20WAP%20one)%20is%20a%26nbsp%3Brecipe%20for%20disaster%20however%2C%20you%20should%20have%20at%20minimum%202%2B2%20to%20ensure%20HA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20use%20Server%202016.%20You%20can%20use%20the%20AD%20FS%20server%20to%20restrict%20logins%20based%20on%20criteria%20such%20as%20IP%20or%20protocol%20used%2C%20but%20the%20implementation%20depends%20on%20several%20factors%20(such%20as%20the%20use%20of%20Modern%20authentication)%2C%20and%20in%20some%20cases%20Conditional%20access%20might%20be%20a%20better%20solution.%20I%20dont%20have%20enough%20time%20to%20write%20a%20proper%20answer%20now%2C%20but%20this%20has%20been%20discussed%20numerous%20time%20already%2C%20do%20a%20search%20on%20the%20internet%20to%20find%20the%20relevant%20articles.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20find%20the%20instructions%20about%20switching%20between%20federated%20and%20managed%20ids%20with%20password%20sync%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F17857.dirsync-how-to-switch-from-single-sign-on-to-password-sync.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F17857.dirsync-how-to-switch-from-single-sign-on-to-password-sync.aspx%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Chris Yue
Contributor

Environment
AD Connect with Single Sign On and Password sync and Hybrid Exchange enabled.

 

I am using one server LAN based running AD Connect. If I move to ADFS, I understand that I will need the following:-
Domain joined server with ADFS services and a SSL cert installed.
Another server on the DMZ (not Domain joined) with Web Application Proxy services installed.

 

Q/
Can I using my existing AD Connect server and install ADFS services and a SSL Cert instead of building a new server with ADFS installed? Or do I need to keep the AD Connect server as it is and build 2 more servers?

 

Q/
Can I build the new infrastructure servers on Server 2016?

 

Q/
For backup, I understand it is possible to add Password sync to ADFS as an option.
In the event of a building loss where my ADFS environment is not available, how can I change from a Federated to a Managed Identity? Once I restore connectivity, how do I revert back?

 

Q/
Is it possible using Access Control Policy Templates to prevent users from accessing Office 365 services outside of the trusted IP whitelist?

 

Q/
Can I granulise the above to allow ActiveSync is always work irerespective?

 

The main driving force behind the change is to negate the need to purchase AD Premium licences which are required to use Conditonal Access to prevent a subset of users from accessing O365 outside the Intranet.

 

With ADFS is feature is built in.

 

Any advice would be grateful.

 

5 Replies
Solution

You can reuse the existing server, that's not a problem. Having a single AD FS server (or WAP one) is a recipe for disaster however, you should have at minimum 2+2 to ensure HA.

 

You can use Server 2016. You can use the AD FS server to restrict logins based on criteria such as IP or protocol used, but the implementation depends on several factors (such as the use of Modern authentication), and in some cases Conditional access might be a better solution. I dont have enough time to write a proper answer now, but this has been discussed numerous time already, do a search on the internet to find the relevant articles.

 

You can find the instructions about switching between federated and managed ids with password sync here: https://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-...

Hi Chris,

 

Absolutley agree with Vasil, one ADFS server is a recipe for disaster, even though a single ADFS server can handle thousands of logons, I always spec a minimum of 2 using hardware load balancing where possible and the same for the WAP in the DMZ, 2 with hardware load balancing.

 

Keep your AADConnect server seperate to your ADFS is my preferred practice as it ensures that the ADFS servers stay identicial which makes management easier in the future and keeps the roles sperate. (AADC may also self update depending on your configuration, so less risk if it's seperate.)

 

For the backup option, you can leave password sync in place, however the fail back in the event of you losing both of your ADFS servers (You did split them between virtual hosts/data centres hopefully..) then you need to force the Federated domain back to managed. This is a simple powershell command, BUT it takes about 30-45 minutes to fully take effect because of the number of logon servers in the office 365 arena.

 

Convert-MSOLDomainToStandard and ConvertMSOLDomainToFederated

 

Failing back is a case of changing the domain back to federated again, but again this takes time to take effect, so you can see why having a fully HA ADFS farm is a better option and leave this for when the stuff has really hit the fan!

 

You can configure Client Access Policy (now called Access Control Policy) templates to allow only people coming from trusted IP ranges however be warned if you're not using RFC1918 addresses internally (e.g. 10.0.0.0 etc) then your RegEx setup for the policies is going to be nasty! You can also allow a single group to ignore the ACP and get in. This technet article covers some of the common scenarios, including allowing ActiveSync for ADFS 2.0 (Limit access to Office 365 services based on location), (there was a later version but my links all seem to redirect to this now. Manage risk with conditional access control - Technet)

 

Good luck.

Paul.

 

 

 

Agree with previous comments.  But be careful when it comes to switching from federated to managed identity when ADFS is unavailable. The Convert-MsolDomainToStandard command requires ADFS to be available.

 

If ADFS is not available, use 

 

Set-MsolDomainAuthentication -DomainName mydomain.com –Authentication Managed

 

More info here 

That's good to know Shane, I've not had to recover authentication from ADFS in the event of a farm failure so never hit that!

 

Paul.

Related Conversations
Password Generation and Password Reveal are Not working
HotCakeX in Discussions on
5 Replies
Azure Files with adfs
Stephane KLOIS in Azure on
0 Replies
OneDrive date modified without changing the file
RahamimL in OneDrive for Business on
4 Replies
OneDrive stuck on "getting in sync" icons
Susan McClements in OneDrive for Business on
46 Replies