
Working with a client to configure ADFS, just got this in an e-mail:

"We are using Server 2008 Enterprise with AD, GP, DNS and DHCP running on the same box."

And now he indicates he wants to also install ADFS on the same box as well. I am not even sure if ADFS and AD can be on the same server, but if it can be I also wonder if it is a good idea or not.

MetaGuru

3 Answers


It should be fine to install on your domain controllers. As long as the DNS lookup caches and DHCP leases are sane, and you have a proper number of DCs for your environment (the answer is never "one DC"), ADFS should not present a huge amount of load.

gWaldo
  • But you are installing IIS and exposing the box to the Internet, which I would not recommend doing on a DC for security purposes. – Andy Schneider Jan 15 '13 at 23:00
  • "ADFS’s use of IIS was removed in Windows Server 2012 R2 and so it is now okay to run AD FS on a domain controller... In production, it would be recommended that the AD FS server was behind a Web Application Proxy." - [MSDN](https://msdn.microsoft.com/en-us/library/dn660966.aspx) – Taylor Buchanan Jul 21 '17 at 20:48

Yes, it's a supported configuration to have AD and ADFS on the same box, so no problems there. But as the general preference is to have AD roles on dedicated servers, it's not an encouraged configuration.

When you upgrade the AD in the future, you'd have to do in-place upgrades of this server instead of demoting/promoting new DCs.

If you are also planning for this server to be internet accessible, then it's also not a good configuration from a security perspective unless you plan to have ADFS proxies too.

So if this is a very small environment where they have no other servers or means of even using virtualization to host roles on different OS guests, then yes, you can do it.

maweeras
  • As of 4/21/2015 it is actually recommended on TechNet to install ADFS on the DCs for less than 1000 users. ref: https://technet.microsoft.com/en-us/library/dn151324.aspx#BKMK_3 – user319862 Apr 21 '15 at 14:11
  • Although the point about upgrading in place versus demote/promote is definitely something to consider – user319862 Apr 21 '15 at 14:13
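The two answers above both turn on the same questions: is this box a DC, how many DCs does the domain have, does this OS's AD FS still drag in IIS, and is anything (IIS, a proxy role) already exposing it. The following PowerShell pre-flight check is an added example, not code from any of the answers or from Microsoft; it assumes Windows Server 2012 R2 or later with the ServerManager and ActiveDirectory modules present (true on any DC), and uses the standard Windows feature names. The version cut-off (NT 6.3 = 2012 R2) is the point the MSDN quote in the comments makes.

```powershell
# Added example: pre-flight check before adding the AD FS role to a box that is
# already a domain controller (with DNS/DHCP alongside it, as in the question).
# Assumptions: Server 2012 R2+ (ServerManager + ActiveDirectory modules available).
$ErrorActionPreference = 'Stop'
Import-Module ServerManager
Import-Module ActiveDirectory

$os = Get-CimInstance Win32_OperatingSystem
[version]$osVersion = $os.Version
Write-Host "OS: $($os.Caption) ($osVersion)"

# AD FS on 2012 R2 (NT 6.3) and later no longer uses IIS; on 2012 and earlier the
# role pulls IIS onto the DC, which is the objection raised in the first answer's comments.
$adfsNeedsIis = $osVersion -lt [version]'6.3'

# Roles already present on this host
$roles = Get-WindowsFeature -Name AD-Domain-Services, DNS, DHCP, Web-Server, ADFS-Federation, Web-Application-Proxy
$roles | Select-Object Name, Installed | Format-Table -AutoSize

$isDc   = ($roles | Where-Object Name -eq 'AD-Domain-Services').Installed
$hasIis = ($roles | Where-Object Name -eq 'Web-Server').Installed
$hasWap = ($roles | Where-Object Name -eq 'Web-Application-Proxy').Installed

# "The answer is never one DC": count the DCs in this domain before piling on roles.
$dcs = @(Get-ADDomainController -Filter *)
Write-Host "Domain controllers in $((Get-ADDomain).DNSRoot): $($dcs.Count)"
if ($dcs.Count -lt 2) {
    Write-Warning 'Only one DC in the domain; add a second before stacking AD FS on this one.'
}

if ($isDc -and $adfsNeedsIis) {
    Write-Warning "AD FS on $($os.Caption) requires IIS; running it on a DC is not recommended."
}
if ($isDc -and $hasIis) {
    Write-Warning 'IIS is already installed on this DC; make sure nothing publishes it to the Internet.'
}
if ($hasWap) {
    # The proxy is what should face the Internet, and it belongs on a separate host in the
    # perimeter network in front of the federation server, never on the DC itself.
    Write-Warning 'Web Application Proxy is installed on this DC; move it to a separate perimeter host.'
}

# AD FS will want TCP 443 via HTTP.sys; show anything already listening there.
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Only the role install; farm configuration (certificate, service account, federation
# service name) is a separate Install-AdfsFarm step once a proxy is planned for the edge.
if ($isDc -and -not $adfsNeedsIis -and $dcs.Count -ge 2 -and -not $hasWap) {
    Install-WindowsFeature ADFS-Federation -IncludeManagementTools
} else {
    Write-Host 'Pre-flight checks failed; not installing ADFS-Federation on this host.'
}
```

Run it in an elevated PowerShell session on the candidate server; it only installs the role when the host is on an IIS-free AD FS version, the domain has more than one DC, and no proxy role is co-located. Whether to accept the in-place-upgrade cost the second answer mentions is a judgement call the script cannot make for you.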

I'm fairly certain you will need to specify LDAP ports other than default in this scenario. Otherwise, it should function fine.

dogmanky
  • I believe you are thinking of AD LDS. In which case you would need to specify other ports for the LDS instance. – HostBits Sep 08 '11 at 16:37