2

I'm a developer and got the order to install a Team Foundation Server (2017) on a Windows 2012 Server (no RC) in our network. All clients of the network authenticate over an Active Directory, so it would make sense to stick to the same mechanism with TFS. (I know that it would work with workgroups but I would rather use what's in place...)

Honestly, I'm a bit scared to interrupt our Active Directory, which would have a direct impact on our network.

I have read the docs:

https://msdn.microsoft.com/en-us/library/ms253184(v=vs.90).aspx

https://msdn.microsoft.com/de-de/library/ms253081(v=vs.110).aspx

but can't find more specific info.

My questions are:

Does TFS write entries into the Active Directory?

Is there something I would have to pay attention to while installing TFS with regard to the AD?

Can something go wrong with the AD? Are there scenarios in which I would destroy/interrupt the AD?

Kris
  • 123
  • 5

2 Answers

2

Let's clarify this:

TFS does not write to Active Directory (AD) nor "has its own Active Directory".

TFS stores users and groups, permissions and security, in its own database. It integrates with Windows Security by running a background job every hour and reading users and groups from AD. Note that I wrote Windows Security because there are two scenarios:

  1. TFS is running on a single machine not joined to any AD domain (aka Workgroup mode);
  2. The machine(s) where you install TFS is domain-joined.

Indeed, the configuration wizards assume that all required Windows accounts (AD or Workgroup) exist (you see a Test link beside each input box).

As a TFS Administrator, you have no dial for this job, but you should periodically look for errors in the Job Monitoring page (see New tools for TFS Administrators) at _oi/_jobMonitoring/.

Instead, you should prepare your DNS configuration, if possible, to facilitate future changes and reconfiguration of your TFS infrastructure: see this and this posts.

Giulio Vian
  • 508
  • 2
  • 10
0

TFS has its own security and makes a one-way trust relationship to the users' Active Directory domain through the use of a user. No entries are made in your domain's Active Directory.

Because of this, when you're setting up permissions in TFS, I highly recommend you tie the TFS groups to your domain groups to manage your TFS project permissions.

https://msdn.microsoft.com/en-us/library/ms253081(v=vs.90).aspx

Edited to change Active Directory to Security.

illandous
  • 157
  • 6
  • Why would TFS require a separate domain? Why wouldn't you install it in the same domain as your users and groups? – twconnell Jul 07 '17 at 20:15
  • This is incorrect. TFS does not "have its own Active Directory" and the link that you posted does not confirm that claim. – MDMarra Jul 09 '17 at 13:24