toby2686
(BigT)
1
The network in question is currently running a single Exchange 2010 box and we are looking to install another in an alternate site. This brings up the question as to whether to move towards 365 or not. Now we want to preserve single sign-on, which then brings up the ADFS and DirSync scenario. I am keen to hear what people think or if they have had experience in delivering the ADFS and DirSync solution.
Thanks
John5152
(John5152)
2
DirSync works well, but users will need to change their password in Outlook when they change it in AD. Not really a big deal as long as they remember to check the "remember password" box when they change it in Outlook. This solution is working well for us.
Single Sign-On / ADFS requires several servers to provision.
tobywells
(toby wells)
3
I inherited an Office 365 setup 2 years ago using ADFS.
ADFS is great if you have complex SharePoint systems or want to restrict users so they can't use Autodiscover and ActiveSync when outside the LAN, but for most businesses this is the opposite of what they are trying to do!
Doing ADFS properly needs physically diverse setups, so if your site goes bang then you have another to take over (using something like CloudFloor DNS, who do active failover rather than low-TTL DNS changes).
We had all this, but when their city power went out all 3 of our sites were down and people using iPhones in other countries & time zones got knocked out.
We moved to DirSync and users have to check the box that says "remember password", and now we are fully resilient to outages: all 3 sites could go bang and nobody loses service. It's not true SSO, it's pseudo SSO, but for most users it's all they need, and for IT it's a lot less to manage and saves the cost of 4 server licenses and the overhead of multiple servers and diversity to manage.
ADFS - Generally Inconvenient (phrase stolen from Scott Alan Miller but summarises it brilliantly)
DirSync - Simple and very stable
toby2686
(BigT)
4
Thanks John. So you run local AD with DirSync to make passwords the same for the domain and 365. Users use username@domain for email, and domain\username for domain login.
lisalyons
(Lisa Lyons)
5
I've spent the last 5 weeks getting ADFS working correctly... and even now it's not! In theory, you should have at least 2 ADFS servers and 2 ADFS proxy servers, all running network load balancing, and all on separate servers.
What I've ended up with is a single ADFS server, which also runs my DirSync stuff, a single proxy, and a half-assed, half-working NLB that I can't count on.
Yeah… could be easier/better.
You can handle SSO and AD integration differently and avoid the additional servers using Okta. It covers other apps too, so the investment in it is for more than just Office 365. I recommend it and plan on using it for Office 365 if we decide to go that route.
https://www.okta.com/resources/webinar-extending-ad-to-office-365.html
lisalyons
(Lisa Lyons)
7
They recently reached out to me, so yeah, that helps!
inkmaster
(InkMaster)
8
I've been content with ADFS after using it on two separate tenants: one for 3 years and another for 2 years.
Perhaps it was easier to set up a couple of years ago, as I haven't had any issues with it since implementation.
@Lisa - I've been using Okta for a while now. If you want my perspective, let me know and I'll send you my details.
lisalyons
(Lisa Lyons)
10
I think I’d appreciate it! Feel free to drop me a PM?
John5152
(John5152)
11
Yes, effectively that's the way we work.
We did have a .local domain name in the office, so I needed to add the mail domain extension as a UPN to all the users in AD. E.g. the username was john.5152@mycompany.local and the UPN required was john.5152@mycompany.co.uk. Once that was done it was quite quick and simple to set DirSync up.
One note of caution - I think this only applies if you have GoDaddy as your registrant, but watch out anyway: when you confirm ownership of the domain, don't go for the automatic setup option, because it will reset all your MX records to the Exchange Online address. I had a pleasant afternoon resetting this after I clicked it by accident!
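The UPN change John describes (mycompany.local to the public mail domain before running DirSync) can be scripted. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, an account allowed to edit forest UPN suffixes and user objects, and the thread's placeholder domain names. It is a dry run unless -Commit is passed.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and rights to edit the forest UPN suffix list and user objects.
# The two domain names are the placeholders used in the thread.
param(
    [string]$OldSuffix = 'mycompany.local',
    [string]$NewSuffix = 'mycompany.co.uk',
    [switch]$Commit      # without -Commit the script only reports what it would change
)
Import-Module ActiveDirectory

# 1. Register the public suffix on the forest; Set-ADUser rejects a UPN suffix
#    that is not in this list.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Write-Host "Adding UPN suffix $NewSuffix to forest $($forest.Name)"
    if ($Commit) { Set-ADForest -Identity $forest -UPNSuffixes @{Add = $NewSuffix} }
}

# 2. Rewrite each user's UPN. The new UPN should equal the primary SMTP address so the
#    Office 365 sign-in name is the e-mail address (the username@domain case above).
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -Properties mail
$report = foreach ($u in $users) {
    $newUpn = ($u.UserPrincipalName -split '@')[0] + '@' + $NewSuffix
    # Flag users whose mail attribute would not match the new UPN; they are reported
    # but left untouched so they can be reviewed by hand.
    $mailMismatch = [bool]$u.mail -and ($u.mail -ne $newUpn)
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUPN         = $u.UserPrincipalName
        NewUPN         = $newUpn
        MailMismatch   = $mailMismatch
    }
    if ($Commit -and -not $mailMismatch) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    }
}
$report | Format-Table -AutoSize
if (-not $Commit) { Write-Host "Dry run only. Re-run with -Commit to apply the changes." }
```

Run it once without -Commit, check the MailMismatch column, then re-run with -Commit before the first DirSync pass.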
toby2686
(BigT)
12
Thanks for all the quick answers. ADFS for 30 people seems not to be worth it.
Also, are people using the sign-on assistant with their DirSync implementations?
Thanks again.
John5152
(John5152)
13
No, definitely not worth it (or practical) for 30 users - I think you need 5 servers to run ADFS!
erik
(ErikN)
14
I’ve never worked with ADFS. At what point/company size DOES it make sense?
inkmaster
(InkMaster)
15
We’re running it for 100+ per tenant.
This is a great chance to go to Office 365, get upgraded and save money. ADFS is recommended only in the most extreme cases. Most of the time DirSync is what you want: much easier and more straightforward.
We moved to 365 after Katrina and haven’t ever regretted it. We also use DirSync and it works great for us.
What was the final decision?
toby2686
(BigT)
19
We installed a new on-premises Exchange server, mainly due to transport rules. I personally would have gone with 365; however, management decided otherwise. Budget wasn't a major factor.
Thanks to all who responded.