Planning the AD FS Topology
by Randy Wintle, Alex Lewis, David Ross, Tom Pacyk
Microsoft® Lync® Server 2013 Unleashed Second Edition
- Title Page
- Copyright Page
- Contents at a Glance
- Table of Contents
- Foreword
- About the Authors
- Dedications
- Acknowledgments
- We Want to Hear from You!
- Reader Services
- Introduction
- Part I: Lync Server 2013 Overview
- Chapter 1. Getting Started with Microsoft Lync Server 2013
- Chapter 2. What’s New in Microsoft Lync Server 2013
- Chapter 3. Feature Overview and Benefits of Microsoft Lync Server 2013
- Chapter 4. Business Cases for Lync Server 2013
- Why Unified Communications
- Instant Messaging and Presence
- Benefits of Instant Messaging and Presence
- Web, Audio, and Video Conferencing
- Benefits of Web, Audio, and Video Conferencing
- Enterprise Telephony
- Understanding the Benefits of Enterprise Telephony as part of a UC Solution
- Unified Messaging
- Understanding the Benefits of Unified Messaging as Part of a UC Solution
- Return on Investment (ROI)
- UC Investments
- Consider the Capital Investments
- Consider the Operating Expenses
- Consider the Committed or “Dual-Run” Costs
- Realizing ROI with Audio Conferencing
- Realizing ROI with Centralized Telephony
- Reduced Hardware Footprint
- Reduced Support Costs
- SIP Trunking Opportunity
- Realizing ROI with Productivity Increases
- Realizing ROI with Reduced Travel Costs
- Realizing ROI with Reduced Real Estate Costs
- Why Lync 2013 for Unified Communications
- Summary
- Why Unified Communications
- Part II: Microsoft Lync Server 2013 Server Roles
- Chapter 5. Microsoft Lync Server 2013 Front End Server
- Chapter 6. Microsoft Lync Server 2013 Edge Server
- Edge Server Overview
- Edge Server Installation
- Hardware Requirements
- Operation System Requirements
- Software Requirements
- Server Roles and Features
- Configure Networking
- IPv6 Support
- Create the Edge Pool
- Edit the Topology
- Deploying a Single Edge Server Pool
- Deploying a Load-Balanced Edge Server Pool
- Publish the Topology
- Installing the Edge Server
- Export Topology
- Installing a Local Configuration Store
- Installing the Lync Server Components
- Creating Certificates
- Importing Offline Certificate Requests
- Assigning Certificates
- Start Services
- Edge Server Configuration
- Edge Server Administration
- Edge Server Troubleshooting
- Firewall Ports
- Routing
- Certificates
- Edge Internal Certificate Names
- Access Edge Certificate Names
- Web Conferencing Edge Certificate Names
- A/V Authentication Certificate Names
- Wildcard Certificates
- DNS Records
- Windows Event Logs
- Lync Centralized Logging
- Lync Server Management Shell
- Telnet
- Troubleshooting Lync Services
- Edge Server Best Practices
- Summary
- Chapter 7. Microsoft Lync Server 2013 Monitoring and Archiving
- Chapter 8. Mediation Server
- Mediation Server Overview
- Installing Mediation Server
- Prerequisites
- Hardware Recommendations
- Operating System Requirements
- Software Requirements
- Server Roles and Features
- Create a Mediation Server Pool
- Steps to Edit the Existing Topology
- Steps to Publish the Updated Topology
- Install Lync Mediation Server Components
- Cache Installation Files
- Install Local Configuration Store
- Install Lync Server Components
- Create Certificates
- Assign Certificates
- Start Services
- Mediation Server Configuration
- Mediation Server Administration
- Mediation Server Troubleshooting
- Summary
- Best Practices
- Chapter 9. Director
- Director Overview
- Installing the Director Role
- Prerequisites
- Hardware Recommendations
- Operating System Requirements
- Software Requirements
- Server Roles and Features
- Installing Server Role Prerequisites
- Creating a Director Pool
- Edit Topology
- Publish Topology
- Install Server
- Cache Installation Files
- Install Local Configuration Store
- Install Lync Server Components
- Create and Install Certificates
- Assign Certificates
- Start Services
- Configuring the Director
- Administration of the Director Role
- Director Troubleshooting
- Summary
- Best Practices
- Chapter 10. Persistent Chat
- Part III: External Dependencies
- Chapter 11. Dependent Services and SQL
- Active Directory
- Domain Name System
- Server Certificates
- Network Dependencies
- Office Web Apps Server
- SQL Server Dependencies
- Lync Database Requirements
- Installing SQL Server for Lync
- SQL Backup Procedures
- Backing Up SQL Using Windows Server Native Backup
- Backing Up SQL Using SQL Server Management Studio
- Maintaining the Lync SQL Databases
- Checking and Repairing Database Integrity
- Monitoring and Reducing Fragmentation
- Shrinking Data Files
- Creating SQL Server Maintenance Plans
- Summary
- Chapter 12. Firewall and Security Requirements
- Firewall Requirements Overview
- Ports Required for Internal and External Access
- Using Network Address Translation (NAT) with Lync Server
- Reverse Proxy Requirements
- Reverse Proxy Configuration
- Create DNS Records for Lync Server Reverse Proxy
- Verifying Access to the Lync Web Services
- Configuring Microsoft Threat Management Gateway (TMG) for Lync Server
- Configure Web Farm FQDN
- Request and Configure SSL Certificates
- Configuring Web Publishing Rules
- Configuring Authentication and Certification on IIS Virtual Directories
- File Share Permissions
- Summary
- Chapter 11. Dependent Services and SQL
- Part IV: Administration and Management
- Chapter 13. Monitoring Lync Server 2013
- Understanding Key Areas to Monitor in Your Deployment
- Monitoring the Health and Performance of Lync Server 2013
- Using Performance Monitor to Establish Performance Baselines
- Important Performance Monitor Counters
- Collecting and Analyzing Performance Monitor Data
- Features Available in Lync Server 2013 for Health Monitoring and Troubleshooting
- Using Windows Event Logs to Identify Health Issues
- Using Synthetic Transactions to Identify Health Issues
- Capabilities and Benefits of System Center Operations Manager with Lync Server
- Monitoring the Health of Lync Server 2013 with SCOM
- Summary
- Chapter 14. Administration of Microsoft Lync Server 2013
- Administration Overview
- Lync Server Control Panel
- Lync Server Management Shell
- Benefits of the Management Shell
- Management Shell Basics
- Tips and Tricks
- Use the Tab Key
- Skip the Identity
- Surround Spaces with Quotation Marks
- Leverage Get-Help
- Role-Based Access Control
- Lync Versus Exchange RBAC
- Default Roles
- Creating New Roles
- Using the Lync Topology Model
- Managing Servers and Users
- Configuring Quality of Service
- Troubleshooting
- Best Practices
- Summary
- Administration Overview
- Chapter 15. High-Availability and Disaster Recovery
- Defining Business Requirements for High-Availability and Disaster Recovery
- Designing for High-Availability
- Understanding High-Availability
- High-Availability Options in Lync Server 2013
- What Services Are Supported for Lync High-Availability?
- SQL Server Backend High-Availability
- File Share High-Availability
- Lync Front End Server High-Availability
- Lync Edge Server High-Availability
- Lync Mediation Server High-Availability
- Persistent Chat High-Availability
- Shared Components High-Availability
- Designing for Disaster Recovery
- Defining Disaster Recovery
- Disaster Recovery Options in Lync Server 2013
- What Services Are Supported for Lync Disaster Recovery?
- SQL Server Backend Disaster Recovery
- Lync Front End Server Disaster Recovery
- Lync Edge Server Disaster Recovery
- Lync Mediation Server Disaster Recovery
- Persistent Chat Disaster Recovery
- Shared Components Disaster Recovery
- Configuring Lync Server for High-Availability
- Configuring SQL Server Mirroring
- Configuring SQL Server Mirroring During Pool Creation in Topology Builder
- Configuring SQL Server Mirroring on Existing Front End Server Pools
- Failing Over a Failed SQL Store to the SQL Server Mirror
- Configuring Front End Server Pools
- Configuring a Front End Server Enterprise Edition Pool
- Configuring DNS Load Balancing for Enterprise Edition Pools
- Configuring File Shares
- Configuring Persistent Chat Server Pools
- Executing Disaster Recovery Procedures
- Summary
- Chapter 13. Monitoring Lync Server 2013
- Part V: Migrating from Older Versions
- Part VI: Lync Voice, Video, and Integration
- Chapter 17. Lync Telephony and Voice Integration
- Chapter 18. Advanced Lync Voice Configuration
- Building the Lync Topology
- Defining Mediation Pools
- Defining PSTN Gateways
- Defining Additional Trunk Associations
- Defining Branch Sites
- Defining Survivable Branch Appliances and Servers
- Deploying a Survivable Branch Appliance
- Adding the Survivable Branch Appliance to Active Directory
- Defining the Service Principal Name
- Installing a Survivable Branch Appliance
- Voice Routing
- Configuring a Dial Plan
- Creating Normalization Rules
- Configuring Voice Policies
- Creating Voice Routes
- Creating PSTN Usages
- Creating a Trunk Configuration
- Configuring Inter-Trunk Routing
- Creating Translation Rules
- Publishing Voice Configuration Changes
- Export and Import Voice Configuration
- Creating Test Cases
- Voice Features
- Advanced Enterprise Voice Features
- Defining the Network Configuration
- Creating Network Regions
- Creating Network Sites
- Creating Network Subnets
- Configuring Call Admission Control
- Defining Bandwidth Policy
- Associate Bandwidth Policy Profile
- Network Region Links
- Creating Network Region Routes
- Creating Network Inter-Site Policies
- Enabling Call Admission Control
- Media Bypass
- Enabling Media Bypass
- Creating Bypass IDs
- Configuring E911
- Configuring Site Locations
- Validating Civic Addresses
- Create Location Policy
- Dial-In Conferencing
- Response Groups
- Configuring Agent Groups
- Understanding Routing Methods in Agent Groups
- Creating an Agent Group
- Configuring Queues
- Creating a Queue
- Configuring Workflows
- Creating Workflows
- Creating a Hunt Group Workflow
- Creating an Interactive Workflow
- Configuring Business-Hour Collections
- Configuring Holiday Sets
- Creating Workflows Using the Lync Server Management Shell
- Best Practices
- Building the Lync Topology
- Chapter 19. Lync Native Video and Data Conferencing
- Chapter 20. Video Integration with Third-Party Products and Services
- Part VII: Integration with Other Applications
- Chapter 21. Exchange and SharePoint Integration
- Server-to-Server Authentication
- Exchange Integration Features
- Unified Contact Store
- Migrating Users to Unified Contact Store
- Selectively Enabling Users for Unified Contact Store
- Unified Contact Store Rollback Procedure
- Lync Archiving Integration
- Archiving Policies in Lync and Exchange
- Archiving Configuration
- High-Resolution Photos
- Uploading Photos Using the Exchange Management Shell
- Uploading Photos Using Outlook Web App
- Outlook Web App Integration
- Unified Messaging Voice Mail Integration
- Exchange UM Components
- Exchange UM Configuration for Lync
- Lync Configuration for Exchange UM
- Testing the UM Integration
- SharePoint Integration Features
- Summary
- Chapter 21. Exchange and SharePoint Integration
- Part VIII: Office 365 and Lync Online
- Chapter 22. Lync Online and Hybrid Deployments
- Overview of Lync Online and Office 365
- System Requirements
- Experiencing Lync Online
- Deploying Lync Online
- Adding Domains to Lync Online/Office 365
- Adding Lync Online User Accounts
- Adding User Accounts Using the Online Portal
- Adding User Accounts Using PowerShell
- Adding User Accounts in Bulk
- Preparing Client Systems for Lync Online
- Configuring Federation and Public IM
- Configuring Dial-in Conferencing
- Configuring Lync Properties for User Accounts
- Configuring Lync-to-Phone
- Configuring Exchange UM Integration
- Creating a SIP URI Dial Plan
- Enabling Users for Exchange UM
- Configuring an Auto Attendant Number
- Configuring a Subscriber Access Number
- AD FS Deployment for SSO
- Preparing Systems for AD FS
- Preparing the Network for AD FS
- Installing AD FS Software
- Configuring the First Federation Server in the Farm
- Adding Federation Servers to the Farm
- Verifying That the Federation Service Is Operational
- Federation Server Proxy Configuration
- Verifying That the Federation Proxy Is Operational
- Establishing Trust with Office 365 for SSO
- Installing the Microsoft Online Services Module
- Adding or Converting a Domain for SSO
- Configuring Directory Synchronization
- Lync Hybrid Deployment
- Summary
- Chapter 22. Lync Online and Hybrid Deployments
- Part IX: Lync Server 2013 Clients
- Chapter 23. Mac Client
- Chapter 24. Mobile Clients
- Mobile Clients Overview
- Lync Server 2013 Mobility Technical Review
- Deploying Lync 2013 Mobility
- Certificate and DNS Requirements
- DNS Requirements for Push Notifications
- Certificate Requirements for LyncDiscover
- Federation Requirements for Push Notifications
- Reverse Proxy and Hardware Load Balancer Considerations for Mobility
- Reverse Proxy Certificate Requirements
- Hardware Load Balancer Requirements
- Network and Security Considerations for Mobility
- Firewall Rules Required for Lync Mobile
- Steps to Enable Mobility
- DNS Configuration for the LyncDiscover Service
- Configurations for Proper Certificate Configuration
- Configurations for Push Notifications
- Enable Mobility for Users
- Controlling Functionality with Mobility Policies
- User Policies for Lync Mobile
- Server Policies for Lync Mobile
- Summary
- Chapter 25. Windows Client
- Chapter 26. Browser Client
- Lync 2013 Browser Capabilities
- Lync Server 2013 Web App Technical Review
- Requirements to Deploy Lync 2013 Browser Functionality
- Installing Lync Web App Server
- Configuring Lync Web App
- Enabling Lync Web App Access for Anonymous Users
- Lync Web App Conferencing Policies
- Publishing Lync Web App Service to External Clients
- Operating System Requirements for Lync 2013 Web App Client
- Browser Requirements for Lync 2013 Web App Client
- Summary
- Chapter 27. Lync and VDI
- Part X: Planning for Deployment
- Chapter 28. Planning for Lync Online and Hybrid Deployments
- Comparing Topologies
- Lync Online and Office 365 Subscription Plans
- Planning for Lync Online
- Lync Online Identity Scenarios
- Cloud Identity
- Cloud Identity + Directory Synchronization
- Federated Identity
- Planning Lync Online Administration
- Planning the SIP Namespace
- Planning the Network for Lync Online
- Planning Internet Connection Bandwidth for Lync Online
- Firewall Port Requirements for Lync Online
- DNS Requirements for Lync Online
- Planning for Federation and Public IM
- Planning for Dial-in Audio Conferencing
- Planning for Hosted Voice Using Lync-to-Phone
- Planning for Exchange UM Integration
- Planning for Single Sign-On with AD FS
- Preparing Active Directory for SSO
- Planning Active Directory Federated Services for SSO
- Planning the AD FS Topology
- Choosing the AD FS Database Platform
- Planning for External Access to AD FS
- Planning AD FS Hardware
- Planning AD FS Certificates
- Planning the Network for AD FS
- Planning Browser Support for AD FS
- Planning for Directory Synchronization
- Planning for a Hybrid Deployment
- Summary
- Chapter 29. Virtualization Support
- Chapter 30. Planning for Basic Lync Services
- Determining the Scope of the Deployment
- Determining Your Infrastructure Needs
- Planning for Capacity
- Planning for IM
- Planning for Conferencing
- Planning for Clients and Devices
- Planning for Archiving
- Defining Your Archiving Requirements
- Planning for Management
- Documenting the Plan
- Best Practices
- Summary
- Chapter 31. Planning to Deploy External Services
- Chapter 32. Planning for Voice Deployment
- Chapter 28. Planning for Lync Online and Hybrid Deployments
- Part XI: Endpoints
- Index
Planning the AD FS Topology
The first consideration in the AD FS planning process is the number of federation servers to be deployed, and the sizing of those servers. In the AD FS section of the TechNet site, Microsoft provides detailed capacity planning guidance along with a sizing calculator that can be used to determine how many federation servers are needed, along with the sizing recommendations for each server. However, the reality is that for a new Lync Online deployment, most organizations will not have the data that must be input to make use of the sizing tools provided. For this reason, and also because the resource requirements for a federation server are not significant, Microsoft also provides separate guidance for AD FS deployments that are planned for Office 365. This information can be used to estimate the number of federation servers and federation server proxies that should be deployed based on the number of users who will be accessing Office 365. For example, Table 28.7 provides guidelines on the number of servers recommended based on the Lync Online user count.
As shown in Table 28.7, for small environments with fewer than 1,000 users, it is acceptable to install the federation server role on nondedicated systems and still expect good performance. For example, the federation server role can be installed on domain controller systems. However, the federation server software is compatible only with Windows Server 2008 and Windows Server 2008 R2; therefore, with a Windows Server 2003–based Active Directory environment it might still be necessary to use dedicated federation server systems. Also, if the federation server role is installed on domain controller systems, another system needs to be used for the NLB function to provide redundancy.
Note from Table 28.7 that a minimum of two servers is recommended for all scenarios, regardless of user count. The reason for this is that, although a single federation server can handle many user connections, this configuration would represent a single point of failure for a relatively critical service. Two federation servers is therefore the minimum recommendation to allow resiliency for SSO. Connections to multiple federation servers in a farm must be load balanced, which can be accomplished using Microsoft’s built-in network load balancing (NLB) feature, or using a hardware load balancer.
Regardless of the number of servers involved, each deployment of AD FS constitutes a single instance of a federation service, and each federation service is represented by a fully qualified domain name that is unique within the organization. If the federation service will provide connections from external systems, a public DNS name is required. If split brain DNS is used, a DNS host record for the federation service needs to be configured for both the internal and the external zones.
One service account is also used to run AD FS across all servers within a federated service instance. With a standalone AD FS deployment, a dedicated service account is not required, and the NETWORK SERVICE account is automatically specified by the AD FS installer to serve this purpose. However, a dedicated service account is still recommended for standalone deployments to reduce the attack surface of the federation server. A user account should therefore be created for this purpose in Active Directory before the installation of AD FS, and then configured as a dedicated service account for AD FS during the initial configuration. The service account does not require any particular rights to the AD domain; however, it must be a member of the local Administrators group on each federation server.
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.