
Single Server




I am looking at ADFS, but from reading the preparation material it seems you require two servers for the NLB.


I only have one SBS 2008 server, and it would seem that Single Sign-On would not be possible. Is this correct, and do you have to have ADFS for the AD synchronisation to be complete?



All Replies
  • Martin, it is feasible for you to use a single ADFS server (which can be run on the DC) and it can be installed on the SBS server. Requiring 2 servers is a 'strong recommendation' as this is the authentication service. If you plan on going down this route, I'd strongly encourage you to have a good understanding of how you plan to backup/restore the service in the event something happened to the server box. Doing a full server backup/restore should work.

    I'm not sure yet on how you are synchronizing the accounts to the MS cloud. The federation(ADFS) & Synchronization solution (DirSync) are optimized to use the same source anchor for the user so that the cloud matches it. If you steer off the beaten path, you have to ensure that the 'source anchor' that is synchronized and stored in the cloud directory matches up with the 'immutableID' that the ADFS system sends on authentication. This is in addition to the UPN.
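
    The check Samuel describes (the source anchor stored in the cloud must equal the ImmutableID claim ADFS issues, and the UPNs must also agree), written out as an added PowerShell example that is not part of this thread. It assumes DirSync's default source anchor, the on-premises objectGUID encoded as base64; the ActiveDirectory RSAT module on the machine where it runs; and the MSOnline module with Connect-MsolService already run in the session. The function and parameter names are the example's own.

```powershell
# Added example, not from the thread. Assumptions: DirSync's default source anchor is the
# on-prem objectGUID (base64 encoded); the ActiveDirectory and MSOnline modules are present
# and Connect-MsolService has already been run in this session.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName
)

Import-Module ActiveDirectory

function ConvertTo-ImmutableId {
    # Base64 of the GUID's byte array: the same encoding DirSync writes to the cloud
    # ImmutableId and that the ADFS claim rule sends as the ImmutableID claim.
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-SourceAnchorMatch {
    param([Parameter(Mandatory = $true)][string]$Upn)

    # On-prem side: scriptblock filter avoids building an LDAP/PowerShell filter string from input.
    $adUser = Get-ADUser -Filter { userPrincipalName -eq $Upn } -Properties objectGUID, userPrincipalName
    if (-not $adUser) { throw "No on-prem AD user with UPN '$Upn'" }

    $expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID

    # Cloud side: what the directory actually holds for this account.
    $cloudUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop

    [pscustomobject]@{
        UPN                 = $Upn
        OnPremObjectGuid    = $adUser.ObjectGUID
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloudUser.ImmutableId
        ImmutableIdMatch    = ($expected -eq $cloudUser.ImmutableId)
        UpnMatch            = ($adUser.UserPrincipalName -eq $cloudUser.UserPrincipalName)
    }
}

Test-SourceAnchorMatch -Upn $UserPrincipalName
```

    If ImmutableIdMatch is false, federated sign-in for that user will fail even though the password is right, because the cloud cannot tie the ADFS token to the synchronised object; fix the source anchor on the cloud object (or re-sync from the same source) rather than editing claim rules per user.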

  • Hi Martin,

    Did Samuel's information help you? If you have any other questions, please feel free to post them in the forum.


    Evan Zhang

  • Thank you very much Sam.  

    I would also like to mention that Directory Sync is required for using ADFS, which can't be installed on a DC (i.e. SBS) and will require a separate machine, anyway.

    Have a great day,


  • Hi Samuel,

    Thank you for providing this information. I thought it could be done on a single server, but for disaster recovery purposes it is not a viable option, even though I complete daily backups of the server, as you cannot predict when the local gas company will dig up the road and cut all the fibres and the old copper cables that serve as the backup.  :)

    Maybe an idea would be a mixed solution: authenticate against the onsite AD and, in the event of the system being unavailable, have the login switch over to the Microsoft login, which could then utilise the AD information stored offsite in 365.

    I know I don't know the total requirements, but it would be good for the DR plan if this option were available.

    Again, thank you, and sorry for the delay in responding; I have been tied up with configuring the team site and moving the mailboxes from another provider to 365.


  • So, to edit my response: DirSync isn't REQUIRED for ADFS, but is required for ADFS to be SUPPORTED.  It's all about Internet routability and AD in the end.

  • Hi Dan,

    Thanks for posting this comment. I did read this and had provisioned a possible solution of having just a desktop or a small low-cost server for the directory sync, but due to the implications for redundancy (I would require three machines in total) and the costs of a secondary server, the costs are too great and I would not be able to justify them to the MD just to enable everyone to have single sign-on, even though I know the benefits, as I could control items within AD.

    At the moment the company is small, but the number of staff will increase greatly over the next few months, and having this solution would save a lot of administration.

    But not to be ..... at the moment.  :-)



  • Hi Evan,

    Samuel's information helped me greatly and confirmed what I thought; I was just hoping for a magic solution where, in the event the server was offline, some magic was completed in the background (monitoring through SNMP possibly) and authentication would switch over to the Microsoft servers.

    That would be a really good selling feature for MS, but I would guess a lot of expense at MS's end to store all the companies' AD information online.



  • So, there IS a workaround for this, as long as you don't care about having access to SSO outside of the local network.

    Install ADFS on the SBS.  You will have to manage your user creation in O365 (unless you upgrade to SBS 2011, in which case ADFS would work with your local AD).

    This will allow users on the local network (and joined to the domain) or via VPN to utilize ADFS.  You will need another server outside the network (ADFS Proxy) in order to get this to work.

    The downside to all of this is that you don't have redundancy (but you don't, anyway, with SBS).

    Have a great day,