Mon, Apr 8 2013 23:48
ADFS and Dirsync in SMB
With permission from Cliff Galiher of www.thirdtier.net
The conversation started with whether or not we should be doing ADFS and DirSync in an SMB...
"First the simple answer: You cannot set up an ADFS setup with a single server. It just isn't going to happen.
Second, neither ADFS nor DirSync will sync passwords.
ADFS will allow Office 365 to authenticate against *your* domain controllers. Which means if your internet connection is disrupted for any reason and your DCs *and* ADFS servers are unreachable, you will not be able to log into any Office 365 services. That requires significant planning for redundancy. ADFS does not do *any* syncing. It is an authentication/authorization system (in this scenario).
The DirSync tool is what handles creating Office 365 accounts based on AD. That is *all* DirSync does. It is not a two-way sync. So you cannot create O365 accounts and have them sync into AD. Nor does it sync passwords. Which is why implementing DirSync *requires* ADFS first. They don't get local passwords because of how DirSync works, so the only way that would work is to rely on ADFS and have the authentication go directly back to your ADFS/AD environment.
So you have to ask, is *that* what you want? I can't answer that, but it is important to know what ADFS and DirSync are bringing to the table.
But back to your post. If you enabled O365 integration via the dashboard, what is it missing that you think ADFS will allow? The dashboard allows you to create users. It allows you to provision an O365 license to that user. It allows you to sync the local password up to O365. It is *technically* not a single sign-on account, but to the end user, the difference is so trivial as to be unnoticeable. Based on what you actually describe, as long as you stick to the Essentials Dashboard and don't create users via ADUC directly, you get everything you want from a feature standpoint, if not technically from an underlying functional standpoint.
Forget ADFS/DirSync. It is a great solution for large businesses that can handle multi-site redundancy and have perimeter network security to set up ADFS proxy servers, but for the SMB it is serious overkill and an administrative nightmare waiting to happen."
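Before deciding either way, it helps to see what a tenant is actually doing today: which domains are managed (cloud passwords, what the Essentials Dashboard gives you) versus federated (every sign-in goes back to your ADFS farm), and whether DirSync is switched on. The script below is an added example written for this post, not code from Cliff or Third Tier. It uses the Microsoft Online Services (MSOnline) PowerShell module of that era and assumes you have Global Admin rights on the tenant; the example domain names in the comments are placeholders. For each federated domain it also probes the ADFS passive sign-on endpoint, which is the single point of failure the reply warns about: if that URL does not answer, nobody in that domain can sign in to Office 365.

```powershell
# Added example (not from the original post): report how an Office 365 tenant
# authenticates each domain and whether DirSync is enabled, then probe the
# ADFS endpoint that federated sign-ins depend on.
# Assumes: MSOnline module installed, Global Admin credentials, PowerShell 3.0+.

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # prompts for tenant admin credentials

# 1. DirSync status. DirSync is one-way (AD -> Office 365) and, in the 2013
#    tooling discussed above, does not carry passwords, so a tenant with
#    DirectorySynchronizationEnabled = $true and no federated domain has
#    users who cannot sign in with their AD password.
$company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirSyncEnabled = $company.DirectorySynchronizationEnabled
    LastDirSync    = $company.LastDirSyncTime
} | Format-List

# 2. Per-domain authentication model: Managed (cloud password, what the
#    Essentials Dashboard password sync relies on) or Federated (ADFS).
$domains = Get-MsolDomain | Select-Object Name, Status, Authentication
$domains | Format-Table -AutoSize

# 3. For every federated domain, find the ADFS passive sign-on URL and check
#    that it answers. An unreachable endpoint here means that domain's users
#    are locked out of every Office 365 service until ADFS is back.
foreach ($d in $domains | Where-Object { $_.Authentication -eq 'Federated' }) {
    $fed = Get-MsolFederationProperty -DomainName $d.Name
    $uri = $fed.PassiveLogOnUri | Select-Object -First 1
    try {
        # -UseBasicParsing avoids the IE engine dependency on servers.
        $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10
        Write-Host ("[OK]   {0} -> ADFS endpoint {1} answered (HTTP {2})" -f `
            $d.Name, $uri, $r.StatusCode)
    }
    catch {
        Write-Warning ("[FAIL] {0} -> ADFS endpoint {1} unreachable: {2}. " +
            "Users of this domain cannot sign in to Office 365 right now." -f `
            $d.Name, $uri, $_.Exception.Message)
    }
}

# 4. Summary line a small shop can act on: if nothing is federated and DirSync
#    is off, the Essentials Dashboard path in the reply above is what you have,
#    and there is no ADFS farm to keep redundant.
if (-not ($domains | Where-Object { $_.Authentication -eq 'Federated' }) -and
    -not $company.DirectorySynchronizationEnabled) {
    Write-Host 'No federated domains and DirSync disabled: cloud-managed identities only.'
}
```

Run this from a workstation with the MSOnline module before any migration conversation; the federated-endpoint probe is worth scheduling from outside the office network too, since that is the path Office 365 itself takes to reach your ADFS proxy.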