We need some advice on the ADFS topology we are planning to deploy, and whether it will work or not.
Our ADS description
- Windows 2008 R2-based single forest with just the forest root domain
- The forest root domain spans two AD sites, each site with a couple of DCs
- We have approximately 750 users in our AD domain
Our requirements
- We have 4 email domains and plan to move to the O365 Exchange service for all four email domains.
- We plan to subscribe to the O365 service for all 4 of our email domains.
- We also plan to implement ADFS with WID for SSO.
- We do not wish to provide SSO for users outside our AD site LAN network, so we do not need an ADFS proxy.
Our ADFS Deployment Plan
- In AD-Site-1, create an NLB cluster using the Windows NLB feature on two member servers and deploy an ADFS/WID farm with a URL such as https://one.domainname.rootdomain. Also deploy DirSync on another system and then configure SSO.
- In AD-Site-2, create an NLB cluster using the Windows NLB feature on two member servers and deploy an ADFS/WID farm with a URL such as https://two.domainname.rootdomain. Also deploy DirSync on another system and then configure SSO.
- When AD-Site-1 goes down completely, we will switch the O365 integration to use the ADFS farm in AD-Site-2.
Our queries
- Is the above topology workable?
- Can we have two ADFS NLB farms, or even two standalone ADFS instances, in a single AD domain?
- Will the WID database of ADFS farm one in AD-Site-1 replicate automatically with ADFS farm two in AD-Site-2, or will the WID DBs of the two farms act independently?
- Can we use a single wildcard SSL certificate on all our ADFS servers in both farms?
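As an added example (not part of the original post or of any answer to it), the manual failover step in the plan above, switching the four federated O365 domains from the Site-1 farm to the Site-2 farm, written as PowerShell against the MSOnline module's own cmdlets (Connect-MsolService, Set-MsolADFSContext, Get-MsolDomainFederationSettings, Update-MsolFederatedDomain). The four domain names, the server name adfs-site2-01.domainname.rootdomain, and the assumption that the Site-2 farm already carries the Office 365 relying-party trust and claim rules are my placeholders and assumptions, not facts from the post.

```powershell
# Added example, not from the original post: move the O365 federation trust
# for all four email domains from the Site-1 ADFS farm to the Site-2 farm.
#
# ASSUMPTIONS (not stated in the post):
#  - the MSOnline module is installed and the account used is a tenant admin;
#  - adfs-site2-01.domainname.rootdomain is a member of the Site-2 farm and
#    reachable over WinRM from this host (Set-MsolADFSContext needs that);
#  - the Site-2 farm already has the Office 365 relying-party trust and claim
#    rules, and its service name is two.domainname.rootdomain (from the post);
#  - the four domain names below are placeholders for the real email domains.

$FederatedDomains = @('example1.com', 'example2.com', 'example3.com', 'example4.com')
$NewFarmServer    = 'adfs-site2-01.domainname.rootdomain'   # hypothetical Site-2 farm member
$NewServiceName   = 'two.domainname.rootdomain'               # Site-2 federation service name

Connect-MsolService

# 1. Pre-check: do not touch the tenant unless the Site-2 farm actually answers.
#    Its federation metadata must be reachable from the admin host.
$metadataUrl = "https://$NewServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $metaText = (New-Object System.Net.WebClient).DownloadString($metadataUrl)
} catch {
    throw "Site-2 federation metadata not reachable at $metadataUrl; aborting failover. $_"
}
$metaXml = [xml]$metaText
"Site-2 farm entityID: " + $metaXml.EntityDescriptor.entityID

# 2. Record what each domain currently trusts, so the change can be verified
#    afterwards and reverted with the same steps against the Site-1 farm.
$before = @{}
foreach ($d in $FederatedDomains) {
    $before[$d] = Get-MsolDomainFederationSettings -DomainName $d
    "{0}: IssuerUri={1} PassiveLogOnUri={2}" -f $d, $before[$d].IssuerUri, $before[$d].PassiveLogOnUri
}

# 3. Point the MSOnline cmdlets at the Site-2 farm and push that farm's
#    endpoints and token-signing certificate into the tenant for each domain.
#    -SupportMultipleDomain is required because four domains share one farm.
Set-MsolADFSContext -Computer $NewFarmServer
foreach ($d in $FederatedDomains) {
    Update-MsolFederatedDomain -DomainName $d -SupportMultipleDomain
}

# 4. Post-check: every domain must now point at the Site-2 endpoints. The
#    signing-certificate comparison is informational only; it changes when the
#    two farms use different token-signing certificates, which is the usual case
#    for two independently built farms.
$failed = @()
foreach ($d in $FederatedDomains) {
    $after = Get-MsolDomainFederationSettings -DomainName $d
    $certChanged = ($after.SigningCertificate -ne $before[$d].SigningCertificate)
    $movedToSite2 = ($after.PassiveLogOnUri -like "https://$NewServiceName/*")
    "{0}: PassiveLogOnUri={1} signingCertChanged={2}" -f $d, $after.PassiveLogOnUri, $certChanged
    if (-not $movedToSite2) { $failed += $d }
}
if ($failed.Count -gt 0) {
    Write-Warning ("Failover incomplete for: " + ($failed -join ', ') + ". Re-run step 3 or revert from the saved settings.")
} else {
    "All four domains now federate with $NewServiceName."
}
```

The pre-check and the per-domain post-check are the parts worth keeping even if the rest is adapted: Update-MsolFederatedDomain reads the farm configuration from the server named in Set-MsolADFSContext, so if that server is unreachable the loop can stop with some domains moved and others still pointing at Site-1. Keeping the $before table until all four domains verify makes it straightforward to run the same steps with the Site-1 farm in the context to move them back.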