Federation Server Farm Using WID

The default topology for Active Directory Federation Services (AD FS) is a federation server farm, using the Windows Internal Database (WID), that consists of up to five federation servers hosting your organization's Federation Service. In this topology, AD FS uses WID as the store for the AD FS configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.

The act of creating the first federation server in a farm also creates a new Federation Service. When you use WID for the AD FS configuration database, the first federation server that you create in the farm is referred to as the primary federation server. This means that this computer is configured with a read/write copy of the AD FS configuration database.

All other federation servers that you configure for this farm are referred to as secondary federation servers because they must replicate any changes that are made on the primary federation server to the read-only copies of the AD FS configuration database that they store locally.

Note

We recommend the use of at least two federation servers in a load-balanced configuration.

Deployment considerations

This section describes various considerations about the intended audience, benefits, and limitations that are associated with this deployment topology.

Who should use this topology?

  • Organizations with 100 or fewer configured trust relationships that need to provide their internal users (logged on to computers that are physically connected to the corporate network) with single sign-on (SSO) access to federated applications or services

  • Organizations that want to provide their internal users with SSO access to Microsoft Online Services or Microsoft Office 365

  • Smaller organizations that require redundant, scalable services

Note

Organizations with larger databases should consider using the Federation Server Farm Using SQL Server deployment topology, which is described later in this section. Organizations with users who log in from outside the network should consider using either the Federation Server Farm Using WID and Proxies topology or the Federation Server Farm Using SQL Server topology.

What are the benefits of using this topology?

  • Provides SSO access to internal users

  • Data and Federation Service redundancy (each federation server replicates changes to other federation servers in the same farm)

  • The farm can be scaled out by adding up to five federation servers

  • WID is included with Windows; therefore, there is no need to purchase SQL Server

What are the limitations of using this topology?

  • A WID farm has a limit of five federation servers. For more information, see AD FS Deployment Topology Considerations.

  • A WID farm does not support token replay detection or artifact resolution (part of the Security Assertion Markup Language (SAML) protocol).

Server placement and network layout recommendations

When you are ready to start deploying this topology in your network, you should plan on placing all of the federation servers in your corporate network behind a Network Load Balancing (NLB) host that can be configured for an NLB cluster with a dedicated cluster Domain Name System (DNS) name and cluster IP address.

Note

This cluster DNS name must match the Federation Service name, for example, fs.fabrikam.com.

The NLB host can use the settings that are defined in this NLB cluster to allocate client requests to the individual federation servers. The following illustration shows how the fictional Fabrikam, Inc., company sets up the first phase of its deployment using a two-computer federation server farm (fs1 and fs2) with WID and the positioning of a DNS server and a single NLB host that is wired to the corporate network.

[Illustration: Federation server farm using WID]

Note

If there is a failure on this single NLB host, users will not be able to access federated applications or services. Add additional NLB hosts if your business requirements do not allow having a single point of failure.

For more information about how to configure your networking environment for use with federation servers, see Name Resolution Requirements for Federation Servers in the AD FS Design Guide.
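As an added check (not part of the original article), the following PowerShell script, run on a member of a WID farm, reports whether the server is the primary or a secondary federation server, the state of replication from the primary, and whether the Federation Service name resolves to the NLB cluster address as the note above requires. The cluster IP address is a placeholder; the Get-AdfsSyncProperties property names and the reading of LastSyncStatus 0 as a successful sync are assumptions about the ADFS module.

```powershell
# Added validation script (not from the article). Run on a federation server that is a member of a WID farm.
# Cmdlets used: Get-AdfsProperties and Get-AdfsSyncProperties (ADFS module), Resolve-DnsName (DnsClient module).
Import-Module ADFS

# Placeholder for the NLB cluster IP address that the Federation Service name should resolve to.
$ExpectedClusterIp = '10.0.0.10'

$props = Get-AdfsProperties
$sync  = Get-AdfsSyncProperties

Write-Host "Federation Service name : $($props.HostName)"
Write-Host "Farm role               : $($sync.Role)"

if ($sync.Role -eq 'SecondaryComputer') {
    # Secondary servers hold a read-only copy of the configuration database and poll the primary for changes.
    Write-Host "Primary computer        : $($sync.PrimaryComputerName):$($sync.PrimaryComputerPort)"
    Write-Host "Poll interval (seconds) : $($sync.PollDuration)"
    Write-Host "Last sync status        : $($sync.LastSyncStatus)"
    Write-Host "Last sync from primary  : $($sync.LastSyncFromPrimaryComputerName)"
    # Assumption: a LastSyncStatus of 0 means the last replication from the primary succeeded.
    if ($sync.LastSyncStatus -ne 0) {
        Write-Warning "Replication from the primary federation server is not healthy; changes made on the primary may be missing here."
    }
}
else {
    Write-Host "This server holds the read/write copy of the AD FS configuration database."
}

# The NLB cluster DNS name must match the Federation Service name (for example, fs.fabrikam.com).
$records = Resolve-DnsName -Name $props.HostName -Type A -ErrorAction SilentlyContinue
if (-not $records) {
    Write-Warning "$($props.HostName) does not resolve in DNS; clients cannot reach the farm by the Federation Service name."
}
else {
    $addresses = $records | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    Write-Host "Resolved addresses      : $($addresses -join ', ')"
    if ($addresses -notcontains $ExpectedClusterIp) {
        Write-Warning "The Federation Service name does not resolve to the NLB cluster address $ExpectedClusterIp; requests may bypass the load balancer."
    }
}
```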

See Also

AD FS Design Guide in Windows Server 2012