Federation Server Farm Using WID

The default topology for Active Directory Federation Services (AD FS) is a federation server farm, using the Windows Internal Database (WID), that consists of up to five federation servers hosting your organization's Federation Service. In this topology, AD FS uses WID as the store for the AD FS configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.

The act of creating the first federation server in a farm also creates a new Federation Service. When you use WID for the AD FS configuration database, the first federation server that you create in the farm is referred to as the primary federation server. This means that this computer is configured with a read/write copy of the AD FS configuration database.

All other federation servers that you configure for this farm are referred to as secondary federation servers because they must replicate any changes that are made on the primary federation server to the read-only copies of the AD FS configuration database that they store locally.
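The following PowerShell script is an added example, not code from the Microsoft documentation; it reads the farm role and replication state from each federation server so that an operator can confirm there is exactly one primary and that every secondary is still pulling changes from it. It assumes the AD FS module is installed on each node, PowerShell remoting is enabled, the host names fs1/fs2 follow the Fabrikam illustration, and that `Get-AdfsSyncProperties` exposes the Role, PrimaryComputerName, LastSyncStatus and LastSyncTime properties.

```powershell
# Added example: check WID farm membership and replication health.
# Host names are hypothetical and match the Fabrikam illustration on this page.
$farmNodes    = @('fs1.fabrikam.com', 'fs2.fabrikam.com')
$widFarmLimit = 5   # documented maximum number of federation servers in a WID farm

if ($farmNodes.Count -gt $widFarmLimit) {
    Write-Warning "A WID farm supports at most $widFarmLimit federation servers; consider the SQL Server topology."
}

$results = Invoke-Command -ComputerName $farmNodes -ScriptBlock {
    # Get-AdfsSyncProperties reports whether this node holds the read/write (primary)
    # or read-only (secondary) copy of the AD FS configuration database.
    $sync = Get-AdfsSyncProperties
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Role            = $sync.Role
        PrimaryComputer = $sync.PrimaryComputerName
        LastSyncStatus  = $sync.LastSyncStatus   # 0 is assumed to mean the last pull succeeded
        LastSyncTime    = $sync.LastSyncTime
    }
}

$results | Format-Table Computer, Role, PrimaryComputer, LastSyncStatus, LastSyncTime -AutoSize

# Exactly one node should hold the read/write copy; every other node is a secondary.
$primaries = @($results | Where-Object Role -eq 'PrimaryComputer')
if ($primaries.Count -ne 1) {
    Write-Warning "Expected exactly one primary federation server, found $($primaries.Count)."
}

# A secondary whose last sync failed or is stale is answering requests with outdated
# configuration (trusts, certificates, claim rules) until replication recovers.
$staleBefore = (Get-Date).AddHours(-1)
foreach ($node in ($results | Where-Object Role -eq 'SecondaryComputer')) {
    if ($node.LastSyncStatus -ne 0 -or $node.LastSyncTime -lt $staleBefore) {
        Write-Warning "$($node.Computer): last sync from $($node.PrimaryComputer) failed or is stale ($($node.LastSyncTime))."
    }
}
```

Run it from a management host with credentials that can remote to every farm member; the warnings are the actionable output.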

Note

We recommend the use of at least two federation servers in a load-balanced configuration.

Deployment considerations

This section describes various considerations about the intended audience, benefits, and limitations that are associated with this deployment topology.

Who should use this topology?

  • Organizations with 100 or fewer configured trust relationships that need to provide their internal users (logged on to computers that are physically connected to the corporate network) with single sign-on (SSO) access to federated applications or services

  • Organizations that want to provide their internal users with SSO access to Microsoft Online Services or Microsoft Office 365

  • Smaller organizations that require redundant, scalable services

Note

Organizations with larger databases should consider using the Federation Server Farm Using SQL Server deployment topology, which is described later in this section. Organizations with users who log in from outside the network should consider using either the Federation Server Farm Using WID and Proxies topology or the Federation Server Farm Using SQL Server topology.

What are the benefits of using this topology?

  • Provides SSO access to internal users

  • Data and Federation Service redundancy (each federation server replicates changes to other federation servers in the same farm)

  • The farm can be scaled out by adding up to five federation servers

  • WID is included with Windows; therefore, there is no need to purchase SQL Server

What are the limitations of using this topology?

  • A WID farm has a limit of five federation servers. For more information, see AD FS Deployment Topology Considerations.

  • A WID farm does not support token replay detection or artifact resolution (part of the Security Assertion Markup Language (SAML) protocol).

Server placement and network layout recommendations

When you are ready to start deploying this topology in your network, you should plan on placing all of the federation servers in your corporate network behind a Network Load Balancing (NLB) host that can be configured for an NLB cluster with a dedicated cluster Domain Name System (DNS) name and cluster IP address.

Note

This cluster DNS name must match the Federation Service name, for example, fs.fabrikam.com.

The NLB host can use the settings that are defined in this NLB cluster to allocate client requests to the individual federation servers. The following illustration shows how the fictional Fabrikam, Inc., company sets up the first phase of its deployment using a two-computer federation server farm (fs1 and fs2) with WID and the positioning of a DNS server and a single NLB host that is wired to the corporate network.

Illustration: federation server farm using WID

Note

If there is a failure on this single NLB host, users will not be able to access federated applications or services. Add additional NLB hosts if your business requirements do not allow having a single point of failure.

For more information about how to configure your networking environment for use with federation servers, see Name Resolution Requirements for Federation Servers in the AD FS Design Guide.
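To verify the placement rule above (the Federation Service name must resolve to the NLB cluster address, not to an individual farm member, and the service certificate must cover that name), here is an added PowerShell check that is not part of the documentation page. The cluster VIP and node addresses are hypothetical values; it assumes `Get-AdfsProperties` exposes HostName and that `Get-AdfsCertificate` returns the Service-Communications certificate as an X509Certificate2 in its Certificate property.

```powershell
# Added example: confirm clients reach the farm through the NLB cluster name.
# Addresses below are constructed for the Fabrikam illustration, not real values.
$clusterVip = '10.0.0.50'
$nodeIps    = @('10.0.0.11', '10.0.0.12')   # fs1 and fs2

# The configured Federation Service name, e.g. fs.fabrikam.com; the cluster DNS
# name on the page must match it exactly.
$fsName = (Get-AdfsProperties).HostName

$resolved = (Resolve-DnsName -Name $fsName -Type A -ErrorAction Stop).IPAddress
foreach ($ip in $resolved) {
    if ($ip -eq $clusterVip) {
        Write-Output "$fsName -> $ip (NLB cluster address, as expected)"
    } elseif ($nodeIps -contains $ip) {
        # Pointing the name at one node defeats load balancing and redundancy.
        Write-Warning "$fsName resolves to farm member $ip; clients bypass the NLB cluster."
    } else {
        Write-Warning "$fsName resolves to unexpected address $ip."
    }
}

# Clients validate TLS against the name they connect to, so the service
# communications certificate must list the Federation Service name.
$cert = (Get-AdfsCertificate -CertificateType 'Service-Communications').Certificate
if ($cert.DnsNameList.Unicode -notcontains $fsName) {
    Write-Warning "Service communications certificate does not cover $fsName (subject: $($cert.Subject))."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Service communications certificate expires on $($cert.NotAfter)."
}
```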

See Also

AD FS Design Guide in Windows Server 2012