Federation Server Farm Using WID

Applies To: Windows Server 2012

The default topology for Active Directory Federation Services (AD FS) is a federation server farm, using the Windows Internal Database (WID), that consists of up to five federation servers hosting your organization's Federation Service. In this topology, AD FS uses WID as the store for the AD FS configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.

The act of creating the first federation server in a farm also creates a new Federation Service. When you use WID for the AD FS configuration database, the first federation server that you create in the farm is referred to as the primary federation server. This means that this computer is configured with a read/write copy of the AD FS configuration database.

All other federation servers that you configure for this farm are referred to as secondary federation servers because they must replicate any changes that are made on the primary federation server to the read-only copies of the AD FS configuration database that they store locally.

Note

We recommend the use of at least two federation servers in a load-balanced configuration.

Deployment considerations

This section describes various considerations about the intended audience, benefits, and limitations that are associated with this deployment topology.

Who should use this topology?

  • Organizations with 100 or fewer configured trust relationships that need to provide their internal users (logged on to computers that are physically connected to the corporate network) with single sign-on (SSO) access to federated applications or services

  • Organizations that want to provide their internal users with SSO access to Microsoft Online Services or Microsoft Office 365

  • Smaller organizations that require redundant, scalable services

Note

Organizations with larger databases should consider using the Federation Server Farm Using SQL Server deployment topology, which is described later in this section. Organizations with users who log in from outside the network should consider using either the Federation Server Farm Using WID and Proxies topology or the Federation Server Farm Using SQL Server topology.

What are the benefits of using this topology?

  • Provides SSO access to internal users

  • Data and Federation Service redundancy (each federation server replicates changes to the other federation servers in the same farm)

  • The farm can be scaled out by adding up to five federation servers

  • WID is included with Windows; therefore, there is no need to purchase SQL Server

What are the limitations of using this topology?

  • A WID farm has a limit of five federation servers. For more information, see AD FS Deployment Topology Considerations.

  • A WID farm does not support token replay detection or artifact resolution (part of the Security Assertion Markup Language (SAML) protocol).

Server placement and network layout recommendations

When you are ready to start deploying this topology in your network, you should plan on placing all of the federation servers in your corporate network behind a Network Load Balancing (NLB) host that can be configured for an NLB cluster with a dedicated cluster Domain Name System (DNS) name and cluster IP address.

Note

This cluster DNS name must match the Federation Service name, for example, fs.fabrikam.com.

The NLB host can use the settings that are defined in this NLB cluster to allocate client requests to the individual federation servers. The following illustration shows how the fictional Fabrikam, Inc., company sets up the first phase of its deployment using a two-computer federation server farm (fs1 and fs2) with WID, and the positioning of a DNS server and a single NLB host that is wired to the corporate network.

Figure: Federation server farm using WID

Note

If there is a failure on this single NLB host, users will not be able to access federated applications or services. Add additional NLB hosts if your business requirements do not allow a single point of failure.

For more information about how to configure your networking environment for use with federation servers, see Name Resolution Requirements for Federation Servers in the AD FS Design Guide.
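The two placement rules above (the cluster DNS name must equal the Federation Service name, and secondaries must replicate from the primary's read/write database) can be checked on a farm node with a short script. This is an added example, not part of the Microsoft page; it assumes the AD FS cmdlets are available on the node (the Microsoft.Adfs.PowerShell snap-in on Windows Server 2012, the ADFS module on later releases), that Get-AdfsSyncProperties exposes Role, PrimaryComputerName and LastSyncStatus, and that $ClusterIp is replaced with your own NLB cluster IP (the value below is a placeholder).

```powershell
# Added example (not from the page): sanity-check a WID farm node against the
# placement guidance. $ClusterIp is a placeholder; set it to your NLB cluster IP.
param(
    [string]$ClusterIp = "192.0.2.10"   # placeholder cluster IP, not a real deployment value
)

# Load the AD FS cmdlets: snap-in on Windows Server 2012, module on 2012 R2 and later.
if (-not (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue)) {
    try { Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop }
    catch { Import-Module ADFS }
}

# 1. The NLB cluster DNS name must match the Federation Service name (e.g. fs.fabrikam.com).
#    Resolve the Federation Service host name and confirm it points at the cluster IP,
#    not at an individual farm member.
$fsName    = (Get-AdfsProperties).HostName
$records   = Resolve-DnsName -Name $fsName -Type A -ErrorAction Stop
$addresses = $records | Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
if ($addresses -contains $ClusterIp) {
    Write-Output "OK: $fsName resolves to the NLB cluster IP $ClusterIp"
} else {
    Write-Warning "$fsName resolves to $($addresses -join ', '), not the cluster IP $ClusterIp"
}

# 2. Report this node's farm role. Only the primary holds the read/write copy of the
#    configuration database; a secondary must be replicating from it successfully.
$sync = Get-AdfsSyncProperties
switch ($sync.Role) {
    "PrimaryComputer" {
        Write-Output "Primary federation server: holds the read/write AD FS configuration database."
    }
    "SecondaryComputer" {
        Write-Output "Secondary federation server: replicating from $($sync.PrimaryComputerName)"
        # Assumed convention: a non-zero LastSyncStatus means the last pull from the primary failed.
        if ($sync.LastSyncStatus -ne 0) {
            Write-Warning "Last replication from the primary reported status $($sync.LastSyncStatus)"
        }
    }
    default { Write-Warning "Unexpected farm role reported: $($sync.Role)" }
}
```

Run it on each farm member; a secondary whose last sync failed will keep serving a stale read-only copy of the configuration database until replication from the primary recovers.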

See Also

AD FS Design Guide in Windows Server 2012