Plan Your AD FS Deployment Topology

Applies To: Windows Server 2016, Windows Server 2012 R2

The first step in planning a deployment of Active Directory Federation Services (AD FS) is to determine the right deployment topology to meet the needs of your organization.

Before you read this topic, review how AD FS data is stored and replicated to other federation servers in a federation server farm, and make sure you understand the purpose of the underlying data stored in the AD FS configuration database and the replication methods that can be used for it.

There are two database types that you can use to store AD FS configuration data: Windows Internal Database (WID) and Microsoft SQL Server. For more information, see The Role of the AD FS Configuration Database. Review the benefits and limitations associated with using either WID or SQL Server as the AD FS configuration database, along with the application scenarios that each supports, and then make your selection.


To implement basic redundancy, load balancing, and the option to scale the Federation Service (if required), we recommend that you deploy at least two federation servers per federation server farm for all production environments, regardless of the type of database that you will use.

Determining which type of AD FS configuration database to use

AD FS uses a database to store configuration data and, in some cases, transactional data related to the Federation Service. You can use the AD FS software to select either the built-in Windows Internal Database (WID) or Microsoft SQL Server 2008 or newer to store the data for the Federation Service.

For most purposes, the two database types are relatively equivalent. However, there are some differences to be aware of before you begin reading more about the various deployment topologies that you can use with AD FS. The following table describes the differences in supported features between a WID database and a SQL Server database.

Feature: Federation server farm deployment (AD FS feature)
  Supported by WID? Yes. A WID farm has a limit of 30 federation servers if you have 100 or fewer relying party trusts. A WID farm does not support token replay detection or artifact resolution (part of the Security Assertion Markup Language (SAML) protocol).
  Supported by SQL Server? Yes. There is no enforced limit on the number of federation servers that you can deploy in a single farm.

Feature: SAML artifact resolution (AD FS feature)
  Note: This feature is not required for Microsoft Online Services, Microsoft Office 365, Microsoft Exchange, or Microsoft Office SharePoint scenarios.
  Supported by WID? No
  Supported by SQL Server? Yes

Feature: SAML/WS-Federation token replay detection (AD FS feature)
  Supported by WID? No
  Supported by SQL Server? Yes

Feature: Basic database redundancy using pull replication, where one or more servers hosting a read-only copy of the database request changes that are made on a source server that hosts a read/write copy of the database (database feature)
  Supported by WID? Yes
  Supported by SQL Server? No

Feature: Database redundancy using high-availability solutions, such as failover clustering or mirroring, at the database layer only (database feature)
  Note: All AD FS deployment topologies support clustering at the AD FS service layer.
  Supported by WID? No
  Supported by SQL Server? Yes

SQL Server considerations

You should consider the following deployment facts if you select SQL Server as the configuration database for your AD FS deployment.

  • SAML features and their effect on database size and growth. When either the SAML artifact resolution or SAML token replay detection feature is enabled, AD FS stores information in the SQL Server configuration database for each AD FS token that is issued. The growth of the SQL Server database as a result of this activity is not considered significant, and it depends on the configured token replay retention period. Each artifact record has a size of approximately 30 kilobytes (KB).

  • Number of servers required for your deployment. You will need to add at least one additional server (to the total number of servers required to deploy your AD FS infrastructure) that will act as a dedicated host of the SQL Server instance. If you plan to use failover clustering or mirroring to provide fault tolerance and scalability for the SQL Server configuration database, a minimum of two SQL servers is required.
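As an added example (not code from the original page or from the AD FS product documentation), the following PowerShell check reads the configuration database type from the AD FS WMI class and compares the farm against the WID constraints listed in the table above. It assumes it runs elevated on a federation server with the ADFS module installed; Get-AdfsFarmInformation is assumed to exist only on Windows Server 2016 and later, so it is wrapped in try/catch.

```powershell
# Added example, not from the original page. Assumes: elevated session on a
# federation server with the ADFS module; Get-AdfsFarmInformation is assumed
# to be available only on Windows Server 2016 and later.

# The STS WMI class exposes the configuration database connection string.
# A WID farm points at the local WID named pipe (MICROSOFT##WID); a SQL
# Server farm points at a SQL Server instance.
$sts = Get-WmiObject -Namespace 'root/ADFS' -Class 'SecurityTokenService'
$connString = $sts.ConfigurationDatabaseConnectionString
$usesWid = $connString -match 'MICROSOFT##WID'
$dbType = if ($usesWid) { 'WID' } else { 'SQL Server' }
Write-Output "Configuration database: $dbType"

$props = Get-AdfsProperties
$rpCount = @(Get-AdfsRelyingPartyTrust).Count
Write-Output "Relying party trusts: $rpCount"

# Farm node count is only exposed by Get-AdfsFarmInformation (2016+).
$nodeCount = $null
try {
    $nodeCount = @((Get-AdfsFarmInformation).FarmNodes).Count
    Write-Output "Federation servers in farm: $nodeCount"
} catch {
    Write-Output 'Farm node count unavailable on this version; count nodes manually.'
}

$findings = @()
if ($usesWid) {
    # Page: a WID farm supports up to 30 servers only with 100 or fewer RP trusts.
    if ($rpCount -gt 100) {
        $findings += "WID farm has $rpCount relying party trusts (page limit: 100 or fewer)."
    }
    if ($nodeCount -and $nodeCount -gt 30) {
        $findings += "WID farm has $nodeCount federation servers (page limit: 30)."
    }
    # Page: WID does not support token replay detection or SAML artifact resolution.
    if ($props.PreventTokenReplays) {
        $findings += 'Token replay detection is enabled, but WID does not support it.'
    }
    # Artifact resolution needs SQL Server; surface the artifact DB setting for review.
    Write-Output "ArtifactDbConnection (review; unsupported on WID): $($props.ArtifactDbConnection)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings against the WID/SQL Server constraints listed on this page.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```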

How the configuration database type you select may impact hardware resources

The impact on hardware resources of a federation server deployed in a farm that uses WID, as opposed to one deployed in a farm that uses the SQL Server database, is not significant. However, it is important to consider that when you use WID for the farm, each federation server in that farm must store, manage, and maintain replication changes for its local copy of the AD FS configuration database while also continuing to provide the normal operations that the Federation Service requires.

In comparison, federation servers that are deployed in a farm that uses the SQL Server database do not necessarily contain a local instance of the AD FS configuration database. Therefore, they may place slightly fewer demands on hardware resources.

Where to place a federation server

As a security best practice, place AD FS federation servers in front of a firewall and connect them to your corporate network to prevent exposure from the Internet. This is important because federation servers have full authorization to grant security tokens. Therefore, they should have the same protection as a domain controller. If a federation server is compromised, a malicious user has the ability to issue full access tokens to all Web applications and to federation servers that are protected by AD FS.


As a security best practice, avoid having your federation servers directly accessible on the Internet. Consider giving your federation servers direct Internet access only when you are setting up a test lab environment or when your organization does not have a perimeter network.

For typical corporate networks, an intranet-facing firewall is established between the corporate network and the perimeter network, and an Internet-facing firewall is often established between the perimeter network and the Internet. In this situation, the federation server sits inside the corporate network, and it is not directly accessible by Internet clients.


Client computers that are connected to the corporate network can communicate directly with the federation server through Windows Integrated Authentication.

A federation server proxy should be placed in the perimeter network before you configure your firewall servers for use with AD FS.

Supported deployment topologies

The following topics describe the various deployment topologies that you can use with AD FS. They also describe the benefits and limitations associated with each deployment topology so that you can select the most appropriate topology for your specific business needs.

See Also

AD FS Design Guide in Windows Server 2012 R2