When to Create a Federation Server Farm

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Consider creating a federation server farm in Active Directory Federation Services (AD FS) when you have a larger AD FS deployment and you want to provide fault tolerance, load balancing, or scalability to your organization's Federation Service. Creating two or more federation servers in the same network, configuring each of them to use the same Federation Service, and adding the public key of each server's token-signing certificate to the AD FS Management snap-in is what creates a federation server farm.

You can create a federation server farm, or install additional federation servers into an existing farm, by using the AD FS Federation Server Configuration Wizard. For more information, see When to Create a Federation Server.

Note

When you choose the option to create a new federation server farm in the AD FS Federation Server Configuration Wizard, the wizard attempts to create a container object (for sharing certificates) in Active Directory. Therefore, it is important that you first log on to the computer where you are setting up the federation server role with an account that has sufficient permissions in Active Directory to create this container object.

Before federation servers can be grouped as a farm, they must first be clustered so that requests that arrive at a single fully qualified domain name (FQDN) are routed to the various federation servers in the server farm. You can create the server cluster by deploying Network Load Balancing (NLB) inside the corporate network. This guide assumes that NLB has been configured appropriately to cluster each of the federation servers in the farm.

For more information about how to configure a cluster FQDN using Microsoft NLB technology, see Specifying the Cluster Parameters.

Best practices for deploying a federation server farm

We recommend the following best practices for deploying federation servers in a production environment:

  • If you will be deploying multiple federation servers at the same time, or you know that you will be adding more servers to the farm over time, consider creating a server image of an existing federation server in the farm and then installing from that image when you need to create additional federation servers quickly.

    Note

    If you decide to use the server image method for deploying additional federation servers, you do not have to complete the tasks in Checklist: Setting Up a Federation Server every time you want to add a new server to the farm.

  • Use NLB or some other form of clustering to allocate a single IP address for many federation server computers.

  • Reserve a static IP address for each federation server in the farm and, depending on your Domain Name System (DNS) configuration, insert an exclusion for each IP address in Dynamic Host Configuration Protocol (DHCP). Microsoft NLB technology requires that each server that participates in the NLB cluster be assigned a static IP address.

  • If the AD FS configuration database will be stored in a SQL database, avoid editing the SQL database from multiple federation servers at the same time.

Configuring federation servers for a farm

The following table describes the tasks that must be completed so that each federation server can participate in a farmed environment.

Task: If you are using SQL Server to store the AD FS configuration database

Description: A federation server farm consists of two or more federation servers that share the same AD FS configuration database and token-signing certificates. The configuration database can be stored either in Windows Internal Database or in a SQL Server database. If you plan to store the configuration database in a SQL database, make sure that the configuration database is reachable by every new federation server that joins the farm.

Note: For farm scenarios, it is important that the configuration database be located on a computer that does not also participate as a federation server in that farm. Microsoft NLB does not allow any of the computers that participate in a farm to communicate with one another.

Note: Ensure that the identity of the AD FS AppPool in Internet Information Services (IIS) on every federation server that participates in the farm has Read access to the configuration database.

Task: Obtain and share certificates

Description: You can obtain a single server authentication certificate from a public certification authority (CA), for example VeriSign. You can then configure the certificate so that all federation servers share the same private key portion of the certificate. For more information about how to share the same certificate, see Checklist: Setting Up a Federation Server.

Note: The AD FS Management snap-in refers to server authentication certificates for federation servers as service communication certificates.

For more information, see Certificate Requirements for Federation Servers.

Task: Point to the same SQL Server instance

Description: If the AD FS configuration database will be stored in a SQL database, each new federation server must point to the same SQL Server instance that is used by the other federation servers in the farm so that the new server can participate in the farm.
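The three tasks above (shared SQL configuration database, shared service communication certificate with the same private key, and every node pointing at the same SQL Server instance) can be carried out from PowerShell instead of the wizard. The following is an added example, not from this page or the AD FS product documentation; it assumes the Install-AdfsFarm / Add-AdfsFarmNode cmdlets available on Windows Server 2012 R2 and 2016, and the service name, SQL instance, file paths and thumbprint are placeholders.

```powershell
# Added example (not from the original page). Placeholders: fs.contoso.com, SQL01\ADFS,
# PLACEHOLDER_THUMBPRINT, C:\temp\adfs-ssl.pfx. Run each section on the server named.

# ---- Shared values: every node must use the SAME connection string and SAME certificate ----
# The SQL Server host must not itself be a farm node (NLB keeps farm members from talking to each other).
$SqlConn = "Data Source=SQL01\ADFS;Integrated Security=True"
$Thumb   = "PLACEHOLDER_THUMBPRINT"   # service communication cert, installed in LocalMachine\My
$SvcCred = Get-Credential -Message "AD FS service account (identity of the AD FS app pool; needs Read on the SQL database)"

# ---- First federation server: create the farm against the SQL configuration database ----
# Log on with an account permitted to create the AD FS container object in Active Directory.
Install-AdfsFarm -CertificateThumbprint $Thumb `
                 -FederationServiceName "fs.contoso.com" `
                 -ServiceAccountCredential $SvcCred `
                 -SQLConnectionString $SqlConn

# ---- Export the certificate WITH its private key so the next node can share it ----
# Protect the PFX in transit; it contains the farm's service communication private key.
$PfxPwd = Read-Host -AsSecureString -Prompt "PFX password"
Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumb" |
    Export-PfxCertificate -FilePath "C:\temp\adfs-ssl.pfx" -Password $PfxPwd

# ---- Each additional federation server: import the same cert, join the same SQL instance ----
Import-PfxCertificate -FilePath "C:\temp\adfs-ssl.pfx" `
                      -CertStoreLocation "Cert:\LocalMachine\My" -Password $PfxPwd
Add-AdfsFarmNode -CertificateThumbprint $Thumb `
                 -ServiceAccountCredential $SvcCred `
                 -SQLConnectionString $SqlConn

# ---- Check on every node: it serves the shared certificate and the farm's service name ----
$boundHashes = (Get-AdfsSslCertificate).CertificateHash
if ($boundHashes -notcontains $Thumb) { Write-Warning "Node is not bound to the shared certificate" }
(Get-AdfsProperties).HostName    # expected: fs.contoso.com on every node
```

Remove the exported PFX from the temporary location once every node has imported it.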

See Also

AD FS Design Guide in Windows Server 2012