It's an interesting one. As mentioned above, there are plenty of solution providers / systems integrators that will do this sort of thing for you. However, you need to really consider what you are trying to achieve.
In the case of Active Directory, it's the core technology that underpins three four very important things:
- Access Control (who can logon and who has what privileges, Etc.)
- Corporate Directory information (optional use, but AD can be your corporate directory of user info, departments, staff hierarchy (managers, subordinates), telephone numbers, Etc.)
- Group Policy (central configuration of corporate PCs)
- DNS (name resolution of friendly names to IP addresses)
So, it's important. But, once designed, installed and configured, it's a very low-maintenance bit of infrastructure. As long as you have at least two domain controllers (the servers that host AD), and they are being backed up, you don't really need to touch it. That's the technical side of AD.
The operational side, is more labour intensive, but this is only proportional to your head count and staff turnover. For example, someone needs to:
- Create users when new folks join the company
- Reset passwords when people forget them (although this can be delegated to non-admins)
- Keep on top of access control (add/remove people to/from groups as their access needs change, e.g.: change of job role)
- Remove users when they leave
If you have Microsoft Exchange, you'll also have mailbox provisioning to think about.
So, the fact that's it's such a fundamental bit of software in terms of corporate security and integrity can make the decision interesting. Plus, the day-to-day operational bit (the non-techie bit) might make an outsourcing option too expensive.
You might be able to find some middle ground, e.g.: have a Microsoft partner do the spec, install and configuration, plus create some basic "operations manual" for someone in the business.
Lots of stuff to consider.
For a non-Microsoft person, what is ADFS?
ADFS is Microsoft's solution for Single Sign On and web based authentication.
It is used primarily to provide a single set of credentials that can access a variety of sites not necessarily hosted within the same domain.
How does it differ to things like LDAP?
LDAP:
- Communicates using TCP/UDP on port 389 (or port 636 for LDAPS)
- Contains commands for searching/retrieving/adding/deleting/modifying users, profiles and other directory entries
- Can not be performed directly by a web browser, however HTTP authentication can be translated to LDAP using things like Apache's
mod_authnz_ldap.
- When used for third-party website authentication, requires that username & password are provided to the third-party, which is not ideal for security.
- Is more of an open standard and has numerous Linux implementations.
ADFS:
- Better designed for the web as it communicates over standard HTTPS
- Follows a safer process similar (but not exact) to OAuth where the original username/password are provided directly to the organisation's ADFS server (or a proxy, but not the third-party), which if valid, returns a unique token that can be used to access a third-party website.
- Although it does use make use of some open standards (HTTPS, SAML etc.) it is Microsoft-specific and requires Internet Information Services (IIS) which only runs on Windows Servers.
See also this answer on the subject.
How does it work? What kind of information would be included in a typical request to an ADFS server? Is it designed for both authentication and authorization?
It works by having a single site (site A) that hosts the ADFS / ADFS proxy servers, which has access to the credentials (usually by communicating with an Active Directory Domain Controller). It is then given a trust between other sites (sites B & C) that require authenticating through the ADFS.
When a user attempts to access site B in their browser, the site redirects the user to the ADFS-proxy website (site A) which asks for their username & password, authenticates them, returns a set of cookies for remembering them, and redirects them back to the site B, along with an access token.
If the user then attempts to visit site C, they will also get redirected to site A for authentication from the ADFS-proxy website. If the right cookies exist, the user will not be required to enter their password again, but get instantly redirected back to site C with a token.
The ADFS can be configured with specific claims (or permissions) for the user, for authorization purposes. So it can serve both roles. (Note the difference between authentication and authorization.)
Some people prefer not to use it for authorization but instead keep the permissions management in the third-party website. The obvious downside is that both site A & B need to keep track of user accounts, while in the scenario where ADFS handles both, only the ADFS needs to be aware of the users.
Are ADFS servers typically accessible from the internet (whereas corporate AD domain controllers would not be)?
Yes, nearly always. ADFS is based on the notion that it will be primarily used for website authentication. And is built around IIS.
The ADFS-proxy site is the one that is usually accessible from the internet. However the ADFS itself is not. The ADFS is generally a separate server from the ADFS-proxy.
- ADFS Server
Server that links to the credentials, and has the claims configuration as well as the trusts. Generally not publicly accessible.
- ADFS Proxy Server
Server that hosts the IIS instance that has the login pages for the websites requiring authentication. Communicates back to the ADFS when requiring authentication. Generally publicly accessible.
Best Answer
As you talk about "best practice", from a technological viewpoint at least, the correct answer to "how many domains" is always "as few as possible". As there's nothing in your spec that requires more than one domain, the answer is: No.
Yes. DNS for AD is usually best held within AD.
As opposed to doing what instead? If you need a DC in an area then you need something to host that DC.
In what sense do you mean? In broad terms, the best design mantra for anything in IT is "Design your solution to be as simple as possible to get the job done properly. Then stop".
No. Its possible to buy perfectly good, cheap servers for about the same price as a "high end PC". Now if you don't have any budget for servers but you have a storeroom full of "high end PCs" that are doing nothing, then using one of those to provide an adequate amount of DCs is probably better than having an inadequate amount of DCs, but its not something I'd plan on doing, no.
So, er, yes.