Do I really need an account in domain\administrators for the Web Application Proxy with ADFS 3.0 on a domain controller

Tags: active-directory, adfs, web-application-proxy, windows-server-2012-r2

I am trying to move my ADFS / WAP to the cloud to give better resilience after experiencing a recent failure.

In part to save on VM costs, I am using just 2 VMs, with ADFS installed on a domain controller, and the WAP on a separate machine. It seems like lots of people recommend running ADFS on a domain controller.

I'm a bit stuck though when it comes time to configure the Web Application Proxy. It asks for a local administrator account on the ADFS server…in this case, I'd have to add the account to MyDomain\Administrators, a pretty high-risk group. This doesn't really fit with the idea of running ADFS on a DC.

When starting the WAP post-install configuration, I am looking at the Federation Server page, where it asks for the Federation Service Name, and just below it prompts for a local administrator account on the ADFS server. There is no local administrators group on the DC of course, only the equivalent Domain\Administrators group which gives access to modifying the domain itself.

Is there a way around this, besides taking the ADFS role off of the DC? A more limited account maybe? Or is this lower risk than it seems at first glance?

Best Answer

OK, I found this: http://goodworkaround.com/node/53 and reading closely, it says that the admin credentials are not saved but are only used to create the initial proxy trust. This is NOT made clear by the Microsoft documentation I could find, but I am going to trust it.
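The configuration step discussed above, shown as an added PowerShell example (not from the poster or from the linked page): the privileged credential is passed only to `Install-WebApplicationProxy` to establish the proxy trust, and afterwards the WAP authenticates to ADFS with the trust certificate it received, so the account can be removed from the administrators group once the trust exists. The federation service name, certificate thumbprint and account name are placeholders, and the `ProxyTrust` subject-match check is an assumption about how the issued certificate is labelled.

```powershell
# On the Web Application Proxy server (Windows Server 2012 R2).
# Placeholder values: replace with your own federation service name and the
# thumbprint of the SSL certificate already installed in LocalMachine\My.
$federationService = 'adfs.mydomain.example'
$sslThumbprint     = '0000000000000000000000000000000000000000'

# Prompt for the privileged account interactively so it never lands in a script
# or in PowerShell history. It is used once, to create the proxy trust, and is
# not stored by the WAP service (per the answer above).
$trustCred = Get-Credential -Message 'Account with administrator rights on the ADFS server (used once for the proxy trust)'

Install-WebApplicationProxy `
    -FederationServiceName $federationService `
    -CertificateThumbprint $sslThumbprint `
    -FederationServiceTrustCredential $trustCred

# Drop the credential object from this session as soon as the trust is established.
Remove-Variable trustCred

# Verify the trust was created: the WAP now holds a client certificate issued by
# ADFS for proxy authentication. The subject filter below is an assumption about
# how that certificate is labelled; adjust it if nothing is returned.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*ProxyTrust*' } |
    Select-Object Subject, NotAfter, Thumbprint

# The stored proxy configuration references the federation service, not the account.
Get-WebApplicationProxyConfiguration | Select-Object ADFSUrl, ADFSTokenSigningCertificatePublicKey
```

After confirming the trust certificate exists and logins through the proxy work, remove the account from the domain's administrators group; the WAP keeps working on the certificate alone.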