What is meant by federating an Active Directory?

---

Hi ITPro:

As I am preparing for the MS 70-698 and 70-697 exams, I am using various study material and came across Federating an Active Directory? is it like promoting the Domain Controller to the Active Directory? I just need a clear definition on this term?

Dan l.

Dan,

I hope all is well. A simple definition of Federation is: to extend trust to an EXTERNAL party, and by doing so, allowing users from their organization to access resources in your organization. This allows for the provisioning and extension of Single Sign On (SSO) capabilities to other organizations.

If you want to see what Federation Services in Active Directory (ADFS) are capable of, and learn more about them, take a look at the following URL:

https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services

Good Luck !!

Cheers,

Adam

Hey @Daniel-Loyer ,

Active Directory Federation Services is used to establish a trust relationship between two (or more) Active Directory domains.

For example, company A has an Active Directory domain, domainA. Within this domain there is trust between all nodes and AD. Users can authenticate with any domain controller from domainA, and access resources throughout domainA.

Company B also has an Active Directory domain, domainB. Within this domain there is trust between all nodes and AD. Users can authenticate with any domain controller from domainB, and access resources throughout domainB.

A user in domainB, Bob, wants to access resources in domainA. He has logged in to domainB, but domainA doesn't trust domainB and doesn't trust the authentication token Bob has from domainB. Bob cannot access resources in domainA. Bob would need an account in domainA (another username/password to remember).

To fix this, one solution is Federation Services. We can establish a federation between domainA and domainB. Once the federation is created, domainA will trust domainB's authentication process. Bob will try to access resources in domainA, and present his authentication token he received from domainB. Because domainA now trusts domainB (thanks to the federation) domainA can grant access to Bob, even though he was authenticated by domain controllers from another domain. Bob doesn't need a second account/password to access resources in domainA.

In short, Federation Services allows us to create a trust between two separate security realms. It allows the resource partner to remain in control of the resource and the access level, and allows the account partner to remain in control of the user accounts.

Federation Services is installed on top of Active Directory. Both companies would need AD already established. Both sides would also need to install AD Federation Services as well, and configure the appropriate federation policies.