Forum Discussion
AZURE AD Password Protection Requirements
As we prepare to install the Azure AD Password Protection DC Agent, we have three Windows 2008 servers which are not compatible as per the notes below, but we are building a 2016 DC.
Do we need to install the Azure AD Password Protection Agent on every DC, or is it OK on just one DC?
Your response will be highly appreciated.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
1 Reply
The answer is yes. To ensure consistent enforcement of password policies across your domain, you must install the Azure AD Password Protection DC Agent on every domain controller (DC):
 • The DC Agent only validates passwords on the DC where it's installed.
 • Windows clients don’t target specific DCs for password changes, so if a password change hits a DC without the agent, the policy won’t be enforced.
 • Partial deployment is only recommended for testing, not production use.
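
An added example, not part of the original thread and not Microsoft's own tooling: a coverage audit that lists every DC in the current domain and flags those where the DC Agent service is missing, stopped, or cannot be queried, since each such DC is a path for unvalidated password changes. It assumes Windows PowerShell with the ActiveDirectory (RSAT) module, CIM/WinRM access to each DC, and the service name `AzureADPasswordProtectionDCAgent` (confirm it against an installed agent in your environment).

```powershell
# Added example: audit Azure AD Password Protection DC Agent coverage.
# Assumptions: ActiveDirectory module is available, the account can query
# Win32_Service remotely, and the service name below matches your install.
Import-Module ActiveDirectory

$serviceName = 'AzureADPasswordProtectionDCAgent'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        OperatingSystem  = $dc.OperatingSystem   # helps spot DCs too old for the agent
        AgentState       = 'Unknown'
        Detail           = ''
    }
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc.HostName `
                   -Filter "Name='$serviceName'" -ErrorAction Stop
        if ($null -eq $svc) {
            # Query succeeded but no such service: agent is not installed here.
            $row.AgentState = 'NotInstalled'
        } else {
            $row.AgentState = $svc.State          # e.g. Running, Stopped
            $row.Detail     = "StartMode=$($svc.StartMode)"
        }
    } catch {
        # Older or locked-down DCs may not answer CIM; treat as a gap to investigate.
        $row.AgentState = 'Unreachable'
        $row.Detail     = $_.Exception.Message
    }
    [pscustomobject]$row
}

$report | Sort-Object AgentState, DomainController | Format-Table -AutoSize

# Any DC not running the agent accepts password changes without validation.
$gaps = @($report | Where-Object { $_.AgentState -ne 'Running' })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} of {1} DCs are not running the DC Agent: {2}" -f `
        $gaps.Count, @($report).Count, ($gaps.DomainController -join ', '))
}
```

Running it on a schedule also catches newly promoted DCs that were never given the agent.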