Forum Discussion
Azure AD Connect on a DC
- Apr 07, 2017
Hi Glenn,
In my opinion, the recommended installation is always on a separate server, to isolate points of failure.
In the past, e.g. with DirSync, it was not supported, but Microsoft has expanded support for installation on servers with other roles using Express Installation.
If you install AD Connect on a DC or another machine with other products, it would be harder to understand a problem if one occurs in your environment, whether the problem is in the DC role or in AD Connect.
The default install of Azure Connect doesn't install an instance of SQL that is accessible over the network. So, while I understand the security concerns about adding extra roles to a server that is a Domain Controller, I don't see this particular application as a security concern on a DC.
We have installed it on 4 domain controllers for 4 different small businesses that only have one server. While we have noticed some issues with older versions of Connect running on domain controllers, we have not noticed any issues with installing the latest version. Since Microsoft says in the documentation that it may be installed on a Domain Controller, it doesn't introduce any new vectors for attack over the network, and there is no "Best Practices" whitepaper that says it isn't the best way to do it, I will respectfully disagree with the other comments on this point and say that you should feel comfortable putting it on a domain controller if you like.
If you have servers to burn, go ahead and put it on a dedicated server. If not, put it on a domain controller. It is a supported installation.
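The post above rests on the claim that the default install's SQL instance is not reachable over the network. The script below is an added example for checking that on your own host; it is not from the thread or from Microsoft. It assumes Windows Server 2012 or later (for the NetTCPIP cmdlets), that it is run elevated on the server where Azure AD Connect is installed, that the sync service is registered as "ADSync" and its LocalDB engine runs as the "sqlservr" process (both assumptions about the install), and it treats only loopback addresses as "local".

```powershell
# Added check script, not part of the forum thread or the Azure AD Connect product.
# Assumptions: Windows Server 2012+ with the NetTCPIP module, run elevated on the
# Azure AD Connect host, service name "ADSync", SQL engine process "sqlservr".
[CmdletBinding()]
param()

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -in 4, 5)
}

function Get-ADSyncServiceInfo {
    # Returns the ADSync service and the account it runs as, or $null if absent
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'" -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName
    }
}

function Get-SqlNetworkListeners {
    # Lists TCP listening sockets and UDP endpoints owned by any sqlservr.exe
    # process (LocalDB or a full instance) that are bound to a non-loopback
    # address, i.e. reachable from other hosts. Empty result = local only.
    $loopback = '127.0.0.1', '::1'
    $sqlPids  = @(Get-Process -Name sqlservr -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Id)
    if ($sqlPids.Count -eq 0) { return @() }

    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -in $sqlPids -and $_.LocalAddress -notin $loopback } |
        ForEach-Object {
            [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
        }

    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -in $sqlPids -and $_.LocalAddress -notin $loopback } |
        ForEach-Object {
            [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
        }

    return @($tcp) + @($udp)
}

# --- report ---
$isDc      = Test-IsDomainController
$svc       = Get-ADSyncServiceInfo
$listeners = @(Get-SqlNetworkListeners)

"Host is a domain controller : $isDc"
if ($svc) {
    "ADSync service             : $($svc.State) ($($svc.StartMode)), runs as $($svc.Account)"
} else {
    "ADSync service             : not installed"
}
if ($listeners.Count -eq 0) {
    "SQL network listeners      : none (SQL engine bound to loopback only)"
} else {
    "SQL network listeners      : $($listeners.Count) found; review before leaving this on a DC"
    $listeners | Format-Table -AutoSize
}
```

Run it once after installation and again after any upgrade; if the listener list is empty the SQL engine is only reachable from the box itself, and the remaining exposure to weigh is the ADSync service account and whatever else already runs on the DC.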