Forum Discussion
Azure AD Connect on a DC
- Apr 07, 2017
Hi Glenn,
In my opinion, the recommended installation is always on a separate server in order to isolate points of failure.
In the past, e.g. with DirSync, it was not supported, but Microsoft has expanded support for installation on servers with other roles using Express Installation.
If you install AD Connect on a DC or another machine with other products, it would be harder to understand a problem if one occurs in your environment, whether the problem is in the DC role or in AD Connect.
Hi Glenn,
I personally think you should not install Azure AD Connect on an AD Domain Controller. Is it supported? Yes. Will it work? Yes. But in the long term you might find yourself in a difficult situation. As we know, Azure AD Connect comes with a built-in SQL Express DB, so placing that instance on the same platform as your NTDS (AD) database wouldn't be the greatest idea. You also have to consider the main factors of system consumption: general computing (CPU), memory (RAM), network consumption and finally storage (IOPS). Keep it simple and install it on a small, single VM. That way you can create scheduled snapshots for quick reversions in case things go wrong. Leave Domain Controllers on their own platforms in case you need to perform AD-related troubleshooting and, in worst-case scenarios, System State Restore operations.
I hope this helps with your question.
- May 21, 2018
Would the answer change if the user count was under 50? Under 25? How about Microsoft allowing a no-cost VM if it's only used for one thing: Azure AD Connect deployment?
- amit kalia, May 22, 2018
Hi,
Well, actually, according to best practices the answer does not change. However, I have seen that if you implement AAD Connect on a DC for a small organization which cannot afford a dedicated server, it works fine.
But still we would recommend keeping all on separate servers.
Thanks & Regards
Amit Kalia
- OrionWithrow, May 22, 2018
I don't think the answer really changes. If you MUST do it then yes, it is supported, but don't unless you have to.
- Daniel Streefkerk, Mar 22, 2018
One thing that people need to keep in mind if they're not co-locating Azure AD Connect on a DC is this: the server onto which it is installed needs to go into https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material alongside your DCs, because it contains password hashes in memory.
AAD Connect Servers need to be protected just as closely as a DC, so why not just install it on a DC?
https://twitter.com/cyb3rops/status/974227789007196160