Forum Discussion
Azure AD Connect on a DC
- Apr 07, 2017
Hi Glenn,
In my opinion, the recommended installation is always on a separate server, in order to isolate points of failure.
In the past, e.g. with DirSync, it was not supported, but Microsoft has expanded support for installation on servers with other roles using Express Installation.
If you install AD Connect on a DC or another machine with other products, it would be harder to understand a problem, if one occurs in your environment, whether the problem is in the DC role or in AD Connect.
Hi Glenn,
I personally think you should not install Azure AD Connect on an AD Domain Controller. Is it supported? Yes. Will it work? Yes, but in the long term you might find yourself in a difficult situation. As we know, Azure AD Connect comes with a built-in SQL Express DB, so placing that instance on the same platform as your NTDS (AD) database wouldn't be the greatest idea. You also have to consider the main factors of system consumption: general computing (CPU), memory (RAM), network consumption and finally storage (IOPS). Keep it simple and install it on a small, single VM. That way you can create scheduled snapshots for quick reversions in case things go wrong. Leave Domain Controllers on their own platforms in case you need to perform AD-related troubleshooting and, in worst-case scenarios, System State Restore operations.
I hope this helps with your question.
One thing that people need to keep in mind if they're not co-locating Azure AD Connect on a DC is this: the server onto which it is installed needs to go into https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material alongside your DCs, because it contains password hashes in memory.
AAD Connect Servers need to be protected just as closely as a DC, so why not just install it on a DC?
https://twitter.com/cyb3rops/status/974227789007196160
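Whichever placement you choose, the point made in the last two posts is that every host running the sync engine must be inventoried and protected like a DC. The following audit script is an added example, not code from this thread or from Microsoft: it checks which hosts actually run the ADSync service, whether each one is itself a domain controller, and whether it is a member of a Tier 0 marker group. The host names and the group name "Tier0-Servers" are assumptions; run it from a management host with the ActiveDirectory module in Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7).

```powershell
# Added audit example (not from the thread). Assumptions: the sync engine runs as the
# Windows service "ADSync"; a hypothetical AD group "Tier0-Servers" marks hosts that
# are managed under the privileged-access (Tier 0) model; host names are placeholders.
param(
    [string[]]$ComputerName = @('aadc01.corp.example', 'dc01.corp.example'), # placeholders
    [string]$Tier0Group = 'Tier0-Servers'                                    # hypothetical
)
Import-Module ActiveDirectory

# Short host names of computer objects already in the Tier 0 group.
$tier0Hosts = Get-ADGroupMember -Identity $Tier0Group -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object -ExpandProperty name

foreach ($computer in $ComputerName) {
    $svc = Get-Service -Name 'ADSync' -ComputerName $computer -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # host does not run the sync engine; nothing to report

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $computer).DomainRole
    $isDc = $role -ge 4
    $shortName = ($computer -split '\.')[0]
    $inTier0 = $tier0Hosts -contains $shortName

    # Rank the finding: a sync host outside Tier 0 is the gap the thread warns about;
    # a sync engine on a DC is supported but removes the isolation the other posts argue for.
    $finding = if (-not $inTier0) { 'Sync host not in Tier 0 group: treat like a DC' }
               elseif ($isDc)     { 'Sync engine co-located on a DC: no isolation' }
               else               { 'OK: dedicated sync host under Tier 0 management' }

    [pscustomobject]@{
        Host               = $computer
        ADSyncState        = $svc.Status
        IsDomainController = $isDc
        InTier0Group       = $inTier0
        Finding            = $finding
    }
}
```

Feed the output into whatever ticketing or reporting you already use for DC hygiene; the same list of hosts is what your credential-theft detections (LSASS access, sync account logons) should be scoped to.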