Forum Discussion
Azure AD Connect on a DC
- Apr 07, 2017
Hi Glenn,
In my opinion, the recommended installation is always on a separate server, in order to isolate points of failure.
In the past, e.g. with DirSync, it was not supported, but Microsoft has expanded support for installation on servers with other roles using Express Installation.
If you install AD Connect on a DC or another machine with other products, it will be harder to understand a problem if one occurs in your environment, i.e. whether the problem is in the DC role or in AD Connect.
I will add my opinion here that I hope will answer your question, specifically addressing installing Azure AD Connect on a domain controller.
I'll start off with the statement "Just because it is supported, doesn't mean that it should be done". There are many reasons I think Microsoft enabled support for domain controllers, but I would not recommend it. If you can afford another server, then do it. A good rule of thumb: a domain controller is a domain controller and should be nothing else. Also, just throwing this out there as well, it is just a good rule of thumb to not dual-purpose servers if you can avoid it. This will help prevent outage planning and troubleshooting issues. If you have Azure AD Connect installed on, say, an Exchange Server, troubleshooting and rebooting would not be possible outside of an outage window or proper planning. Extreme case, but something I have run into with clients.
Back to my original point.
The one reason that I would never encourage someone to install it on a DC is because of the SQL and local admin privileges for AzADC. This instantly means that any AzADC accounts that need admin to the local server are added to the Builtin\Administrators group in AD and now have admin permissions to the domain. Because of this reason alone, I would not need any more reasons and would never recommend installing on a DC.
I hope that helps clarify or add some flavor to your question.
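A quick audit script for the point raised in the post above (a local-admin requirement on a domain controller becomes domain-wide membership of Builtin\Administrators). This is an added example, not code from the forum post or from Microsoft; it assumes the Azure AD Connect sync service is registered under its usual service name ADSync, that the ActiveDirectory module is available, and that the account runs with read access to AD. The function names are this example's own.

```powershell
# Added example: detect whether the Azure AD Connect sync service account
# sits in Builtin\Administrators on a domain controller, which (per the
# post above) means domain-wide admin rather than just local admin.
# Assumptions: service name "ADSync"; RSAT ActiveDirectory module present.

Import-Module ActiveDirectory

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

function Get-SyncServiceAccount {
    # Returns the logon account of the ADSync service, or $null if absent.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'"
    if ($null -eq $svc) { return $null }
    return $svc.StartName
}

function Get-AdministratorsMembers {
    # Builtin\Administrators has the well-known SID S-1-5-32-544;
    # -Recursive expands nested groups so indirect members are caught too.
    Get-ADGroupMember -Identity 'S-1-5-32-544' -Recursive |
        Select-Object -ExpandProperty SamAccountName
}

function Invoke-AadConnectDcAudit {
    if (-not (Test-IsDomainController)) {
        Write-Output "Not a domain controller: local Administrators here is not domain-wide."
        return
    }

    $account = Get-SyncServiceAccount
    if ($null -eq $account) {
        Write-Output "ADSync service is not installed on this DC."
        return
    }

    # Normalise "DOMAIN\user", ".\user" or "user@domain" to the bare SAM name
    $sam = ($account.Split('\')[-1]).Split('@')[0]
    $admins = Get-AdministratorsMembers

    if ($admins -contains $sam) {
        Write-Warning "Sync service account '$account' is a member of Builtin\Administrators on a DC (domain-wide admin)."
    } else {
        Write-Output "Sync service account '$account' is not a member of Builtin\Administrators."
    }

    # Surface the full membership so any other AzADC-related accounts can be reviewed
    Write-Output "Current Builtin\Administrators members (recursive):"
    $admins | Sort-Object -Unique | ForEach-Object { Write-Output "  $_" }
}

Invoke-AadConnectDcAudit
```

Run it on the DC in question from an elevated PowerShell session; the same script run on a member server exits early, because there the Administrators group is machine-local and the post's concern does not apply.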