Forum Discussion
Microsoft Entra Connect connecting always to old DC
We are planning on demoting old DC server. When doing checkups I noticed that Entra Connect keeps connecting to this specific DC we'ew planning to demote everytime it connect to Active Directory.
So now I'm wondering does this need any additional configuration to keep sync working after DC Demote. I found out that there is option to "Only use preferred domain controllers" but I'm not sure if that's what I want do do.
There were the red line is is the old DC to be demoted.
"Only use preferred domain controllers" setting.
If I enable this setting I got this kind of notice. I don't feel like this is the right way to do it so I canceled at this point.
Hi jpart_777,
You're right to not set a preferred domain controller. That should never be used unless it cannot be avoided (which is typically only when someone has botched their Active Directory site topology design and implementation - which is sadly rather common).
You ought to be fine with following your hunch and not specifying a preferred domain controller list. I've run a quick test on AAD Connect v2.4.131.0 and it cut over fine when I blocked access from the AAD Connect host to the domain controller it typically connects to.
The test was basic but effective and entailed:
- Configuring the Windows Firewall on the AAD Connect host to block LDAP (and GC) traffic to the usual domain controller;
- Running a delta import (DI) on the Active Directory connector;
- Observing the result of the DI run.
I actually expected that the DI may not work and an FI might have been required, but I was pleasantly surprised to see that the DI run succeeded.
Prior to the blocking of the "usual" domain controller
The firewall change to block access to rpdc01.robertsonpayne.com
After the firewall change, showing the automatic switch to another domain controller
Cheers,
Lain
2 Replies
Hi jpart_777,
You're right to not set a preferred domain controller. That should never be used unless it cannot be avoided (which is typically only when someone has botched their Active Directory site topology design and implementation - which is sadly rather common).
You ought to be fine with following your hunch and not specifying a preferred domain controller list. I've run a quick test on AAD Connect v2.4.131.0 and it cut over fine when I blocked access from the AAD Connect host to the domain controller it typically connects to.
The test was basic but effective and entailed:
- Configuring the Windows Firewall on the AAD Connect host to block LDAP (and GC) traffic to the usual domain controller;
- Running a delta import (DI) on the Active Directory connector;
- Observing the result of the DI run.
I actually expected that the DI may not work and an FI might have been required, but I was pleasantly surprised to see that the DI run succeeded.
Prior to the blocking of the "usual" domain controller
The firewall change to block access to rpdc01.robertsonpayne.com
After the firewall change, showing the automatic switch to another domain controller
Cheers,
Lain
Hello
This is what I did and it worked,
- Configuring the Windows Firewall on the AAD Connect host to block LDAP (and GC) traffic to the usual domain controller;
- Running a delta import (DI) on the Active Directory connector;
- Observing the result of the DI run.
Thanks!
