Forum Discussion

jpart_777's avatar
jpart_777
Copper Contributor
Sep 01, 2025
Solved

Microsoft Entra Connect connecting always to old DC

We are planning on demoting old DC server. When doing checkups I noticed that Entra Connect keeps connecting to this specific DC we'ew planning to demote everytime it connect to Active Directory. So...
Active Directory
Azure Active Directory (AAD)
Azure AD Connect
microsoft entra
  • LainRobertson's avatar
    LainRobertson
    Sep 02, 2025

    Hi jpart_777​,

     

    You're right to not set a preferred domain controller. That should never be used unless it cannot be avoided (which is typically only when someone has botched their Active Directory site topology design and implementation - which is sadly rather common).

     

    You ought to be fine with following your hunch and not specifying a preferred domain controller list. I've run a quick test on AAD Connect v2.4.131.0 and it cut over fine when I blocked access from the AAD Connect host to the domain controller it typically connects to.

     

    The test was basic but effective and entailed:

     

    • Configuring the Windows Firewall on the AAD Connect host to block LDAP (and GC) traffic to the usual domain controller;
    • Running a delta import (DI) on the Active Directory connector;
    • Observing the result of the DI run.

     

    I actually expected that the DI may not work and an FI might have been required, but I was pleasantly surprised to see that the DI run succeeded.

     

    Prior to the blocking of the "usual" domain controller

     

    The firewall change to block access to rpdc01.robertsonpayne.com

     

    After the firewall change, showing the automatic switch to another domain controller

     

    Cheers,

    Lain

LainRobertson's avatar
LainRobertson
Silver Contributor
Sep 02, 2025

Hi jpart_777​,

 

You're right to not set a preferred domain controller. That should never be used unless it cannot be avoided (which is typically only when someone has botched their Active Directory site topology design and implementation - which is sadly rather common).

 

You ought to be fine with following your hunch and not specifying a preferred domain controller list. I've run a quick test on AAD Connect v2.4.131.0 and it cut over fine when I blocked access from the AAD Connect host to the domain controller it typically connects to.

 

The test was basic but effective and entailed:

 

  • Configuring the Windows Firewall on the AAD Connect host to block LDAP (and GC) traffic to the usual domain controller;
  • Running a delta import (DI) on the Active Directory connector;
  • Observing the result of the DI run.

 

I actually expected that the DI may not work and an FI might have been required, but I was pleasantly surprised to see that the DI run succeeded.

 

Prior to the blocking of the "usual" domain controller

 

The firewall change to block access to rpdc01.robertsonpayne.com

 

After the firewall change, showing the automatic switch to another domain controller

 

Cheers,

Lain

  • jpart_777's avatar
    jpart_777
    Copper Contributor
    Sep 05, 2025

    Hello

    This is what I did and it worked,


    • Configuring the Windows Firewall on the AAD Connect host to block LDAP (and GC) traffic to the usual domain controller;
    • Running a delta import (DI) on the Active Directory connector;
    • Observing the result of the DI run.

     

    Thanks!

Resources