We have deployed Azure AD Connect on an Azure VM with the DC role, but the AAD Connect connector's preferred AD DC is the on-premises DC.
We found that when a user has a password change request, AAD Connect didn't receive the change request and update Azure AD within 2 minutes.
Is your DC a Global Catalog?
The best architecture to achieve your goal is to have a DC separate from AD Connect; please refer to these architectures that describe the scenarios: https://technet.microsoft.com/en-us/library/mt613459.aspx
Yes, two sites and two DCs, and both DCs are Global Catalogs.
Best practice is to separate the roles, but we lack resources, so we combined them into one VM.
I have tested it and it is able to run on the DC role, although it is not a recommended practice.
Is there data loss between Azure AAD and the on-premises DC over the site-to-site VPN, so that AAD can't pull the on-premises DC password change request immediately?
Does your network on Azure point to DNS servers on Azure?
Can you see in a cmd prompt, with "set", whether the logon server is one of the Azure DCs?
Do you have Sites and Services in AD correctly configured with the network on Azure?
Verify the synchronization and schedule times between AD sites.
When you change a password on-premises, the user changes it on the closest DC; AD Connect then detects that and pulls it from there to Azure AD.
Does your network on Azure point to DNS servers on Azure? The primary DNS points to the on-premises DC.
Can you see in a cmd prompt, with "set", whether the logon server is one of the Azure DCs? "echo %logonserver%" returns the Azure DC server.
Do you have Sites and Services in AD correctly configured with the network on Azure? Yes, there are two different site subnets.
Verify the synchronization and schedule times between AD sites. Replication is every 15 minutes.
Your DNS setting on the Azure network should point to your DNS servers on Azure so that the VMs connect to them. That could be the point.
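The checklist in the earlier reply (DNS servers, logon server, Sites and Services, replication schedule) and the DNS point made just above can be worked through from one PowerShell session on the Azure VM. The script below is an added example written for this thread, not something posted by either participant and not Microsoft's tooling; it assumes it is run elevated on the Azure VM that hosts both the DC role and Azure AD Connect, and the domain name and test user are placeholders to replace. It also checks the one thing that decides whether the 2-minute expectation is realistic: whether the on-premises password change has actually replicated to the DC that AAD Connect reads from. Password hash sync polls the DC on its own 2-minute cycle, independent of the 30-minute scheduler interval, so if pwdLastSet is still old on the Azure DC, the delay is AD replication (the 15-minute site link), not AAD Connect.

```powershell
# Added diagnostic script for this thread (not from the original posts).
# Assumptions: run elevated on the Azure VM that is both a DC and the Azure AD Connect host;
# the RSAT AD module is present (it is on a DC); $Domain and $TestUser are placeholders.
$Domain   = 'corp.example.com'   # assumption: your AD DNS domain name
$TestUser = 'testuser'           # assumption: a user whose password was just changed on-prem

Write-Host '== 1. DNS client settings on this VM (the thread suggests these should be the Azure DCs) =='
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

Write-Host '== 2. Which DC and site the DC locator picked for this VM =='
"LOGONSERVER = $env:LOGONSERVER"
nltest /dsgetdc:$Domain     # DC the locator chose, and the site it belongs to
nltest /dsgetsite           # the site this VM believes it is in (from its subnet)

Write-Host '== 3. Subnet-to-site mapping and site link replication schedule =='
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, ReplicationFrequencyInMinutes, Cost, SitesIncluded

Write-Host '== 4. Inbound replication status of this DC =='
repadmin /showrepl $env:COMPUTERNAME

Write-Host '== 5. Has the on-prem password change reached this DC yet? =='
# pwdLastSet replicates with the password. If it is still old here, the change has not
# arrived over the site link yet, and AAD Connect has nothing new to pick up.
Get-ADUser $TestUser -Properties pwdLastSet -Server $env:COMPUTERNAME |
    Select-Object SamAccountName,
        @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } }

Write-Host '== 6. Azure AD Connect scheduler and password hash sync state =='
Import-Module ADSync
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, StagingModeEnabled,
    CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
(Get-ADSyncAADCompanyFeature).PasswordHashSync   # expected: True

# Password hash sync writes to the Application log under 'Directory Synchronization'.
# Event 656 = a password change request was picked up from the DC,
# event 657 = the result of sending that change to Azure AD.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        Id           = 656, 657
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Read the output top to bottom: if step 1 shows the on-premises DC as primary DNS, the VM is resolving through the slow path that the last reply calls out; if step 5 shows an old pwdLastSet on the Azure DC, the bottleneck is the 15-minute site link and no AAD Connect setting will get the change to Azure AD faster than that; only if step 5 is current and step 6 shows no 656/657 events is the problem in the password hash sync channel itself. Separately, keeping AAD Connect off the DC is not just a best-practice preference: the AAD Connect database and service account then live on a tier-0 host, which is why the linked architecture guidance separates the roles.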