SOLVED

AdConnect v2 Password write back with two different DC versions

Occasional Contributor

Hi, has anyone run into this situation?

I will be installing AD Connect on a domain member server running 2019.

However, I have two DCs running two different versions, 2012 and 2016.
According to MS doc,

To use password writeback, your Domain Controllers must be Windows Server 2016 or later (https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback)
I would like to enable password writeback, but I'm not sure if it will work if one of them is running 2016 but the other 2012?
Cheers!

4 Replies
Hi KleoNunket,

Password writeback needs 2012 R2, not 2016; the new version of Azure AD Connect needs Server 2016, so maybe the recommendation is based on that.

Forest and domain level don't have to be 2016.

Hope this helps,

Hi HarriJaakkonen,

Yes, it's based off the new Azure AD Connect.
The new version of AD Connect requires 2016 (because it uses the newer SQL 2019).
However, if using the newer AD Connect, which is what I think the article is based on, it says that password writeback requires 2016 DCs.

So, if I have an environment of DCs running on Server 2012 R2 and 2016, then password writeback won't work, or will it still work?

AD connect will be installed on a 2019 domain member server.

Thanks!

best response confirmed by KleoNunket (Occasional Contributor)
Solution
Hi again,

It's not about the DCs, it's about the AAD Connect server. DCs will write what AAD Connect tells them.

In this config you have to make sure that aad connect isn't a single point of failure and keep it updated.

So it will run like it should as long as aad connect is working.

Hope this answers your question.
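
One way to check the two requirements the answer separates (DC version for writeback, Azure AD Connect server version for v2) and to see whether this server is the staging-mode standby, as an added example that is not from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module and the ADSync module are present on the machine it runs on, and that the version minimums stated above (2012 R2 for DCs, 2016 for the AAD Connect server) are the ones to enforce.

```powershell
# Added example: inventory DC OS versions and the local (AAD Connect) server against the
# minimums stated in the thread. Not the thread's own code; assumes RSAT AD + ADSync modules.
Import-Module ActiveDirectory

# Thresholds from the thread: DCs need Windows Server 2012 R2 (kernel 6.3) for password
# writeback; the Azure AD Connect v2 server itself needs Windows Server 2016 (kernel 10.0).
$dcMinimum   = [version]'6.3'
$aadcMinimum = [version]'10.0'

function Get-OsMajorMinor([string]$osVersionString) {
    # AD stores OperatingSystemVersion as e.g. "6.3 (9600)" or "10.0 (14393)";
    # Win32_OperatingSystem.Version looks like "10.0.17763". Keep only major.minor.
    if ($osVersionString -match '^(\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

# 1. Every DC in the domain, flagged against the writeback minimum (2012 R2).
Get-ADDomainController -Filter * | ForEach-Object {
    $v = Get-OsMajorMinor $_.OperatingSystemVersion
    [pscustomobject]@{
        Role = 'DC'
        Name = $_.HostName
        OS   = $_.OperatingSystem
        OK   = ($null -ne $v -and $v -ge $dcMinimum)
    }
}

# 2. The server this runs on (intended: the AAD Connect server), against the 2016 minimum.
$local        = Get-CimInstance Win32_OperatingSystem
$localVersion = Get-OsMajorMinor $local.Version
[pscustomobject]@{
    Role = 'AADConnect'
    Name = $env:COMPUTERNAME
    OS   = $local.Caption
    OK   = ($null -ne $localVersion -and $localVersion -ge $aadcMinimum)
}

# 3. Staging mode: a staging-mode AAD Connect server imports and syncs but does not export,
# so it is the standby that removes the single point of failure, not a second active writer.
if (Get-Command Get-ADSyncScheduler -ErrorAction SilentlyContinue) {
    $sched = Get-ADSyncScheduler
    "Staging mode enabled on $env:COMPUTERNAME: $($sched.StagingModeEnabled)"
} else {
    "ADSync module not found: run this on the Azure AD Connect server to see staging mode."
}
```

Run it on each Azure AD Connect server; exactly one should report staging mode disabled (the active exporter) and any standby should report it enabled.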

I was confused by the part that says the DCs need to be on Server 2016, but glad to hear it doesn't affect anything.

Staged mode looks to be the "redundancy" mode.
Thank you.