SOLVED

Azure AD Connect on Azure VM with DC role


Hi All,

We have deployed Azure AD Connect on an Azure VM with the DC role, but the AAD connector prefers the on-premise DC as its AD DC.

We found that when a user has a password change request, AAD didn't receive the change request and update Azure AD within 2 mins.

Any Suggestion?

Thanks.

5 Replies

Hi John,

Is your DC a Global Catalog?

The best architecture to achieve your goal is to have a DC separate from AD Connect; please refer to these architectures that describe the scenarios: https://technet.microsoft.com/en-us/library/mt613459.aspx


Yes, two sites and two DCs; both DCs are Global Catalogs.

Best practice is to separate the roles, but we lack resources, so we combined them on one VM.

I have tested it, and it is able to run on the DC role, although it is not recommended practice.

Is there data loss between Azure AAD and the on-premise DC over the Site to Site VPN, so that AAD can't pull the on-premise DC password change request immediately?

Best Response
Solution

Hi John,


Does your network on Azure point to DNS servers on Azure?

Can you see in a cmd prompt, via "set", whether the logon server is one of the Azure ones?

Do you have Sites and Services in AD correctly configured with the network on Azure?

Verify the synchronization and schedule times between AD sites.

When you change a password on-premises, the user changes it on the closest DC; then AD Connect detects that and pulls it from there to Azure AD.


Hi Nuno,

Does your network on Azure point to DNS servers on Azure? The primary DNS points to the on-premise DC.

Can you see in a cmd prompt, via "set", whether the logon server is one of the Azure ones? The echo %logonserver% result is the Azure DC server.

Do you have Sites and Services in AD correctly configured with the network on Azure? Yes, there are two different site subnets.

Verify the synchronization and schedule times between AD sites. They replicate every 15 minutes.


Hi John,

Your DNS setting on the Azure network should point to your DNS servers on Azure so the VMs connect to them. That could be the point.
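The checks raised in the accepted answer and in Nuno's final reply (Azure-side DNS, which DC is the logon server, subnet-to-site mapping in Sites and Services, the replication interval between sites, and whether the AAD Connect scheduler is actually cycling) can be gathered in one pass. The script below is an added example, not code from any poster in this thread; it assumes it is run in an elevated PowerShell session on the Azure VM that hosts both the DC role and Azure AD Connect, with the RSAT ActiveDirectory module installed and the ADSync module present.

```powershell
# Added diagnostic pass for the thread's checklist (not from the original posts).
# Assumes: elevated session on the Azure VM running both the DC role and AAD Connect,
# RSAT ActiveDirectory module available, ADSync module installed by AAD Connect.
Import-Module ActiveDirectory -ErrorAction Stop

# 1. DNS: the VM's NIC should resolve through the Azure-side DNS servers,
#    not only the on-premise DC reached over the site-to-site VPN.
Write-Host "== DNS client servers (IPv4) =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 2. Logon server and site: which DC authenticated this session and which AD site
#    the DC locator placed this computer in (should be the Azure site).
Write-Host "== Logon server / site =="
Write-Host ("LOGONSERVER  : {0}" -f $env:LOGONSERVER)
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
Write-Host ("Computer site: {0}" -f $site)
$dc = Get-ADDomainController -Discover -Service GlobalCatalog -ForceDiscover
Write-Host ("Located GC   : {0} (site {1})" -f $dc.HostName, $dc.Site)

# 3. Sites and Services: every subnet, on-premise and Azure VNet, must map to the right site,
#    otherwise clients and AAD Connect may keep talking to the far DC.
Write-Host "== Subnet-to-site mapping =="
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize

# 4. Replication: the site-link interval (the thread's 15 minutes) bounds how long an
#    on-premise password change takes to reach the Azure DC; also show last inbound success.
Write-Host "== Site links =="
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { $_.SitesIncluded -join ',' } } |
    Format-Table -AutoSize
Write-Host "== Inbound replication partners for this DC =="
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult,
        ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 5. AAD Connect scheduler: confirm sync cycles are enabled and see the effective interval,
#    so a stalled scheduler is not mistaken for a replication problem.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    Write-Host "== AAD Connect scheduler =="
    Get-ADSyncScheduler |
        Select-Object SyncCycleEnabled, SyncCycleInProgress,
            CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
}
```

If step 3 shows the Azure VNet subnet missing or mapped to the on-premise site, or step 4 shows a stale LastReplicationSuccess, that is where the delay the original poster described is coming from rather than from AAD Connect itself.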