Aug 02 2017 11:31 PM - last edited on Jan 14 2022 05:30 PM by TechCommunityAP
Hi All,
We have deployed Azure AD Connect on an Azure VM with the DC role, but the AAD connector prefers the on-premises DC as its AD DC.
We found that when a user has a password change request, AAD Connect doesn't receive the change request and update Azure AD within 2 minutes.
Any Suggestion?
Thanks.
Aug 03 2017 01:17 AM
Hi John,
Is your DC a Global Catalog?
The best architecture to achieve your goal is to have a DC separate from AD Connect; please refer to these architectures that describe the scenarios: https://technet.microsoft.com/en-us/library/mt613459.aspx
Aug 03 2017 01:22 AM - edited Aug 03 2017 01:25 AM
Yes, two sites and two DCs, and both DCs are Global Catalogs.
Best practice is to separate the roles, but we lack resources, so we combined them on one VM.
I have tested it, and it is possible to do it on the DC role, although it is not a recommended practice.
Is there data loss between Azure AAD and the on-premises DC over the Site-to-Site VPN, so that AAD can't pull the on-premises DC password change request immediately?
Aug 03 2017 01:27 AM
Solution
Hi John,
Does your network on Azure point to DNS servers on Azure?
Can you see in a cmd prompt, with "set", whether the logon server is one of the Azure ones?
Do you have Sites and Services in AD correctly configured with the network on Azure?
Verify the synchronization and schedule times between AD sites.
When you change a password on-premises, the user changes it on the closest DC; then AD Connect detects that and pulls it from there to Azure AD.
Aug 03 2017 01:40 AM - edited Aug 03 2017 01:41 AM
Hi Nuno,
Does your network on Azure point to DNS servers on Azure? Primary DNS points to the on-premises DC.
Can you see in a cmd prompt, with "set", whether the logon server is one of the Azure ones? echo %logonserver% returns the Azure DC server.
Do you have Sites and Services in AD correctly configured with the network on Azure? Yes, there are two different site subnets.
Verify the synchronization and schedule times between AD sites. Replicates every 15 minutes.
Aug 03 2017 01:45 AM
Hi John,
Your DNS setting on the Azure network should point to your DNS servers on Azure so that the VMs connect to them. That could be the point.
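The checks Nuno lists (which DC authenticated the session, which DNS servers the VM uses, Sites and Services subnet mapping, site-link replication interval, replication health, and whether the AD Connect scheduler is actually running) can be collected in one pass. The script below is an added example for this thread, not code from either poster or from Microsoft; it assumes the RSAT ActiveDirectory module and the ADSync module that Azure AD Connect installs are present on the Azure VM, and it is meant to be run in an elevated PowerShell on that VM.

```powershell
# Added diagnostic example (not from the thread). Run in an elevated PowerShell
# on the Azure VM that hosts both AD DS and Azure AD Connect.
# Assumes: RSAT ActiveDirectory module and the ADSync module (installed by AAD Connect).

Import-Module ActiveDirectory
Import-Module ADSync -ErrorAction SilentlyContinue

# 1. Which DC authenticated this session? Same information as "set" / %LOGONSERVER% in cmd.
Write-Host "Logon server : $env:LOGONSERVER"

# 2. Which DNS servers does the VM's NIC use? Nuno's point: VMs on the Azure network
#    should resolve through DNS/DCs inside Azure, not through the on-premises DC over the VPN.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

# 3. Is the DC this host locates a Global Catalog, and which AD site does it belong to?
Get-ADDomainController -Discover -Service GlobalCatalog |
    Select-Object HostName, Site, IsGlobalCatalog

# 4. Sites and Services: subnet-to-site mapping and the site-link replication interval
#    (the thread reports a 15-minute interval; a site link set higher than that delays
#    the password change reaching the DC that AD Connect reads from).
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, Site |
    Format-Table -AutoSize
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes |
    Select-Object Name, ReplicationFrequencyInMinutes,
                  @{ Name = 'Sites'; Expression = { $_.SitesIncluded -join ', ' } } |
    Format-Table -AutoSize

# 5. Replication health of this DC against each partner: a growing failure count or an
#    old LastReplicationSuccess means the change is stuck on the other DC.
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 6. Azure AD Connect scheduler: confirm sync cycles are enabled and not stuck in progress.
if (Get-Command Get-ADSyncScheduler -ErrorAction SilentlyContinue) {
    Get-ADSyncScheduler |
        Select-Object SyncCycleEnabled, AllowedSyncCycleInterval,
                      NextSyncCycleStartTimeInUTC, SyncCycleInProgress
} else {
    Write-Warning 'ADSync module not found; run this on the Azure AD Connect server.'
}
```

Read the output top to bottom: if step 2 shows the on-premises DC as the only DNS server while step 1 shows an Azure DC as the logon server, the VM is split between sites, which is exactly the configuration Nuno flags. Step 5 is the one to watch for the "2 minutes" symptom: a password changed on the on-premises DC cannot be picked up by AD Connect until it has replicated to the DC AD Connect reads from, so a large site-link interval or a replication failure shows up here before it shows up in Azure AD.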