Azure AD Connect and the On-Premises Server issues

  • Question

  • Hi all,

    Our company is upgrading the Windows server farm from 2008 R2 to 2016 and syncing user accounts to AAD for O365 and M365. But I have some questions.

    Background: All servers are 2008 R2, 6 domain controllers, forest level is 2008 R2. Before upgrading the server farm we need to sync the on-premises AD accounts to Azure AD.

    1. I have already created the 2016 server joined to the domain (no DC role on this server). But I found that Azure AD Connect can be installed on a domain controller or on a member server. What is the difference?

    2. After syncing the accounts to Azure AD, will upgrading the on-premises server farm and the domain forest to 2016 affect the Azure AD sync?

    3. If I remove Azure AD Connect from the 2016 server (no DC role on this server) and reinstall it on another Windows Server 2016 domain controller in the same forest, will that affect the Azure AD Connect account sync?

    Thanks for all replies.

    Sunday, October 20, 2019 11:50 AM

Answers

  • Hello Alvin.Wong

    Thank you for your query. Please find the answers below.

    1. I have already created the 2016 server joined to the domain (no DC role on this server). But I found that Azure AD Connect can be installed on a domain controller or on a member server. What is the difference?

    Ans: You can install AAD Connect on a DC as well and there is no difference, but I would not recommend it. This is because if you have both the sync server and the domain controller on the same server, it becomes a single point of failure. Also, memory utilization would be higher on the DC in this case. The third point is that you would have to install some instance of SQL on the same domain controller if you go with the default settings, and we do not recommend installing SQL services on a domain controller. Even if you keep SQL on a different server and store the AAD Connect metaverse on a separate server, you still have a single point of failure in the event of the server going down. Two critical roles on a single server always create a single point of failure, hence it is not recommended. In some cases where the load on the server is going to be extremely low, for example an environment of 25-30 users, maybe you can do that.

    2. After syncing the accounts to Azure AD, will upgrading the on-premises server farm and the domain forest to 2016 affect the Azure AD sync?

    Ans: No. The Windows 2016 upgrade will require you to update the schema of your current forest, and the schema upgrade will be done by the ADprep operation. In this situation some new attributes for all the objects in the directory will be added to the schema of the local AD. Once the forest upgrade to 2016 domain controllers is done, you would need to run a schema refresh for Azure AD Connect to copy the new schema to its database.

    3. If I remove Azure AD Connect from the 2016 server (no DC role on this server) and reinstall it on another Windows Server 2016 domain controller in the same forest, will that affect the Azure AD Connect account sync?

    Ans: I think you should continue using AD Connect on this server itself, since this server is not a domain controller. You can still install AD Connect on a domain controller in the same forest; however, AD Connect on a domain controller creates a service account for which password recovery and rotation is extremely difficult, and hence we would recommend that you not install AAD Connect on a domain controller.

    Hope the above clarification helps you. I have added relevant links to the answer which may help you understand more; please check them to find detailed information wherever you need it. In case the information provided in this post helps you with your issue, please do mark it as the answer. In case you have additional queries, feel free to let me know and I will be happy to assist further.

    Thank you. 



    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!


    Monday, October 21, 2019 6:57 AM
    Moderator
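The checks behind the answer's three points, as an added example that is not part of the thread and not Microsoft's code: it reports whether the Azure AD Connect host is a DC or a member server, reads the forest schema version that adprep writes, and, after the wizard's "Refresh directory schema" task (which has no cmdlet), triggers the full sync the answer refers to. It assumes the ActiveDirectory RSAT module and the ADSync module are available on the host; the objectVersion-to-release mapping is the documented schema version table.

```powershell
# Added example (not from the thread). Run on the Azure AD Connect server.
Import-Module ActiveDirectory
Import-Module ADSync

# Point 1: is this host a domain controller or a member server?
function Get-HostRole {
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    switch ($role) {
        3       { 'Member server' }
        4       { 'Backup domain controller' }
        5       { 'Primary domain controller' }
        default { "Other (DomainRole=$role)" }
    }
}

# Point 2: read the schema version that adprep /forestprep raises.
# Documented values: 47 = 2008 R2, 56 = 2012, 69 = 2012 R2, 87 = 2016, 88 = 2019.
function Get-ForestSchemaVersion {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $ver = (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
    $names = @{ 47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
                69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016'
                88 = 'Windows Server 2019' }
    [pscustomobject]@{ ObjectVersion = $ver; Schema = $names[$ver] }
}

# After the forest upgrade and the wizard's schema refresh, the new attributes
# only reach the metaverse once a full import/sync has run. Check the scheduler
# first so a disabled sync cycle is noticed rather than silently skipped.
function Invoke-PostSchemaRefreshSync {
    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) {
        Write-Warning 'Sync cycle is disabled; enable it before running a full sync.'
        return $sched
    }
    Start-ADSyncSyncCycle -PolicyType Initial   # full import + full sync
    Get-ADSyncScheduler                          # shows the next scheduled cycle
}

"Host role : $(Get-HostRole)"
Get-ForestSchemaVersion | Format-List
```

Compare the reported ObjectVersion before and after the domain controllers are upgraded; once it reads 87 the schema refresh and Invoke-PostSchemaRefreshSync are due.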