Installation of Azure AD Connect on DC


  • I have seen some people state that while installation of AAD Connect on a DC is supported, that it is a best practice to install on a separate server however I have not seen any rationale for this statement. Can anyone provide me some reasons to not put it on a DC?

    Dean MCTS-SQL 2005 Business Intelligence, MCITP SharePoint 2010, MCSA Office 365

    Thursday, April 20, 2017 1:44 AM

All replies

  • Here are some reasons why organizations are hesitant: 

    In general organizations are hesitant to add software on to DC's as it adds complexity in servicing, keeping updated. 

    A domain controller does not have a local account database so any service accounts/groups that are setup for apps/services on a machine would be added to the domain. 

    Load on the server - depending on the size of the organization you want to ensure that login, authentications are not affected by the added service and vice versa. 

    Security concerns - Any operator that needs access to the installed software would need to have rights to login to the DC. 

    I hope our community on the forums can help with more insight from their own experiences. 

    / Brjann

    Twitter: @BBrekkan_MSFT This posting is provided AS IS with no warranties, and confers no rights

    Friday, April 21, 2017 5:54 PM
  • A best practice is just that – practices to reduce risks and ease operations. This doesn’t necessarily mean that you will be at risk if you don’t follow the best practices. There’s no single rule to every customer, it’s up to each sys admin, to decide what it’s best for him and for your company based on many factors like budget, server policies, size of the company, size of the infrastructure. There are many Microsoft Partners that can provide consulting services on this.

    Bottom line: This common sense. In case you have an issue in one service it does not affect other core services of your enterprise. A DC is vital to your enterprise so you don’t want to load a DC with more extra services, unless there’s budget restrictions or the Sys Admin consideres it is as a low risk/low impact.

    Hope this helps.


    Friday, April 21, 2017 6:26 PM
  • The anwers from Brjann and Nuno are spot on.

    That being said, I have a number of customers that run AADC on a DC in Azure just because they're trying to cut down on VM sprawl.  Depending on the size of your organization (less than a few thousand users) and the configuration of your DC (8GB of RAM or more) and how many other DCs you have, you can probably get away with it.

    Neither I nor support will recommend it, but it is a supported configuration.

    If your organization is large enough to require SQL (more than 100,000 objects), you need SQL, which you'll not want to install on a DC.

    Tuesday, April 25, 2017 6:32 PM