Microsoft Azure Active Directory Connect deployment best practice?

EnterpriseArchitect 4,741 Reputation points
2022-06-23T06:45:00.227+00:00

Folks,

I'm currently trying to set up the Hybrid Azure AD DS On-premise with Azure AD using the Pass-Through Authentication.

May I know where the best placement for the Azure AD Connect server is?
Is there any best practice documentation I can follow to set up Azure AD Connect?

Thanks in advance.


2 answers

  1. Sandeep G-MSFT 14,486 Reputation points Microsoft Employee
    2022-06-25T04:24:33.423+00:00

    @EnterpriseArchitect

    You can have 2 AD Connect servers, one in production and the other as staging.
    The only difference between the production and staging servers is that on the production server there are import, synchronization and export steps (one for each connector) in one sync cycle. But on the staging server no export runs; only the import and synchronization steps run as part of one sync cycle.

    If for some reason the production AD Connect server goes down, you can disable staging mode on the staging server and bring it into production immediately.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

  2. Sandeep G-MSFT 14,486 Reputation points Microsoft Employee
    2022-06-23T10:45:08.033+00:00

    @EnterpriseArchitect

    Thank you for reaching out to us.

    Usually there is no specific best practice for placing the AD Connect server. You can place the AD Connect server anywhere in your on-premises environment.
    However, if you want to harden your Azure AD Connect server, you can follow the article below:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites#harden-your-azure-ad-connect-server

    Apart from this, if you are not looking to harden the server, you can put the statements below in place:

    Make sure that the server running the Azure AD Connect agent is properly secured. Limit which accounts are able to log on to the server, specifically those with local administrative rights. You will also need to control physical access to the server and enforce a strong password policy. If you need to allow other users to access the Azure AD Connect Sync tool, you can add them to the ADSyncAdmins group on the local server.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
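One way to verify the two points these answers make, that a production server exports while a staging server only imports and synchronizes, and that logon and administrative access to the AD Connect server is limited to a short approved list, as an added PowerShell example that is not part of the thread. It assumes it runs in an elevated session on the AD Connect server itself, that the ADSync module installed with the product is available, and that the operator supplies the expected role and the approved principals (CONTOSO\AADC-Admins is a constructed placeholder, not a value from the thread).

```powershell
# Added example (not from the Q&A thread): audit an Azure AD Connect server's
# staging-mode state and the local groups that grant access to the sync engine.
# Assumptions: elevated Windows PowerShell on the AD Connect server; the ADSync
# module shipped with the product is present; role and approved list come from
# the operator.
param(
    [ValidateSet('Production', 'Staging')]
    [string]$ExpectedRole = 'Production',

    # Principals allowed in Administrators / ADSyncAdmins. Constructed sample value;
    # in a real run this list must also include the built-in local Administrator
    # and any account the product itself added to these groups.
    [string[]]$ApprovedMembers = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\AADC-Admins')
)

Import-Module ADSync -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[string]

# 1. Staging mode: exactly one server in the pair may export, so the flag must
#    match the role the operator says this server has.
$scheduler     = Get-ADSyncScheduler
$expectStaging = ($ExpectedRole -eq 'Staging')

if ($scheduler.StagingModeEnabled -ne $expectStaging) {
    $findings.Add("StagingModeEnabled is $($scheduler.StagingModeEnabled); role '$ExpectedRole' expects $expectStaging")
}
if (-not $scheduler.SyncCycleEnabled) {
    $findings.Add('Sync cycle scheduler is disabled; imports and synchronizations will not run')
}
if ($scheduler.SchedulerSuspended) {
    $findings.Add('Scheduler is suspended (usually left behind by an interrupted upgrade)')
}

# 2. Access control: anyone in local Administrators or ADSyncAdmins can read the
#    connector credentials and drive the sync engine, so both groups are compared
#    against the approved list.
foreach ($group in 'Administrators', 'ADSyncAdmins') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    if (-not $members) {
        $findings.Add("Local group '$group' not found or empty")
        continue
    }
    foreach ($m in $members) {
        if ($ApprovedMembers -notcontains $m.Name) {
            $findings.Add("Unapproved member of ${group}: $($m.Name) [$($m.ObjectClass)]")
        }
    }
}

# 3. Report as an object so the result can be collected centrally from both servers.
[pscustomobject]@{
    Server             = $env:COMPUTERNAME
    ExpectedRole       = $ExpectedRole
    StagingModeEnabled = $scheduler.StagingModeEnabled
    SyncCycleEnabled   = $scheduler.SyncCycleEnabled
    NextSyncCycleUtc   = $scheduler.NextSyncCycleStartTimeInUTC
    Compliant          = ($findings.Count -eq 0)
    Findings           = $findings.ToArray()
}
```

Run it once on each server of the pair with the matching `-ExpectedRole`; a `Compliant` of `$true` on the production server and on the staging server together confirms the split described in the first answer, and a non-empty `Findings` on either side lists the group members that fall outside the approved list from the second answer.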