Server dedicated for AZURE AD CONNECT SYNC

Angel Garcia Gomez 21 Reputation points
2021-07-14T10:37:33.173+00:00

Hi

Is it a best practice to have a dedicated server to install Azure AD Connect on?

Can you have 2 servers in failover mode? Or do you only allow 1?

regards

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

Sort by: Most helpful
  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2021-07-14T11:25:53.313+00:00

    There is no "failover mode" per se.
    One server is the "production" server that handles syncs and exports, and you can have other servers in staging mode, ready to be switched to the "primary".
    All of these servers should be treated as peers. In other words, they are configured the same and can be set as the "primary" server whenever needed, for DR or during upgrades.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-staging-server

    Best practice is to have at least two AADConnect servers to accomplish this.

    1 person found this answer helpful.
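    As an added illustration of the peer/staging arrangement described above (not code from the thread or from Microsoft), the script below queries each Azure AD Connect server for its scheduler state and connector list and warns when the set of servers drifts from "exactly one active, the rest in staging, all configured alike". It assumes the ADSync module is installed on each server, WinRM is reachable, and the caller is a member of ADSyncAdmins; the server names are constructed placeholders.

```powershell
# Added example, not from the original thread. Assumes the ADSync module is present on
# each server, WinRM is enabled, and the caller is in the local ADSyncAdmins group.
# Server names are constructed placeholders.
$servers = @('AADC01.corp.example', 'AADC02.corp.example')

# Collect scheduler state and the connector names from every peer.
$state = Invoke-Command -ComputerName $servers -ScriptBlock {
    Import-Module ADSync
    $sched = Get-ADSyncScheduler
    [pscustomobject]@{
        Server      = $env:COMPUTERNAME
        StagingMode = $sched.StagingModeEnabled
        SyncEnabled = $sched.SyncCycleEnabled
        Connectors  = (Get-ADSyncConnector | Sort-Object Name | ForEach-Object Name) -join ';'
    }
}

$state | Format-Table Server, StagingMode, SyncEnabled, Connectors -AutoSize

# Exactly one peer should be exporting (staging mode off); all others stay in staging.
$active = @($state | Where-Object { -not $_.StagingMode })
switch ($active.Count) {
    0       { Write-Warning 'No active server: nothing is exporting to Azure AD.' }
    1       { Write-Host "Active server: $($active[0].Server)" }
    default { Write-Warning "More than one active server ($($active.Server -join ', ')); only one may export." }
}

# Peers must be configured the same so any of them can be promoted for DR or an upgrade.
$distinct = @($state.Connectors | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning 'Connector sets differ between servers; a staging server may not be a valid failover.'
}
```

    Run it from a management host on a schedule so that configuration drift between the active and staging servers is caught before a switchover is needed.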

  2. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2021-07-19T13:33:46.917+00:00

    Also, about the "dedicated" aspect of that server: Azure AD Connect is a very sensitive service in your environment. It has a high level of permissions and, if it were to be compromised, would have a catastrophic impact. Make sure you apply the same security policies, restrictions and threat detection capabilities on Azure AD Connect servers that you do on domain controllers or other critical systems (Azure AD Connect is in Tier-0, or in the Control Plane if you refer to the following documentation: https://learn.microsoft.com/en-us/security/compass/privileged-access-access-model).
