Azure AD Connect - Architecture DMZ or not

Lolo S 1 Reputation point
2022-10-31T15:06:30.987+00:00

Hello,

I would like to know if it's a best practice to put the "Azure AD Connect" server in a DMZ (e.g. dmz.contoso.com) when we just need to synchronise the user identities located in the main forest "contoso.com".
There is only a one-way trust from dmz.contoso.com to cssf.lu (I mean only contoso.com users can connect to the dmz.contoso.com forest).

Is there any security risk in putting the AD Connect server directly in the contoso.com forest?

Thanks

L.


1 answer

  1. Andy David - MVP 157.6K Reputation points MVP Volunteer Moderator
    2022-10-31T15:14:44.29+00:00

    The AADConnect server has to be domain-joined.
    Treat it like a domain controller.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites


