Which local domain controller is used during an Azure AD password writeback?

gvo 6 Reputation points


I would like to gather some extra information about how Azure Active Directory Connect chooses it's domain controller. More specifically when it has to perform a password writeback task initiated from Azure AD in a multi sites Active Directory forest.
I have 2 questions:

  1. When Azure AD Connect starts a sync cycle to synchronize on premise objects to the cloud it does a DNS query to decide which Domain Controller is used (correct?). I assume this DC is always located in the same AD Site at the site where AAD Connect is running?
  2. When a password writeback is initiated, the AAD Connect server is the one who's in contact with the Azure service bus to it receives the password first. Where does it write the password to?
    • Does AAD Connect write the new password to a DC in the same site as AAD Connect and follows the normal procedure for password resets in an AD forest? (Similar to a password change on for instance a domain joined pc)
    • Does AAD Connect write to the PDC (even when it's not located in the same site)?
    • Does AAD Connect write to the DC which was queried during the last sync to the cloud?
    • Does AAD Connect perform another DNS query to chose a random DC?
    • None of the above.

I'm crawling through the official documentation but cannot find a official answer for this question.

Thanks in advance for your help.

Kind regards,

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,073 questions
0 comments No comments
{count} vote

1 answer

Sort by: Most helpful
  1. KAREDD-MSFT 406 Reputation points Microsoft Employee
    1. AD Connect will normally initiate a DSGETDC call and will decide based on the result.
    2. The on-premises agent attempts to set the password through the AD DS SetPassword API. This is the same API that is used in on-premise scenarios. So, this API normally looks to see if there a secure channel established with the DC and uses the same channel to communicate the password reset over a different port.
    0 comments No comments