I would like to gather some extra information about how Azure Active Directory Connect chooses its domain controller, more specifically when it has to perform a password writeback task initiated from Azure AD in a multi-site Active Directory forest.
I have 2 questions:
When Azure AD Connect starts a sync cycle to synchronize on-premises objects to the cloud, it does a DNS query to decide which domain controller is used (correct?). I assume this DC is always located in the same AD site as the one where AAD Connect is running?
When a password writeback is initiated, the AAD Connect server is the one that is in contact with the Azure Service Bus, so it receives the password first. Where does it write the password to?
Does AAD Connect write the new password to a DC in the same site as AAD Connect and follow the normal procedure for password resets in an AD forest? (Similar to a password change on, for instance, a domain-joined PC.)
Does AAD Connect write to the PDC (even when it is not located in the same site)?
Does AAD Connect write to the DC which was queried during the last sync to the cloud?
Does AAD Connect perform another DNS query to choose a random DC?
None of the above.
I'm crawling through the official documentation but cannot find an official answer to this question.
Thanks in advance for your help.
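One way to see the two candidates the question contrasts (the DC the locator hands out for the AAD Connect server's own site versus the PDC emulator) is to run the DC locator yourself on the AAD Connect server. The following PowerShell is an added example written for this thread, not code from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module is installed and uses the placeholder domain name `corp.example.com`.

```powershell
# Added example (not from the original post): observe what the DC locator returns
# from the AAD Connect server's own site, and compare it with the PDC emulator.
# Assumes the ActiveDirectory RSAT module; "corp.example.com" is a placeholder.
Import-Module ActiveDirectory

$domain = 'corp.example.com'   # placeholder, replace with the forest's domain

# Site the local machine (the AAD Connect server) belongs to; nltest prints the
# site name on its first output line.
$localSite = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()

# Writable DC the locator picks for that site, forcing a fresh discovery so a
# cached answer from an earlier lookup is not reused.
$siteDc = Get-ADDomainController -DomainName $domain -Discover `
    -SiteName $localSite -Writable -ForceDiscover

# The PDC emulator FSMO holder, wherever it sits in the topology.
$pdc = Get-ADDomainController -DomainName $domain -Discover -Service PrimaryDC

[pscustomobject]@{
    LocalSite   = $localSite
    SiteLocalDC = "$($siteDc.HostName)"
    SiteOfDC    = "$($siteDc.Site)"
    PDCEmulator = "$($pdc.HostName)"
    PDCSite     = "$($pdc.Site)"
}
```

Run it on the AAD Connect server: if `SiteOfDC` differs from `LocalSite`, the locator found no writable DC in the server's site and fell over to another one, which is worth knowing before reasoning about writeback latency. Whichever DC actually performs a writeback is also the one that records the reset (Security event ID 4724 for a password reset attempt) in its local Security log, so the answer to this question determines which DC's logs an investigator should pull. The Synchronization Service Manager additionally lets you pin the AD connector to a preferred list of DCs under the connector's Configure Directory Partitions settings; if that list is populated, it takes precedence over the plain locator result shown above.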