Microsoft Direct Access or ADFS or Both?

Marco Milone 51 Reputation points
2020-10-24T08:05:55.29+00:00

Hi,
I successfully setup my OnPremise AD domain and office 365 With "Azure AD Connect" and successfully setup the ADFS for authentication.
I also enabled the Hybrid Join Feature for my clients.
All works fine.

My answer is:

what happens to notebooks that do not contact the domain controller for a long time? These are the devices of the consultants who are never on site. Do they lose the trust relationship? Do password caches expire preventing login?

How can I prevent these problems?

I knew that DirectAccess can solve this problem. Can I install it on the Domain Controller where AD Connect and ADFS are already installed? Is there any alternative?

Thanks!

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,226 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,631 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,506 Reputation points
    2020-10-24T08:26:57.67+00:00

    @Marco Milone ·

    Scenario:
    “Users have their PCs at home and are without VPN/connectivity. Many are disconnected for longer than the machine password age setting in my AD. Will there be secure channel/device password issues when people come back into the office and plug back into the LAN? Will users see this at sign-in?”

    The answer is “No” - and here’s why:

    The password change process on your remote worker’s PCs will kick-off at some point after the MaximumPasswordAge interval is exceeded on the PC. However, in the ‘no AD connectivity’ situation, a DC won’t be discovered/reachable. The machine password change process ‘logic’ is such that if the client can’t connect to a DC, “the process” will shut itself down before the PC’s local registry is updated with a new password - nothing changes on the client.
    When these PCs come back to the office in xxx days (or get full VPN connectivity to a DC or whatever), the password change process on the PC will “wake up” again and re-attempt the domain password change process. This time, assuming the PC will be able to find a DC, the process will complete its machine password change (and its corresponding registry update) - and then communicate that new value to the DC it found. This DC updates the password attribute of the computer object in its copy of AD, and then AD replication takes that new value out to other DCs. All will be well.
    The netlogon process on the client has been trying this, every so often, while offline - but the process always bailed-out because it couldn’t find/reach a DC.

    Read more: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/secure-channel-expired-machine-account-password-concerns/ba-p/1333535

    Can I install it on the Domain Controller where AD Connect and ADFS are already installed?
    No, Direct Access server can't be a domain controller and must be a member server.

    Read more: https://learn.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/single-server-wizard/da-basic-plan-s1-infrastructure#bkmk_1_6_AD

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee
    2020-10-27T10:31:04.45+00:00
    0 comments No comments