AD Connect - staging mode server and security

Question

Hi,
Currently, we're using AD Connect on 2012 R2 to sync identities to Azure AD. We use ADFS for authentication. We want to upgrade AD Connect and add a staging mode server.

Is it supported/recommended to run Windows 2019 AD connect on a staging mode server whilst the active AD connect is on 2012 R2?

Our plan is to make the staging mode server live and then setup a new 2019 server and install AD Connect on the third server so that we have an active/passive configuration.

Lastly, what are the security controls and best practices around password writeback? My management team wants to ensure we're not opening ourselves to vulnerabilities.

Thanks in advance

Answer 1

I don't think it matters about the server versions between the staging and "prod" server
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites#installation-prerequisites

The supported version is simply 2012 or higher

The best practices:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback#configure-account-permissions-for-azure-ad-connect

And hardening recommendations:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites#harden-your-azure-ad-connect-server

Answer 2

Thanks, very helpful