0 Votes
AngelGarciaGomez-7296 asked piaudonn answered

Server dedicated for AZURE AD CONNECT SYNC

Hi

Is it a best practice to have a dedicated server to install Azure AD Connect?

Can you have 2 servers in failover mode, or do you only allow 1?

Regards

azure-ad-connect

1 Vote
AndyDavid answered

There is no "failover mode" per se.
One server is the "production" server that handles syncs and exports, and you can have other servers in staging mode, ready to be switched to the "primary".
All of these servers should be treated as peers. In other words, they are configured the same and can be set as the "primary" server whenever needed, for DR or during upgrades.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-staging-server

Best practice is to have at least two AADConnect servers to accomplish this.


0 Votes
piaudonn answered

Also, about the "dedicated" aspect of that server. Azure AD Connect is a very sensitive service in your environment. It has a high level of permissions and, if it were to be compromised, would have a catastrophic impact. Make sure you apply the same security policies, restrictions and threat detection capabilities on Azure AD Connect servers that you do on domain controllers or other critical systems (Azure AD Connect is in Tier-0, or in the Control Plane if you refer to the following documentation: https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model).

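The two answers above describe a layout (exactly one active Azure AD Connect server, the others in staging mode) and a control requirement (treat those servers as Tier-0 and restrict who can administer them). The following PowerShell script is an added example, not code from the thread or from Microsoft, that checks both from a management workstation: it reads the scheduler state from each server with `Get-ADSyncScheduler` (from the ADSync module installed with Azure AD Connect) and lists the members of each server's local Administrators group. The server names and the allowed admin groups are assumed placeholders that you would replace with your own.

```powershell
# Added example, not from the original thread. Assumptions: PowerShell remoting is
# enabled on the Azure AD Connect servers, and the account running this script may
# query them. Server names and admin groups below are placeholders.
$aadcServers   = @('AADC01.contoso.local', 'AADC02.contoso.local')   # assumed names
$allowedAdmins = @('CONTOSO\Tier0-AADC-Admins', 'CONTOSO\Domain Admins')  # assumed groups

# Collect scheduler state and local admin membership from every server.
$report = Invoke-Command -ComputerName $aadcServers -ScriptBlock {
    Import-Module ADSync -ErrorAction Stop
    $sched  = Get-ADSyncScheduler
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Server           = $env:COMPUTERNAME
        StagingMode      = $sched.StagingModeEnabled   # $true = staging (no exports)
        SyncCycleEnabled = $sched.SyncCycleEnabled     # $false = scheduler paused
        LocalAdmins      = $admins
    }
}

$report | Select-Object Server, StagingMode, SyncCycleEnabled | Format-Table -AutoSize

# Check 1: exactly one server should be active (StagingMode = $false).
$active = @($report | Where-Object { -not $_.StagingMode })
if ($active.Count -ne 1) {
    Write-Warning ("Expected exactly one active Azure AD Connect server, found {0}: {1}" -f `
        $active.Count, ($active.Server -join ', '))
}

# Check 2: local Administrators on each server should contain only the Tier-0
# principals you allow. The built-in local Administrator account (<SERVER>\Administrator)
# is always present; add it to $allowedAdmins if you expect it to stay enabled.
foreach ($r in $report) {
    $unexpected = $r.LocalAdmins | Where-Object {
        $allowedAdmins -notcontains $_ -and $_ -notlike "$($r.Server)\Administrator"
    }
    if ($unexpected) {
        Write-Warning ("{0}: unexpected local administrators: {1}" -f `
            $r.Server, ($unexpected -join ', '))
    }
}
```

Staging mode itself is switched through the Azure AD Connect wizard ("Configure staging mode"), not by this script; the script only verifies the resulting state. Running it on a schedule and alerting on either warning gives you a cheap detective control for the two failure modes the answers imply: two servers exporting at once, and an account outside your Tier-0 administrators gaining local admin on a Connect server.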