Azure-docs: Clarification for Windows 2008 (non-R2) domain controller requirements for Password Writeback

Created on 6 Mar 2018 · 10 Comments · Source: MicrosoftDocs/azure-docs

The hotfix mentioned in the bullet "If you plan to use the feature password writeback, then the Domain Controllers must be on Windows Server 2008 (with latest SP) or later. If your DCs are on 2008 (pre-R2), then you must also apply hotfix KB2386717." - https://support.microsoft.com/en-us/help/2386717/the-enforce-password-history-and-minimum-password-age-group-policy-set - states that the server must have the PDC emulator role installed.

If the DC running Windows 2008 non-R2 doesn't have the PDC emulator role, is the hotfix ok to skip?


Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

  • ID: a763c4bd-b754-f8e2-2c34-a3972a583fbb
  • Version Independent ID: 7be77d14-5d29-948b-ff20-24bfd046f7e9
  • Service: active-directory

Labels: active-directory/svc, cxp, product-question, triaged

All 10 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

Thanks. I have assigned the issue to the author to investigate and update as appropriate.

@micahmckittrick, the customer is asking about a pre-requisite for a Windows Server 2008 R2 hotfix in the KB https://support.microsoft.com/en-us/help/2386717/the-enforce-password-history-and-minimum-password-age-group-policy-set

This is a support question and not a clarification question on the doc mentioned. Only support would be able to answer the questions on their KBs.

Thanks @billmath for clarifying.

@jrochet I did some research and the PDC role should be installed on your on-premises DC if it is being used as your Primary Domain Controller (PDC).

As per your question, if you are installing AD Connect on a secondary DC that is not running PDC, then you should not need to install this hotfix.

Thanks @micahmckittrick-msft. I saw Bill Mathers' comment and thought oh great, now I see why they switched to GitHub from the old comments system. Classic.

But then you pulled through! Much appreciated.

@jrochet Well thank you! Glad we could help!

@jrochet, @MicahMcKittrick-MSFT you are correct that Azure AD Connect does not need to be installed on the PDC. However, if you are using password writeback, it may.

The PDC emulator receives preferential replication of password changes that are performed by other domain controllers in the domain, and it is the source for the latest password information whenever a logon attempt fails as a result of a bad password.

If I am writing passwords back from Azure AD to on-premises AD then the PDC emulator would be required to replicate these changes to my other domain controllers. If these changes are not replicated then user logins can start to fail.

This is why I would recommend following up with support otherwise you may have users who are unable to login.

Thanks for the additional info. I luckily am dealing with a scenario where all of the FSMO roles including PDC-e are assigned to newer Windows DCs and there's just a single straggler DC with Windows 2008 SP2 with no roles. AAD Connect is actually installed on a separate member server, so the hotfix really seems like it won't be a factor.

We are enabling Password Writeback, to confirm, which is when we came across the hotfix requirement on the AAD Connect requirements page, and then the hotfix's own documentation, which brought up the PDC-e.

Thanks again!

@jrochet Just wanted to follow up as I had a chance to speak with one of the devs on this. A DC or a DC with the PDC role is not a requirement for Azure AD Connect to do password writeback. The hotfix only needs to be applied to pre-SP2 2008 servers that have the PDC role. But based on the info above, you have all SP2 or greater DCs so you shouldn't need the hotfix and should be good to go.

@jrochet My bad, I got SP2 and R2 mixed up, must be coffee time. But if your FSMO roles are on newer servers you should be okay.
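The thread boils down to one check an admin can script rather than reason about by hand: which DC holds the PDC emulator role, which DCs are Windows Server 2008 non-R2 (NT 6.0; 2008 R2 reports NT 6.1), and whether KB2386717 is present on a 2008 non-R2 DC that holds that role. The following PowerShell is an added example, not code from the issue thread or from Microsoft's documentation. It assumes the ActiveDirectory RSAT module on a domain-joined admin workstation and the rights to query each DC's installed updates remotely via Get-HotFix (WMI/DCOM); the property names used are those returned by Get-ADDomainController, Get-ADDomain and Get-ADForest.

```powershell
# Added example (not from the issue or the docs): report every DC's OS level,
# which FSMO roles it holds, and whether a Windows Server 2008 (non-R2) DC that
# holds the PDC emulator role is missing KB2386717.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$pdc    = $domain.PDCEmulator          # FQDN of the PDC emulator

# All five FSMO holders, so the report shows whether any role sits on an old DC.
$fsmoHolders = @{
    'PDCEmulator'          = $domain.PDCEmulator
    'RIDMaster'            = $domain.RIDMaster
    'InfrastructureMaster' = $domain.InfrastructureMaster
    'SchemaMaster'         = $forest.SchemaMaster
    'DomainNamingMaster'   = $forest.DomainNamingMaster
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Windows Server 2008 (non-R2) is NT 6.0; 2008 R2 is NT 6.1; 2012+ is 6.2 or later.
    $is2008NonR2 = $dc.OperatingSystemVersion -like '6.0*'
    $isPdc       = $dc.HostName -ieq $pdc
    $roles       = ($fsmoHolders.GetEnumerator() |
                    Where-Object { $_.Value -ieq $dc.HostName }).Key -join ','

    $hotfix = $null
    if ($is2008NonR2) {
        # Query the remote DC's installed updates; a missing KB returns nothing.
        $hotfix = Get-HotFix -Id 'KB2386717' -ComputerName $dc.HostName `
                             -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        DC             = $dc.HostName
        OS             = $dc.OperatingSystem
        ServicePack    = $dc.OperatingSystemServicePack
        OSVersion      = $dc.OperatingSystemVersion
        FsmoRoles      = $roles
        # True only in the case the KB article itself describes: a 2008 non-R2
        # DC that holds the PDC emulator role and does not yet have the hotfix.
        NeedsKB2386717 = ($is2008NonR2 -and $isPdc -and -not $hotfix)
    }
}

$report | Format-Table -AutoSize
```

A row with NeedsKB2386717 set to True is the one situation where the KB applies; a 2008 non-R2 DC with an empty FsmoRoles column, as in the original poster's environment, shows False. The ServicePack column is there because the Azure AD Connect prerequisite quoted in the issue also asks for the latest service pack on 2008 DCs, which is a separate requirement from the hotfix.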
