I have looked over the documentation and the FAQ but there is one detail I'm not sure on which may be worth clarifying in the documentation.
For those of us with large on-prem AD forests, it is already quite an undertaking to install an agent on every DC, so how many proxy servers would it be reasonable to maintain? Are they redundant? And if, for example, we only have 2 proxies and these are offline for a period of time (say over an hour), what will happen on the DCs if they can't poll for a new password policy? Will they simply continue using the last known downloaded policy?
Thanks
@WhatsMyNameLol Thanks for your feedback! We will investigate and update as appropriate.
Hi @WhatsMyNameLol,
The proxy servers are stateless, so yes, having two is just for redundancy. It is usually a non-event if the proxy server(s) are offline for hours or even a day or three. Please take a look at the following section of the docs:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy#high-availability
To answer the question directly though: yes, even if all registered proxy servers become unavailable, the DC Agents continue to enforce their locally cached password policy.
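An operational check that follows from the answer above, added here as an example and not part of the original thread or of Microsoft's own tooling: since DC Agents keep enforcing the cached policy while proxies are down, the thing worth monitoring is how stale each agent's cached policy has become and whether any proxy has reported recently. The script assumes the `AzureADPasswordProtection` PowerShell module (installed with the proxy service) and its `Get-AzureADPasswordProtectionProxy` / `Get-AzureADPasswordProtectionDCAgent` cmdlets, along with their `HeartbeatUTC` and `PasswordPolicyDateUTC` properties as described in the module documentation; the staleness thresholds are made-up values to be tuned for your environment.

```powershell
# Report proxy liveness and DC Agent policy freshness for Azure AD Password Protection.
# Assumes the AzureADPasswordProtection module is installed (it ships with the proxy).
# Thresholds below are illustrative assumptions, not documented limits.
param(
    [int]$ProxyHeartbeatMaxHours = 2,   # proxy silent longer than this -> warn
    [int]$PolicyAgeMaxDays       = 3    # cached policy older than this -> warn
)

Import-Module AzureADPasswordProtection -ErrorAction Stop
$now = (Get-Date).ToUniversalTime()

# 1. Proxies: a stateless tier, so only "has any proxy checked in recently?" matters.
$proxies = Get-AzureADPasswordProtectionProxy
$liveProxies = @($proxies | Where-Object {
    ($now - $_.HeartbeatUTC).TotalHours -le $ProxyHeartbeatMaxHours
})
"{0} of {1} registered proxies have sent a heartbeat within {2}h" -f `
    $liveProxies.Count, @($proxies).Count, $ProxyHeartbeatMaxHours

# 2. DC Agents: enforcement continues from the local cache, so surface policy age per DC.
$agents = Get-AzureADPasswordProtectionDCAgent
$report = foreach ($a in $agents) {
    $policyAgeDays = [math]::Round(($now - $a.PasswordPolicyDateUTC).TotalDays, 1)
    [pscustomobject]@{
        ServerFQDN    = $a.ServerFQDN
        Domain        = $a.Domain
        PolicyAgeDays = $policyAgeDays
        LastHeartbeat = $a.HeartbeatUTC
        Status        = if ($policyAgeDays -gt $PolicyAgeMaxDays) { 'STALE-POLICY' } else { 'OK' }
    }
}
$report | Sort-Object PolicyAgeDays -Descending | Format-Table -AutoSize

# 3. Exit non-zero when no proxy is live AND at least one agent's cache is aging,
#    so the script can drive a scheduled-task or monitoring alert.
$staleAgents = @($report | Where-Object Status -eq 'STALE-POLICY')
if ($liveProxies.Count -eq 0 -and $staleAgents.Count -gt 0) {
    Write-Warning ("No live proxies and {0} DC Agent(s) running on a cached policy older than {1} day(s)." -f `
        $staleAgents.Count, $PolicyAgeMaxDays)
    exit 1
}
exit 0
```

Run it from a host with the module installed (typically one of the proxy servers) under an account that can read the forest's service connection points. Agents showing `STALE-POLICY` are still enforcing a policy, just an older one; the alert is about restoring proxy connectivity before the cached policy drifts far from what is configured in the tenant.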
Thank you @jay98014 for this explanation. We will now proceed to close this thread. If you have further questions feel free to tag us in the comments and we will gladly continue the discussion.