Azure-docs: Can pass-through agent be installed in the domain controller?
The document said "For most customers, three Authentication Agents in total are sufficient for high availability and capacity. You should install Authentication Agents close to your domain controllers to improve sign-in latency."
Can pass-through agent be installed in the domain controller? what does recommend
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: c5b27433-167f-6e8e-75a9-2a30e08c94e5
- Version Independent ID: 11a6383e-344c-07dd-307e-1c6c54ac8c03
- Content: Azure AD Pass-through Authentication - Quick start
- Content Source: articles/active-directory/hybrid/how-to-connect-pta-quick-start.md
- Service: active-directory
- Sub-service: hybrid
- GitHub Login: @billmath
- Microsoft Alias: billmath
swiftPeter
All 7 comments
@swiftPeter
Thanks for your feedback! We will investigate and update as appropriate.
MarileeTurscak-MSFT
on 20 Jun 2019
Hi @swiftPeter ,
As the AD Connect prerequisites say,
"Installing Azure AD Connect on a Domain Controller is not recommended due to security practices and more restrictive settings that can prevent Azure AD Connect from installing correctly."
Yes, you can install the pass-through agent on a domain controller but it is not recommended because it is best not to install AD Connect on a domain controller. If you install AD Connect on a domain controller it will be harder to understand a problem if occurs in your environment whether the problem is on the DC role or AD Connect. Typically, when you install a domain controller, you want to make sure there are no other services that interfere or compete with the compute, memory, networking, or disk resources. Also, should there be an AAD Connect software error, a reboot may be required. Although the network should include multiple DC's for replication and HA purposes, few admins favor adding more resources to a busy and important server.
Hope this helps!
MarileeTurscak-MSFT
on 21 Jun 2019
We will now proceed to close this thread. If you have further questions feel free to tag me or @billmath in the comments and we will gladly continue the discussion.
MarileeTurscak-MSFT
on 21 Jun 2019
@MarileeTurscak-MSFT Thanks Marilee, that make sense
swiftPeter
on 15 Sep 2019
@MarileeTurscak-MSFT @billmath "Yes, you can install the pass-through agent on a domain controller but it is not recommended because it is best not to install AD Connect on a domain controller."
The initial question was specific to the recommendation of the installation of PTA agents not Azure AD Connect. If Azure AD Connect is installed on a member server as recommend, is it recommended to install additional PTA agents Domain Controllers? Swaroop does not suggest the installation of additional PTA agents on Domain Controllers is not recommended. Clarity here would be great as it means customers with Domain Controllers that have sufficient resources to cater for the new service do not need to incur additional expense of additional servers -> https://youtu.be/PyeAC85Gm7w?t=239
Perhaps we could get the PTA Agent/DC Recommendation question added to the PTA agent FAQ as it does regularly come up in talks with customers.
ZaherButt
on 17 Jan 2020
@MarileeTurscak-MSFT @swiftPeter @ZaherButt @PRMerger13 @PRMerger17
So guys... where do we stay with this? I am not going to build a machine on-prem just to hold the PTA agent - and my DC is a Tier1 machine... Can we have some clarity on this please?
Many thanks to all.
ii-batman
on 24 Apr 2020
@billmath @MarileeTurscak-MSFT
Any news?
claudio-ss
on 18 Jun 2020
Related issues
monteledwards
·
3Comments
JeffLoo-ong
·
3Comments
Agazoth
·
3Comments
jebeld17
·
3Comments
bdcoder2
·
3Comments
Most helpful comment
@MarileeTurscak-MSFT @billmath "Yes, you can install the pass-through agent on a domain controller but it is not recommended because it is best not to install AD Connect on a domain controller."
The initial question was specific to the recommendation of the installation of PTA agents not Azure AD Connect. If Azure AD Connect is installed on a member server as recommend, is it recommended to install additional PTA agents Domain Controllers? Swaroop does not suggest the installation of additional PTA agents on Domain Controllers is not recommended. Clarity here would be great as it means customers with Domain Controllers that have sufficient resources to cater for the new service do not need to incur additional expense of additional servers -> https://youtu.be/PyeAC85Gm7w?t=239
Perhaps we could get the PTA Agent/DC Recommendation question added to the PTA agent FAQ as it does regularly come up in talks with customers.