#Office 365 and Azure AD Connect install#

One of the methods for providing authentication for Office 365 services is to redirect users back to an on-premise AD FS (Active Directory Federation Services) portal so that authentication is handled by the local infrastructure and its domain controllers. Some organizations prefer this route because they already have AD FS set up for multiple services with an MFA solution configured and want to unify authentication requests on their on-premise infrastructure, since they have yet to migrate that infrastructure to the Azure cloud. In other instances, the organization may already have most of its infrastructure migrated to the Azure cloud but would like to leverage the additional capabilities of AD FS.

I won't go into the details of each option but refer to the following documentation for more information:

I've come across many organizations who have their AD Connect installed on a domain controller, but it is actually not recommended by Microsoft. Installing Azure AD Connect on a domain controller is not recommended due to security practices and more restrictive settings that can prevent Azure AD Connect from installing correctly:

A local install of SQL Server consumes additional memory, contending with the domain controller's use of RAM to cache the ntds.dit database.
Azure AD Connect service accounts that require administrative permissions are added locally to the server, which on a domain controller means they are placed into the Builtin\Administrators group and therefore hold administrative privileges over the AD domain.
Every extra application or agent increases the attack surface (SQL Server is known for vulnerabilities).
SQL Server 2012 is an additional component that raises security concerns when present on a domain controller.
AD Connect installs a SQL Server 2012 Express Edition database, which complicates the demotion of the domain controller if that has to be done in the future.
DR for the domain controller is no longer straightforward with the additional AD Connect service installed, and the same is true for DR of AD Connect itself.
Restarts of the server to troubleshoot AD Connect affect domain controller services, DNS, or any other roles hosted on the server.

If the domain controller AD Connect is installed on is not a GC (Global Catalog), that can also cause issues.
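The following audit script is an added example for this post, not code from the original author or from Microsoft: run on a server, it reports whether the Azure AD Connect sync service sits on a domain controller, whether that DC is a Global Catalog, whether a SQL Server component is present, and whether the sync service account has landed in Builtin\Administrators. It assumes PowerShell 5.1+, the RSAT ActiveDirectory module, the default sync service name "ADSync", and the SQL registry paths noted in the comments.

```powershell
# Added audit script, not from the original post. Assumes PowerShell 5.1+, the RSAT
# ActiveDirectory module, and the default Azure AD Connect sync service name "ADSync".
function Test-AadConnectPlacement {
    $findings = @()

    # Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -lt 4) { return $findings }   # not a DC: the post's concerns do not apply

    Import-Module ActiveDirectory
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME

    $adSync = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'"
    if (-not $adSync) { return $findings }  # DC without AD Connect: nothing to flag

    $findings += 'Azure AD Connect (ADSync) is installed on a domain controller.'

    # AD Connect needs a Global Catalog; a non-GC DC is the case the post warns about.
    if (-not $dc.IsGlobalCatalog) {
        $findings += 'This domain controller is not a Global Catalog.'
    }

    # A local SQL Server / LocalDB install adds a second product to the DC and
    # complicates demotion and DR. Registry paths are assumptions; check your version.
    $sqlKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server Local DB\Installed Versions',
        'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    )
    foreach ($k in $sqlKeys) {
        if (Test-Path $k) { $findings += "SQL Server component present: $k" }
    }

    # On a DC, Builtin\Administrators (SID S-1-5-32-544) is a domain-wide group, so a
    # service account placed there holds administrative rights over the whole domain.
    $svcAccount = ($adSync.StartName -split '\\')[-1]
    $admins = Get-ADGroupMember -Identity 'S-1-5-32-544' -Recursive |
              Select-Object -ExpandProperty SamAccountName
    if ($admins -contains $svcAccount) {
        $findings += "Sync service account '$($adSync.StartName)' is in Builtin\Administrators."
    }
    return $findings
}

Test-AadConnectPlacement | ForEach-Object { Write-Warning $_ }
```

An empty result means either the server is not a domain controller or AD Connect is not installed on it, which is the placement the post recommends.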