Azure Active Directory is a cloud version of the on-premises Active Directory running on Windows Server that we are all familiar with. Azure AD Connect is a tool that allows you to synchronize on-premises Active Directory objects such as user accounts, groups and contacts with Azure Active Directory. Azure AD Connect allows you to synchronize a single Active Directory forest or multiple Active Directory forests with Office 365. In this article, I will show how you can set up Azure AD Connect to synchronize multiple Active Directory forests with a single Office 365 tenant.
Setup Azure AD Connect to Synchronize Multiple Active Directory Forests
The diagram above shows our scenario. We have two separate Active Directory forests, mustbegeek.com and mustbeweb.com. In this example, mustbegeek.com purchased mustbeweb.com, so the directory synchronization server will be installed on the mustbegeek.com network, on the MBG-DirSync server. The MBG-DirSync server needs to reach the Active Directory of both sites on certain ports. Two completely different Exchange organizations exist in the two networks, and users exist uniquely across the two forests.
You can set up Azure AD Connect on any domain-joined Windows Server, or even on a non-domain-joined one. Download Azure AD Connect on the MBG-DirSync server and start the installation. Here, I will set up Azure AD Connect on Server 2012 R2. I created the service.dirsync service account and logged into the MBG-DirSync server with this service account. I also made this account a member of the local Administrators group on the MBG-DirSync server.
Agree to the license terms and click Continue.
Choose Use an existing service account, enter the service account credentials and click Install.
The installation will now begin.
Choose the Password Synchronization option and click Next. Password synchronization syncs a hash of each password from on-prem Active Directory to Office 365.
Enter Azure AD credentials and click Next.
Now add an Active Directory forest; here it is the mustbegeek.com forest. Type the mustbegeek administrator credentials and click Add Directory.
After adding the mustbegeek.com forest, you can add the mustbeweb.com forest. Enter domain administrator credentials and click Add Directory. If you do not have a forest trust relationship established, the mustbeweb.com forest cannot be added here.
You can see the list of configured directories as shown above. Now, click Next.
You will see the available UPN suffixes that can be used for logins. Under User Principal Name, choose userPrincipalName. The UPN is used to log in to the Office 365 portal. You can also use other attributes such as email address or employee ID.
You can now choose the OUs that you want to synchronize with Azure Active Directory. You can do this for both forests. The screenshot above shows the mustbegeek.com forest; repeat the same step for the mustbeweb.com forest by choosing mustbeweb.com from the Directory drop-down above. Click Next once done. If you can select the directory but are not seeing any OUs, it is most likely because the DirSync server is unable to reach the Active Directory of that site. Check whether the required ports are reachable from the DirSync server to Active Directory, and make sure DNS is resolving correctly.
This is tricky and important. If you have separate forests and the users of one forest are not present in the other, choose the option Users are represented only once across all directories. If a user and their resources are located in different forests, choose the option User identities exist across multiple directories and match using the mail attribute or another attribute. To learn more about supported topologies, visit this link. Choose the option "Synchronize all users and devices" and click Next on the Filtering page.
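The right choice in this step depends on whether the same person already has an account in both forests. As an added example that is not part of the original article, the PowerShell script below (run on the DirSync server; it assumes the RSAT ActiveDirectory module and uses the constructed domain controller names dc01.mustbegeek.com and dc01.mustbeweb.com) pulls the enabled users from both forests and reports any mail or userPrincipalName value that appears in more than one forest.

```powershell
# Added example, not from the original article. Lists enabled users from both
# forests and reports mail/UPN values shared between them, which tells you whether
# "users are represented only once" is safe or identities must be matched.
# Assumes the RSAT ActiveDirectory module; the DC names are constructed placeholders.
Import-Module ActiveDirectory

$forests = @(
    @{ Name = 'mustbegeek.com'; Server = 'dc01.mustbegeek.com' }
    @{ Name = 'mustbeweb.com';  Server = 'dc01.mustbeweb.com' }
)

# A separate read-only credential per forest keeps this check independent of trusts.
$users = foreach ($f in $forests) {
    $cred = Get-Credential -Message "Read-only account for $($f.Name)"
    Get-ADUser -Server $f.Server -Credential $cred -Filter 'Enabled -eq $true' `
               -Properties mail, userPrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                Forest            = $f.Name
                sAMAccountName    = $_.sAMAccountName
                userPrincipalName = $_.userPrincipalName
                mail              = $_.mail
            }
        }
}

# A value present in two forests means the same person (or a clash) exists in both.
$collisions = foreach ($attr in 'userPrincipalName', 'mail') {
    $users | Where-Object { $_.$attr } |
        Group-Object -Property $attr |
        Where-Object { @($_.Group.Forest | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Attribute = $attr
                Value     = $_.Name
                Forests   = ($_.Group.Forest | Sort-Object -Unique) -join ', '
                Accounts  = ($_.Group.sAMAccountName) -join ', '
            }
        }
}

if (-not $collisions) {
    'No mail or UPN value is shared between forests: "users are represented only once" is safe.'
} else {
    'Shared identities found; choose "user identities exist across multiple directories" and match on the attribute listed:'
    $collisions | Format-Table -AutoSize
}
```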
Check the option "Exchange hybrid deployment" and click Next.
Choose Start the synchronization process when configuration completes and click Install.