Setup Azure AD Connect to Synchronize Multiple Active Directory Forests

Spread the love




Azure Active Directory is a cloud version of on-premise Active Directory running on Windows server that we are all familiar with. Azure AD Connect is a tool that allow you to synchronize on-premise Active Directory objects like, user accounts, groups, contacts, etc. with Azure Active Directory. Azure AD Connect allow you to synchronize single Active Directory forest or multiple Active Directory forests with Office 365. In this article, I will show how you can setup Azure AD Connect to synchronize multiple Active Directory forests with single Office 365 tenant.

Setup Azure AD Connect to Synchronize Multiple Active Directory Forests

The diagram above shows our scenario. We have two separate Active Directory forests, mustbegeek.com and mustbeweb.com. In this example, mustbegeek.com purchased mustbeweb.com. So directory synchronization server will be installed on mustbegeek.com network on MBG-DirSync server. The MBG-DIrSync server needs to reach Active Directory of both sites with certain ports. Two completely different Exchange organization exists in both network, users exists uniquely across two forests.

You can setup Azure AD Connect on any domain joined Windows Server or even non-domain joined. Download the Azure AD Connect in the MBG-DirSync server and start installation. Here, I will setup Azure AD Connect on Server 2012 R2. I created service.dirsync service account and logged into MBG-DirSync server with this service account. I also made this account member of local Administrators group in MBG-DirSync server.

Setup Azure AD Connect to Synchronize Multiple Active Directory Forests



Agree the license terms and click continue.

customize

Click customize.

service-account

Choose use an existing service account, enter the service account credentials and click Install.

begin-installation

The installation will now begin.

password-synchronization

Choose password synchronization option and click Next. Password synchronization will sync hash of password from on-prem Active Directory to Office365.

connect-to-azure-ad

Enter Azure AD credentials and click Next.

add-mustbegeek

Now add active directory forest, here it’s mustbegeek.com forest. Type mustbegeek administrator credentials and click Add Directory.

add-mustbeweb

After adding mustbegeek.com forest, you can add mustbeweb.com forest. Enter domain administrator credentials and click Add Directory. If you do not have forest trust relationship established mustbeweb.com forest can not be added here.

configured-directories

You can see the list of configured directories as shown above. Now, click Next.

upn

You will see the available UPN suffix that can be used for logins. Under user principal name choose userPrincipalName. UPN is used to login to Office 365 portal. You can also use other attributes like email address, employee ID, etc.

sync-ous

You can now choose OUs that you want to synchronize with Azure Active Directory. You can do this for both forests. The screenshot above shows for mustbegeek.com forest, you can repeat the same step for mustbeweb.com forest. Click Next once done. To select OUs for another directory choose mustbeweb.com from Directory drop-down option above. If you can select the directory but you are not seeing any OUs, then it is most likely because the DirSync server is unable to reach the Active Directory of the particular site. Check if required ports are reachable or not from DirSync server to Active Directory. You also need to make sure DNS is resolving correctly.

identify-users

This is tricky and important. If you have separate forest and users of one forest is not present in another forest then you can choose users are represented only once across all directories option. If user and resource is located anywhere in forest then you should choose user identities exist across multiple directories option and match using mail attribute or other attribute. To know more about supported topologies visit this link. Choose option “synchronize all users and devices”. Click Next on filtering.

Check option “Exchange hybrid deployment” and click Next.

Choose start the synchronization process when configuration completes and click Install.

 




The following two tabs change content below.
Bipin is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Bipin enjoys writing articles and tutorials related to Network technologies. Some of his certifications are, MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.

Latest posts by Bipin (see all)

scroll to top