Azure Ad Connect for 2 forest with same users

sandeep 21 Reputation points
2020-01-08T07:21:56.03+00:00

Dear Team,

We have a scenario in which we have to configure AD Connect for two forests and create Office 365 mailboxes. There is no trust between them. There are multiple users present in both forests for business needs. What options do we have in this scenario?

Best regards.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-01-08T07:59:19.177+00:00

    @officead365, since you have the same set of users in both forests, the only supported scenario would be to use an account-resource forest topology, where the account in the resource forest should be disabled. Each user should have only one enabled account. If you have more than one active account or more than one mailbox, the sync engine picks one and ignores the other. Also, the resource forest trusts all account forests.

    For more information, please refer to https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-forests-single-azure-ad-tenant.

    -----------------------------------------------------------------------------------------------------------

    Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.

  2. Hugh@OCT 1 Reputation point
    2020-01-28T14:50:19.307+00:00

    I think it is worth asking: what do you want to happen? Let's assume you only want one Azure AD tenant. How many of the users in forest A also have an account in forest B, and vice versa? If the overlap is zero you may be able to connect them without setting up trusts. If the overlap is heavy, then you really have to ask yourself who is in charge. What do you expect to happen absent Azure AD Connect; for example, what do you want to happen if one or the other is disabled, or changes from enabled to disabled or vice versa? There is an organizational question here that has to be answered before a technical solution can be defined.

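Both answers come down to the same pre-check: how large is the overlap between the two forests, and for each overlapping person, is exactly one account enabled? The PowerShell below is an added example for this thread, not code from either answer or from Microsoft. It matches users across forests on the mail attribute (one of the matching choices the Connect wizard offers when identities exist in more than one directory) and flags the cases answer 1 warns about, where the sync engine would have to pick one of two enabled accounts. The forest names, DC hostnames, service account and the six sample users are constructed for illustration; the `Get-ForestUserSummary` helper is how you would populate the same arrays from real forests, using explicit credentials because there is no trust.

```powershell
# Added example (not from the original thread). Finds users who exist in both
# forests and classifies them for an Azure AD Connect multi-forest rollout.
# Forest names, DC hostnames and sample users below are assumptions.

# Pull the attributes that matter for matching from one forest.
# Needs the ActiveDirectory module; -Credential is required without a trust.
function Get-ForestUserSummary {
    param(
        [Parameter(Mandatory)] [string]       $Server,      # e.g. dc01.forest-a.example (assumed)
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $SearchBase
    )
    $params = @{
        Server     = $Server
        Credential = $Credential
        Filter     = '*'
        Properties = 'mail', 'userPrincipalName', 'homeMDB'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params | ForEach-Object {
        [pscustomobject]@{
            Forest     = $Server
            Sam        = $_.SamAccountName
            Upn        = $_.UserPrincipalName
            Mail       = $_.mail
            Enabled    = $_.Enabled
            HasMailbox = [bool]$_.homeMDB   # on-premises mailbox present
        }
    }
}

# Group the combined user list by mail and classify each person.
function Compare-ForestIdentities {
    param(
        [Parameter(Mandatory)] [object[]] $ForestA,
        [Parameter(Mandatory)] [object[]] $ForestB
    )
    $byMail = @{}
    foreach ($u in ($ForestA + $ForestB)) {
        # Accounts without mail cannot be matched on this attribute; skip them.
        if ([string]::IsNullOrWhiteSpace($u.Mail)) { continue }
        $key = $u.Mail.ToLowerInvariant()
        if (-not $byMail.ContainsKey($key)) { $byMail[$key] = @() }
        $byMail[$key] += $u
    }
    foreach ($key in $byMail.Keys) {
        $accounts = $byMail[$key]
        $enabled  = @($accounts | Where-Object Enabled)
        $status = if ($accounts.Count -eq 1)    { 'Unique' }              # only in one forest
                  elseif ($enabled.Count -gt 1) { 'Conflict-BothEnabled' } # sync engine would pick one
                  elseif ($enabled.Count -eq 1) { 'Ok-OneEnabled' }        # account/resource shape
                  else                          { 'BothDisabled' }
        [pscustomobject]@{
            Mail     = $key
            Status   = $status
            Accounts = ($accounts | ForEach-Object {
                "$($_.Forest)\$($_.Sam)" + $(if ($_.Enabled) { ' (enabled)' } else { ' (disabled)' })
            }) -join '; '
        }
    }
}

# --- Constructed sample data standing in for the two real forests ---
$forestA = @(
    [pscustomobject]@{ Forest='forest-a.example'; Sam='asmith'; Upn='asmith@forest-a.example'; Mail='alice.smith@example.com'; Enabled=$true;  HasMailbox=$false }
    [pscustomobject]@{ Forest='forest-a.example'; Sam='bjones'; Upn='bjones@forest-a.example'; Mail='bob.jones@example.com';   Enabled=$true;  HasMailbox=$false }
    [pscustomobject]@{ Forest='forest-a.example'; Sam='clee';   Upn='clee@forest-a.example';   Mail='carol.lee@example.com';   Enabled=$true;  HasMailbox=$false }
)
$forestB = @(
    [pscustomobject]@{ Forest='forest-b.example'; Sam='asmith'; Upn='asmith@forest-b.example'; Mail='alice.smith@example.com'; Enabled=$false; HasMailbox=$true }  # disabled resource account: fine
    [pscustomobject]@{ Forest='forest-b.example'; Sam='bjones'; Upn='bjones@forest-b.example'; Mail='Bob.Jones@example.com';   Enabled=$true;  HasMailbox=$true }  # enabled in both: conflict
    [pscustomobject]@{ Forest='forest-b.example'; Sam='dkim';   Upn='dkim@forest-b.example';   Mail='dan.kim@example.com';     Enabled=$true;  HasMailbox=$true }
)

# For real forests, replace the sample arrays with (names assumed):
#   $credA   = Get-Credential 'FORESTA\svc-audit'
#   $forestA = Get-ForestUserSummary -Server 'dc01.forest-a.example' -Credential $credA

$report = Compare-ForestIdentities -ForestA $forestA -ForestB $forestB
$report | Sort-Object Status | Format-Table -AutoSize
$report | Group-Object Status | Select-Object Name, Count
```

On the sample data this reports `alice.smith` as Ok-OneEnabled, `bob.jones` as Conflict-BothEnabled (note the case difference in the mail value, which is why matching lowercases the key), and the other two as Unique. The Conflict rows are the list to take back to the organizational question in answer 2: for each one, decide which forest owns the identity and disable the other account before pointing Azure AD Connect at both forests, rather than letting the sync engine choose.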