Syncing with AADConnect from two ADs, but one AD will be synced into 2 different tenants at the same time

Dieter Tontsch (GMail) 962 Reputation points
2023-02-06T15:02:37.3566667+00:00

Hello,

I have a question. We are about to migrate parts of our Active Directory, currently synced to Azure AD (via AADConnect), into another Azure AD.

Therefore, for testing purposes I have created a new Azure tenant + domain (in a test environment) from which I can successfully sync users from that new AD to Azure.

Now I tried to connect, from the same AzureAD service, to my productive AD in order to sync a few specific users into this new Azure AD. When I try to add this forest it tells me something mentioned here https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#adding-new-directories-to-existing-deployment (unique ms-DS-ConsistencyGuid).

The very same error message. Now it is true that the source AD in question is also synced to my current productive Azure tenant. But I actually wanted to take a few users out of that sync and later sync them into the new Azure AD. I have to mention that there is as yet no domain trust established between the two on-prem ADs; is this required?

So, should it be possible to do the following:

  • add a verified domain from my new target Azure AD to my productive AD.
  • add the above-mentioned AD as a second source in my AADConnect, while parts of that AD are still synced by another AADConnect into a different Azure tenant. That domain is already configured for sync with a different AADConnect - that's probably why it gives the error "The forest xxx cannot be added because the attribute used to uniquely identity your users an Azure-AD (mS-DS-ConsistencyGUI) is already in use."
  • modify the UPN for some users (my test users) to match the domain of the new target Azure tenant, and at the same time take these users out of the original sync
  • configure the newly added domain to sync e.g. only a certain OU with users whose UPN matches the new Azure tenant
  • as a bonus, I could still restore these deleted users (Restore-MsolUser) in the old tenant (they have a different UPN there) and still use their identity, e.g. for certain enterprise apps etc. This would only be a temporary step.

Basically I want to sync from one Active Directory into 2 Azure tenants at the same time, obviously not the same users.

Kind regards,

Dieter

Microsoft Entra ID

Accepted answer
  1. Thameur-BOURBITA 35,431 Reputation points
    2023-02-07T10:28:22.58+00:00

    Hi @Anonymous

    Unfortunately, you can't sync the same forest to 2 tenants at the same time.

    If the forest is already synced through Azure AD Connect you will get this error:

    The forest xxx cannot be added because the attribute used to uniquely identity your users an Azure-AD (mS-DS-ConsistencyGUI) is already in use

    If you want to sync your forest with the new tenant and keep the user accounts in the old tenant, I suggest you follow these steps:

    • Disable directory synchronisation on the first AD Connect server with the old tenant: Turn off directory synchronization for Microsoft 365
    • Update the UPN and mail address in your on-premises forest in order to avoid any conflict
    • Sync the forest with the new tenant using another AD Connect server

    Please don't forget to mark the helpful answer as accepted.

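The three steps in the accepted answer, carried out in PowerShell, as an added example that is not part of the answer above or of any Microsoft documentation. It assumes the MSOnline, ActiveDirectory and ADSync modules are installed where each step runs, that the pilot users live in the hypothetical OU `OU=NewTenantUsers,DC=corp,DC=example`, that the old tenant's UPN suffix is the hypothetical `corp.example`, and that the hypothetical `newtenant.example` is already a verified domain in the new tenant and an alternative UPN suffix in the forest. Note that turning off directory synchronisation affects every synced object in the old tenant, not only the pilot users, so record the anchors before the second server takes over the forest.

```powershell
# Added example, not code from the original page. All OU, domain and suffix
# values below are hypothetical placeholders; replace them with your own.
Import-Module MSOnline
Import-Module ActiveDirectory

$PilotOU      = 'OU=NewTenantUsers,DC=corp,DC=example'  # hypothetical OU holding the pilot users
$OldUpnSuffix = 'corp.example'                          # hypothetical UPN suffix known to the old tenant
$NewUpnSuffix = 'newtenant.example'                     # hypothetical verified domain of the new tenant

# Step 1 (run while signed in to the OLD tenant): turn off directory synchronisation.
Connect-MsolService
Set-MsolDirSyncEnabled -EnableDirectorySync $false -Force

# The switch-off is not instantaneous; poll the tenant until it no longer reports itself as synced.
do {
    Start-Sleep -Seconds 60
    $stillSynced = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
} while ($stillSynced)

# Step 2 (on-premises forest): move the pilot users' UPN and mail to the new tenant's
# verified domain, and record the existing mS-DS-ConsistencyGuid of each user so the
# source anchor is known before the second AD Connect server syncs the forest.
$report = foreach ($u in Get-ADUser -SearchBase $PilotOU -Filter * -Properties mail, 'mS-DS-ConsistencyGuid') {
    $newUpn = $u.UserPrincipalName -replace "@$([regex]::Escape($OldUpnSuffix))$", "@$NewUpnSuffix"
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -EmailAddress $newUpn
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        OldUpn          = $u.UserPrincipalName
        NewUpn          = $newUpn
        # The attribute is stored as a byte array; convert it for a readable report.
        ConsistencyGuid = if ($u.'mS-DS-ConsistencyGuid') { [guid]::new([byte[]]$u.'mS-DS-ConsistencyGuid') } else { $null }
    }
}
$report | Format-Table -AutoSize

# Step 3 (run on the NEW AD Connect server, after the forest has been added with
# OU filtering limited to $PilotOU): trigger the initial sync cycle and check for errors.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial
```

Keep the `$report` output: if a pilot user later has to be restored in the old tenant with `Restore-MsolUser`, as the question proposes, the old UPN and the recorded anchor are what you need to match the restored cloud object against the on-premises account.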

1 additional answer

  1. JimmySalian-2011 42,241 Reputation points
    2023-02-06T15:57:37.9833333+00:00

    Hi Dieter,

    Yes, it is possible; however, you need to take care of the following points:

    The default configuration in Azure AD Connect sync assumes:

    • Each user has only one enabled account, and the forest where this account is located is used to authenticate the user. This assumption is for password hash sync, pass-through authentication and federation. UserPrincipalName and sourceAnchor/immutableID come from this forest.
    • Each user has only one mailbox

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

