TWO separated Domain Controller to One tenant using AD connect

Question

TWO separated Domain Controller to One tenant using AD connect

Bekuretsion Gebremichael 0

Hello Community,

I have been working for weeks to figure this out, but unfortunately, I haven’t been able to make much progress.

My company has two separate Domain Controllers: bek.et and it.et. The bek.et domain is hosted in a partner company’s data center, which means it is separated from ours, including its networking system.

As far as I know, Azure AD Connect only supports syncing two forests to one tenant, but my case is different. So, is it possible to sync these two separate Active Directories using AD connect?

What are the options for having centralized user management, ideally with one tenant for both ADs? if both separate ADs are synced with their own Azure AD tenants (so two tenants).

Is it possible to:

Sync both Azure AD to one tenant?

Or merge the two tenants?

Any recommendations or best practices are appreciated

1 answer

Your answer

Answer 1

Obinna Ejidike 1,985

Hi Bekuretsion Gebremichael

Thanks for using the Q&A platform.

Yes, you can sync two separate domain controllers to one Azure AD tenant. Azure AD Connect can support multiple forests, so you can install Azure AD Connect on another machine, but it must be in Staging mode. Azure AD Connect cannot be running on 2 servers at the same time.

Install Azure AD Connect on one server in bek.et and sync to Azure AD tenant contoso.onmicrosoft.com, proceed to Install another instance in it.et, in staging mode, sync to the same Azure AD tenant. Only one instance can perform password hash sync, writeback, etc. at a time. But you can have both sync users into the tenant.

Another option would be to create a forest trust between bek.et and it.et and deploy a single Azure AD Connect server with a multi-forest configuration.

Find documentation:https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-staging-server#staging-mode

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-topologies#multiple-forests-single-azure-ad-tenant

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Obinna

Moosa Khan 595 Reputation points Microsoft External Staff Moderator

2025-05-07T23:01:54.27+00:00

Hello Bekuretsion Gebremichael,

Multiple forests, single Microsoft Entra tenant is a supported scenario,When you have multiple forests, all forests must be reachable by a single Microsoft Entra Connect Sync server and you need to create a Trust Between Forests.

Establish a Forest Trust Between Two AD Forests-:A forest trust enables secure communication and resource access between two separate AD forests.
**Single Azure AD Connect Server:**Install Azure AD Connect on a single server that has network connectivity to both AD forests. This server will handle synchronization for both forests to the Azure AD tenant.
**Staging Server for Redundancy:**Install a second Azure AD Connect server in Staging mode. This server will not perform any synchronization but will have an updated copy of the identity data. In case the primary server fails, you can promote the staging server to active mode without manual intervention.
**Network Considerations:**Ensure that the Azure AD Connect server has network access to both AD forests. If the forests are in separate data centres, consider placing the Azure AD Connect server in a perimeter network (DMZ) to facilitate connectivity.

Reference Document -:
Microsoft Entra Connect: Supported topologies - Microsoft Entra ID | Microsoft Learn
Moosa Khan 595 Reputation points Microsoft External Staff Moderator

2025-05-08T19:20:50.95+00:00

Hello Bekuretsion Gebremichae ,

I just wanted to follow up and see if the information I shared was helpful. Let me know if you have any questions!
Moosa Khan 595 Reputation points Microsoft External Staff Moderator

2025-05-09T19:24:36.2366667+00:00

Hello Bekuretsion Gebremichae ,

I just wanted to follow up and see if the information I shared was helpful. Let me know if you have any questions!

Share via

TWO separated Domain Controller to One tenant using AD connect

1 answer

Your answer