
Dir sync between multiple AD forests

Anonymous
2016-03-29T01:02:59+00:00

Hi everyone,

I have got a case here wherein I have to synchronize multiple AD forests to a single O365 tenant. We can do that using Azure AD Connect for FIM.

My concern here is that I already have all my users in O365, which have been created in the cloud. I have the same users in my local AD forests as well. I want to synchronize both AD forests to my existing O365 tenant. Is it possible? We have taken Enterprise Mobility Suite licenses for all the existing O365 users. We need to enable single sign-on to the apps that are authenticated by our AD. This is the reason we are looking for this directory synchronization.

Any suggestion would be very helpful.

Thanks,

Tejas..


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


11 answers

  1. Anonymous
    2016-04-06T22:21:22+00:00

    Hi Tejaswi,

    Yes, it is possible to match users with SMTP match, which is based on the user’s primary SMTP address. Like what the article mentioned, basically, first copy the primary SMTP address (*** Email address is removed for privacy ***) from Office 365 and paste it to the E-mail field for the corresponding user (*** Email address is removed for privacy ***) in AD. Then perform the AD sync in Azure AD Connect. Meanwhile, to have a better understanding of the situation, can you let us know the two email addresses of the user tejas in AD and in Office 365 respectively via PM?

    For your second question, since the server is required to be reachable to all forests, it should be placed in a network DMZ.

    Please feel free to let us know if anything is unclear.

    Thanks,

    Ran

  2. Anonymous
    2016-04-05T06:03:42+00:00

    Hi Ran,

    Thanks for your help. I have gone through the documents and accordingly I have started matching the users' SMTP addresses in our AD. I also found that some users have been created in the abcd.in domain forest and their O365 email ID is in the wxyz.in domain, which means a user called tejas is an active user in AD domain abcd.in and also active in Office 365 as *** Email address is removed for privacy ***.

    Is it possible to match such users' SMTP addresses?

    Also, I wanted to know whether I should install Azure AD Connect on a DC or whether it should be on a different server in the DMZ, as it is a multi-forest scenario and both forests are in a transitive trust, but there is no GAL sync between these forests.

    Thanks,

    Tejas

  3. Anonymous
    2016-04-01T04:15:53+00:00

    Hi Tejaswi,

    Please feel free to share any updates when you have time.

    Thanks,

    Ran

  4. Anonymous
    2016-03-29T21:38:21+00:00

    Hi Tejaswi,

    Whether FIM 2010/2016 is required depends on the topology of your AD forests. If there is no GALSync between your local AD forests, there will be no need to set up FIM to trust the AD forests with each other. The Azure AD Connect tool supports this scenario – “Multiple forests – separate topologies” where you don’t need to set up FIM. You just need to set up Azure AD Connect to sync all forests to one Office 365 tenant. Here is the article:

    https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-topologies/

    You can also refer to other sections in this article (it includes all the supported scenarios with multi-forests) if your AD forests topology is not like this.

    And as some users are created in Office 365, you can use SMTP matching via the following article to match on-premises users with Office 365 existing users so that there will not be duplicate users in Office 365 after Directory sync.

    https://support.microsoft.com/en-us/kb/2641663

    Thanks,

    Ran

  5. Anonymous
    2016-03-29T01:54:54+00:00

    Hello Priyanka,

    Yes, this looks similar. Is FIM 2010 a must-have requirement for multi-forest directory synchronization? Is there any other way to sync multiple AD forests? I have one doubt here: as I have mentioned before, I already have users in my O365. Does the synchronization process create duplicate values in my O365 tenant, or will it impact my O365 mail flow?

    Does anybody have an idea of how it works?

    Thanks,

    Tejas
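
The SMTP matching discussed in the answers above can be checked before the first sync; the following is an added example, not part of any post in this thread and not Microsoft's code. It assumes the cloud users and the AD users of each forest have already been exported to records with the hypothetical field names shown, and the `conflict` and `fix_mail` categories (one address on several accounts, same local part under another domain) are this example's own heuristics, not Azure AD Connect behaviour.

```python
from collections import defaultdict

# Constructed sample exports (not real data): cloud users with their primary
# SMTP address, and AD users from two forests with their E-mail (mail) field.
CLOUD = [
    {"upn": "tejas@wxyz.in", "primary_smtp": "Tejas@wxyz.in"},
    {"upn": "asha@wxyz.in", "primary_smtp": "asha@wxyz.in"},
    {"upn": "ravi@wxyz.in", "primary_smtp": "ravi@wxyz.in"},
    {"upn": "meena@wxyz.in", "primary_smtp": "meena@wxyz.in"},
]
AD = [
    {"forest": "abcd.in", "sam": "tejas", "mail": "tejas@abcd.in"},
    {"forest": "abcd.in", "sam": "asha", "mail": "asha@wxyz.in"},
    {"forest": "abcd.in", "sam": "ravi", "mail": "ravi@wxyz.in"},
    {"forest": "wxyz.in", "sam": "ravi2", "mail": "RAVI@wxyz.in"},
    {"forest": "wxyz.in", "sam": "kiran", "mail": ""},
]

def norm(addr):  # compare case-insensitively, ignoring stray whitespace
    return (addr or "").strip().lower()

def presync_report(cloud, ad):
    cloud_by_addr = {norm(c["primary_smtp"]): c["upn"] for c in cloud if norm(c["primary_smtp"])}
    by_local = defaultdict(list)        # local part -> cloud addresses
    for addr in cloud_by_addr:
        by_local[addr.split("@")[0]].append(addr)
    claims = defaultdict(list)          # address -> AD accounts carrying it
    for u in ad:
        if norm(u["mail"]):
            claims[norm(u["mail"])].append(f'{u["forest"]}/{u["sam"]}')
    report = {"match": {}, "conflict": {}, "fix_mail": {}, "unmatched": []}
    for u in ad:
        who, addr = f'{u["forest"]}/{u["sam"]}', norm(u["mail"])
        candidates = by_local.get(addr.split("@")[0], [])
        if addr in cloud_by_addr and len(claims[addr]) == 1:
            report["match"][who] = cloud_by_addr[addr]   # E-mail field equals cloud primary SMTP
        elif addr in cloud_by_addr:
            report["conflict"][addr] = claims[addr]      # several accounts carry one address
        elif addr and len(candidates) == 1:
            # Heuristic: same local part, other domain; propose the cloud address.
            report["fix_mail"][who] = candidates[0]
        else:
            report["unmatched"].append(who)              # no cloud counterpart found by address
    taken = set(claims) | set(report["fix_mail"].values())
    report["cloud_only"] = sorted(u for a, u in cloud_by_addr.items() if a not in taken)
    return report

if __name__ == "__main__":
    print(presync_report(CLOUD, AD))
```

Accounts listed under `fix_mail` are candidates for the copy-the-primary-SMTP-address step described in the thread; entries under `conflict` need a manual decision before any sync is run.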
