
Dir sync between multiple AD forests

Anonymous
2016-03-29T01:02:59+00:00

Hi everyone,

I have a case here where I have to synchronize multiple AD forests to a single O365 tenant. We can do that using Azure AD Connect for FIM.

My concern here is that I already have all my users in O365, which were created in the cloud. I have the same users in my local AD forests as well. I want to synchronize both AD forests to my existing O365 tenant. Is it possible? We have taken Enterprise Mobility Suite licenses for all the existing O365 users. We need to enable single sign-on to the apps that are authenticated by our AD. This is the reason we are looking for this directory synchronization.

Any suggestion would be very helpful.

Thanks,

Tejas


Locked question. This question was migrated from the Microsoft Support Community.


11 answers

  1. Anonymous
    2016-04-12T23:05:04+00:00

    Hi Tejas,

    As far as I know, the DNS of both DCs should be resolvable by the AADSync server so that it can reach both forests. However, regarding the detailed steps for letting the AAD Sync server reach all the forests, as our forum concentrates on Office 365 online related issues/questions, to ensure this is precisely answered, we recommend you contact our professional Windows Server engineers via our Windows Server forum below:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS

    Thanks for your time on this.

    Best regards,

    Ran

  2. Anonymous
    2016-04-12T04:15:00+00:00

    Dear Ran,

    I have a small query here.

    As I have mentioned before, I will be deploying a 2012 server in my OpenVPN network; it will be joined to one of our forests (prione.in) and I will install the AAD Connect tool. My query is: will this AAD sync server be able to reach both forests (prione.in and cloudtail.in) for the synchronization process, given that it has been joined to the prione.in domain?

    Thanks,

    Tejas

  3. Anonymous
    2016-04-08T10:32:39+00:00

    Hi Ran,

    I have covered all the prerequisites, and I am going to install a Win 2012 R2 server on my OpenVPN network and then install AD Connect on that server.

    Thanks

    Tejas

  4. Anonymous
    2016-04-08T03:55:51+00:00

    Hi Tejas,

    Thanks so much for the detailed information. AD sync is the prerequisite for single sign-on (SSO). After users are matched and SSO is set up, users will be able to authenticate from AD when accessing Office 365 online pages or Microsoft-supported clients such as Outlook. However, your internal app (a third-party app) might not be successfully integrated with Office 365 SSO when users perform authentication.

    As I mentioned above, the machine on which Azure AD Connect is installed should have access to both forests' domain controllers and be able to resolve both forests' DNS names. Then, in the Azure AD Connect installation wizard, you can add the two forests as shown below and finish the setup with two forests integrated into one Office 365 tenant.

     ![](http://fud.community.services.support.microsoft.com/Fud/FileDownloadHandler.ashx?fid=4aafb444-605f-4feb-8b7b-92cc55d55ecb)

    Thanks,

    Ran

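The reachability requirement Ran describes in this reply (and again in the first answer above), turned into a pre-flight check that an administrator can run on the prospective Azure AD Connect server before starting the wizard. This is an added example, not code from the thread or from Microsoft. It assumes the two forest names from the thread (prione.in and cloudtail.in), that the DnsClient and ActiveDirectory (RSAT) PowerShell modules are present on that server, and that the port list below covers the domain-controller ports Azure AD Connect needs (DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445, global catalog 3268); that port list is an assumption to confirm against Microsoft's current port documentation.

```powershell
# Added pre-flight check (not from the thread): verify that the server that will host
# Azure AD Connect can resolve and reach domain controllers in every forest to be synced.
# Assumptions: forest names are those from the thread; the port list is an assumption to
# confirm against Microsoft's current Azure AD Connect port requirements.

$Forests = @('prione.in', 'cloudtail.in')          # forest DNS names from the thread
$RequiredPorts = @(53, 88, 135, 389, 445, 3268)    # assumed DC ports: DNS, Kerberos, RPC EPM, LDAP, SMB, GC

function Test-ForestReachability {
    param([string]$Forest, [int[]]$Ports)

    $result = [ordered]@{ Forest = $Forest; DcFound = $false; Failures = @() }

    # Locate domain controllers through the _ldap SRV record every forest publishes in DNS.
    # If this lookup fails, the AAD Connect server is using DNS that does not know the forest.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Forest" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        $result.Failures += "DNS: cannot resolve _ldap._tcp.dc._msdcs.$Forest ($($_.Exception.Message))"
        return [pscustomobject]$result
    }

    $result.DcFound = ($srv.Count -gt 0)

    foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
        foreach ($port in $Ports) {
            # A firewall between the VPN segment and the DC shows up here as a closed port.
            $tnc = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            if (-not $tnc.TcpTestSucceeded) {
                $result.Failures += "TCP: $dc port $port unreachable"
            }
        }
    }

    # Finally confirm that a directory bind works with the account that will run the wizard;
    # Get-ADForest fails when credentials or the trust path are wrong even if ports are open.
    try {
        $null = Get-ADForest -Identity $Forest -ErrorAction Stop
    } catch {
        $result.Failures += "AD: Get-ADForest $Forest failed ($($_.Exception.Message))"
    }

    return [pscustomobject]$result
}

$report = foreach ($f in $Forests) { Test-ForestReachability -Forest $f -Ports $RequiredPorts }
$report | Format-List

if ($report.Failures.Count -gt 0) {
    Write-Warning 'Fix the failures above before running the Azure AD Connect wizard.'
}
```

Run it as the account that will perform the installation, from the server on the OpenVPN segment; an empty Failures list for both forests means the DNS and port prerequisites Ran mentions are met, while a DNS failure for the second forest usually means the server's resolver only knows the domain it is joined to.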
  5. Anonymous
    2016-04-07T00:52:00+00:00

    Dear Ran,

    Thanks for your information again.

    As I have informed you before, there are no email addresses in our AD environment. Here we only have user IDs in AD.

    We have two AD forests, Prione.in and cloudtail.in.

    For your better understanding: we have an internal application which is authenticated by the Prione.in AD, and we also have an internal application which is authenticated by another AD forest called cloudtail.in. Some of the users in the Office 365 cloudtail.in domain are part of the Prione.in AD, as they have to access our internal app which is integrated with the prione.in AD, and vice versa for the cloudtail.in domain.

    My only concern here is that, after the SMTP matching and AD synchronization, I will be integrating these apps with Azure AD to give users single sign-on to these internal apps. After integrating these apps with Azure, will it cause another issue?

    Also, I wanted to know what configuration has to be made while initiating Dir Sync with Azure AD. How will both of our AD forests get synced with Azure?

    Thanks,

    Tejas

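Because the thread's AD accounts carry only user IDs and no email address, the SMTP matching Tejas refers to has nothing to match on, and Azure AD Connect would provision new objects instead of linking to the existing cloud users. The script below is an added example, not code from the thread or from Microsoft: it audits one forest for users whose mail and proxyAddresses attributes are empty and stages the values from a mapping of on-premises user ID to cloud address. It assumes the ActiveDirectory module, the forest name from the thread, a constructed sample mapping (in practice an export of the existing Office 365 users), and that Azure AD Connect soft-matches on the primary SMTP address (the proxyAddresses entry with the uppercase SMTP: prefix). It runs in -WhatIf mode until $Apply is set to $true.

```powershell
# Added example (not from the thread): prepare on-premises users for SMTP soft matching.
# Azure AD Connect matches an on-prem user to an existing cloud user on the primary SMTP
# address, so each AD account needs mail/proxyAddresses equal to the cloud user's address.
# Assumptions: forest name from the thread; the mapping below is constructed sample data.

$Forest = 'prione.in'
$Apply  = $false    # leave $false to review changes; set $true to write them

# Constructed mapping of on-prem sAMAccountName -> cloud primary SMTP address.
$CloudAddresses = @{
    'tuser'  = 'tuser@cloudtail.in'
    'asmith' = 'asmith@prione.in'
}

function Get-UnmatchedUsers {
    param([string]$Forest, [hashtable]$Map)
    # Users without a mail address cannot be soft-matched and would be provisioned as
    # new objects rather than linked to the existing cloud accounts.
    Get-ADUser -Server $Forest -Filter * -Properties mail, proxyAddresses |
        Where-Object { -not $_.mail -and -not $_.proxyAddresses } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Proposed       = $Map[$_.SamAccountName]   # $null when no cloud mapping exists
            }
        }
}

function Set-SmtpMatchAttributes {
    param([string]$Forest, [string]$Sam, [string]$Address, [bool]$Commit)
    if ($Address -notmatch '^[^@\s]+@[^@\s]+$') {
        throw "Refusing to stage malformed address '$Address' for $Sam"
    }
    # The primary SMTP address uses the uppercase 'SMTP:' prefix; Azure AD Connect treats it
    # as the match key. -WhatIf shows the change without writing it.
    Set-ADUser -Server $Forest -Identity $Sam -EmailAddress $Address `
        -Add @{ proxyAddresses = "SMTP:$Address" } -WhatIf:(-not $Commit)
}

$pending = Get-UnmatchedUsers -Forest $Forest -Map $CloudAddresses
foreach ($u in $pending) {
    if (-not $u.Proposed) {
        Write-Warning "$($u.SamAccountName): no cloud address known; this user will not be matched"
        continue
    }
    Set-SmtpMatchAttributes -Forest $Forest -Sam $u.SamAccountName -Address $u.Proposed -Commit $Apply
}
```

Review the -WhatIf output for both forests before committing: every account that is meant to link to an existing cloud user must end up with a proposed address, and any account the warning flags will appear in the tenant as a separate new object after the first sync cycle.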