AAD-connect topology

Question

In context of Azure-AD connect, FULL MESH topology , I have one point to clarify.

• I have 2 domains contoso.com and fabrikam.com synched up in AAD-connect
• both domains may or may not be in the same forest.
• A human user is in both domains with UPN user1@Company portal .com and ******@fabrikam.com
• AAD-connect sync server's preference wise contoso comes ahead of fabrikam
• There is no GAL sync between these 2 domains.
• Both accounts are active.

In AAD-connect configuration

In order for AAD-connect to merge these two accounts of the same human user and send a single identity to Azure-AD, I believe I can accomplish with a common attribute like mail

So in above screen, if I configure Mail to map user identities across multiple directories, will it work ?
If yes, my understanding is mail A. must be having same value.
So if user1@Company portal .com is the mail then in fabrikam domain also the mail A. must be user1@Company portal .com
Am I correct ?

I read that, if you have more than one active account or more than one mailbox, the sync engine picks one and ignores the other.
In which scenario this is applicable ?

Is contacts object involved in this topology ?

Thanks.

Answer 1

1. If contoso and fabrikam are two domains in same Forest, and both objects are of type user, then this will cause a sync error. Because you can’t join two users from same connector. Error will be (I believe):
   sync-generic-failure with stack trace saying something like: “An object is already connected with a different DN”
2. If contoso and fabrikam are AD Forests the objects with matching mail attribute will merge in metaverse and contoso will contribute UPN, ImmutableId, and other account based attributes. Fabrikam object should contribute resource attributes for mail flow / Skype etc.

--
Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.