Azure AD Connect: sync multiple forests with a single Azure AD tenant

There are several reasons why an organization may have more than one Active Directory forest on premises: limited hardware capacity when the forests were first built, or a merger or acquisition, are common ones.

The Azure AD Connect installation wizard offers several options for consolidating users who are represented in more than one forest.

Multiple forests, single directory

Your organization may have more than one Active Directory forest that it wants to sync with a single Azure AD tenant. In this topology all forests are reachable by a single Azure AD Connect sync server. The server does not have to be joined to any of the forests (a Windows server can only ever be joined to one domain anyway); if required it can be placed in a perimeter network such as a DMZ, as long as it can reach a domain controller in every forest.

In the following step-by-step guide, you will update your existing Azure AD Connect installation to include a second forest.

Multiple Forest with Single Azure AD tenant

As an example, the users in the studentsvlab.local forest will be synced to Azure AD through the existing Azure AD Connect server.

Prerequisites

  1. An on-premises Active Directory forest with an existing Azure AD Connect installation
  2. A second Active Directory forest (not yet connected to Azure AD Connect)
  3. A single Azure AD tenant
  4. For this example, every identity is represented only once across both forests: each user has an account in one forest only, and there are no mail-enabled contact objects standing in for users of the other forest.

NB: If your users exist in more than one directory and you will be merging the data (for example, contact objects in one forest that correspond to user accounts in the other), Microsoft advises that you uninstall Azure AD Connect and reinstall it, because the cross-forest join rule (how a user is uniquely identified across forests) can only be chosen during the first installation.
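Before running the wizard it is worth checking the prerequisites above from the Azure AD Connect server itself: name resolution and port reachability for the new forest, and prerequisite 4 (no identity represented twice, no mail-enabled contacts). The following PowerShell is an added example and not part of the original article; the forest names, the credential prompt and the port list are assumptions, and it requires the RSAT ActiveDirectory module on the server.

```powershell
# Added example, not part of the original article: pre-flight checks to run on
# the Azure AD Connect server before adding a second forest in the wizard.
# Assumed placeholders: the forest names, the credential prompt and the port
# list. Requires the RSAT ActiveDirectory module on this server.
Import-Module ActiveDirectory

$ExistingForest = 'corp.local'           # forest already connected to Azure AD Connect (assumed name)
$NewForest      = 'studentsvlab.local'   # forest being added
$NewForestCred  = Get-Credential -Message "Account that can read users and contacts in $NewForest"

# 1. Name resolution. The wizard locates domain controllers through the
#    _ldap._tcp.dc._msdcs SRV records, so a missing conditional forwarder
#    fails here before it fails in the wizard.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$NewForest" -Type SRV -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
$dc = ($srv | Sort-Object Priority, Weight | Select-Object -First 1).NameTarget
"Domain controller for ${NewForest}: $dc"

# 2. TCP reachability of the ports Azure AD Connect uses against that DC
#    (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, LDAPS, Global Catalog).
foreach ($port in 53, 88, 135, 389, 445, 636, 3268, 3269) {
    $open = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5}  {1}' -f $port, $(if ($open) { 'open' } else { 'BLOCKED' })
}

# 3. Prerequisite 4: every identity must exist only once across both forests.
#    Collect the mail addresses of users in each forest and look for overlap.
$existingUsers = Get-ADUser -Server $ExistingForest -Filter 'mail -like "*"' -Properties mail
$newUsers      = Get-ADUser -Server $NewForest -Credential $NewForestCred -Filter 'mail -like "*"' -Properties mail

$byMail = @{}
foreach ($u in $existingUsers) { $byMail[$u.mail.ToLower()] = $u.DistinguishedName }

$duplicates = foreach ($u in $newUsers) {
    $key = $u.mail.ToLower()
    if ($byMail.ContainsKey($key)) {
        [pscustomobject]@{ Mail = $u.mail; ExistingForestDN = $byMail[$key]; NewForestDN = $u.DistinguishedName }
    }
}

# 4. Mail-enabled contacts in either forest mean one forest represents the
#    other's users, which needs cross-forest join rules (and therefore a
#    reinstall) instead of the simple add-a-forest path in this guide.
$contacts = foreach ($forest in $ExistingForest, $NewForest) {
    $params = @{ Server = $forest; LDAPFilter = '(&(objectClass=contact)(mail=*))'; Properties = 'mail' }
    if ($forest -eq $NewForest) { $params.Credential = $NewForestCred }
    Get-ADObject @params | Select-Object @{ n = 'Forest'; e = { $forest } }, mail, DistinguishedName
}

if ($duplicates -or $contacts) {
    "STOP: identities are not unique across $ExistingForest and $NewForest."
    'Cross-forest join rules are needed, which means uninstalling and reinstalling Azure AD Connect.'
    $duplicates | Format-Table -AutoSize
    $contacts   | Format-Table -AutoSize
} else {
    "OK: no duplicate mail addresses and no mail-enabled contacts. Safe to add $NewForest in the wizard."
}
```

The duplicate check keys on the mail attribute because that is what cross-forest join rules normally match on; if your forests identify users by something else (for example ObjectSID or an extension attribute), compare that attribute instead.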

1. Make sure the Azure AD Connect server can reach the second forest: it needs DNS name resolution for studentsvlab.local (typically a conditional forwarder) and network access to a domain controller in that forest. A server can only be joined to one domain, so do not try to join it to the second one; the wizard connects to the new forest with the credentials you supply in step 4, not with the server's machine account.

2. Sign in to the Azure AD Connect server, launch the Azure AD Connect wizard, and choose Configure.

3. On the Additional tasks page choose Customize synchronization options, click Next, and sign in to your Azure AD tenant with global administrator credentials.

4. On the Connect your directories page, enter the FQDN of the forest to add (studentsvlab.local) in the Forest field and click Add Directory. You will be prompted for an AD forest account for the new forest: either let the wizard create a new AD DS Connector account (this requires Enterprise Admin credentials for that forest) or supply an existing account that already has the required permissions.

5. Wait for Azure AD Connect to verify and validate the directory, then click Next.

6. On the Domain and OU filtering page, select the whole forest or only the specific OUs that contain the users you want to sync (in this example the student OU), then click Next. Objects outside the selected OUs are never imported.

7. On the Optional features page select the features your organization requires, then click Next.

8. Click Next on the Single sign-on page and then click Configure for Azure AD Connect to apply the configuration. Leave "Start the synchronization process when configuration completes" selected so that an initial (full) sync cycle runs against the new forest.

To verify that everything is working, sign in to your Azure AD tenant and confirm that the studentsvlab.local objects (in this case the student OU) have been synced. Note that studentsvlab.local is not a routable domain, so users whose UPN suffix is studentsvlab.local will appear in Azure AD with a UPN on the tenant's default .onmicrosoft.com domain unless you give them an alternate UPN suffix that matches a domain verified in the tenant.
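The same verification can be scripted from the Azure AD Connect server: confirm the new forest connector exists, force an initial sync cycle, and then list the synced users whose on-premises source is the new forest. This PowerShell is an added example and not part of the original article; the forest name and the Graph scope are assumptions, and the cloud-side check needs the Microsoft.Graph.Users module and an account that is allowed to read users in the tenant.

```powershell
# Added example, not part of the original article: verify the second forest
# after the wizard has finished. Run on the Azure AD Connect server.
# Assumed placeholders: the forest name and the Graph scope. The cloud-side
# check needs the Microsoft.Graph.Users module and an account that can read users.
Import-Module ADSync

$NewForest = 'studentsvlab.local'

# 1. The sync engine should now list one connector per forest plus the
#    Azure AD connector (shown with type Extensible2).
$connectors = Get-ADSyncConnector | Select-Object Name, Type
$connectors | Format-Table -AutoSize
if ($connectors.Name -notcontains $NewForest) {
    throw "No connector named $NewForest. Re-run the wizard and check the 'Connect your directories' page."
}

# 2. A newly added forest needs a full (Initial) import and sync, not the
#    delta cycle the scheduler runs on its own. The cycle runs in the
#    background, so poll the scheduler until it reports idle.
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
}
do {
    Start-Sleep -Seconds 15
} while ((Get-ADSyncScheduler).SyncCycleInProgress)
'Initial sync cycle finished.'

# 3. Cloud side: list synced users whose on-premises source is the new forest.
#    onPremisesSyncEnabled can be filtered server-side; onPremisesDomainName
#    is filtered client-side here.
Connect-MgGraph -Scopes 'User.Read.All'
$synced = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -Property UserPrincipalName, OnPremisesDomainName, OnPremisesDistinguishedName, OnPremisesLastSyncDateTime

$fromNewForest = @($synced | Where-Object OnPremisesDomainName -eq $NewForest)
'{0} synced user(s) from {1}' -f $fromNewForest.Count, $NewForest
$fromNewForest |
    Select-Object UserPrincipalName, OnPremisesDistinguishedName, OnPremisesLastSyncDateTime |
    Format-Table -AutoSize

# A student-OU user missing from this list is usually a Domain/OU filtering
# choice; a user listed with a .onmicrosoft.com UPN had an on-premises UPN
# suffix that is not a verified domain in the tenant.
```

The OnPremisesDistinguishedName column is the quickest way to confirm that only the intended OU was picked up: every DN from the new forest should sit under the student OU you selected in the wizard.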