Syncing multiple forests to Azure AD
Learn how to sync multiple forests to Azure AD
May 28, 2015
Q. If I have multiple AD forests can I still sync to Azure AD using Azure AD Sync (AADSync)?
A. Yes. The original on-premises AD to Azure AD synchronization tool, DirSync, did not support synchronization from more than one forest. Its successor, Azure AD Sync (AADSync), lets you add multiple forests during the configuration wizard that sets up synchronization, as shown below.
Note that the first forest you add is treated as the "master": where equivalent objects in different forests disagree, the master's attribute values win. In effect, the order in which forests are added is the order of precedence. No trusts are required between the forests being added; AADSync connects to each forest with its own credentials.
Note that if a user has accounts in more than one forest, AADSync needs a way to link those accounts together when it synchronizes to Azure AD. The link is an attribute value, for example employeeID or employeeNumber, or a value held in a custom attribute, but it must hold the same value on every object that user has across the different forests.
AADSync compares the objects from each forest and, where this value matches, merges them into a single object in the AADSync metaverse and synchronizes that one object to Azure AD. You choose the value in the Matching across forests part of the User Matching page of the wizard, as shown. Because a match on this value is what joins objects, it has to be unique per person: two unrelated accounts that happen to share a value would be merged into one Azure AD user, and an account with an empty value is never joined. Check for duplicates and empty values in every forest before you run the wizard.
In the Matching with Azure AD part you pick the sourceAnchor attribute, which must be unique and must never change for the user (again, employeeNumber/ID is a candidate; it has to carry the same value on each of the user's accounts, so a per-forest identifier will not do), and the attribute that becomes the user's login ID in Azure AD. That is typically userPrincipalName, provided its suffix is a publicly routable domain that has been verified in Azure AD.
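As an added example, not part of the original article, the following PowerShell pre-flight check pulls enabled users from each forest and reports the conditions the two steps above depend on: accounts with no value in the matching attribute (never joined), duplicate values inside one forest (ambiguous join), values shared across forests (the accounts that will be merged, with the first-listed forest winning conflicting attributes) and UPN suffixes that are not verified domains. It assumes the ActiveDirectory module (RSAT) is installed and that each forest is reachable through one of its domain controllers without a trust. The attribute name employeeID, the forest names, DC hostnames and the verified-domain list are placeholders to replace with your own.

```powershell
# Added example (not from the original article): pre-flight check before running
# the AADSync wizard across multiple forests.
Import-Module ActiveDirectory

# Placeholder values: attribute chosen for "Matching across forests" and the
# domains verified in Azure AD.
$matchAttr       = 'employeeID'
$verifiedDomains = @('contoso.com', 'fabrikam.com')

# Forests in the order they will be added in the wizard. First = highest precedence.
# DC names are placeholders; a credential is needed because no trust exists.
$forests = @(
    @{ Name = 'corp.contoso.com'; Server = 'dc1.corp.contoso.com'; Credential = (Get-Credential -Message 'corp.contoso.com') },
    @{ Name = 'fabrikam.local';   Server = 'dc1.fabrikam.local';   Credential = (Get-Credential -Message 'fabrikam.local') }
)

# Rank each forest by its position so precedence can be computed later.
$forestRank = @{}
for ($i = 0; $i -lt $forests.Count; $i++) { $forestRank[$forests[$i].Name] = $i }

# Collect enabled users from every forest with the matching attribute and UPN.
$all = foreach ($f in $forests) {
    Get-ADUser -Server $f.Server -Credential $f.Credential -Filter 'Enabled -eq $true' `
               -Properties $matchAttr, userPrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                Forest   = $f.Name
                Sam      = $_.SamAccountName
                UPN      = $_.UserPrincipalName
                MatchVal = $_.$matchAttr     # dynamic property lookup
            }
        }
}

# 1. No matching value: the account can never be joined with its twin in another forest.
$missing = @($all | Where-Object { [string]::IsNullOrEmpty($_.MatchVal) })

# 2. Same value on two objects inside one forest: the join is ambiguous.
$dupInForest = @($all | Where-Object { $_.MatchVal } |
    Group-Object Forest, MatchVal | Where-Object { $_.Count -gt 1 })

# 3. Same value in more than one forest: these objects WILL be merged into one
#    metaverse object; the copy from the earliest-listed forest wins on conflicts.
$merged = @($all | Where-Object { $_.MatchVal } | Group-Object MatchVal |
    Where-Object { @($_.Group.Forest | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $winner = $_.Group | Sort-Object { $forestRank[$_.Forest] } | Select-Object -First 1
        [pscustomobject]@{
            MatchVal   = $_.Name
            Forests    = ($_.Group.Forest -join ', ')
            WinningUPN = $winner.UPN
        }
    })

# 4. UPN suffix not verified in Azure AD: not usable as the cloud login ID.
$badUpn = @($all | Where-Object {
    $_.UPN -and ($verifiedDomains -notcontains $_.UPN.Split('@')[-1])
})

# Report. Fix everything in sections 1, 2 and 4 before running the wizard;
# review section 3 to confirm each merge is intended.
"[1] {0} enabled accounts have no {1} value:" -f $missing.Count, $matchAttr
$missing     | Format-Table Forest, Sam, UPN -AutoSize
"[2] {0} duplicate {1} values within a single forest:" -f $dupInForest.Count, $matchAttr
$dupInForest | Select-Object Name, Count | Format-Table -AutoSize
"[3] {0} values shared across forests (will be merged; winner = first-listed forest):" -f $merged.Count
$merged      | Format-Table -AutoSize
"[4] {0} accounts whose UPN suffix is not a verified Azure AD domain:" -f $badUpn.Count
$badUpn      | Format-Table Forest, Sam, UPN -AutoSize
```

Run it from a machine that can reach a domain controller in each forest. Section 3 is the one to read most carefully: every row there becomes a single Azure AD user, so any pairing that does not belong to one person points to a matching value that is being reused and should be corrected in the directory before synchronization starts.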
Once the wizard is complete you will be synchronizing across multiple forests. You can find more information on the wizard here.