Forum Discussion

mathiassii's avatar
mathiassii
Copper Contributor
Sep 09, 2019

Tree AD trust with AAD Connect

Hi guys. I have a customer having multiple forests but one of them is tree root trust and not forest trust. We implemented AAD Connect and we can't synchronize user password with this forest. All acc...
Azure Active Directory (AAD)
Azure AD Connect
LM's avatar
LM
Brass Contributor
Sep 10, 2019

mathiassii 

 

AD trust is not a requirement for AAD Connect unless you are using PTA for auth. If using PTA you will need a forest trust. If not using PTA then check if the permissions\firewalls are all in place for password sync.

 

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-faq

 

mathiassii's avatar
mathiassii
Copper Contributor
Sep 10, 2019

Hi LM ,

 

Currently we didn't implement the PTA but it's the next step ;). Thanks for your link.

We will recheck the permissions and firewall.

 

Thanks

  • rosaliod's avatar
    rosaliod
    Brass Contributor
    Sep 10, 2019

    mathiassii  The ADDS connector space agent needs to have at least the following permissions in the other forest. Did you verify this?

    https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account#permissions-for-password-hash-synchronization 

    AllowAD DS Connector AccountReplicating Directory ChangesThis object only (Domain root)
    AllowAD DS Connector AccountReplicating Directory Changes AllThis object only (Domain root)
    • mathiassii's avatar
      mathiassii
      Copper Contributor
      Sep 11, 2019

      Hi rosaliod 

      yes we verified it and everything is ok.

      • rosaliod's avatar
        rosaliod
        Brass Contributor
        Sep 12, 2019

        mathiassii I recommend you try using the password hash troubleshooting tool. 

         

        https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-hash-synchronization

Resources