Forum Discussion
Tree AD trust with AAD Connect
Hi LM,
Currently we didn't implement the PTA but it's the next step ;). Thanks for your link.
We will recheck the permissions and firewall.
Thanks
mathiassii The ADDS connector space agent needs to have at least the following permissions in the other forest. Did you verify this?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account#permissions-for-password-hash-synchronization
Allow | AD DS Connector Account | Replicating Directory Changes | This object only (Domain root) |
Allow | AD DS Connector Account | Replicating Directory Changes All | This object only (Domain root) |
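One way to check the two permissions listed above from an administrative workstation, as an added example that is not part of the original thread or of Microsoft's tooling. The domain name and account name are placeholders, and the script only looks at ACEs granted directly to the account, not through group membership.

```powershell
# Added example: audit the two replication extended rights on a domain root.
# $DomainFqdn and $ConnectorAccount are placeholder values (assumptions).
param(
    [string]$DomainFqdn       = 'child.example.com',
    [string]$ConnectorAccount = 'EXAMPLE\MSOL_placeholder'
)

# rightsGuid values of the two control-access rights in the AD schema
$required = [ordered]@{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

# Resolve the account to a SID so the comparison does not depend on name format
$sid = ([System.Security.Principal.NTAccount]$ConnectorAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Bind to the domain root of the target domain (works for a domain in another tree)
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainFqdn/RootDSE")
$domainDn = $rootDse.psbase.Properties['defaultNamingContext'].Value
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainFqdn/$domainDn")

# Explicit and inherited ACEs, with identities returned as SIDs
$rules = $root.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])

$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$aces = $rules | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $extended)
}

foreach ($guid in $required.Keys) {
    # An empty ObjectType on an ExtendedRight ACE grants all extended rights
    $hit = $aces | Where-Object {
        $_.ObjectType -eq [guid]$guid -or $_.ObjectType -eq [guid]::Empty
    }
    [pscustomobject]@{
        Domain  = $domainDn
        Account = $ConnectorAccount
        Right   = $required[$guid]
        Granted = [bool]$hit
    }
}
```

Run it once per domain that the connector reads from; a `Granted` value of `False` for either right in any domain means password hash synchronization cannot read hashes from that domain with a directly assigned ACE.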
- mathiassii Sep 11, 2019 Copper Contributor
Hi rosaliod
Yes, we verified it and everything is OK.
- rosaliod Sep 12, 2019 Brass Contributor
mathiassii I recommend you try using the password hash troubleshooting tool.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-hash-synchronization
- rosaliod Sep 12, 2019 Brass Contributor
You mentioned an AD Tree trust; however, there are only 4 types of trusts I know of.
1. External trust
2. Realm trust
3. Forest trust
4. Shortcut trust
Which trust is configured? Is this a domain in the same Forest or a domain in another Forest?
- mathiassii Sep 12, 2019 Copper Contributor
Hi rosaliod
It's the first time I heard of this type of trust, but I confirm this trust exists.
Active Directory Trust Types
Parent-child Trust: Parent-child Trust is an implicitly established, two-way, transitive trust when you add a new child domain to a tree.
Tree-root Trust: Tree-root Trust is an implicitly established, two-way, transitive trust when you add a new tree root domain to a forest.
Shortcut Trust: Shortcut Trust is an explicitly created, transitive trust between two domains in a forest to improve user logon times. Shortcut Trust will make a trust path shorter between two domains in the same forest. The Shortcut Trust can be one-way or two-way.
External Trust: External Trust is an explicitly created, non-transitive trust between Windows Server 2003 domains that are in different forests or between a Windows Server 2003 domain and a Windows NT 4 domain. The External Trust can be one-way or two-way.
Realm Trust: Realm Trust is an explicitly created, transitive or non-transitive trust between a non-Windows Kerberos realm and a Windows Server 2003 domain. This trust helps to create a trust relationship between a Windows Server 2003 domain and any Kerberos version 5 realm. The Realm Trust can be one-way or two-way.
Forest Trust: Forest Trust is an explicitly created, transitive (between two forests) trust between two forest root domains. The Forest Trust can be one-way or two-way.