Replace multi forest on prem ADs with AAD

DNM0288
Occasional Visitor

Hello, 

I searched this on the internet many times but I couldn't find a solid answer for this. My problem is:

We have on-prem DCs in three countries (US, Sweden, UK).

All three have their own forests, not replicated or synced to each other, with no link at all.

Each DC has 500+ user profiles.

We are planning to completely get rid of the on-prem ADs in all three locations, use AAD, and merge all three locations. We are not concerned about GPOs and other stuff the on-prem AD has. We only need authentication from a single location and access to O365, with no physical servers. That's all.

My plan is to sync all three servers using Azure AD Connect to the same Azure tenant. Once everything is synced, use them in one domain. Maybe it sounds stupid, but is it possible?

 

Thank you in advance. 

2 Replies

Hi @DNM0288 

 

This is certainly possible!

One thing to keep in mind is that there can only be one active AADC per tenant. 

To replicate multiple AD forests to 1 tenant, you need to get a trust between the 3 different tenants. Check this link for more information: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-forests-single-azure-ad-tenant

This can't be done without a trust.

 

Once this has been setup all users will be enabled in Azure Active Directory and will authenticate to a single tenant.

 

If you have any more questions, don't hesitate to reply :)

This is correct: you can only have one AAD Connect server syncing to an AAD tenant at any given time. However, you don't need a trust between forests. The AAD Connect server needs to be able to communicate with the other three forests, so a VPN or another method of connectivity is needed.

https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/cloud-consolidation-aad-connect
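As an added example (not from either reply), a PowerShell pre-flight check to run from the prospective Azure AD Connect server once the VPN is in place. It verifies the two things the second reply turns on: line of sight to each forest's DC, and that the three independent forests do not carry the same UPN twice (a single tenant requires UPNs to be unique, so collisions surface as sync errors once all three are connected). Forest names, DC hostnames, the credential variables and the port list are placeholders and assumptions; the ActiveDirectory RSAT module is required for the UPN check.

```powershell
# Added example, not part of the thread. Forest names, DC hostnames and the
# $UsCred/$SeCred/$UkCred PSCredential variables are placeholders for your own.
$Forests = @(
    @{ Name = 'us.example.com'; DC = 'dc01.us.example.com'; Cred = $UsCred },
    @{ Name = 'se.example.com'; DC = 'dc01.se.example.com'; Cred = $SeCred },
    @{ Name = 'uk.example.com'; DC = 'dc01.uk.example.com'; Cred = $UkCred }
)

# TCP ports Azure AD Connect needs toward each forest (DNS, Kerberos, RPC endpoint
# mapper, LDAP, SMB, LDAPS, global catalog). Assumed set: confirm against the
# current Microsoft port reference before signing off on firewall rules.
$Ports = 53, 88, 135, 389, 445, 636, 3268, 3269

# 1. Connectivity: every forest's DC must answer on every port from this host.
foreach ($f in $Forests) {
    foreach ($p in $Ports) {
        $ok = (Test-NetConnection -ComputerName $f.DC -Port $p `
                  -WarningAction SilentlyContinue).TcpTestSucceeded
        $state = if ($ok) { 'open' } else { 'BLOCKED' }
        '{0,-20} {1,5} {2}' -f $f.Name, $p, $state
    }
}

# 2. Identity collisions: collect enabled users from each forest with per-forest
#    credentials (no trust needed) and report any UPN present in more than one.
$all = foreach ($f in $Forests) {
    Get-ADUser -Server $f.DC -Credential $f.Cred -Filter 'Enabled -eq $true' |
        Select-Object @{ n = 'Forest'; e = { $f.Name } }, UserPrincipalName
}
$all | Where-Object UserPrincipalName |
    Group-Object UserPrincipalName | Where-Object Count -gt 1 |
    ForEach-Object {
        'DUPLICATE UPN {0}: {1}' -f $_.Name,
            (($_.Group.Forest | Sort-Object -Unique) -join ', ')
    }
```

Any BLOCKED line means the firewall or VPN route still needs work; any DUPLICATE UPN line must be resolved (rename or retire one account) before the forest is added to the sync scope.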