08-22-2017 06:13 AM
08-22-2017 06:13 AM
Our scenario is the following:
CompanyA has on-premise AD and Exchange. They have deployed Azure AD Connect and ADFS with their own Azure tenant and everything is working fine.
CompanyB har their own on-premise AD and Exchange. They want to use same tenant as CompanyA, but want On-premise AD to be seperated. What is supported scenario, if any?
According to this article, the closest they get is Multiple forest, single Azure AD tenant: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologi...
What are pros and cons ?
They will probably need to setup trust between them?
Other ways this can be achieve?
08-22-2017 06:32 AMSolution
There can be only one Azure AD Connect instance for a single Azure tenant. This means, you have to use one AAD Connect instance for both companies, if you want to go single tenant.
Azure AD Connect supports connecting multiple forests to a single Azure AD tenant. A server that runs Azure AD Connect does not have to be joined to any domain locally, however, it must be able to access domain controllers in both forests.
In some cases, you can choose to place the Azure AD Connect server in a (DMZ), especially if you do not have a direct network connection to all forests that you would like to include in the synchronization.
If you need more information, you probable should tell what is your goal and how both companies must work together.
08-22-2017 06:41 AM
Hi Dominik and thanks for prompt reply.
As of now, the main goal is that both company can collaborate with each other in Office 365, but keep internal system seperate.
Not sure if its better they merge on-premise environment or go for the trust and use single AD connect.
08-22-2017 06:53 AM - edited 08-22-2017 06:54 AM
You are welcome.
From my perspective, if they want to manage their own on-premise Active Directory, use one AAD Connect instance and go to a single Azure tenant.
You can merge it later if you want, this is no problem. Depending of the AAD Connect server placement (domain joined, locally or DMZ) you need no trust relationship.
Make sure both admins from both companies have a good design decision what to sync, merge and which attributes are needed. Then this will be no problem.
08-22-2017 11:15 PM
Currently we do not have full overview of their environment and not sure which workload they want to migrate to Office 365.
My guess is that they have AADC joined to domain at CompanyA.
Will they need to create a trust between them for this setup to work?
08-22-2017 11:56 PM
what about ADFS with single sign-on, it does not need trust between them either?
You mean they can freely collaborate in O365 without having any trust between their on-premise environment?
Trying to read up some documentations, but this scenario seems to be a bit vague
10-14-2017 03:46 AM