Sep 09 2019 - last edited on Jul 24 2020
Hi guys. I have a customer with multiple forests, but one of them is a tree root trust and not a forest trust. We implemented AAD Connect and we can't synchronize user passwords with this forest. All accounts in the other forests work very well.
Does anyone know if a tree root trust is compatible with Azure AD Connect? Has anyone already had this problem?
Sep 10 2019 11:12 AM
AD trust is not a requirement for AAD Connect unless you are using PTA for auth. If using PTA you will need a forest trust. If not using PTA then check if the permissions\firewalls are all in place for password sync.
Sep 10 2019 01:21 PM
@mathiassii The ADDS connector space agent needs to have at least the following permissions in the other forest. Did you verify this?
| Type  | Name                     | Permission                        | Applies to                      |
|-------|--------------------------|-----------------------------------|---------------------------------|
| Allow | AD DS Connector Account  | Replicating Directory Changes     | This object only (Domain root)  |
| Allow | AD DS Connector Account  | Replicating Directory Changes All | This object only (Domain root)  |
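One way to verify those two entries on the other forest's domain root, as an added example that is not part of the thread: the script below resolves the extended-right GUIDs from that forest's own Extended-Rights container and then reads the domain root DACL for the connector account. The DC name and account name are placeholders, and it assumes the RSAT ActiveDirectory module and read access to the domain root ACL.

```powershell
# Added verification script (not from the original thread).
# Assumes: RSAT ActiveDirectory module; read access to the domain root ACL;
# the server and account values below are placeholders to replace.
param(
    [string]$Server  = 'dc01.otherforest.example',   # placeholder DC in the other forest
    [string]$Account = 'OTHERFOREST\MSOL_connector'  # placeholder AD DS Connector account
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE -Server $Server
$domainDn = $rootDse.defaultNamingContext

# Resolve the control access rights by display name from this forest's
# configuration partition instead of hard-coding their GUIDs.
$wanted = 'Replicating Directory Changes', 'Replicating Directory Changes All'
$rights = Get-ADObject -Server $Server `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    Where-Object { $wanted -contains $_.displayName }

# Bind an AD: style drive to that server so Get-Acl reads the remote forest's DACL.
New-PSDrive -Name OtherForest -PSProvider ActiveDirectory -Server $Server -Root '' | Out-Null
$acl = Get-Acl -Path "OtherForest:\$domainDn"

$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$result = foreach ($r in $rights) {
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq [guid]$r.rightsGuid -and
        $_.ActiveDirectoryRights.HasFlag($extended)
    } | Select-Object -First 1
    [pscustomobject]@{
        Right   = $r.displayName
        Granted = [bool]$ace
        # The table above says "This object only": InheritanceType should be 'None'.
        Scope   = if ($ace) { $ace.InheritanceType } else { 'missing' }
    }
}
$result | Format-Table -AutoSize
```

A row showing Granted = False, or a Scope other than None, is the entry to fix before re-testing password hash sync.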
Sep 11 2019 06:40 PM
@mathiassii I recommend you try using the password hash troubleshooting tool.
Sep 12 2019 05:29 AM
It's the first time I've heard of this type of trust, but I confirm this trust exists.
Parent-child Trust: Parent-child Trust is an implicitly established, two-way, transitive trust when you add a new child domain to a tree.
Tree-root Trust: Tree-root Trust is an implicitly established, two-way, transitive trust when you add a new tree root domain to a forest.
Shortcut Trust: Shortcut Trust is an explicitly created, transitive trust between two domains in a forest to improve user logon times. Shortcut Trust will make a trust path shorter between two domains in the same forest. The Shortcut Trust can be one-way or two-way.
External Trust: External Trust is an explicitly created, non-transitive trust between Windows Server 2003 domains that are in different forests, or between a Windows Server 2003 domain and a Windows NT 4 domain. The External Trust can be one-way or two-way.
Realm Trust: Realm Trust is an explicitly created, transitive or non-transitive trust between a non-Windows Kerberos realm and a Windows Server 2003 domain. This trust helps to create a trust relationship between a Windows Server 2003 domain and any Kerberos version 5 realm. The Realm Trust can be one-way or two-way.
Forest Trust: Forest Trust is an explicitly created, transitive trust (between two forests) between two forest root domains. The Forest Trust can be one-way or two-way.