Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Tree AD trust with AAD Connect

Copper Contributor

Hi guys. I have a customer having multiple forests but one of them is tree root trust and not forest trust. We implemented AAD Connect and we can't synchronize user password with this forest. All accounts in other forests work very well.

Someone knows if the tree root trust is compatible with Azure AD Connect ? Someone already has this problem ?

Thanks

9 Replies

@mathiassii 

 

AD trust is not a requirement for AAD Connect unless you are using PTA for auth. If using PTA you will need a forest trust. If not using PTA then check if the permissions\firewalls are all in place for password sync.

 

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-faq

 

Hi @LM ,

 

Currently we didn't implement the PTA but it's the next step ;). Thanks for your link.

We will recheck the permissions and firewall.

 

Thanks

@mathiassii  The ADDS connector space agent needs to have at least the following permissions in the other forest. Did you verify this?

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connec... 

AllowAD DS Connector AccountReplicating Directory ChangesThis object only (Domain root)
AllowAD DS Connector AccountReplicating Directory Changes AllThis object only (Domain root)

Hi @rosaliod 

yes we verified it and everything is ok.

You mentioned an AD Tree trust however there are only 4 types of trusts I know of.

1.external trust
2. Realm trust
3. Forest trust
4. Shortcut trust

Which trust is configured? Is this a domain in the same Forest or a domain in another Forest?

Hi @rosaliod 

 

It's the first time i heard this type of trust but i confirm, this trust exists

Active Directory Trust Types

Parent-child Trust: Parent-child Trust is an implicitly established, two-way, transitive trust when you add a new child domain to a tree.

Tree-root Trust: Tree-root Trust is an implicitly established, two-way, transitive trust when you add a new tree root domain to a forest.

Shortcut Trust: Shortcut Trust is an explicitly created, transitive trust between two domains in a forest to improve user logon times. Shortcut Trust will make a trust path shorter between two domains in the same forest. The Shortcut Trust can be one-way or two-way.

External Trust: External Trust is explicitly created, non-transitive trust between Windows Server 2003 domains that are in different forests or between a Windows Server 2003 domain and Windows NT 4 domain. The External Trust can be one-way or two-way.

Realm Trust: Realm Trust is explicitly created transitive or non-transitive trust between a non Windows Kerberos realm and a Windows Server 2003 domain. This trust helps to create trust relationship between Windows Server 2003 domain and any Kerberos version 5 realm. The Realm Trust can be and one-way or two-way.

Forest Trust: Forest Trust is explicitly transitive (between two forests) created trust between two forest root domains. The Forest Trust can be one-way or two-way.

That sure is right! Did you get a chance to use the password sync troubleshooting tool?

Hi @rosaliod,

We asked to the customer if he did something because today it works.

We will see ;)