Questions on Multi-forest - Hybrid Exchange scenario


Hi Experts, 


One of our customers raised the query below:


They have the below environment:


- Forest A & B have a forest trust configured
- Both forests use Exchange 2010 mailboxes on premise
- Both forests share the same SMTP domain, i.e. @contoso.com (both forests have mailboxes using the same domain)
- Exchange 2016 is installed to enable a hybrid migration
- ADFS is installed in Forest A only (as a trust is in place, does it allow ADFS to be placed in one forest?)
- AADC is installed in Forest A and syncs both Forest A and B to O365

Aim: To migrate to Office 365 using hybrid from both forest A and B


Query:

What happens if mailboxes in both forest A and B have the same UPN suffix (i.e. contoso.com), which is the mailbox primary email domain as well?

- Will ADFS be able to authenticate logons from both forests, bearing in mind that a shared SMTP domain is in use?
- If ADFS cannot be used, can AADC password rep from both Forest A and B be used instead?
- Is there any way to use AADC with SSO from both Forest A and B to overcome the limitation introduced by the shared SMTP domain used for both Forest A and B?


Any pointers would be of great help!!


Many thanks in advance. 

1 Reply
This works as long as the UPN is not in use in both forests. If you have ADFS, the forest in which authentication occurs needs a UPN suffix for the UPN pointing to the other forest for auth to work. This is very complex - avoid it. If you use PTA+SSO, there is a similar issue based on the forest in which you install the auth agent. Password Hash auth is done in Azure AD - this works fine. If you have the user migrated to the other forest, don't sync the OU that contains the duplicate user - the user can only be synced once (unless linked mailboxes, but you did not say that).
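A practical pre-check for the condition the reply describes (the same user must not be synced twice, and a UPN must not be in use in both forests), added here as an example that is not part of the original thread: a PowerShell function that takes user exports from Forest A and Forest B and reports every UPN and SMTP address that appears in both, so the objects or OU to exclude from AAD Connect are known before the first sync. The DC names, the sample users and the function name are assumptions; the live Get-ADUser query is shown commented out and needs the RSAT ActiveDirectory module.

```powershell
# Added example, not code from the original post or from Microsoft.
# Finds identities that exist in both forests under the shared suffix.

function Get-CrossForestIdentityCollisions {
    param(
        [Parameter(Mandatory)] [object[]] $ForestAUsers,
        [Parameter(Mandatory)] [object[]] $ForestBUsers,
        [string] $Suffix = 'contoso.com'   # shared UPN / SMTP suffix from the question
    )

    # Normalise both sets: lower-case the UPN and pull SMTP addresses out of proxyAddresses.
    $all = foreach ($u in ($ForestAUsers + $ForestBUsers)) {
        [pscustomobject]@{
            Forest = $u.Forest
            Sam    = $u.SamAccountName
            Upn    = $u.UserPrincipalName.ToLowerInvariant()
            Smtp   = @($u.ProxyAddresses |
                       Where-Object { $_ -match '^smtp:' } |
                       ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() })
        }
    }

    # A UPN under the shared suffix present in more than one forest breaks ADFS/PTA routing
    # and would make AAD Connect see the same identity twice.
    $upnCollisions = $all |
        Where-Object { $_.Upn -like "*@$Suffix" } |
        Group-Object Upn |
        Where-Object { @($_.Group.Forest | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Upn = $_.Name; Forests = @($_.Group.Forest | Select-Object -Unique) } }

    # An SMTP address present in both forests is the same problem on the Exchange side.
    $smtpCollisions = $all |
        ForEach-Object { $o = $_; $o.Smtp | ForEach-Object { [pscustomobject]@{ Smtp = $_; Forest = $o.Forest; Sam = $o.Sam } } } |
        Group-Object Smtp |
        Where-Object { @($_.Group.Forest | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Smtp = $_.Name; Forests = @($_.Group.Forest | Select-Object -Unique) } }

    [pscustomobject]@{
        UpnCollisions  = @($upnCollisions)
        SmtpCollisions = @($smtpCollisions)
    }
}

# --- Constructed sample data (stands in for the two forest exports) ---
$forestA = @(
    [pscustomobject]@{ Forest='A'; SamAccountName='jdoe';  UserPrincipalName='jdoe@contoso.com';  ProxyAddresses=@('SMTP:jdoe@contoso.com') }
    [pscustomobject]@{ Forest='A'; SamAccountName='asmith'; UserPrincipalName='asmith@contoso.com'; ProxyAddresses=@('SMTP:asmith@contoso.com') }
)
$forestB = @(
    [pscustomobject]@{ Forest='B'; SamAccountName='jdoe';  UserPrincipalName='jdoe@contoso.com';  ProxyAddresses=@('SMTP:jdoe@contoso.com','smtp:john.doe@contoso.com') }  # migrated copy: must not be synced twice
    [pscustomobject]@{ Forest='B'; SamAccountName='bjones'; UserPrincipalName='bjones@contoso.com'; ProxyAddresses=@('SMTP:bjones@contoso.com') }
)

# --- Live equivalent (assumed DC names; requires RSAT ActiveDirectory module) ---
# $forestA = Get-ADUser -Server 'dc1.foresta.local' -Filter 'UserPrincipalName -like "*@contoso.com"' -Properties proxyAddresses |
#            Select-Object @{n='Forest';e={'A'}}, SamAccountName, UserPrincipalName, @{n='ProxyAddresses';e={$_.proxyAddresses}}
# $forestB = Get-ADUser -Server 'dc1.forestb.local' -Filter 'UserPrincipalName -like "*@contoso.com"' -Properties proxyAddresses |
#            Select-Object @{n='Forest';e={'B'}}, SamAccountName, UserPrincipalName, @{n='ProxyAddresses';e={$_.proxyAddresses}}

$result = Get-CrossForestIdentityCollisions -ForestAUsers $forestA -ForestBUsers $forestB
$result.UpnCollisions  | Format-Table -AutoSize   # jdoe@contoso.com present in A and B
$result.SmtpCollisions | Format-Table -AutoSize   # jdoe@contoso.com present in A and B
```

With the constructed data the report lists only jdoe, which is the object the reply says to keep out of sync (by excluding its OU in one forest, or scoping AAD Connect's filter) until the migration is complete; asmith and bjones are unique and sync cleanly.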