- Forest A & B have a forest trust configured
- Both forests use Exchange 2010 mailboxes on premise
- Both forests share the same SMTP domain, i.e. @contoso.com (both forests have mailboxes using the same domain)
- Exchange 2016 is installed to enable a hybrid migration
- ADFS is installed in Forest A only (as a trust is in place, it allows ADFS to be placed in one forest?)
- AADC is installed in Forest A and syncs both Forest A and B to O365
Aim: To migrate to Office 365 using hybrid from both forest A and B
What happens if mailboxes in both forest A and B have the same UPN suffix (i.e. contoso.com), which is the mailbox primary email domain as well?
- Will ADFS be able to authenticate logons from both forests, bearing in mind that a shared SMTP domain is in use?
- If ADFS cannot be used, can AADC password replication from both Forest A and B be used instead?
- Is there any way to use AADC with SSO from both Forest A and B to overcome the limitation introduced by the shared SMTP domain used for both Forest A and B?
This works as long as the UPN is not in use in both forests. If you have ADFS, the forest in which authentication occurs needs a UPN suffix for the UPN pointing to the other forest for auth to work. This is very complex - avoid it. If you use PTA+SSO, there is a similar issue based on the forest in which you install the auth agent. Password hash auth is done in Azure AD - this works fine. If you have the user migrated to the other forest, don't sync the OU that contains the duplicate user - the user can only be synced once (unless linked mailboxes, but you did not say that).
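The answer's condition ("as long as the UPN is not in use in both forests") is something you can verify before turning on sync. The script below is an added example written for this thread, not code from the original poster or from Microsoft; it reads both forests over the existing trust and lists UPNs (and primary SMTP addresses) that appear in both, so the duplicate objects can be excluded from the AADC OU scope. Domain controller names, the Forest B credential prompt, and the contoso.com suffix (taken from the question) are assumptions; it requires the ActiveDirectory RSAT module.

```powershell
# Added example (not from the thread): find UPNs and primary SMTP addresses
# that exist in BOTH forests before enabling Azure AD Connect sync.
# Placeholders, not from the thread: the two DC names and the Forest B credential.
Import-Module ActiveDirectory

$forestA_DC   = 'dc01.foresta.example'   # placeholder DC in Forest A
$forestB_DC   = 'dc01.forestb.example'   # placeholder DC in Forest B
$upnSuffix    = 'contoso.com'            # shared suffix from the question
$forestB_Cred = Get-Credential -Message 'Forest B account with read access'

# Returns one row per user whose UPN ends in the shared suffix.
function Get-ForestUpnTable {
    param(
        [Parameter(Mandatory)][string]$Server,
        [pscredential]$Credential
    )
    $params = @{
        Server     = $Server
        Filter     = "UserPrincipalName -like '*@$upnSuffix'"
        Properties = 'UserPrincipalName','proxyAddresses','DistinguishedName'
    }
    if ($Credential) { $params.Credential = $Credential }

    Get-ADUser @params | ForEach-Object {
        # Primary SMTP is the proxyAddresses entry with an upper-case "SMTP:" prefix.
        $primary = ($_.proxyAddresses |
            Where-Object { $_ -cmatch '^SMTP:' } |
            Select-Object -First 1) -replace '^SMTP:', ''
        [pscustomobject]@{
            UPN         = $_.UserPrincipalName.ToLowerInvariant()
            PrimarySmtp = $primary.ToLowerInvariant()
            DN          = $_.DistinguishedName
        }
    }
}

$a = Get-ForestUpnTable -Server $forestA_DC
$b = Get-ForestUpnTable -Server $forestB_DC -Credential $forestB_Cred

# Index Forest B by UPN and by primary SMTP for O(1) lookups.
$bByUpn  = @{}; foreach ($u in $b) { $bByUpn[$u.UPN] = $u }
$bBySmtp = @{}; foreach ($u in $b) { if ($u.PrimarySmtp) { $bBySmtp[$u.PrimarySmtp] = $u } }

$upnDupes = foreach ($u in $a) {
    if ($bByUpn.ContainsKey($u.UPN)) {
        [pscustomobject]@{ UPN = $u.UPN; ForestA_DN = $u.DN; ForestB_DN = $bByUpn[$u.UPN].DN }
    }
}
$smtpDupes = foreach ($u in $a) {
    if ($u.PrimarySmtp -and $bBySmtp.ContainsKey($u.PrimarySmtp)) {
        [pscustomobject]@{ PrimarySmtp = $u.PrimarySmtp; ForestA_DN = $u.DN; ForestB_DN = $bBySmtp[$u.PrimarySmtp].DN }
    }
}

# Anything listed here will collide in Azure AD; exclude one side from the
# AADC OU scope (or finish the cross-forest migration) before syncing.
"UPNs present in both forests: $(@($upnDupes).Count)"
$upnDupes | Format-Table -AutoSize
"Primary SMTP addresses present in both forests: $(@($smtpDupes).Count)"
$smtpDupes | Format-Table -AutoSize
```

Run it from a management host joined to Forest A with a Forest B read-only account; the Forest B lookup relies only on the existing forest trust and LDAP reachability. Exporting the two result sets with `Export-Csv` gives a list to reconcile against the AADC OU filtering before the first sync cycle.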