Questions on Multi-forest - Hybrid Exchange scenario


Hi Experts, 


One of our customers raised the query below:


They have the below environment:

- Forest A & B have a forest trust configured
- Both forests use Exchange 2010 mailboxes on premise
- Both forests share the same SMTP domain, i.e. both forests have mailboxes using the same domain
- Exchange 2016 is installed to enable a hybrid migration
- ADFS is installed in Forest A only (as a trust is in place, does it allow ADFS to be placed in one forest?)
- AADC is installed in Forest A and syncs both Forest A and B to O365

Aim: To migrate to Office 365 using hybrid from both forest A and B



What happens if mailboxes in both forest A and B have the same UPN suffix (i.e., one which is also the mailbox's primary email domain)?

- Will ADFS be able to authenticate logons from both forests, bearing in mind that a shared SMTP domain is in use?
- If ADFS cannot be used, can AADC password rep from both Forest A and B be used instead?
- Is there any way to use AADC with SSO from both Forest A and B to overcome the limitation introduced by the shared SMTP domain used for both forest A and B?


Any pointers would be of great help!!


Many thanks in advance. 

1 Reply
This works as long as the UPN is not in use in both forests. If you have ADFS, the forest in which authentication occurs needs a UPN suffix for the UPN pointing to the other forest for auth to work. This is very complex - avoid it. If you use PTA+SSO, there is a similar issue based on the forest in which you install the auth agent. Password hash auth is done in Azure AD - this works fine. If you have the user migrated to the other forest, don't sync the OU that contains the duplicate user - the user can only be synced once (unless linked mailboxes, but you did not say that).
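The reply's condition ("the UPN is not in use in both forests", and a mailbox "can only be synced once") is something you can verify before turning on AADC. The following PowerShell is an added example written for this thread, not code from the reply author or from Microsoft; it assumes the RSAT ActiveDirectory module, that the forest trust lets the account running it read user objects in both forests, and it uses placeholder forest names (`forestA.example.com`, `forestB.example.com`) that you would replace with your own.

```powershell
# Added example (not from the thread): list UPN and primary SMTP collisions
# across two forests before syncing both with AADC, and show which UPN
# suffixes each forest actually has registered (relevant for ADFS/PTA routing).
Import-Module ActiveDirectory

# Placeholder forest root names; replace with the real forest DNS names.
$forests = @('forestA.example.com', 'forestB.example.com')

# Pull every user with a UPN from each forest into a flat list.
$users = foreach ($f in $forests) {
    Get-ADUser -Server $f -Filter 'userPrincipalName -like "*"' `
        -Properties userPrincipalName, proxyAddresses, mail |
    ForEach-Object {
        # Primary SMTP is the proxyAddresses entry with an upper-case "SMTP:" prefix;
        # fall back to the mail attribute when proxyAddresses is not populated.
        $primary = $_.proxyAddresses |
            Where-Object { $_ -clike 'SMTP:*' } |
            ForEach-Object { $_.Substring(5) } |
            Select-Object -First 1
        if (-not $primary) { $primary = $_.mail }

        [pscustomobject]@{
            Forest = $f
            Sam    = $_.SamAccountName
            UPN    = $_.UserPrincipalName
            SMTP   = $primary
        }
    }
}

# 1. UPNs that exist in more than one forest: AADC will only accept one of them,
#    and ADFS/PTA cannot tell which forest should authenticate the logon.
$dupUpn = $users | Where-Object UPN | Group-Object UPN | Where-Object Count -gt 1
Write-Host "UPNs present in more than one forest: $($dupUpn.Count)"
$dupUpn | ForEach-Object {
    $_.Group | Select-Object UPN, Forest, Sam | Format-Table -AutoSize
}

# 2. Same primary SMTP address in both forests: typically the same person (or a
#    migrated mailbox) represented twice; only one copy may be in AADC scope.
$dupSmtp = $users | Where-Object SMTP | Group-Object SMTP | Where-Object Count -gt 1
Write-Host "Primary SMTP addresses present in more than one forest: $($dupSmtp.Count)"
$dupSmtp | ForEach-Object {
    $_.Group | Select-Object SMTP, Forest, Sam, UPN | Format-Table -AutoSize
}

# 3. Registered UPN suffixes per forest. The reply notes that the forest doing
#    authentication must have a suffix for the UPNs that belong to the other forest.
foreach ($f in $forests) {
    $suffixes = (Get-ADForest -Identity $f).UPNSuffixes
    Write-Host "$f UPN suffixes: $($suffixes -join ', ')"
}
```

Run it from a workstation with RSAT before moving users into the AADC OU scope. An empty result for both collision lists is the state the reply describes as working; any entry in the first list has to be resolved (rename one UPN or exclude one account's OU from sync) rather than synced as-is.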