
Questions on Multi-forest - Hybrid Exchange scenario

SB V
Contributor

Hi Experts,

One of our customers raised the below query:

They have the below environment:


-Forest A & B have a forest trust configured
-Both forests use Exchange 2010 mailboxes on-premises
-Both forests share the same SMTP domain, i.e. @contoso.com (both forests have mailboxes using the same domain)
-Exchange 2016 is installed to enable a hybrid migration
-ADFS is installed in Forest A only (as a trust is in place, it allows ADFS to be placed in one forest?)
-AADC is installed in Forest A and syncs both Forest A and B to O365

Aim: To migrate to Office 365 using hybrid from both forest A and B

 

Query:

What happens if mailboxes in both forest A and B have the same UPN suffix (i.e. contoso.com), which is the mailbox primary email domain as well?

-Will ADFS be able to authenticate logons from both forests, bearing in mind that the shared SMTP domain is in use?
-If ADFS cannot be used, can AADC password rep from both Forest A and B be used instead?
-Is there any way to use AADC with SSO from both Forest A and B to overcome the limitation introduced by the shared SMTP domain used for both forest A and B?

Any pointers would be of great help!!

Many thanks in advance.

1 Reply
This works as long as the UPN is not in use in both forests. If you have ADFS, the forest in which authentication occurs needs a UPN suffix for the UPN pointing to the other forest for auth to work. This is very complex - avoid it. If you use PTA+SSO, there is a similar issue based on the forest in which you install the auth agent. Password Hash auth is done in Azure AD - this works fine. If you have the user migrated to the other forest, don't sync the OU that contains the duplicate user - the user can only be synced once (unless linked mailboxes, but you did not say that).
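The reply hinges on one condition: a UPN (or SMTP address) must not be in use in both forests, because Azure AD Connect can only sync each user once. Before enabling sync from both forests, an administrator would want a list of the accounts that collide so the right OUs can be excluded in the connector's filtering. The script below is an added example written for this thread, not code from the original post or from Microsoft; it assumes the ActiveDirectory PowerShell module, the forest trust already described, and reachable domain controllers whose names are placeholders.

```powershell
# Added example (not from the original thread): list users whose UPN or SMTP
# proxy address appears in both Forest A and Forest B, i.e. the accounts that
# Azure AD Connect would attempt to sync twice. DC names are placeholders.
Import-Module ActiveDirectory

$forests = @{
    'ForestA' = 'dc01.foresta.example'   # placeholder DC for Forest A
    'ForestB' = 'dc01.forestb.example'   # placeholder DC for Forest B
}

# Build an index: identifier -> list of "forest\sAMAccountName" that carry it.
$index = @{}
foreach ($name in $forests.Keys) {
    # Only mail-enabled user objects matter for the hybrid migration.
    $users = Get-ADUser -Server $forests[$name] `
        -LDAPFilter '(&(objectCategory=person)(mail=*))' `
        -Properties userPrincipalName, proxyAddresses

    foreach ($u in $users) {
        $keys = @()
        if ($u.UserPrincipalName) {
            $keys += ('upn:' + $u.UserPrincipalName.ToLower())
        }
        # proxyAddresses entries look like "SMTP:user@contoso.com" (primary) or
        # "smtp:alias@contoso.com"; -like is case-insensitive so both are caught.
        foreach ($p in ($u.proxyAddresses | Where-Object { $_ -like 'smtp:*' })) {
            $keys += ('smtp:' + $p.Substring(5).ToLower())
        }
        foreach ($k in $keys) {
            if (-not $index.ContainsKey($k)) {
                $index[$k] = New-Object System.Collections.ArrayList
            }
            [void]$index[$k].Add("$name\$($u.SamAccountName)")
        }
    }
}

# Report only identifiers present in more than one forest.
$index.GetEnumerator() |
    Where-Object {
        ($_.Value | ForEach-Object { $_.Split('\')[0] } | Sort-Object -Unique).Count -gt 1
    } |
    ForEach-Object {
        [pscustomobject]@{ Identifier = $_.Key; Accounts = ($_.Value -join ', ') }
    } |
    Sort-Object Identifier | Format-Table -AutoSize
```

Every row in the output is a user that exists in both forests under the same UPN or SMTP address; for each one, only one copy should sit inside an OU that Azure AD Connect syncs (the other OU is excluded in the connector's domain/OU filtering), which is the "don't sync that OU" step in the reply. Running this check before the first sync avoids the duplicate-attribute errors that otherwise show up in the sync service after the fact.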