Tree AD trust with AAD Connect

Question

Hi guys. I have a customer having multiple forests but one of them is tree root trust and not forest trust. We implemented AAD Connect and we can't synchronize user password with this forest. All accounts in other forests work very well.

Someone knows if the tree root trust is compatible with Azure AD Connect ? Someone already has this problem ?

Thanks

rosaliod · Answer

mathiassii&nbsp;I recommend you try using the password hash troubleshooting tool.&nbsp;&nbsp;https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-hash-synchronization

lm · Answer

mathiassii&nbsp;&nbsp;AD trust is not a requirement for AAD Connect unless you are using PTA for auth. If using PTA you will need a forest trust. If not using PTA then check if the permissions\firewalls are all in place for password sync.&nbsp;https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-faq&nbsp;

mathiassii · Answer

Hi&nbsp;LM&nbsp;,&nbsp;Currently we didn't implement the PTA but it's the next step ;). Thanks for your link.We will recheck the permissions and firewall.&nbsp;Thanks

rosaliod · Answer

mathiassii&nbsp; The ADDS connector space agent needs to have at least the following permissions in the other forest. Did you verify this?https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account#permissions-for-password-hash-synchronization&nbsp;AllowAD DS Connector AccountReplicating Directory ChangesThis object only (Domain root)AllowAD DS Connector AccountReplicating Directory Changes AllThis object only (Domain root)

mathiassii · Answer

Hi&nbsp;rosaliod&nbsp;yes we verified it and everything is ok.

Forum Discussion

Tree AD trust with AAD Connect

9 Replies

Resources

Allow	AD DS Connector Account	Replicating Directory Changes	This object only (Domain root)
Allow	AD DS Connector Account	Replicating Directory Changes All	This object only (Domain root)