SOLVED

Multiple forest Exchange hybrid without forest trust


Hi,

I have to make sure of the requirement.

I have two forests and want to deploy Exchange hybrid with a single tenant. Based on this article, https://docs.microsoft.com/en-us/exchange/hybrid-deployment/hybrid-with-multiple-forests, there is no requirement to configure a forest trust to deploy Exchange hybrid.

Is it correct that we can do this without a trust?

How does Azure AD Connect recognize the other domain without a trust?

Thanks

5 Replies
AD Connect can use a service account; it doesn't need to be in the domain. You'll essentially be setting up two forest connectors and one AAD connector.

Supported topology is at this link: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-forests-single-azure-ad-tenant
Hi, @AdminSeanMc

Happy to hear there is no trust required :smile:

If I have already made Azure AD Connect and the other forest's DC ping each other, is there any other requirement, like a conditional DNS forwarder? Because not all the resources/IP addresses are routable between the domains. I just need to run user sync only.

Thanks for your reply

As long as the AD Connect server can resolve both forests and can connect on the required ports as per the documentation, AD Connect can sync your users. You can add OU filtering to the connectors to capture just the users you want. You can set up DNS conditional forwarders to ensure AD Connect can resolve both forests and all DCs.

The topology you're looking for is in the documentation as "Multiple forests, single Azure AD tenant"

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies
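An added pre-flight check (not from either reply, and not Microsoft's own tooling) that puts the answer above into practice: run it on the Azure AD Connect server to confirm it can locate the domain controllers of both forests through DNS and reach them on the ports the connector needs. The forest names are the thread's examples; the port list is my assumption based on the linked AD Connect documentation, so verify it against that page before relying on it.

```powershell
# Added example: verify name resolution and port reachability from the
# Azure AD Connect server to every DC in each forest it will connect to.
# Forest names are the thread's examples; ports are assumed from the docs.
$forests = 'contoso.com', 'fabrikam.com'
$ports   = 53, 88, 135, 389, 445, 636, 3268, 3269

foreach ($forest in $forests) {
    # The connector locates DCs via the _msdcs SRV records, so this lookup
    # fails when conditional forwarders (or hosts entries) do not cover them.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forest" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) {
        Write-Warning "No DC SRV records found for $forest - check DNS forwarding for _msdcs.$forest"
        continue
    }

    # Resolve-DnsName also returns glue A records; keep only the SRV targets.
    $dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique

    foreach ($dc in $dcs) {
        foreach ($port in $ports) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Forest = $forest
                DC     = $dc
                Port   = $port
                Open   = $r.TcpTestSucceeded
            }
        }
    }
}
```

Any row with `Open = False` points at either a missing route (the situation described later in this thread) or a firewall rule, and any forest with no SRV records means the AD Connect server is not resolving that forest's DC locator records at all, which is the first thing the wizard will fail on.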
Hi, @AdminSeanMc

I already tested with conditional forwarders, but conditional forwarders are not suitable for my environment.

Let me give an example. I have two forests: contoso.com and fabrikam.com.

If I enable a conditional forwarder for fabrikam.com in the contoso DNS, all records for fabrikam.com will be routed through its internal DNS A records. If a contoso client tries to ping www.fabrikam.com, it will be resolved to the internal IP, and the routing is not available, so the result of pinging www.fabrikam.com is RTO. My requirement is that when a contoso client pings www.fabrikam.com, it resolves to the public IP.

I'm curious, is there any solution that suits my requirement? Is a hosts file available to do that?

Thanks before
Best Response confirmed by Ichwan (Occasional Contributor)
Solution

@Ichwan 

Hosts file records should work but are generally not recommended, as they introduce complexity and manual configuration. Alternatively, you could look at a dedicated non-AD-integrated DNS server to manage just the AD Connect lookups, or update your public records in your internal DNS servers to point to the public IP (this depends on whether that will impact your internal users).
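An added illustration (my example, not part of the accepted answer) of the "dedicated DNS server" option above, which avoids both the hosts-file maintenance and the forest-wide forwarder that broke www.fabrikam.com for contoso clients: a standalone Windows DNS server forwards each forest's AD zone to that forest's DCs, and only the AD Connect server is pointed at it. Forest names are the thread's; the DC and DNS server addresses are placeholders.

```powershell
# Added example, two parts. Part 1 runs on the dedicated (non-AD-integrated)
# Windows DNS server that will serve only the Azure AD Connect machine.
# Forest names are the thread's examples; IP addresses are placeholders.
$forwarders = @{
    'contoso.com'  = '10.0.0.10', '10.0.0.11'   # placeholder contoso DCs
    'fabrikam.com' = '10.1.0.10', '10.1.0.11'   # placeholder fabrikam DCs
}

foreach ($zone in $forwarders.Keys) {
    # Create the conditional forwarder only if it does not already exist,
    # so the script can be re-run safely.
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $forwarders[$zone] -PassThru
    }
}

# Part 2 runs on the Azure AD Connect server: point only this machine's
# active adapter at the dedicated DNS server. Every other contoso client keeps
# its normal resolvers, so www.fabrikam.com still resolves to the public IP
# for them, while AD Connect reaches both forests' internal DC records.
$dedicatedDns = '10.0.0.53'   # placeholder address of the dedicated DNS server
$nic = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $dedicatedDns
```

Two things to keep in mind with this layout: the dedicated server still needs ordinary forwarders (or root hints) for everything that is not one of the two forests, since the AD Connect server will use it for all lookups, and the server should be treated as part of the identity infrastructure (patched and access-controlled like a DC), because anything that can alter its forwarder entries can redirect where AD Connect reads directory data from.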