May 20 2020 - last edited on Feb 01 2023
I'm trying to implement two cases to sync AD users to O365.
Case A: Domain1 and Domain2 are two DCs we have with trust enabled.
Domain1 has ADConnect installed and syncs users from both Domain1 and Domain2 to Tenant1 on O365. ADConnect on Domain1 uses ms-DS-ConsistencyGuid to identify users with Azure AD.
Case B: We also have Tenant2 for which we want to sync users only from Domain2. Is it possible to change ms-DS-ConsistencyGuid for ADConnect on Domain2 to sync users to Tenant2 also? I tried to set it to msDS-cloudExtensionAttribute20 but it does not sync users to Tenant2.
Please see attached. It shows 2 cases (Case A works but Case B does not).
May 21 2020 09:46 AM
@kpsingh as long as you use OU Filtering so that each object is only synced to a single Azure AD Tenant then you are in a supported design as per the Microsoft documentation here:
The Azure AD Connect sync servers must be configured for filtering so that each has a mutually exclusive set of objects to operate on. You can, for example, scope each server to a particular domain or organizational unit.
A DNS domain can be registered in only a single Azure AD tenant. The UPNs of the users in the on-premises Active Directory instance must also use separate namespaces. For example, in the preceding picture, three separate UPN suffixes are registered in the on-premises Active Directory instance: contoso.com, fabrikam.com, and wingtiptoys.com. The users in each on-premises Active Directory domain use a different namespace.
This topology has the following restrictions on otherwise supported scenarios:
The requirement for a mutually exclusive set of objects also applies to writeback. Some writeback features are not supported with this topology because they assume a single on-premises configuration. These features include:
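An added check, not code from the thread or from Microsoft, that applies the two requirements quoted in the answer above to the original poster's two-connector setup: it lists the users each Azure AD Connect server's OU filter would pick up, reports any object that falls into both scopes (the Case B overlap, since the Tenant1 connector already takes Domain2 users), and flags UPN suffixes not registered in the tenant that connector feeds. Server names, OU paths and UPN suffixes are placeholders you must replace.

```powershell
# Added example: validate mutually exclusive AAD Connect scopes and separate UPN namespaces.
# Domains, OUs and suffixes are placeholders (hypothetical), not values from the thread.
Import-Module ActiveDirectory

$scopes = @(
    @{ Name = 'Connector-Tenant1'
       SearchBases = @(
           @{ Server = 'domain1.example'; Base = 'OU=Users,DC=domain1,DC=example' },
           @{ Server = 'domain2.example'; Base = 'OU=Users,DC=domain2,DC=example' })
       UpnSuffixes = @('domain1.example') },
    @{ Name = 'Connector-Tenant2'
       SearchBases = @(
           @{ Server = 'domain2.example'; Base = 'OU=Users,DC=domain2,DC=example' })
       UpnSuffixes = @('domain2.example') }
)

# Enumerate every user a connector's OU filter would sync, tagged with the connector name.
function Get-ScopedUsers {
    param($Scope)
    foreach ($sb in $Scope.SearchBases) {
        Get-ADUser -Server $sb.Server -SearchBase $sb.Base -SearchScope Subtree -Filter * |
            Select-Object @{ n = 'Scope'; e = { $Scope.Name } }, ObjectGUID, UserPrincipalName
    }
}

$all = foreach ($s in $scopes) { Get-ScopedUsers -Scope $s }

# Check 1: each object may be in scope of only one connector (the quoted "mutually exclusive" rule).
$all | Group-Object ObjectGUID | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    "OVERLAP: $($_.Group[0].UserPrincipalName) is in scope of: $($_.Group.Scope -join ', ')"
}

# Check 2: a user's UPN suffix must be one registered in the tenant its connector feeds,
# because a DNS domain can be verified in only one tenant.
foreach ($s in $scopes) {
    $all | Where-Object { $_.Scope -eq $s.Name } | ForEach-Object {
        $suffix = ($_.UserPrincipalName -split '@')[-1]
        if ($suffix -notin $s.UpnSuffixes) {
            "UPN MISMATCH: $($_.UserPrincipalName) is synced by $($s.Name) but '$suffix' is not registered there"
        }
    }
}
```

Run it from a host that can reach a domain controller in each domain over the existing trust; an empty result means the filters satisfy both restrictions, while OVERLAP lines show exactly which objects the Domain2 filter must exclude from one of the connectors.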