Forum Discussion
AAD Connect - Object matching across forests, post-installation
We would like to connect a second resource forest to our instance of AAD Connect. This forest is used as a Skype resource forest with disabled users populated with the necessary Skype attributes with the goal of hybrid enablement.
During the initial setup of AAD Connect, there is the option for "Uniquely identifying your users". However, this screen is not available during a re-run of the AAD config once it has been installed. Is it possible post-installation to define a custom attribute to match users existing more than once across forests? Is retroactive object matching possible or do we need to re-install AAD Connect, and recreate the metaverse and connectors once again?
Additionally, we plan to use a custom attribute which is also our chosen ImmutableID and is written to both user objects through our identity provisioning system. Do you see any issues using this attribute for the matching or would another be preferred in a Skype hybrid scenario?
- Adam Ochs, Steel Contributor
Hey Keith,
Not sure I can answer all of your questions, but hopefully I can help the conversation along some.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies
That link goes over all the supported topologies. The good news is what you are describing is in there in two different forms (all under the multiple forest match users settings). As long as your users only have one active account (which your description points out) this should work. The bad news is that it seems the match pre-defines the attributes for you to use as either Mail or ObjectSid/an exchangeSid.
I would read into those topologies more, and with that as a starting point I am sure you can get more details, or perhaps someone smarter than me to help you here! :)
Finally yes, you want to re-install AADC as you are changing your topology and design, not modifying your existing one.
Adam