Office
Sign in

Implement support for multiple forests

Your browser does not support video. Install Microsoft Silverlight, Adobe Flash Player, or Internet Explorer 9.

Develop your talent with more than 10,000 online courses from LinkedIn Learning

In this lesson, we will look at the topic of supporting multiple Active Directory forests. We'll start with a quick discussion of what a multiple forest topology consists of here. In most organizations, including very likely the one that you will be working on and with, only one forest comes into play, only one forest is involved with an on-premises and Azure Active Directory synchronization operation. However, Microsoft wants you to know what might happen in a larger organization, so take Microsoft for example, when the task is to sync objects that exist across multiple Active Directory forests.

At the end of the day, what the overarching goal is is to take information that is in multiple forests and essentially consolidate it into a single tenant of Azure Active Directory in Office 365. Now, the challenge is that sometimes in a multiple forest topology it could be messy, you could end up with one user object that ends up with lots of references in those different forests. So, what would help us as we study this topic, and it is a potentially huge topic, is if we understand what the defaults are and then we can build our study and our understanding from there and then if we need to actually do it in a large environment, we can always get the reference information that is available to us.

What I want you to be aware of is some of the Azure Active Directory Connect tool assumptions. When you step through the wizard you're going to be presented with several options that help you consolidate the users that are in those multiple forests. You want to select the option that best matches your logical Active Directory implementation and, again, consolidate them into a single Office 365 environment.

The goal being one user in one account. The default assumptions of the Azure Active Directory Connect tool is that you will have, for each user, only one enabled account. Also, each user will only have one mailbox. The tool also assumes that the forest that is hosting the mailbox for that particular user will have the best data for the attributes that are visible in the Exchange Global Address List.

Finally, the tool assumes that if you have a linked mailbox, then there is an account somewhere living in another forest within the topology that is used for sign in. It will look for that account and look for the attributes that are associated with the sign in account as it builds the account for synchronization in Azure Active Directory. If your environment does not match these assumptions, then the Azure Active Directory Connect tool does these things.

If you have more than one active account, or more than one mailbox, then the sync engine picks one and it will ignore the other. The other thing that will happen, the other behavior that the tool engages in is that a linked mailbox with no other active account is not exported to Azure Active Directory. This is a feature that represents an evolution in the synchronization tools. The previous version of Azure Active Directory Connect, DirSync, would take any mailbox, including a linked mailbox, and create a normal mailbox for that particular user in Azure Active Directory, or in other words in Office 365's implementation of Exchange.

This new behavior of not creating an instance for a linked mailbox in Azure Active Directory better supports multi forest scenarios. That's a look at some of the default assumptions that are made by the Azure Active Directory Connect tool and what will happen if those assumptions are not met, if it finds different realities present as it does the multi forest synchronization. Now, other topologies are possible and are supported, but the considerations for supporting each of those scenarios would require exhaustive discussion and probably separate courses and so a full discussion of those is beyond the scope of this course, and this is what I was mentioning at the very beginning of this lesson, where if that represented your company, your enterprise, then you would look up the information that was specific to the topology that matched your implementation.

What I want you to know about, as is often the case, is where to go for additional reference information. Remember this search phrase: topologies azure active directory connect, or azure ad connect. What you're looking for is this resource right here. I've gone ahead and loaded up that web page in Microsoft Edge, and it says here that it will take nine minutes to read, I doubt that very much, not if you read the actual information that's about a specific implementation.

This is the focus if you want to go back and reference this right before you take the test or refresh you memory about that particular test preparation topic is this one: Multiple forests and a single Azure AD tenant. That will be the one that is most relevant for your preparations for the 346.

LinkedIn Learning

LinkedIn Learning is an online learning platform that combines industry-leading content from Lynda.com with LinkedIn’s professional network of more than 500 million member profiles to provide highly personalized course recommendations and a more intuitive learning experience. Learn more.

Benefits

  • Learn from recognized industry experts, and get the business, tech, and creative skills that are most in demand.

  • Receive personal recommendations based on your LinkedIn profile.

  • Stream courses from your computer or mobile device.

  • Take courses for every level – beginner to advanced.

  • Practice while you learn with quizzes, exercise files, and coding windows.

  • Provide learning for your team or entire organization, with an easy to use experience for managing users, curating content and measuring engagement


For businesses with 150+ licenses Request Office 365 onboarding assistance from FastTrack

You can request remote and personalized assistance with onboarding. Our FastTrack engineers will help you plan your Office 365 project, assess your technical environment, provide remediation guidance, and provide user adoption assistance. For businesses with at least 500 licenses, Microsoft also provides personalized assistance to migrate data to Office 365.

See the FastTrack Center Video: http://aka.ms/meetfasttrack

Get started today: http://fasttrack.microsoft.com

Tip: Businesses with 1-149 licenses still have access to FastTrack guidance via links in the Admin Center and also available at https://aka.ms/setupguidance.

Network and system admins can prepare on-premises directories and connect to Azure to take advantage of managing Office 365 groups and users using common identities. Preparation, setup, and administration steps are demonstrated in this course using the Azure Active Directory (AAD) Connect tool. This course is designed to provide you with a better understanding of domain controllers, identity management, synchronization, and more. This course is also an exam preparation resource with topics that map to a corresponding domain in the Office 365 70-346 exam: Managing Office 365 Identities and Requirements.

Topics include:

  • Active Directory Connect and Office 365

  • Planning for non-routable domain names

  • Cleaning up Active Directory objects

  • Using the IDFix tool

  • Filtering Active Directory

  • Using AAD install

  • Synchronizing passwords and attributes

  • Creating and managing users and groups

  • Scheduling and forcing AD synchronization

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×