- By Orin Thomas
Supporting multiple forests
The Azure Active Directory Connect tool also supports synchronization from multiple on-premises Active Directory forests to a single Azure Active Directory instance. Multiple forest synchronization to a single Azure AD instance is supported only when a single Azure AD Connect server is in use. Microsoft does not support multiple Azure AD Connect servers synchronizing with a single Azure AD instance, whether there is one or multiple forests being synchronized.
By default, Azure AD Connect will assume that:
A user has a single enabled account. Also, the forest where this account is located must host the directory that is used to authenticate the user. This assumption is used in both password sync and federation scenarios. On the basis of this assumption, the UserPrincipalName and sourceAnchor/immutableID are drawn from this forest.
Each user has a single mailbox, and the forest that host that mailbox is the best source of attributes visible in the Exchange Global Address List (GAL). In the event that a user doesn’t have an associated mailbox, any configured forest can function as the source for these attribute values.
If a user account has a linked mailbox, there will be an account in an alternate forest used for the sign-in process.
The key to synchronizing user accounts from multiple forests is that only one user account from all synchronized forests should represent the user. This means that the synchronization engine should have a way to determine when accounts in separate forests represent the same user. You can configure how the Azure AD Connect sync engine identifies users on the Uniquely Identifying Your Users page, shown in Figure 4-11 using one of the following options:
FIGURE 4-11 Uniquely identify users
Match users using the mail attribute
Match user using ObjectSID and msExchangeMasterAccountSID/msRTCIP-OrgiginatorSID attributes
Match user using SAMAccountName and MailNickName attributes
Specify a custom attribute upon which to match names