11. [Diagram: Domain Controller (Company A), AAD Connect, Domain Controller (Company B)]
A: Add domain to AADC
B: Sync/Move IDs to Forest A
C: Create Cloud IDs
D: Create Cloud IDs, match from Forest A
12. [Diagram: Domain Controller (Company A), AAD Connect, Domain Controller (Company B)]
A: Password Hash Sync (PTA/SSO)
B: If pw is included in sync, Password Hash Sync (PTA/SSO) from Forest A
15.
* Technically speaking, you could do an ADFS-to-ADFS ‘trust’ and have a user in Forest B authenticate through ADFS in Forest A. The setup requires a LOT of customization (claim rules) and is not for the faint-hearted...
[Diagram: Domain Controller (Company A, CompanyA.com), Domain Controller (Company B, CompanyB.com), ADFS (CompanyB.com)]
16. accountenabled
altrecipient
assistant
authorig
c (Country Abbreviation)
cn (CommonName)
co (Country)
company
Connector.ID
countrycode
department
description
displayname
dlMembSubmitPerms
dlMemRejectPerms
domain.FQDN
Domain.netbios
Objects contributed by either Resource Forest (RF) or Account Forest (AF):
1. If RF has a value, use the RF value
2. If no value, use the AF value
Always use Resource Forest (RF) value.
Always use Account Forest (AF) value.
[Diagram: Account Forest, Resource Forest, Azure Active Directory (AAD Connect)]
18. [Diagram: Domain Controller (Company A), AAD Connect, Domain Controller (Company B), Exchange Server(s)]
A: Direct Migration (hybrid or 3rd party)
B: ‘Simple MRS’
C: Cross-forest + Hybrid
33. [Diagram: Domain Controller (Company A), AAD Connect]
A: ‘Move’ directly
B: ‘Move’ to Forest A, then sync to cloud
Custom domains cannot exist in both tenants. UPN must change in the process!
35. [Diagram: Domain Controller (Company A), AAD Connect]
A: ‘Move’ directly
B: ‘Move’ to Forest A, then sync to cloud
C: ‘Move’ directly, then match objects cross-prem