Entra Connect Sync from multiple AD Forests

Hi All,

I’ve added a second Active Directory Forest to my Entra Connect Sync in my Lab, compliant with the supported Entra Connect Sync topologies.

It’s already a few months since I configured this and created the screenshots. Since then Azure AD Connect has been rebranded to Entra Connect Sync and got updated icons, but the process remains the same.

Architecture

This Article describes how to add an additional Active Directory Forest to an existing Entra Connect Sync infrastructure, so that both Forests sync to a common Entra ID Tenant.

Entra Domains

I’ve already registered the following Domains in my Entra ID Tenant:

# Read-only scope is enough to list the Tenant Domains and their verification state
Connect-MgGraph -Scopes Domain.Read.All -NoWelcome
Get-MgDomain

AD Trust and UPN Suffix

On the Forest “corp.icewolf.ch” the following UPN Suffixes are configured:

  • serveralive.ch
  • icewolf.ch

There is an AD Trust to the Forest “demo.local”.

On the UPN Suffix Routing of that Trust I’ve registered the following suffixes:

  • demo.local
  • icewolf.li

On the Forest “demo.local” the following UPN Suffixes are registered:

  • icewolf.li

There is a Trust to the Forest “corp.icewolf.ch”.

On the UPN Suffix Routing of that Trust I’ve registered the following suffixes:

  • icewolf.ch
  • serveralive.ch
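
As an added pre-flight check (example code, not part of the original post), the following script compares the UPN suffixes actually in use in both Forests against the verified Domains of the Tenant and flags UPNs that exist in more than one Forest. It assumes the RSAT ActiveDirectory module and the Microsoft.Graph.Identity.DirectoryManagement module are installed, that the Trust and DNS allow querying both Forests, and that the account running it has read access to them; the Forest names are the ones from this post.

```powershell
# Added example (not from the original post): pre-flight check before adding a
# second Forest to Entra Connect Sync.
# Assumptions: RSAT ActiveDirectory + Microsoft.Graph.Identity.DirectoryManagement
# modules, reachable Forests over the Trust, read rights in every Domain.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$Forests = @('corp.icewolf.ch', 'demo.local')

# 1. Verified Domains in the Tenant (the *.onmicrosoft.com Domain is always present)
Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome
$VerifiedDomains = Get-MgDomain |
    Where-Object { $_.IsVerified } |
    ForEach-Object { $_.Id.ToLowerInvariant() }

# 2. Collect Forest, SamAccountName, UPN and UPN Suffix from every Domain of every Forest
$AllUsers = foreach ($Forest in $Forests) {
    foreach ($Domain in (Get-ADForest -Identity $Forest).Domains) {
        Get-ADUser -Server $Domain -Filter 'UserPrincipalName -like "*"' -Properties UserPrincipalName |
            Select-Object @{ n = 'Forest';         e = { $Forest } },
                          SamAccountName,
                          @{ n = 'UPN';    e = { $_.UserPrincipalName.ToLowerInvariant() } },
                          @{ n = 'Suffix'; e = { ($_.UserPrincipalName -split '@')[-1].ToLowerInvariant() } }
    }
}

# 3a. UPN Suffix not verified in Entra ID: these Users would be synced with a
#     *.onmicrosoft.com UPN instead of the intended one
$Unverified = @($AllUsers | Where-Object { $_.Suffix -notin $VerifiedDomains })
Write-Host "Users with an unverified UPN Suffix: $($Unverified.Count)"
$Unverified | Group-Object Forest, Suffix | Select-Object Count, Name | Format-Table -AutoSize

# 3b. Same UPN in more than one Forest: Entra ID requires a unique UPN per object,
#     so these would surface as sync errors after the second Forest is added
$Duplicates = @($AllUsers | Group-Object UPN | Where-Object { $_.Count -gt 1 })
Write-Host "UPNs present in more than one Forest: $($Duplicates.Count)"
$Duplicates | ForEach-Object { $_.Group | Select-Object Forest, SamAccountName, UPN } | Format-Table -AutoSize
```

Run it before “Add Directory”; both lists should be empty, otherwise verify the missing Domain in the Tenant or resolve the UPN conflict in AD first.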

Entra Connect Service Account

I’ve checked under which Credential the Entra Connect Sync Service is running. Make sure you know the Password of that Service Account.

Entra Connect Sync Configuration

Start the Entra Connect Sync Configuration: “C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe”

Use “Add Directory” and enter the name of the Active Directory Forest

Use the existing Service Account and enter the Password

Two source Forests are now configured

Select Source OUs

Select Features

Select Directory Extensions

Configure Group Writeback

Enable Single Sign-On

and enter credentials

Select “Next”

Configuration is ready

Configuration is applied

Configuration is complete

Device Registration Service Connection Point

Check or manually create the Device Registration Service Connection Point (SCP)

Account Sync

I’ve created a Test Account in the “demo.local” Forest with the “icewolf.li” UPN Suffix

In the next Sync Cycle the Account is synchronized to Entra ID

Sync Details in Synchronization Manager

Details of the Sync in the Synchronization Manager:

“C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe”

Regards
Andres Bohren