Azure AD Connect deployment topology

Azure AD Connect uses two different topologies to support on-premises AD deployments. However, there are certain limitations and unsupported configurations that we need to know about:

  • Single AD forest-single Azure AD: This is the most commonly used deployment topology. When an organization has a single AD forest, it can be synced to one Azure AD tenant. Even if the forest has multiple domains, it can still be synced to one Azure AD tenant. The Azure AD Connect express setup only supports this topology.
    However, at any given time, only one Azure AD Connect server can sync data to the Azure AD tenant. For high availability, staging server support is available, which will be explained later in this section.
  • Multiple AD forest-single Azure AD: Some organizations have multiple AD forests for various reasons. Azure AD supports syncing identities from all of the forests into one Azure AD tenant. Each AD forest can have multiple domains as well. The Azure AD Connect server must be able to reach all of the forests, but this does not mean there needs to be an AD trust between the forests. The Azure AD Connect server can be placed in a perimeter network and allowed access to the different forests from there. A rule of thumb in this model is to represent a user only once in Azure AD. If a user exists in multiple forests, this can be handled in two ways:
    • We can match the user's identity using the mail attribute. If Microsoft Exchange is available in one or more forests, there may also be an on-premises GALSync solution. GALSync is a solution used to share Exchange mail objects between multiple forests. It represents each user object as a contact in the other forests. If a user has a mailbox in one forest, it will be joined with the contacts in the other forests.
    • If users are in an account-resource forest topology that has an extended AD schema with Exchange and Lync, they will be matched using the ObjectSID and msExchMasterAccountSid attributes.

These options can be selected during the AD Connect configuration. There is no support for having multiple AD Connect servers in each forest syncing to one Azure AD tenant.
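To make the two matching rules concrete, here is an added example (not code from the book or from Azure AD Connect) that models how objects from two forests would be joined into a single entry per person. The forest names, DNs, SIDs and mail addresses are constructed sample data; the `ambiguous_mail_joins` check is a hypothetical pre-deployment sanity check that flags cases where the mail rule would merge two real user accounts, which is the signal that the account-resource (SID-based) rule is the right choice.

```python
from collections import defaultdict

# Constructed sample objects from two forests (not real directory data).
# corp.example is the account forest; resource.example hosts Exchange.
OBJECTS = [
    {"forest": "corp.example", "dn": "CN=alice,DC=corp", "class": "user",
     "objectSid": "S-1-5-21-100-1001", "mail": "alice@example.com",
     "msExchMasterAccountSid": None},
    # Linked mailbox: a user in the resource forest that points back at
    # alice's account-forest SID through msExchMasterAccountSid.
    {"forest": "resource.example", "dn": "CN=alice,DC=res", "class": "user",
     "objectSid": "S-1-5-21-200-2001", "mail": "alice@example.com",
     "msExchMasterAccountSid": "S-1-5-21-100-1001"},
    {"forest": "corp.example", "dn": "CN=bob,DC=corp", "class": "user",
     "objectSid": "S-1-5-21-100-1002", "mail": "bob@example.com",
     "msExchMasterAccountSid": None},
    # GALSync-style contact that represents bob in the other forest.
    {"forest": "resource.example", "dn": "CN=bob,DC=res", "class": "contact",
     "objectSid": None, "mail": "bob@example.com",
     "msExchMasterAccountSid": None},
]

def join_key(obj, rule):
    """Return the value an object is matched on under the chosen rule."""
    if rule == "mail":
        return obj["mail"].lower() if obj["mail"] else None
    if rule == "sid":
        # A linked mailbox carries its master account's SID; any other user
        # matches on its own objectSid. Contacts have neither, so they fall out.
        return obj["msExchMasterAccountSid"] or obj["objectSid"]
    raise ValueError(f"unknown rule {rule!r}")

def build_metaverse(objects, rule):
    """Group objects into one entry per match key; return (entries, unjoined DNs)."""
    entries, unjoined = defaultdict(list), []
    for obj in objects:
        key = join_key(obj, rule)
        if key:
            entries[key].append(obj)
        else:
            unjoined.append(obj["dn"])
    return dict(entries), unjoined

def ambiguous_mail_joins(entries):
    """For mail-rule output: one person should be a single user object plus
    contacts. Two user objects from different forests on one key means the
    topology needs the SID-based rule instead. Returns the offending keys."""
    bad = []
    for key, members in entries.items():
        if len({m["forest"] for m in members if m["class"] == "user"}) > 1:
            bad.append(key)
    return sorted(bad)
```

Running `build_metaverse(OBJECTS, "mail")` merges alice's two user accounts and is flagged by `ambiguous_mail_joins`, while `build_metaverse(OBJECTS, "sid")` joins them cleanly on the master account SID and leaves bob's contact unjoined, which is the expected outcome for each rule.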
