Azure AD Connect supports two different topologies for on-premises AD deployments. However, each comes with certain limitations and unsupported configurations that need to be considered, which are as follows:
- Single AD forest-single Azure AD: This is the most commonly used deployment topology. An organization with a single AD forest can sync it to one Azure AD tenant. Even if the forest has multiple domains, it can still be synced to that one tenant. The Azure AD Connect express setup only supports this topology. At any given time, only one Azure AD Connect server can sync data to the Azure AD tenant. For HA, a staging server can be deployed, which will be explained later in this section.
- Multiple AD forest-single Azure AD: Some organizations have multiple AD forests for various reasons. Azure AD supports syncing identities from all of these forests into one Azure AD tenant. Each AD forest can also have multiple domains. The Azure AD Connect server must be able to reach all of the forests, but this does not mean that an AD trust is required between the forests. The Azure AD Connect server can be placed in a perimeter network and allowed access to the different forests from there. A rule of thumb in this model is that each user is represented only once in Azure AD. If a user exists in multiple forests, this can be handled in two ways:
- We can match the user's identity across forests using the mail attribute. If Microsoft Exchange is available in one or more forests, there may also be an on-premises Global Address List Synchronization (GALSync) solution in place. GALSync is used to share Exchange mail objects between multiple forests, so each user object is represented as a contact in the other forests. If a user has a mailbox in one forest, it will be joined with the corresponding contacts in the other forests.
- If users are in an account-resource forest topology, where the resource forest has an extended AD schema for Exchange and Lync, they will be matched using the objectSid and msExchMasterAccountSid attributes.
These options are selected during the Azure AD Connect configuration. Having multiple Azure AD Connect servers, one in each forest, all syncing to one Azure AD tenant is not supported.
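The two join rules above decide whether a user who exists in more than one forest ends up as one Azure AD object or two. The following Python script is an added illustration, not Microsoft's code or anything from Azure AD Connect itself: it applies each rule to a constructed set of users from hypothetical forests (all forest names, SIDs and mail addresses are made up) and reports which accounts would still be represented twice. Running this kind of check against an export of the real forests before the first sync is a cheap way to pick the right matching option and to catch accounts that will not join under either rule.

```python
"""Simulate the multi-forest join rules of Azure AD Connect (added example).

Two ways to match a user across forests are modelled:
  - "mail": objects are joined when their mail attributes match
  - "sid":  a resource-forest object whose msExchMasterAccountSid points at an
            account-forest objectSid is joined to that account
Accounts that remain in more than one identity would be duplicated in Azure AD.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AdUser:
    forest: str
    sam_account_name: str
    object_sid: str
    mail: Optional[str] = None
    # msExchMasterAccountSid, populated on linked mailboxes in a resource forest
    msexch_master_account_sid: Optional[str] = None


# Constructed sample data: hypothetical forests, SIDs and addresses.
SAMPLE_USERS = [
    # Same person in two forests, joinable on mail (case differs on purpose)
    AdUser("corp.example", "jdoe", "S-1-5-21-100-1001", mail="jdoe@example.com"),
    AdUser("emea.example", "jdoe", "S-1-5-21-200-2001", mail="JDoe@example.com"),
    AdUser("corp.example", "asmith", "S-1-5-21-100-1002", mail="asmith@example.com"),
    # Account/resource forest pair: the account lives in corp, the mailbox in res
    AdUser("corp.example", "bkumar", "S-1-5-21-100-1003"),
    AdUser("res.example", "bkumar", "S-1-5-21-300-3001", mail="bkumar@example.com",
           msexch_master_account_sid="S-1-5-21-100-1003"),
    # Same account name in two forests, but one copy has no mail: never joins
    AdUser("corp.example", "tlee", "S-1-5-21-100-1004"),
    AdUser("emea.example", "tlee", "S-1-5-21-200-2002", mail="tlee@example.com"),
]


def join_by_mail(users):
    """Group users whose mail attribute matches (case-insensitive).
    A user without mail can only ever form an identity on its own."""
    groups = defaultdict(list)
    for u in users:
        key = u.mail.lower() if u.mail else f"<no-mail>:{u.forest}/{u.sam_account_name}"
        groups[key].append(u)
    return list(groups.values())


def join_by_master_sid(users):
    """Join a resource-forest object to the account-forest object whose
    objectSid equals its msExchMasterAccountSid; everything else stays single."""
    by_sid = {u.object_sid: u for u in users}
    groups, claimed = [], set()
    for u in users:
        target = u.msexch_master_account_sid
        if target and target in by_sid and by_sid[target].forest != u.forest:
            groups.append([by_sid[target], u])
            claimed.update({u.object_sid, target})
    for u in users:
        if u.object_sid not in claimed:
            groups.append([u])
    return groups


def find_duplicates(groups):
    """Return sAMAccountNames that appear in more than one joined identity,
    i.e. users that would be represented twice in Azure AD."""
    seen = defaultdict(set)
    for idx, group in enumerate(groups):
        for u in group:
            seen[u.sam_account_name].add(idx)
    return sorted(name for name, idxs in seen.items() if len(idxs) > 1)


def build_report(users, mode):
    """Apply one matching rule ("mail" or "sid") and summarise the outcome."""
    groups = join_by_mail(users) if mode == "mail" else join_by_master_sid(users)
    return {"identities": len(groups), "duplicates": find_duplicates(groups)}


if __name__ == "__main__":
    for mode in ("mail", "sid"):
        print(mode, build_report(SAMPLE_USERS, mode))
```

Under the mail rule the sample's linked mailbox user (bkumar) is duplicated because the account-forest copy carries no mail attribute, while under the objectSid/msExchMasterAccountSid rule the two jdoe accounts are duplicated instead; tlee is duplicated under both, which is the case to clean up in AD before syncing.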