This article explains how you can deploy a hybrid Office 365 and Exchange on-premises environment with multiple Active Directory forests. An organisation that uses an account forest and a resource forest to separate Active Directory accounts from Exchange servers isn't considered a multi-forest deployment here. Let's say Company A (DomainA.com) bought Company B (DomainB.com). Company A has an Office 365 tenant with the default domain domainA.onmicrosoft.com. Company A now wishes to migrate Company B's mailboxes into the Office 365 tenant while maintaining the hybrid environment.
Here is the infrastructure you should consider.
| | AD Forest 1 | AD Forest 2 |
|---|---|---|
| Email Domain or Externally Routable Namespace | DomainA.com | DomainB.com |
| Externally Routable Autodiscover CNAME | Autodiscover.DomainA.com | Autodiscover.DomainB.com |
| Default Domain in Office 365 Tenant | domainA.onmicrosoft.com | domainA.onmicrosoft.com |
| On-Prem Exchange Server Version | Exchange 2013 SP1 or later | Exchange 2013 SP1 or later |
| On-Prem Certificate | Issued by Public CA | Issued by Public CA |
To configure a hybrid environment for a multi-forest organization, you’ll need to complete the basic steps below:
- Create a two-way trust relationship between the on-premises Corp.DomainA.com and Corp.DomainB.com forests if one is not already established.
- Make sure you have the correct public certificates for both forests.
- Build the AAD Connect server in the Corp.DomainA.com domain. AD synchronisation runs from the Corp.DomainA.com domain; you do not need another AAD Connect server in the DomainB.com domain. Run the custom AAD Connect wizard, use the domain filter and select both domains to sync to Azure AD.
- Build the AD FS farm in the Corp.DomainA.com domain. Use either AD FS or password sync to give users in both domains a seamless authentication experience.
- Add and verify both domains in the Office 365 tenant. Set up both domains in the tenant as internal relay domains.
- Run the Hybrid Configuration Wizard in both forests and select both domains while running HCW. For centralized mail flow for both domains, you must retain your existing MX records. Add EOP to the SPF record for both domains. If you do not wish to configure centralized mail flow, point the MX records to the EOP record of Exchange Online.
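The following PowerShell is an added pre-flight check for the steps above; it is not from the original article. It assumes an already connected Exchange Online PowerShell session, the ActiveDirectory RSAT module, DNS resolution from the machine it runs on, and the hypothetical forest names corp.domainA.com and corp.domainB.com from the table; Test-HybridDomain and $Domains are names chosen here.

```powershell
# Added example (not from the original article). Assumes an Exchange Online
# PowerShell session is already connected and the ActiveDirectory module is
# available. Forest names are hypothetical and follow the table above.
$Domains = @{
    'domainA.com' = 'corp.domainA.com'   # email domain -> on-prem AD forest
    'domainB.com' = 'corp.domainB.com'
}

function Test-HybridDomain {
    param([string]$EmailDomain, [string]$Forest, [switch]$CentralizedMailFlow)
    $r = [ordered]@{ Domain = $EmailDomain }

    # 1. The accepted domain in Exchange Online should be InternalRelay so that
    #    recipients not yet migrated are relayed on-premises rather than bounced.
    $accepted = Get-AcceptedDomain -Identity $EmailDomain -ErrorAction SilentlyContinue
    $r.AcceptedDomainType = if ($accepted) { [string]$accepted.DomainType } else { 'MISSING' }
    $r.AcceptedDomainOk   = $r.AcceptedDomainType -eq 'InternalRelay'

    # 2. SPF must authorise EOP (include:spf.protection.outlook.com) for the domain.
    $spf = Resolve-DnsName -Name $EmailDomain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' -and (($_.Strings -join '') -like 'v=spf1*') }
    $r.SpfIncludesEop = [bool](($spf.Strings -join '') -match 'include:spf\.protection\.outlook\.com')

    # 3. Autodiscover must be externally routable for each namespace.
    $cname = Resolve-DnsName -Name "autodiscover.$EmailDomain" -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'CNAME' | Select-Object -First 1
    $r.AutodiscoverTarget = if ($cname) { $cname.NameHost } else { 'MISSING' }

    # 4. MX: keep the existing record for centralized mail flow; otherwise it
    #    should point at EOP (*.mail.protection.outlook.com).
    $mx = Resolve-DnsName -Name $EmailDomain -Type MX -ErrorAction SilentlyContinue |
          Where-Object Type -eq 'MX' | Sort-Object Preference | Select-Object -First 1
    $r.MxTarget      = if ($mx) { $mx.NameExchange } else { 'MISSING' }
    $r.MxPointsToEop = $r.MxTarget -like '*.mail.protection.outlook.com'
    $r.MxAsExpected  = [bool]$CentralizedMailFlow -xor $r.MxPointsToEop

    # 5. The public domain must be a UPN suffix in the on-prem forest so that
    #    synced UPNs match a verified domain in Azure AD.
    $f = Get-ADForest -Identity $Forest -ErrorAction SilentlyContinue
    $r.UpnSuffixInForest = [bool]($f.UPNSuffixes -contains $EmailDomain)

    [pscustomobject]$r
}

# Report both forests; drop -CentralizedMailFlow if your MX records point to EOP.
foreach ($d in $Domains.Keys) {
    Test-HybridDomain -EmailDomain $d -Forest $Domains[$d] -CentralizedMailFlow
}
```

Any row showing MISSING, AcceptedDomainOk = False, SpfIncludesEop = False, MxAsExpected = False or UpnSuffixInForest = False points at a step above that is not complete for that forest.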
AAD Connect Recommendations:
- Separate Topology – This topology might be the situation after a merger/acquisition or in an organization where each business unit operates independently. These forests are in the same organization in Azure AD and appear with a unified GAL.
In the AAD Connect wizard, select "Users are only once across all forests" and the Mail attribute.
- Full Mesh – A full mesh topology allows users and resources to be located in any forest. Commonly, there are two-way trusts between the forests.
In the AAD Connect wizard, select "User identities exist across multiple forests" and the Mail attribute.
Hybrid with Multiple Forests Recommendations:
- Having a single tenant in Azure AD for an organization
- Having a single AAD Connect server for an organisation
- Having a unique Active Directory object for each identity in the organisation. Each unique object is synced into Azure AD only once.
- Having a single on-prem namespace (UPN suffix: domainA.com, domainB.com) that matches the registered domains in Azure AD.
- Having a single namespace associated with a user or an object
- Having all email domains registered in a single tenant
- Having a single AAD Connect server and AD FS farm in the same forest if "Federation with AD FS" is selected in the AAD Connect custom installation wizard