Azure AD connect to multiple forests

    Question

  • Hi,

    I'm trying to set up Azure AD Connect with a sync from 3 forests to 1 tenant. However, I'm struggling to add the forests in the AD Connect wizard. 

    I'm working with the following domains:

    • intranet.city.com with Netbios name "INTRANET"
    • intranet.pdwxcity.com with Netbios name "INTRANET"
    • city.com with Netbios name "CITY"

    In the "Connect your directories" page, I was able to add the "parent" (company owning the tenant) domain intranet.city.com but I couldn't add the other domains. All the required ports are open. I am getting the following errors (depending on the format of the credentials: NetBIOS name, full domain name, UPN, etc.):

    • The provided user was not found in the directory. Specify a valid domain account
    • OR
    • The specified forest does not exist or cannot be contacted
    • OR
    • The specified domain does not exist or cannot be contacted

    Any idea what the problem could be? Is the fact that 2 of them have the same Netbios name a problem? And is the fact that 2 of them have the same top level domains a problem? 

    Please note that I am working with the hosts file for name resolution to the other domains. I don't know if this is a problem or not. 

    Thanks a lot for the help!

    • Edited by Jozef Woo Wednesday, April 12, 2017 7:38 AM style
    Wednesday, April 12, 2017 7:36 AM

Answers

  • Hi Jozef,

    I am actually not familiar with the underlying logic for DC Locator. What I have been told is that the DC locator logic in the Dot.Net DirectoryContext class (used by Azure AD Connect) is different from the classic DC locator logic used by LDAP clients.

    However, I can share with you a test I did which helped in my case. Essentially, I have:

    • 2 AD forests deployed in my test environment (let's call them forest A and B).
    • Each forest is basically a single 2012r2 VM. Both VMs run on the same host.
    • I installed the AADConnect server on the VM for forest A.

    I tried to install the AADConnect server on the VM for forest A. While running AADConnect wizard, I was able to add forest A but not forest B. Eventually, I created a single DNS conditional forwarder in the DNS for forest A which resolves the FQDN of forest B to the VM for forest B. After which, I was able to successfully add Forest B in the Azure AD Connect wizard.

    Thanks,

    Chun Yong

    • Marked as answer by Jozef Woo Monday, April 17, 2017 8:45 PM
    Monday, April 17, 2017 4:25 PM
  • Hi,

    We were finally able to solve the problem. Different (but similar) solution for each domain that couldn't be added.

    For the one domain we had to add a conditional forwarder and open the firewall so that the domain controllers of the 2 domains could communicate (otherwise the conditional forwarder wouldn't work). Having communication with the DCs only from the AD Connect server is not enough.

    For the other domain, it was not possible to create a conditional forwarder. Because of historical reasons there was a manually created zone in DNS for this domain. We manually created all the AD SRV records (like _ldap, etc.) and then AD Connect was able to use DNS resolution to add this domain as well.

    So moral of the story: DNS has to be set up correctly/completely. Network connectivity with name resolution through the hosts file from the AD Connect server to the domains is not enough.

    Thanks a lot for all the help!
    • Marked as answer by Jozef Woo Thursday, May 04, 2017 10:22 AM
    Thursday, May 04, 2017 10:22 AM

All replies

  • The problem seems to be related to the fact that "hosts file resolution" might not be supported. AD Connect might need to be able to reach the other domains' LDAP and Kerberos SRV records (and not just A record resolution). I just heard it from someone but I can't find any documentation on this.

    Does anyone have an idea? 

    Wednesday, April 12, 2017 5:07 PM
  • Hi,

    Not exactly an answer... but what I can tell you is that Azure AD Connect wizard relies on Dot.Net DirectoryContext class to establish connection to on-premises AD based on the forest information + credentials provided. That said, I have no idea how the DirectoryContext class works except that it has logic (called DC locator) for domain resolution which is dependent on DNS.

    Thanks,

    Chun Yong

    Friday, April 14, 2017 1:23 PM
  • Hi Chun Yong Chua, thanks for the interesting input. It doesn't solve the problem but convinces me more that I should first get this DNS issue sorted out.

    Do you think I will probably have to configure forwarders on the main domain/DNS in order for DNS resolution to work sufficiently for AD Connect to be able to connect to the other domains? 


    • Edited by Jozef Woo Friday, April 14, 2017 5:12 PM
    Friday, April 14, 2017 5:12 PM
  • Chun Yong, you are fantastic. Thanks.
    Monday, April 17, 2017 8:46 PM
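The checks below are an added example, not something posted in the thread: they verify from the Azure AD Connect server the two things the accepted answers identify (the _msdcs SRV records that DC Locator needs, which a hosts file cannot provide, and the DC-to-DC network path), and show the two fixes the thread used (a conditional forwarder, or hand-created SRV records in a pre-existing zone). The forest name, DNS server address and DC hostname are placeholders assumed for illustration, and the forest is assumed to be a forest root so its _msdcs records live under its own FQDN.

```powershell
# Added example (not from the thread). Placeholders: replace with the real forest that fails to add.
$ForestFqdn  = "intranet.pdwxcity.com"   # assumed forest root FQDN
$RemoteDnsIp = "10.10.0.10"              # assumed DNS server / DC of that forest
$RemoteDcFqdn = "dc1.$ForestFqdn"        # assumed DC hostname, only used for the manual SRV fix

# 1. DC Locator resolves SRV records, not just an A record; a hosts file cannot answer these.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$ForestFqdn",
    "_kerberos._tcp.dc._msdcs.$ForestFqdn",
    "_ldap._tcp.gc._msdcs.$ForestFqdn"
)
foreach ($srv in $srvNames) {
    try {
        $rr = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop
        foreach ($r in ($rr | Where-Object Type -eq 'SRV')) {
            "{0} -> {1}:{2}" -f $srv, $r.NameTarget, $r.Port
        }
    } catch {
        Write-Warning "Missing SRV record: $srv (this is what hosts-file resolution cannot supply)"
    }
}

# 2. The wizard's errors also appear when the network path is closed. The thread found that
#    AAD Connect -> DC alone is not enough; the two forests' DCs must reach each other too.
foreach ($port in 53, 88, 389, 445, 3268) {
    $t = Test-NetConnection -ComputerName $RemoteDnsIp -Port $port -WarningAction SilentlyContinue
    "{0,5}/tcp {1}" -f $port, $(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. Ask Windows' own DC Locator; if this fails, the AAD Connect wizard will fail the same way.
nltest /dsgetdc:$ForestFqdn /force

# 4a. Fix used for the first domain: a conditional forwarder on the DNS server the AAD Connect
#     server uses (run on that DNS server; needs the DnsServer module).
# Add-DnsServerConditionalForwarderZone -Name $ForestFqdn -MasterServers $RemoteDnsIp -ReplicationScope "Forest"

# 4b. Fix used for the second domain: a manually created zone already existed, so a forwarder
#     was not possible and the AD SRV records had to be created by hand, one per record.
# Add-DnsServerResourceRecord -Srv -ZoneName $ForestFqdn -Name "_ldap._tcp.dc._msdcs" `
#     -DomainName $RemoteDcFqdn -Priority 0 -Weight 100 -Port 389
# Add-DnsServerResourceRecord -Srv -ZoneName $ForestFqdn -Name "_kerberos._tcp.dc._msdcs" `
#     -DomainName $RemoteDcFqdn -Priority 0 -Weight 100 -Port 88
```

Run steps 1 to 3 from the AD Connect server; steps 4a/4b are commented out because they change DNS server state and belong on the DNS server of the forest that owns the tenant.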