
I want to migrate Active Directory accounts from multiple on-premises servers (located in different locations and having the same domain name) to Office 365.

I am using Azure AD Connect to sync these accounts, and I tested it by creating a dummy environment (single server). Everything is working fine. Now what I want to know is whether I can configure Azure AD Connect in the same way on all my servers so that accounts from all servers will be synced to Office 365.

Points to note here:

  1. I don't have any conflicts in usernames on my servers
  2. I already have email accounts for the users on Office 365 and want to merge the on-premises and Office 365 accounts based on username/email address
  3. I want password synchronization
  4. Enable SSO (Single Sign On) for the Office 365 accounts

My main doubt is about SSO, because when I configured Azure AD Connect on my single-server dummy environment it configured SSO, so if I do the same thing on all servers, do I need to do the SSO configuration as well, or should I leave this step out on the other servers?

Nikhil Gaur
  • Hi Ankit, can you clarify your domain structure? You mention multiple servers; are they all part of the same domain? Are they in separate domains? – Michael Brown Jun 28 '17 at 11:43
  • Hi Michael, I have different servers in different locations and all the servers have the same domain name. – Nikhil Gaur Jun 29 '17 at 03:46
  • Are all the servers part of the same AD forest? – Michael Brown Jun 29 '17 at 08:11
  • Azure AD Connect works by syncing up domains, not servers. It sounds like you need to read up on how Active Directory works. That being said, the company I work for has 3 domains in 2 different forests (for a total of a dozen or so domain controllers) that we sync to Office 365 via Azure AD Connect... which is installed on a single member server. – HopelessN00b Jun 30 '17 at 04:48
  • @HopelessN00b I got your point, but in my case we have approx. 10 on-premises servers (located in different countries), each having a domain controller configured with the same name. All those servers are independent, without any link to each other. Now can I configure Azure AD Connect for each of these domain controllers separately? – Nikhil Gaur Jun 30 '17 at 05:22
  • @MichaelBrown No, all my servers have the same domain name but are independent, without any link to each other. – Nikhil Gaur Jun 30 '17 at 05:23
  • Alright. You either have the worst Active Directory configuration I've ever even heard about in 15 years as a sysadmin, or you don't know what you're talking about. Either way, I don't see any possible way to help you, based on what you've said. – HopelessN00b Jun 30 '17 at 05:29
  • @HopelessN00b Yes, actually I am not a sysadmin, but I have to handle this for our client. If all the domains are connected in any way, then is there any possibility that I can do this synchronization? – Nikhil Gaur Jul 05 '17 at 13:07
  • You're doing your client a disservice, then. You either need to contract this task out to someone who knows what they're doing, or tell your client to find someone else to do it, because you can't. It wouldn't be hard to find someone who can get this set up right for you, either locally or on here. Most IT guys I know take on side gigs for extra money and I imagine that's the same the world over. – HopelessN00b Jul 05 '17 at 13:14
  • You should never have configured them with the same domain names at each of those locations/offices. As per my answer, you can either set up separate AD tenants for each of these locations with UNIQUE domain names, or you'll need to completely revamp your design. You simply don't have a supported configuration that O365 can work with. – TheCleaner Jul 05 '17 at 14:33

1 Answer

I suggest you read this MS article:

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies

Specifically this section:

Single forest, multiple sync servers to one Azure AD tenant


Having multiple Azure AD Connect sync servers connected to the same Azure AD tenant is not supported, except for a staging server. It's unsupported even if these servers are configured to synchronize with a mutually exclusive set of objects. You might have considered this topology if you can't reach all domains in the forest from a single server, or if you want to distribute load across several servers.

You CAN have one or more STAGING servers, but they are only for DR purposes and really aren't even needed short of remembering your configuration/sync settings.

If you export and document your AADConnect settings/mappings/customization then you can just as easily rebuild a new AADConnect server in a DR scenario.

You CANNOT have more than one AADConnect sync server in your environment connecting to the same Azure AD tenant.

TheCleaner
  • Hi TheCleaner, so you are saying that even if all my servers are in different locations (not connected to each other) and have separate sets of usernames, because they have the same domain name they will behave like a single forest? – Nikhil Gaur Jun 29 '17 at 04:12
  • @NikhilGaur - pretty much. You can't have one O365 tenant and multiple AADConnect servers syncing to that instance, even if it were multiple forests. You'd either need multiple O365 tenants federated together, or you'd need to set up a cross-forest trust and let one server on-premises sync everything for both forests up to a single tenant. – TheCleaner Jul 05 '17 at 14:29
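The answer above makes two practical points: only one Azure AD Connect server may be active against a tenant (any other must be a staging server), and the way to survive losing that server is to have its settings, connectors and customized sync rules documented so it can be rebuilt. The script below is an added example, not code from the original post, from Microsoft or from the answerer; it is run in an elevated PowerShell session on an Azure AD Connect server and uses the ADSync module that ships with the product. It assumes `Get-ADSyncScheduler`, `Get-ADSyncConnector` and `Get-ADSyncRule` are available (they are in every build) and that `Get-ADSyncServerConfiguration -Path` is available, which requires a build with the settings export feature (assumed here to be 1.5.42.0 or later; on older builds skip that step and keep the CSV of custom rules). The export folder name is an assumption.

```powershell
# Added example (not part of the original post): inventory an Azure AD Connect
# server so its role is verified and its configuration is documented for DR.
# Run in an elevated PowerShell session on the AAD Connect server.
# Assumptions: the ADSync module ships with AAD Connect; Get-ADSyncServerConfiguration
# exists only on builds that support settings export (assumed 1.5.42.0 or later).

param(
    # Assumed export location; change to a backed-up share in practice.
    [string]$ExportPath = "C:\AADConnect-Config-$(Get-Date -Format yyyyMMdd)"
)

Import-Module ADSync -ErrorAction Stop

# 1. Which role is this server? Exactly one server per tenant may be active;
#    every other one must report StagingModeEnabled = True.
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    Server             = $env:COMPUTERNAME
    StagingModeEnabled = $sched.StagingModeEnabled
    SyncCycleEnabled   = $sched.SyncCycleEnabled
    NextSyncUtc        = $sched.NextSyncCycleStartTimeInUTC
} | Format-List

if (-not $sched.StagingModeEnabled) {
    Write-Warning "This server is the ACTIVE sync server for the tenant. Do not bring a second active server online against the same tenant."
}

# 2. Connectors: every on-premises forest this server reaches, plus the Azure AD connector.
Get-ADSyncConnector |
    Select-Object Name, ConnectorTypeName |
    Format-Table -AutoSize

# 3. Customized synchronization rules are what is lost if you rebuild from the
#    installer alone; list them and save them alongside the export.
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
$custom = @(Get-ADSyncRule | Where-Object { -not $_.IsStandardRule })
$custom |
    Select-Object Name, Direction, Precedence, Disabled |
    Export-Csv -Path (Join-Path $ExportPath 'custom-sync-rules.csv') -NoTypeInformation
"$($custom.Count) custom sync rule(s) written to $ExportPath"

# 4. Full settings export (connectors, global settings, sync rules) as JSON files,
#    which the installer on a replacement server can import. Requires a build
#    with the export feature (assumption noted above).
Get-ADSyncServerConfiguration -Path $ExportPath
Get-ChildItem -Path $ExportPath -Recurse | Select-Object FullName, Length
```

Run it on each Azure AD Connect server you have. If more than one reports `StagingModeEnabled = False` against the same tenant, you are in the unsupported topology the answer describes; the fix is to put all but one into staging mode (or decommission them), not to let them "share" the load. Keep the export folder off the server itself so it survives the loss of the box.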