This article describes various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect sync as the key integration solution. This article includes both supported and unsupported configurations.

Important: Microsoft doesn't support modifying or operating Azure AD Connect sync outside of the configurations or actions that are formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Azure AD Connect sync. As a result, Microsoft can't provide technical support for such deployments.

The most common topology is a single on-premises forest, with one or multiple domains, and a single Azure AD tenant. For Azure AD authentication, password hash synchronization is used. The express installation of Azure AD Connect supports only this topology.

Single forest, multiple sync servers to one Azure AD tenant

Having multiple Azure AD Connect sync servers connected to the same Azure AD tenant is not supported, except for a staging server. It's unsupported even if these servers are configured to synchronize with a mutually exclusive set of objects. You might have considered this topology if you can't reach all domains in the forest from a single server, or if you want to distribute load across several servers.

Many organizations have environments with multiple on-premises Active Directory forests. There are various reasons for having more than one on-premises Active Directory forest. Typical examples are designs with account-resource forests and the result of a merger or acquisition. When you have multiple forests, all forests must be reachable by a single Azure AD Connect sync server. The server must be joined to a domain. If necessary to reach all forests, you can place the server in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). The Azure AD Connect installation wizard offers several options to consolidate users who are represented in multiple forests. The goal is that a user is represented only once in Azure AD. There are some common topologies that you can configure in the custom installation path in the installation wizard.
On the Uniquely identifying your users page, select the corresponding option that represents your topology. The consolidation is configured only for users. Duplicated groups are not consolidated with the default configuration. Common topologies are discussed in the sections about separate topologies, full mesh, and the account-resource topology. The default configuration in Azure AD Connect sync assumes:
If your environment does not match these assumptions, the following things happen:
You can find more details in Understanding the default configuration.

Multiple forests, multiple sync servers to one Azure AD tenant

Having more than one Azure AD Connect sync server connected to a single Azure AD tenant is not supported. The exception is the use of a staging server. This topology differs from the one below in that having multiple sync servers connected to a single Azure AD tenant is not supported.

Multiple forests, single sync server, users are represented in only one directory

In this environment, all on-premises forests are treated as separate entities. No user is present in any other forest. Each forest has its own Exchange organization, and there's no GALSync between the forests. This topology might be the situation after a merger or acquisition, or in an organization where each business unit operates independently. These forests are in the same organization in Azure AD and appear with a unified GAL. In the preceding picture, each object in every forest is represented once in the metaverse and aggregated in the target Azure AD tenant.

Multiple forests: match users

Common to all these scenarios is that distribution and security groups can contain a mix of users, contacts, and Foreign Security Principals (FSPs). FSPs are used in Active Directory Domain Services (AD DS) to represent members from other forests in a security group. All FSPs are resolved to the real object in Azure AD.

Multiple forests: full mesh with optional GALSync

A full mesh topology allows users and resources to be located in any forest. Commonly, there are two-way trusts between the forests. If Exchange is present in more than one forest, there might optionally be an on-premises GALSync solution. Every user is then represented as a contact in all other forests. GALSync is commonly implemented through FIM 2010 or MIM 2016. Azure AD Connect cannot be used for on-premises GALSync. In this scenario, identity objects are joined via the mail attribute.
A user who has a mailbox in one forest is joined with the contacts in the other forests.

Multiple forests: account-resource forest

In an account-resource forest topology, you have one or more account forests with active user accounts. You also have one or more resource forests with disabled accounts. In this scenario, one (or more) resource forest trusts all account forests. The resource forest typically has an extended Active Directory schema with Exchange and Lync. All Exchange and Lync services, along with other shared services, are located in this forest. Users have a disabled user account in this forest, and the mailbox is linked to the account forest.

Microsoft 365 and topology considerations

Some Microsoft 365 workloads have certain restrictions on supported topologies:
If you are a larger organization, you should consider using the Microsoft 365 PreferredDataLocation feature. It allows you to define in which datacenter region the user's resources are located.

Staging server

Azure AD Connect supports installing a second server in staging mode. A server in this mode reads data from all connected directories but does not write anything to connected directories. It uses the normal synchronization cycle and therefore has an updated copy of the identity data. In a disaster where the primary server fails, you can fail over to the staging server. You do this in the Azure AD Connect wizard. This second server can be located in a different datacenter because no infrastructure is shared with the primary server. You must manually copy any configuration change made on the primary server to the second server.

You can use a staging server to test a new custom configuration and the effect that it has on your data. You can preview the changes and adjust the configuration. When you're happy with the new configuration, you can make the staging server the active server and set the old active server to staging mode.

You can also use this method to replace the active sync server. Prepare the new server and set it to staging mode. Make sure it's in a good state, disable staging mode (making it active), and shut down the currently active server. It's possible to have more than one staging server when you want to have multiple backups in different datacenters.

We recommend having a single tenant in Azure AD for an organization. Before you plan to use multiple Azure AD tenants, see the article Administrative units management in Azure AD. It covers common scenarios where you can use a single tenant.

Sync AD objects to multiple Azure AD tenants

This topology implements the following use cases:
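A preflight check for the staging-server switch described in the Staging server section above, added here as an example and not part of the Microsoft article: the switch itself is done in the Azure AD Connect wizard, and this PowerShell only uses the ADSync module's Get-ADSyncScheduler and Get-ADSyncRule cmdlets to confirm that the candidate is in staging mode with a running scheduler and that its sync rules match a snapshot taken on the active server, since rule changes are not copied between servers automatically. The CSV snapshot path, the function names and membership of the local ADSyncAdmins group are assumptions.

```powershell
# Added example (not from the Microsoft article): preflight checks before
# promoting a staging-mode Azure AD Connect server to active. Assumes the
# ADSync module (installed with Azure AD Connect) is present and that you
# are a member of the local ADSyncAdmins group on each server.
Import-Module ADSync -ErrorAction Stop

# Normalised view of the local sync rule set (all values as strings so a
# CSV round trip compares cleanly with Compare-Object).
function Get-LocalRuleSet {
    Get-ADSyncRule | Select-Object Name,
        @{ n = 'Direction';  e = { [string]$_.Direction } },
        @{ n = 'Precedence'; e = { [string]$_.Precedence } },
        @{ n = 'Disabled';   e = { [string]$_.Disabled } }
}

# Step 1, on the ACTIVE server: snapshot its rules. Configuration changes
# are not replicated between servers, so drift is a real failure mode.
function Export-ADSyncRuleSnapshot {
    param([Parameter(Mandatory)][string]$Path)   # e.g. a share path (assumed)
    Get-LocalRuleSet | Export-Csv -Path $Path -NoTypeInformation
}

# Step 2, on the STAGING server: check scheduler state and rule parity.
# Returns $true when the server is safe to promote, $false otherwise.
function Test-StagingPromotionReadiness {
    param([Parameter(Mandatory)][string]$ReferenceRuleSnapshot)
    $problems  = [System.Collections.Generic.List[string]]::new()
    $scheduler = Get-ADSyncScheduler

    if (-not $scheduler.StagingModeEnabled) {
        $problems.Add('Not in staging mode: this may already be the active server.')
    }
    if (-not $scheduler.SyncCycleEnabled) {
        $problems.Add('Sync cycle disabled: the staging copy of identity data may be stale.')
    }
    if ($scheduler.SyncCycleInProgress) {
        $problems.Add('A sync cycle is running: wait for it to finish before switching.')
    }

    # Any rule present or configured differently on one side only is drift.
    $reference = Import-Csv -Path $ReferenceRuleSnapshot
    $drift = Compare-Object -ReferenceObject $reference -DifferenceObject (Get-LocalRuleSet) `
                            -Property Name, Direction, Precedence, Disabled
    foreach ($d in $drift) {
        $where = if ($d.SideIndicator -eq '<=') { 'only on active' } else { 'only on staging' }
        $problems.Add("Rule drift ($where): '$($d.Name)' $($d.Direction) precedence $($d.Precedence)")
    }

    if ($problems.Count -eq 0) { return $true }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}
```

Run Export-ADSyncRuleSnapshot on the active server first, then Test-StagingPromotionReadiness on the staging server with the same path; only proceed to the wizard when it returns $true.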
Note: Global Address List Synchronization (GalSync) is not done automatically in this topology and requires an additional custom MIM implementation to ensure each tenant has a complete Global Address List (GAL) in Exchange Online and Skype for Business Online.

GALSync by using writeback

GALSync with on-premises sync server

You can use FIM 2010 or MIM 2016 on-premises to sync users (via GALSync) between two Exchange organizations. The users in one organization appear as foreign users/contacts in the other organization. These different on-premises Active Directory instances can then be synchronized with their own Azure AD tenants.

Using unauthorized clients to access the Azure AD Connect backend

The Azure Active Directory Connect server communicates with Azure Active Directory through the Azure Active Directory Connect backend. The only software that can be used to communicate with this backend is Azure Active Directory Connect. It is not supported to communicate with the Azure Active Directory Connect backend using any other software or method.

Next steps

To learn how to install Azure AD Connect for these scenarios, see Custom installation of Azure AD Connect. Learn more about the Azure AD Connect sync configuration. Learn more about integrating your on-premises identities with Azure Active Directory.