Azure AD Connect with multiple forests

In the last week of 2016 I was working on an issue where some users in certain groups were not synchronized to Azure AD. The users themselves were present in Azure AD, but their group membership did not sync. The cause was that the users lived in a different forest than the group.

At this customer we have multiple forests with users from different countries, and these users have started to work together more. We received complaints that users were not able to access resources even though they had been placed in the correct groups. What was happening was that the synchronization removed the users from the other forests from the group membership during each sync cycle.

After a lot of digging, without knowing where to search or what was happening, I finally figured out what the issue was. My knowledge of AD and trusts is not that deep, so it took some time to find the solution. The solution itself is straightforward: make sure that you also synchronize the OU ‘ForeignSecurityPrincipals’.

To understand this a bit better, you need some understanding of how Active Directory works. When you add a user from another forest to a group, an anchor is created in the Active Directory where the group exists. This anchor is a foreign security principal and is stored in the OU ‘ForeignSecurityPrincipals’. Because we did not synchronize this OU, the users were removed from the group. The same thing happens to users in the local domain that are not available in Azure AD, for example because their OU is excluded from synchronization.
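The following PowerShell script is an added example for checking the situation described above; it is not from the original post. It reads a group's raw `member` attribute, flags members whose DN sits under the `ForeignSecurityPrincipals` container (in AD this is a container, `CN=ForeignSecurityPrincipals,DC=...`, rather than an OU, which is why it shows up separately in the Azure AD Connect filtering page), resolves each foreign SID back to an account name through the trust, and, when run on the Azure AD Connect server, checks whether that container is inside the connector's container inclusion list. The group name and domain are hypothetical placeholders; the script assumes the `ActiveDirectory` module is installed and, for the last part, that the `ADSync` module exposes `Get-ADSyncConnector` objects whose partitions carry a `ConnectorPartitionScope.ContainerInclusionList` (an assumption about the ADSync object model; verify it against your installed version).

```powershell
# Added example, not code from the original post.
# Audit a group for foreign security principals (FSPs) and confirm that the
# ForeignSecurityPrincipals container is in the Azure AD Connect sync scope.
param(
    [string]$GroupName = 'Finance-Shared',    # hypothetical group name
    [string]$Domain    = 'corp.example.com'   # hypothetical domain that owns the group
)

Import-Module ActiveDirectory

$domainObj    = Get-ADDomain -Identity $Domain
$fspContainer = "CN=ForeignSecurityPrincipals,$($domainObj.DistinguishedName)"

# Read the raw 'member' attribute instead of Get-ADGroupMember: the latter tries
# to resolve every member and errors out on cross-forest principals it cannot reach.
$group = Get-ADGroup -Identity $GroupName -Server $Domain -Properties member

$report = foreach ($dn in $group.member) {
    if ($dn -like "*,$fspContainer") {
        # The RDN of an FSP object is the SID of the account in the trusted forest.
        $sidString = (($dn -split ',')[0]) -replace '^CN=', ''
        $sid = New-Object System.Security.Principal.SecurityIdentifier $sidString
        try {
            # Resolution only succeeds when the trust and name resolution work.
            $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $resolved = '<unresolved: check trust / DNS to the other forest>'
        }
        [pscustomobject]@{ Member = $dn; Type = 'ForeignSecurityPrincipal'; ResolvedAs = $resolved }
    } else {
        # Local members: the parent DN tells you which OU must be in the sync scope.
        $parent = ($dn -split ',', 2)[1]
        [pscustomobject]@{ Member = $dn; Type = 'Local'; ResolvedAs = $parent }
    }
}
$report | Format-Table -AutoSize

# Only meaningful on the Azure AD Connect server, where the ADSync module lives.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    # Assumption: the AD connector is identified by ConnectorTypeName 'AD' and each
    # partition name is the domain DN; adjust if your ADSync version differs.
    $adConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
    $partition   = $adConnector.Partitions | Where-Object { $_.Name -eq $domainObj.DistinguishedName }
    if ($null -eq $partition) {
        Write-Warning "Domain $Domain is not a partition of the AD connector."
    } else {
        $included = @($partition.ConnectorPartitionScope.ContainerInclusionList)
        if ($included -contains $fspContainer) {
            Write-Host "OK: $fspContainer is in the sync scope."
        } else {
            # This is the misconfiguration from the post: cross-forest members will be
            # dropped from the group in Azure AD on the next sync cycle.
            Write-Warning "$fspContainer is NOT in the sync scope; add it in the Azure AD Connect OU filtering."
        }
    }
}
```

Run the first part from any domain-joined machine with RSAT; an `<unresolved ...>` entry points to a broken trust or DNS path rather than a sync-scope problem. The second part is what confirms the fix from this post: if the container is missing from the inclusion list, add it through the Azure AD Connect wizard's Domain/OU filtering page and run a full synchronization afterwards.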

This is also described on Microsoft's documentation page, but I did not notice it when we started this journey: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnectsync-configure-filtering