Bi-directional trust in multi-forest and separation of a domain as two separate company

Khushi 0 Reputation points
2023-11-20T08:09:53.9+00:00

Hi,

I have an environment where there is a domain which needs to be separated into 2 tenants. Currently the domain is the same and there is a single Azure tenant. Now this needs to be separated into two; there is a bi-directional multi-forest trust between the old tenant and the new tenant, and the old tenant acts as a service provider.

Here my concern is: if the multi-forest trust is bi-directional, then how will domain isolation/IPsec and the red forest work? Shall we create the domain isolation/IPsec and the red domain/forest (ESAE) in the new tenant, or how will things work?

Actually I am new to this, so please help me as soon as possible.

Thanks!

Khushboo Kumari


1 answer

Ian Xue (Shanghai Wicresoft Co., Ltd.) 33,376 Reputation points Microsoft Vendor
2024-01-02T08:42:24.3466667+00:00

Hello,

You can refer to the supported topology for AAD Connect sync: https://video2.skills-academy.com/en-us/entra/identity/hybrid/connect/plan-connect-topologies#multiple-microsoft-entra-tenants

It is always recommended that for each Azure tenant you deploy a sync agent for the synchronization, or MS will not support it. If you have separated the on-premises forests, you could treat them as separate environments for synchronization scenarios.

For on-premises forests, you could set up a forest trust and enable the required ports: https://video2.skills-academy.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts, which will allow the common AD management tasks to run properly.

Best Regards,

Ian Xue
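An added example, not part of the answer above and not Microsoft's code, that audits an existing forest trust from the defender's side: it decodes the trust's attribute flags (direction, selective authentication, SID filtering, RC4) and then checks TCP reachability of the trust ports named in the linked firewall article toward a partner domain controller. The forest name and DC hostname are placeholders; which flag values are "right" depends on the design, but for a service-provider relationship selective authentication and SID filtering left enabled are the usual hardening choices.

```powershell
# Added example (not from the answer or from Microsoft): audit a forest trust and
# test trust ports. Names are placeholders; run on a host with the AD RSAT module.
Import-Module ActiveDirectory

$PartnerForest = 'partner.example'        # placeholder: DNS name of the trusted forest
$PartnerDC     = 'dc01.partner.example'   # placeholder: a domain controller in that forest
$TrustPorts    = 53, 88, 135, 389, 445, 464, 636, 3268, 3269   # TCP ports from the linked article

# trustAttributes bit flags as documented in MS-ADTS, decoded for readability.
$TrustFlags = @{
    0x1   = 'NON_TRANSITIVE'
    0x4   = 'QUARANTINED_DOMAIN (SID filtering on an external trust)'
    0x8   = 'FOREST_TRANSITIVE'
    0x10  = 'CROSS_ORGANIZATION (selective authentication)'
    0x40  = 'TREAT_AS_EXTERNAL (relaxes forest SID filtering)'
    0x200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
}

function Get-TrustAudit {
    param([string]$Target)
    $t = Get-ADTrust -Filter "Target -eq '$Target'"
    if (-not $t) { throw "No trust object found for $Target" }
    $flags = $TrustFlags.Keys | Where-Object { $t.TrustAttributes -band $_ } |
             ForEach-Object { $TrustFlags[$_] }
    [pscustomobject]@{
        Target            = $t.Target
        Direction         = $t.Direction            # Inbound, Outbound or BiDirectional
        SelectiveAuth     = $t.SelectiveAuthentication
        UsesRC4Encryption = $t.UsesRC4Encryption    # $true: Kerberos over the trust still allows RC4
        TrustAttributes   = ('0x{0:X}' -f $t.TrustAttributes) + ' = ' + ($flags -join ', ')
    }
}

function Test-TrustPorts {
    param([string]$DomainController, [int[]]$Ports)
    foreach ($p in $Ports) {
        [pscustomobject]@{
            Port = $p
            Open = Test-NetConnection -ComputerName $DomainController -Port $p -InformationLevel Quiet
        }
    }
}

Get-TrustAudit -Target $PartnerForest | Format-List
Test-TrustPorts -DomainController $PartnerDC -Ports $TrustPorts | Format-Table -AutoSize
```

Test-NetConnection only probes TCP, so UDP (Kerberos and DNS over UDP) and the dynamic RPC port range are not covered by this check.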