We have company A AD forest (forest domain a.com) and company B AD forest (forest domain b.com) linked by inter-forest trusts and each with On-Premises Exchange 2010 SP3.
We plan to migrate both Exchange Server to a single Office 365 tenant in an hybrid environment using multi-forest Azure AD Connect to synchronise both AD into separate directories in Azure.
a.com is using john.doe@a.com as its UPN.
b.com is using john.doe@b.com as its UPN.
Now because the 2 organisation is sort of merging its operations, we are exploring the possibility that both a.com and b.com staff to log on using the same UPN c.com like john.doe@c.com as their UPN instead.
I know I can add c.om in a.com and b.com forest as a new UPN no problem but when it comes to AADC, it is a different arena.
When running AADC, I am not sure if it can go past this screen?
Is this supported at all?
Thanks in advance.
Best Answer
ADConnect doesn't care about the AD UPN, only if it can be properly matched to an Azure AD UPN; so, if you have non-routable UPN suffixes such as "@domain.local", ADconnect will warn you about this; if an user account with such an UPN suffix gets synchronized, the Azure AD user will get the default UPN suffix ("@yourname.onmicrosoft.com"), because the original UPN will not be usable.
If you add a third UPN suffix to your AD forest(s) and it can be properly matched to an Azure AD UPN suffix (i.e. a DNS domain you validated in Azure AD / Office 365), this will not be a problem at all; just remember to set your users' UPN to use the new suffix prior to starting synchronization.
Also, be careful about duplicate UPNs: if you are syncing from more than one forest and duplicate UPN exist, this will lead to synchronization conflicts.
Addendum: if you are migrating users between AD forests, or if you have duplicate user accounts in different forests because they are actually the same users, you need to take extra steps in order for ADConnect to correctly match them.