Consolidating 2 ADs and Office 365
We are looking to consolidate our user accounts across 2 Active Directories and Office 365. Our current setup is:
Internal office/LAN AD: user names are in the format firstname.lastname@internal.company.com. The SAM account name is in the format of the 3-letter company acronym domain name, followed by firstname.lastname, e.g. com\firstname.lastname.
Private cloud AD: we have a private cloud hosted by an external vendor, which hosts a number of servers hosting client systems. Additionally, it holds our company's SharePoint 2013 portal and other infrastructure services. It has a domain controller that holds user accounts for our internal users who also have accounts on our internal office LAN (in addition to user accounts for external users needing access to the cloud servers). Usernames are in the format firstname.lastname@company.com, and the SAM account name is the same as on the internal LAN, e.g. com\firstname.lastname. The full usernames match the users' company email addresses.
Office 365: we have user accounts for our users in Office 365, who have a subscription for the Office desktop apps. User names match the users' email address/cloud usernames.
The end goal is for users to have 1 account and password that works across all of these environments, ideally managed within the office LAN and synced across the other environments, e.g. a password changed internally replicates to Office 365/the cloud AD. At this point we use IBM Notes/Domino for email; the long-term goal is to migrate to Office 365/Exchange to host our email, so syncing our office LAN/Office 365 accounts to match is a pre-requisite to sort out prior to the longer-term migration to O365.
I've looked a lot at the Azure AD Connect tool and think it can achieve what we want, but I'm not entirely clear on how best to approach this.
- I've identified that changing the UPN in AD on our internal user accounts to match the users' email address should allow them to sync seamlessly with the Office 365 accounts. Will this cause problems when they try to access the cloud servers, such as via RDP or logging onto SharePoint, given the usernames match but have different user SIDs?
- For this approach, whilst we can set up Azure AD Connect on our LAN to sync with Office 365, is it possible to sync passwords from O365 to the cloud AD, e.g. password sync LAN -> O365 -> cloud AD? We have ADFS set up on our cloud infrastructure, so if using ADFS to sync the 2 ADs and O365 is the best approach, I'm happy to go that route.
- Or, would it be more suitable to do away with the user accounts in the cloud AD for internal LAN users, so they are managed in 1 AD, and these accounts are synced to O365? As mentioned, these users need to be set up to have RDP access to servers in the cloud and need to be able to access the SharePoint portal, which is connected to the cloud AD for authentication. Internal users need to be able to access the SharePoint portal, and we still need to keep the cloud AD for external users permissioned for the SharePoint portal/some of the cloud servers (but who we don't want to have access to internal LAN systems).
- My colleague looked at setting up an AD trust between our internal LAN and the cloud AD, the idea being to use the internal accounts on the cloud servers via the trust relationship, but we weren't able to get it working. I'm not sure if this is because our internal LAN is a child/sub-domain of our cloud AD domain, and I assume it's inherently trusted by virtue of being a child domain?
My current thinking is that we need to change the UPN of our internal AD users to match their email address/cloud usernames, to allow us to happily sync our internal accounts to O365 and work with our future O365 email migration. It's the part of having 1 user name based on the email address continue to work with our cloud servers and SharePoint portal, and/or syncing the internal AD users' passwords to the cloud accounts, that is a bit of a sticking point.
I hope this provides sufficient information on our current setup and what we're trying to accomplish. If anyone is able to assist in identifying a suitable solution, it would be appreciated. Thanks again for reading, and apologies for the long post :)
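As an added example that is not part of the original post or any reply: a PowerShell script for the UPN change described in the first bullet. It assumes the ActiveDirectory RSAT module, the suffixes internal.company.com and company.com from the post, a hypothetical OU path, and that company.com has already been verified as a domain in the Office 365 tenant (otherwise Azure AD Connect will not use that suffix as the sign-in name). It only touches accounts whose mail attribute agrees with the planned UPN and whose target UPN is not already taken.

```powershell
# Added example, not from the original thread: change the UPN suffix of internal
# AD users from internal.company.com to company.com so the UPN matches the mail
# attribute before Azure AD Connect is set up. The OU path is an assumption;
# company.com must already be a verified domain in the O365 tenant.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OldSuffix  = 'internal.company.com',                   # from the post
    [string]$NewSuffix  = 'company.com',                            # from the post
    [string]$SearchBase = 'OU=Users,DC=internal,DC=company,DC=com'  # assumed OU
)

Import-Module ActiveDirectory

# 1. The new suffix must be registered on the forest before it can be assigned.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $NewSuffix")) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix }
    }
}

# 2. Only enabled users still carrying the old suffix.
$users = Get-ADUser -SearchBase $SearchBase `
    -Filter "UserPrincipalName -like '*@$OldSuffix' -and Enabled -eq 'True'" `
    -Properties mail

$escaped = [regex]::Escape($OldSuffix)
foreach ($u in $users) {
    # Replace only the suffix (anchored at end of string); -replace is case-insensitive.
    $newUpn = $u.UserPrincipalName -replace "@$escaped`$", "@$NewSuffix"

    # 3. Skip anyone whose mail attribute disagrees with the planned UPN;
    #    those accounts need a manual look rather than a blind rename.
    if ($u.mail -and ($u.mail -ne $newUpn)) {
        Write-Warning "$($u.SamAccountName): mail '$($u.mail)' != planned UPN '$newUpn' - skipped"
        continue
    }

    # 4. Skip if another object already holds the target UPN; do not rely on
    #    the DC to reject duplicates for you.
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" -ErrorAction SilentlyContinue
    if ($clash -and ($clash.DistinguishedName -ne $u.DistinguishedName)) {
        Write-Warning "$($u.SamAccountName): UPN '$newUpn' already used by $($clash.SamAccountName) - skipped"
        continue
    }

    # 5. Only userPrincipalName changes; sAMAccountName and the SID are untouched.
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set UPN $($u.UserPrincipalName) -> $newUpn")) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    }
}
```

Run it with -WhatIf first to get a dry-run list of the renames and the skipped accounts. Because only the userPrincipalName attribute is written, sAMAccountName (com\firstname.lastname) and the account's SID stay the same, so existing DOMAIN\user logons and ACLs on the internal LAN are unaffected. The rename does not, however, make the internal account and the cloud AD account the same security principal; they remain two accounts with two SIDs, which is exactly the concern raised in the first bullet.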
Hi,
I don't think it's possible to synchronize account passwords between AD forests; if you want to achieve single sign-on, I suggest you deploy ADFS.
If there are specific queries regarding Office 365, here is the dedicated Office 365 forum for you:
https://community.office365.com/en-us/f
Best regards,
Amy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.