How To: Set up AAD Connect multi-forest sync with untrusted forests – Part 1, DNS

I ran into a problem with AAD Connect this week where I had a customer with two completely separate forests – the main forest had ~400 users and was based in the UK, and the other had ~50 users in Australia. Before we started there was not even network connectivity between the networks, so we really were starting from scratch.

Having had a look around the internet, I found lots of blogs explaining how to set up multi-forest sync if the networks are already talking, but not from the start, so I have outlined my findings below.

Connecting the Two Forests

As a starting point a site-to-site VPN needs to be configured between the two forests to enable them to contact each other. You then need to set up a Secondary Zone in each for the other (i.e. ForestA.local’s DNS Server must have a Secondary Lookup Zone for ForestB.local and vice versa). To get this working you must first allow Zone Transfer to the other Forest’s DNS Servers using the following steps:

Configuring source DNS to allow Zone Transfers

  1. Open the DNS console.
  2. Right-click the Forward Lookup Zone you are transferring to the other Forest and click Properties.
  3. Open the Zone Transfers tab.
  4. Select the Allow zone transfers check box. Then choose one of the following:
    1. To allow zone transfers to any server, click To any server. (Avoid this on a forest zone: it lets any host that can reach the server pull the entire zone.)
    2. To allow zone transfers only to the DNS servers on your list of Name Servers, click Only to servers listed on the Name Servers tab. Use this setting if you have configured Authoritative Name Servers for this zone in the Name Servers tab.
    3. To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers. Use this setting if you have not configured Authoritative Name Servers for this zone in the Name Servers tab, or if you do not want every Name Server to be able to request a transfer.
  5. In this demonstration I will be using the last option, so click Only to the following servers.
  6. Click Edit, enter the IP address of the DNS Server in the other Forest that will be requesting the zone transfer, and press Enter. After the FQDN has resolved, click OK.
  7. Click OK on the DNS Properties sheet. DNS is now configured to allow zone transfers to that server only.

It is recommended that you complete this process in both DNS Forests although it is only required to enable Zone Transfer in the Forest where you are not installing AAD Connect.

Configuring a Secondary Zone

Once you have allowed Zone Transfers you need to set up the Secondary Zone in each Forest. To do this:

  1. Open the DNS console.
  2. Right-click Forward Lookup Zones and select New Zone.
  3. Select Secondary Zone from the Zone Type page and click Next.
  4. Under Zone Name enter the domain name that you are transferring from and click Next.
  5. Click Next on the Zone File page.
  6. Under Master DNS Servers enter the IP address of the primary DNS server in the zone you are transferring from. Click Next.
  7. Complete the Wizard and then expand your new Secondary Zone. Within a few minutes you should see the DNS records from the other Forest populate (you will need to refresh to show the new details).

It is recommended that you complete the above steps for both Forests, although it is only necessary to transfer DNS into the Forest where you are installing AAD Connect.
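The two procedures above (restricting zone transfers on the source forest, then creating the Secondary Zone in the other forest) can be scripted with the DnsServer PowerShell module. This is an added example, not part of the original post; the server names, zone name and IP addresses are placeholders and must be replaced with your own.

```powershell
# Added example (not from the original post). Placeholder values, substitute your own:
$SourceDns  = 'dc1.foresta.local'   # DNS server authoritative for the zone being transferred
$SourceZone = 'ForestA.local'
$SourceIp   = '10.1.0.10'           # address the secondary will pull the zone from
$TargetDns  = 'dc1.forestb.local'   # DNS server in the other forest that hosts the secondary copy
$TargetIp   = '10.2.0.10'           # the ONLY address allowed to request a zone transfer

# --- Source forest: equivalent of "Only to the following servers" (steps 4.3 to 7) ---
# TransferToSecureServers limits AXFR/IXFR to the listed IPs; TransferAnyServer would
# hand the whole zone to any host that can reach the server over the VPN.
Set-DnsServerPrimaryZone -ComputerName $SourceDns -Name $SourceZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $TargetIp

# Check that the restriction actually applied and the zone is not wide open.
$zone = Get-DnsServerZone -ComputerName $SourceDns -Name $SourceZone
$allowed = @($zone.SecondaryServers | ForEach-Object { $_.IPAddressToString })
if ($zone.SecureSecondaries -ne 'TransferToSecureServers' -or $allowed -notcontains $TargetIp) {
    throw "Zone transfer on $SourceZone is not restricted to $TargetIp (SecureSecondaries=$($zone.SecureSecondaries))"
}

# --- Other forest: equivalent of the New Zone wizard, Secondary Zone (steps 2 to 7) ---
$existing = Get-DnsServerZone -ComputerName $TargetDns -Name $SourceZone -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerSecondaryZone -ComputerName $TargetDns -Name $SourceZone `
        -ZoneFile "$SourceZone.dns" -MasterServers $SourceIp
}

# Force a full transfer instead of waiting for the refresh interval, then confirm
# the other forest's records are present (the manual step says "within a few minutes").
Start-DnsServerZoneTransfer -ComputerName $TargetDns -Name $SourceZone -FullTransfer
Start-Sleep -Seconds 10
$records = Get-DnsServerResourceRecord -ComputerName $TargetDns -ZoneName $SourceZone
if (-not ($records | Where-Object RecordType -eq 'A')) {
    throw "Secondary zone $SourceZone on $TargetDns has no A records; check the VPN and the transfer allow-list"
}
"$SourceZone replicated to ${TargetDns}: $($records.Count) records"
```

Run the same script with the source and target values swapped to replicate the second forest's zone in the first, as the post recommends.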

At this point you are ready to begin the installation of AAD Connect.
