What should you do if you have multiple separate Active Directory Forests?

If you maintain multiple Active Directory Forests or have recently inherited a new Active Directory Domain from an acquisition, you have a few things to think about:

  • Is it important for you to try to centralize and simplify your IT where possible?
  • Is it important for your business to allow users to better collaborate and more easily move around between business units?

Cross-Forest Trusts

You could create a “cross-forest Trust”. This is a network-centric approach and has been around since Windows Server 2003. For organisations still heavily invested in their internal networking infrastructure this can work well, but there are a number of possible pitfalls you need to be vigilant about. Ultimately, this is a strong but rigid approach. So if you choose this route, you need to be confident it’s not going to end up hamstringing your future options.

Active Directory Migration

Another option could be to consolidate the Forests by migrating one into the other. This has a lot of pros. It avoids the added complexity and pitfalls associated with the cross-forest trusts. It makes management easier and streamlines downstream processes, such as identity sync to the cloud.

These are great wins. And, by the way, if you want any help we provide an AD migration service, so feel free to contact us. But they are all conditional on you fully centralizing your IT. This can often have “political” ramifications. If you have recently merged with or acquired another organization, taking control of their Active Directory is a tricky subject.

Every merger and acquisition is different. Full “takeovers” may have no problem with the Active Directory consolidation approach. But it’s probably not viable where both parties are still expecting to maintain some independence.

How to keep multiple separate Active Directory Forests in sync without setting up a Trust or consolidating ADs

There is some middle ground here. It is possible to get the benefits of centralisation and collaboration without the complexities of a Trust, while at the same time maintaining local control of the ADs. The answer to this is: IDx (The Identity Exchange).

IDx is a cloud-based (SaaS) identity management solution that specializes in identity integration, automation and synchronization. For those familiar with the IDM field, it’s essentially a next-generation SaaS version of Microsoft Identity Manager (formerly FIM).

Microsoft Identity Manager (MIM) is a great product in many ways, but it is an unwieldy beast. It’s very complex, and that comes with a major overhead both for setting it up and for maintaining it. You need to host it on your own infrastructure, and you have all the normal responsibilities around back-ups, failover and disaster recovery should anything go wrong. There is also no support for MIM, so any support you need, either from Microsoft or a third-party identity specialist, will come at a hefty price.

In the engine room, IDx has more out-and-out power and capability than MIM. But most of that is abstracted away to make deploying and using IDx as easy as possible. That is a balance we try to reach with all our products: simple on the surface, powerful under the hood.

How IDx syncs Active Directory domains

IDx comes with a secure sync agent that typically runs on a domain controller and integrates with AD. The sync agent handles highly secure bi-directional traffic between the AD and the IDxVault, an identity vault hosted in the Microsoft Azure cloud. Once your identities are synced to IDx, there is practically no limit to the logic and processing you can apply. But for this basic scenario, simple rules governing the direction in which data flows between the ADs will probably be sufficient. And if you don’t want to do this cross-AD user sync for all the users in an AD, IDx has a simple-yet-powerful classification system that gives you all the granularity you need.

Simply deploy the sync agent to your separate ADs, sync the users to IDx, classify them as required, set up the data flow rules and that’s pretty much it. You’ve just created a nice flexible way of achieving a “best of both worlds” approach to this problem. And better yet, IDx is affordable and includes full enterprise support from a team of identity experts. We’ve clocked up decades of experience in this space and worked with thousands of different companies and IT set-ups.

IAM Cloud is a Microsoft Gold Partner, GDPR compliant, ethical when it comes to privacy and business practices, and ISO27001 certified for information security.
