About This Architecture
Multi-forest Active Directory hierarchy spanning the ext.local and grange.local forests, with redundant domain controllers across the HQ, Branch-A, and Branch-B sites and synchronized to Azure AD (now Microsoft Entra ID) through Azure AD Connect. Each forest has a root domain and child domains (agent.ext.local, agentmdl.ext.local, gmcc.grange.local), each served by a pair of domain controllers for high availability and disaster recovery. A trust between the two forests (labelled "Forest Trust (External)" in the diagram) enables cross-forest authentication and resource sharing, and the Azure AD Connect Sync Service bridges on-premises identity to the cloud tenant; a single Azure AD Connect server can sync both forests into one tenant as long as it can reach a domain controller in every domain it syncs.

Two things to keep in mind when adapting this. In Active Directory a forest trust (transitive across every domain in both forests) and an external trust (non-transitive, between two specific domains) are different trust types, so pick the one that matches the access you intend, keep SID filtering enabled on it, and consider selective authentication so that only explicitly granted principals from the other forest can authenticate to your resources. The Azure AD Connect server also holds an AD connector account with rights over both forests and the credentials for the cloud tenant, so treat it as a Tier 0 asset and administer it with the same controls as a domain controller.

This architecture demonstrates enterprise-grade hybrid identity management with site-aware replication, a multi-tier domain structure, and cloud synchronization for organizations that need federated access control. Fork this diagram to customize domain names, add sites, or adjust the replication topology for your own hybrid deployment. Consider adding Azure AD Conditional Access policies and MFA enforcement at the Azure AD Tenant layer for a zero-trust security posture.
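The redundancy and trust properties described above are worth checking against the live directory before you fork the diagram for a real deployment. The following PowerShell script is an added example, not code from this diagram page or from any product shown on it. It assumes the RSAT ActiveDirectory module, an account that can read both forests, network reachability to a domain controller in each domain, and (for the last section only) that it is run on the Azure AD Connect server where the ADSync module exists. The forest, domain and site names are the ones from the description; the checks and their wording are a hypothetical audit, not a Microsoft tool.

```powershell
# Added example: audit the HA and trust-hardening claims of the
# ext.local / grange.local hybrid architecture described on this page.
# Assumes RSAT ActiveDirectory module and read rights in both forests.
Import-Module ActiveDirectory

$Forests  = @('ext.local', 'grange.local')      # forest names from the diagram
$Sites    = @('HQ', 'Branch-A', 'Branch-B')     # site names from the diagram
$Findings = [System.Collections.Generic.List[string]]::new()

foreach ($forestName in $Forests) {
    $forest = Get-ADForest -Identity $forestName

    # 1. Every domain should have at least two DCs, spread over more than one
    #    site, or the "site-aware HA / DR" claim does not hold for that domain.
    foreach ($domain in $forest.Domains) {
        $dcs     = @(Get-ADDomainController -Filter * -Server $domain)
        $dcSites = @($dcs | Select-Object -ExpandProperty Site -Unique)
        if ($dcs.Count -lt 2) {
            $Findings.Add("$domain has only $($dcs.Count) domain controller(s); no DC redundancy.")
        }
        if ($dcSites.Count -lt 2) {
            $Findings.Add("$domain DCs are all in site '$($dcSites -join ',')'; one site outage takes the domain down.")
        }
        $unknownSites = @($dcSites | Where-Object { $_ -notin $Sites })
        if ($unknownSites.Count -gt 0) {
            $Findings.Add("$domain has DCs in site(s) not on the diagram: $($unknownSites -join ', ').")
        }
    }

    # 2. Trusts leaving this forest: the settings that bound what a hostile or
    #    compromised partner forest can do here. Intra-forest trusts are skipped.
    $trusts = Get-ADTrust -Filter * -Server $forest.RootDomain |
              Where-Object { -not $_.IntraForest }
    foreach ($t in $trusts) {
        $kind = if ($t.ForestTransitive) { 'forest trust (transitive)' } else { 'external trust (non-transitive)' }
        Write-Host ("{0} -> {1}: {2}, direction {3}" -f $forest.RootDomain, $t.Target, $kind, $t.Direction)

        # SID filtering is exposed as two flags: forest-aware filtering on forest
        # trusts, quarantine on external trusts. Either being off honours SID history
        # injected from the other side.
        if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
            $Findings.Add("Forest trust $($t.Name): SID filtering is off; SID history from $($t.Target) is honoured.")
        }
        if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $Findings.Add("External trust $($t.Name): SID filtering (quarantine) is off; SID history from $($t.Target) is honoured.")
        }
        if (-not $t.SelectiveAuthentication) {
            $Findings.Add("Trust $($t.Name): selective authentication is off; any authenticated user in $($t.Target) can authenticate here.")
        }
        if ($t.TGTDelegation) {
            $Findings.Add("Trust $($t.Name): TGT delegation is enabled; unconstrained delegation in $($t.Target) can obtain tickets for this forest.")
        }
        if ($t.UsesRC4Encryption -and -not $t.UsesAESKeys) {
            $Findings.Add("Trust $($t.Name): trust key is RC4-only; enable AES on the trust.")
        }
    }
}

# 3. Only meaningful on the Azure AD Connect server itself: confirm a connector
#    exists for each forest and that the sync scheduler is actually running.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $connectorNames = @(Get-ADSyncConnector | Select-Object -ExpandProperty Name)
    foreach ($forestName in $Forests) {
        if (-not ($connectorNames | Where-Object { $_ -like "*$forestName*" })) {
            $Findings.Add("Azure AD Connect has no connector for $forestName; that forest is not being synced.")
        }
    }
    if (-not (Get-ADSyncScheduler).SyncCycleEnabled) {
        $Findings.Add('Azure AD Connect sync scheduler is disabled; cloud identities will go stale.')
    }
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings }
```

Run it as an account that can read both forests; the DC and trust checks work from any domain-joined workstation with RSAT, while the ADSync section is silently skipped anywhere but the sync server. A finding from section 2 is the important one: a trust with SID filtering or selective authentication off means the security boundary of the forest on the left side of the arrow is only as strong as the other forest's administration.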