
The Hidden Cost of Directory Fragmentation Post-Merger

Two AD forests maintained in coexistence cost more than just licensing — help desk overhead, security drift, and user frustration compound into a silent integration tax.

Luna
Tags: active-directory, cost-model, coexistence, m-and-a

When companies talk about M&A IT costs, they model server migration, network cutover, and the labor for data migration. Almost nobody models the cost of maintaining two AD forests in coexistence.

It doesn’t show up in the integration plan as a line item. But it shows up every month in operational costs, every quarter in security audit findings, and every time a user forgets which password to use for which system.

The Annual Cost Model

Here’s what two forests actually cost, per year, for a 2,500-user acquired company in coexistence:

| Cost Driver | Annual Cost | Notes |
| --- | --- | --- |
| Additional Azure AD P2 licenses (conditional access for 2 tenants) | $75,000 | Both companies’ Entra ID tenants need P2 for full CA coverage |
| Extra help desk FTE (password issues, access confusion) | $85,000 | ~0.5 FTE dedicated to cross-forest identity issues |
| VPN / network overhead for cross-forest authentication | $40,000 | Additional network infrastructure for forest trust traffic |
| Security tool licensing (2x endpoint, 2x SIEM) | $60,000 | Security posture can’t be managed from a single console |
| Identity governance tool licensing (2x tenants) | $45,000 | Access reviews must run in both directories |
| Compliance audit labor | $30,000 | Annual SOC 2 / ISO 27001 audit covers both forests separately |
| Total Annual | $335,000 | |

That number compounds. Year 1: $335K. Year 2: $335K plus 3% license increases. Year 3: the security tool vendors have raised prices because you’re running two separate environments. Year 4: you’re still doing this because the integration project keeps getting deprioritized.

By year 5, you’ve spent $1.7M maintaining two forests instead of $800K consolidating them. And you’re still in the same position you were in on Day 1 — two forests, two identities, twice the attack surface.

The Help Desk Multiplier

The most visible cost is help desk load. In a coexistence environment, users in the acquired company have to remember:

  • Which system uses which credentials
  • Which password to use for which application (source forest vs. target forest vs. M365)
  • How to submit access requests when an application in the other forest is needed
  • Which IT team to contact depending on which forest the issue is in

The average help desk ticket for a user in a coexistence environment takes 23% longer to resolve than in a single-forest environment, because the agent has to determine which forest the user’s identity lives in before they can even begin troubleshooting.

For a 2,500-user acquired company, this adds approximately 0.5 help desk FTE worth of capacity — permanently, as long as coexistence continues.

The Security Drift Problem

When you have two AD forests, you have two Group Policy environments. Over time, these diverge.

The acquiring company’s security team updates the password policy (complexity, history, max age). The acquired company’s security team, operating independently, doesn’t adopt the change. Six months later, the acquired company’s users are on a 90-day password rotation and the acquiring company’s users are on a 30-day rotation — and nobody can explain why.

This sounds minor. It isn’t. Password policy divergence means your identity security posture is inconsistent across your own merged environment. An attacker (or pentester) who compromises the weaker forest’s AD gains a pivot point into every resource in the stronger forest that trusts the weaker one.

The same applies to:

  • Patch management policies — different servers in different forests get patched on different schedules
  • BitLocker policies — encryption compliance status can differ between forests
  • Privileged access management — the acquired company’s privileged group membership policy may be less restrictive

ACQI’s security posture module runs a continuous GPO analysis across both forests, flagging policy divergences that create security inconsistency.
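As an added illustration of what a divergence check looks like in practice (this is example code, not ACQI’s module or anything from the original post), the PowerShell below reads the default domain password policy, the count of fine-grained password policies, and the Domain Admins membership from one domain in each forest and reports every setting where the two sides disagree. It assumes the RSAT ActiveDirectory module, that the caller can reach a domain controller in each forest, and that the forest names and the credential prompt are placeholders you replace with your own.

```powershell
# Added example (not ACQI's code): flag password-policy and privileged-group
# drift between two AD forests. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder forest root domains; replace with your own.
$Forests = @{
    Acquirer = 'corp.example.com'
    Acquired = 'target.example.net'
}
# Read-only account for the acquired forest; drop this if a forest trust
# lets the current account query both sides.
$AcquiredCred = Get-Credential -Message 'Read-only account in the acquired forest'

# The default-domain-policy settings a divergence review cares about.
$Settings = 'MinPasswordLength', 'ComplexityEnabled', 'PasswordHistoryCount',
            'MaxPasswordAge', 'MinPasswordAge', 'LockoutThreshold',
            'LockoutDuration', 'ReversibleEncryptionEnabled'

function Get-ForestPolicySnapshot {
    param([string]$Server, [pscredential]$Credential)
    $params = @{ Server = $Server }
    if ($Credential) { $params.Credential = $Credential }

    $policy = Get-ADDefaultDomainPasswordPolicy @params
    # Fine-grained policies are exceptions to the default; a forest with many
    # of them may be quietly weaker than its default policy suggests.
    $fgpp   = @(Get-ADFineGrainedPasswordPolicy -Filter * @params)
    # Recursive membership so nested groups do not hide extra admins.
    $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive @params |
                Select-Object -ExpandProperty SamAccountName)

    [pscustomobject]@{
        Server       = $Server
        Policy       = $policy
        FgppCount    = $fgpp.Count
        DomainAdmins = $admins
    }
}

$a = Get-ForestPolicySnapshot -Server $Forests.Acquirer
$b = Get-ForestPolicySnapshot -Server $Forests.Acquired -Credential $AcquiredCred

# Report every default-policy setting where the forests disagree.
# TimeSpan values (MaxPasswordAge etc.) are compared by their string form.
$drift = foreach ($s in $Settings) {
    $va = $a.Policy.$s
    $vb = $b.Policy.$s
    if ("$va" -ne "$vb") {
        [pscustomobject]@{ Setting = $s; Acquirer = $va; Acquired = $vb }
    }
}
if ($drift) {
    Write-Warning "Password policy drift detected between $($a.Server) and $($b.Server):"
    $drift | Format-Table -AutoSize
} else {
    "Default domain password policies match."
}

# Privileged-access comparison: size of Domain Admins and number of
# fine-grained policy exceptions on each side.
[pscustomobject]@{
    Forest        = $a.Server; DomainAdmins = $a.DomainAdmins.Count; FgppCount = $a.FgppCount
}, [pscustomobject]@{
    Forest        = $b.Server; DomainAdmins = $b.DomainAdmins.Count; FgppCount = $b.FgppCount
} | Format-Table -AutoSize

if ($b.DomainAdmins.Count -gt $a.DomainAdmins.Count) {
    Write-Warning ("Acquired forest has {0} Domain Admins vs {1} in the acquirer; review: {2}" -f
        $b.DomainAdmins.Count, $a.DomainAdmins.Count, ($b.DomainAdmins -join ', '))
}
```

Run it on a schedule from a management host that can reach both forests and diff the output against the previous run; a setting that changes on one side only is exactly the six-month drift described above, caught the week it happens rather than at the next audit.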

The User Experience Problem Nobody Talks About

When a user in the acquired company gets a new laptop, the imaging process has to know which forest the machine will join. If the user moves between offices (headquarters vs. acquired company’s site), the network configuration may route them to a different forest’s resources.

For an organization with significant remote work, this becomes a daily friction point. Users report that they have to “switch” between systems, which really means disconnecting and reconnecting to resources that are in different forests.

This friction has a real productivity cost. McKinsey estimates knowledge worker productivity loss from IT-related friction at 15-20% of time. In a coexistence environment, that friction is concentrated in the first 12-18 months post-merger — the period when integration velocity matters most for capturing deal synergies.

The Consolidation Break-Even Analysis

If your coexistence annual cost is $335K (from the model above), and your forest consolidation project costs $1.2M (including application remediation, user migration, and testing), the break-even is 3.6 years.

After that, consolidation saves money every year. And it gives you a single security posture, a single identity store, and a single set of compliance evidence — all of which have value that doesn’t show up in the direct cost model.

The calculation changes for PE firms with high deal velocity. If you’re doing 2-3 acquisitions per year and each acquired company stays in coexistence for 12-18 months, the ongoing operational overhead of managing multiple forests simultaneously becomes a tax on deal execution speed. The cost isn’t just financial — it’s the integration team’s attention that gets consumed by coexistence operational issues instead of deal-synergy work.

The Right Question

The question is not “can we afford to consolidate?” It’s “can we afford not to?”

And the answer, for any organization that has completed two or more acquisitions in five years with no consolidation: the cost of not consolidating is already being paid. It’s just being paid invisibly — in help desk tickets, security findings, and integration delays that never get charged to the M&A project.

Running an integration right now?

The research is clear: discovery-first integrations deliver on time. ACQI has the modules to get you there in weeks, not months.