Forum Discussion
Migrating / merging two domains in azure AD
Hello,
We are looking to bring together two separate domains. The client has managed to end up with two domains. One of the domains contains all of the workstations, servers, and user accounts to access them. There is a separate domain that has the email accounts and O365 tenancy.
We are looking to migrate the onsite domain which holds the workstations and server accounts into the email and O365 Azure AD.
We would like to end up with an environment that is just using a single domain. It would be great if you have any idea on how this can be done without the pain of re-joining all the pc's to the new domain and having to change all of the permissions on files and folders. We also have an issue where there could be old email information in the old domain accounts, so we may need to remove any attributes from the domain with the servers.
Any ideas or advice would be great.
Thanks
- HidMovSteel Contributor
Just so I'm understanding correctly - are there are two on-prem domains and one AzureAD/365 domain or one on-prem domain and one Azure AD/365 domain?
If it's the latter, then it's tricky but it can be done. You would look to make sure that the user object on the on-prem domain and the user object in AzureAD have an attribute that is unique to both domains, so that when it synchronises up it knows which user is attached to which mailbox.
This article has a bit more information on soft/hard matching
https://docs.microsoft.com/en-gb/archive/blogs/praveenkumar/how-to-do-hard-match-part-2
When both domains are ready, run Azure AD Connect so they both sync up. The user object on the on-prem AD will be synchronised up with AzureAD so will have the same UPN, Password and attributes. Note that when this is done the source of authority will be the on-prem Active Directory unless you have a write-back enabled.
- james00000007 Copper Contributor
Hello and thanks for the reply. There are only 2 domains: 1 on-premise and one in Azure AD. The onsite domain contains workstations, servers, and user accounts to access them (these accounts have probably got old email attributes). The AzureAD domain contains the O365 and email accounts and corresponding user accounts.
The users currently use two separate accounts to access their resources. We would like to merge these two domains so that they only have the one user account which can access all resources.
I think you're correct in the fact that they will need a unique identifier. Are you suggesting that I will need the user account names to be the same, e.g. usera@domain1 will need to have a corresponding usera@domain2, and they will somehow merge upon syncing? I'm not sure how the adsync tool will handle that outcome.
I don't believe the user account names match on the two domains. Obviously the domain names are different but the actual user name may also be different. Are you saying that these need to be the same?
Do you know what will happen to the old email attributes and which one will take precedence? I have read that this information will need to be removed before sync and I was wondering how this could be done?
Sorry for all the questions. As you can see it's early, and this is something that is hard to find examples of and is introducing problems that I don't think many people have to overcome. I'm still trying to figure out if we can test this before a live migration.
Thanks for any reply.
- HidMovSteel Contributor
Thanks for the additional information.
In that case, AzureAD Sync is the way to go. Changes made on your on-prem domain (passwords/attributes etc) will be synchronised to AzureAD so everything lines up. Users then have the same username/password for logging onto domain resources as well as email.
When I have done this before, the process has been to prep the on-prem AD by adding in the UPN and ensuring attributes are correct, then setting up a pilot with a couple of test accounts, then rolling out when satisfied that everything is set up correctly.
Let's say the on-prem AD domain is company.local and the primary domain on 365 is company.com - users are logging onto their local machine with user1@company.local and log onto their email with user1@company.com. You will want to add company.com as an additional UPN suffix in AD and change the users' UPN to company.com so it matches. This is a soft match.
For 365, the UPN is the username, so where the username itself is different between AD and AzureAD (user.1@company.local and u1@company.com for example) I've had to amend the username so they match - this was communicated with users well in advance to let them know that their email address is their new username.
I've always done a hard match as highlighted in the link in my last post - this makes sure that existing objects are lined up with the corresponding user object in Azure AD. Further information is here
Existing attributes in AD will overwrite attributes in AzureAD - AD becomes the source of authority, so you will need to sanitise AD before synchronising, otherwise these will be changed in 365 - off the top of my head, email aliases are something that I've had to amend in the past to make sure it all lines up. Some of the stuff I could automate through PowerShell, but for other bits I've had to spend some time in ADSI.
This also has a bit more information
https://www.2azure.nl/2019/05/02/sync-existing-office-365-tenant-with-local-active-directory/
Hope this helps,
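The prep steps described in both replies above (add the tenant domain as a UPN suffix, align the pilot users' UPNs for the soft match, check AD for stale mail attributes before it becomes the source of authority, and hard-match by ImmutableId) as one added PowerShell example; this is not code from either poster or from the linked articles. It assumes the thread's names (company.local, company.com, user1) and uses the ActiveDirectory and MSOnline modules; the `$DryRun` switch is an assumed convenience so the script reports before it changes anything.

```powershell
# Added example, not from the thread. Assumes on-prem domain company.local,
# tenant domain company.com and pilot account user1 (names taken from the thread).
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

$TenantSuffix = 'company.com'
$PilotUsers   = @('user1')   # pilot accounts only; widen once the pilot is clean
$DryRun       = $true        # set to $false to apply the changes

# 1. Register the tenant's verified domain as an alternative UPN suffix in the forest.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $TenantSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $TenantSuffix } -WhatIf:$DryRun
}

$suffixPattern = '@' + [regex]::Escape($TenantSuffix) + '$'
foreach ($sam in $PilotUsers) {
    $adUser = Get-ADUser -Identity $sam -Properties proxyAddresses
    $newUpn = "$sam@$TenantSuffix"

    # 2. Soft match: the on-prem UPN must equal the user's 365 sign-in name.
    if ($adUser.UserPrincipalName -ne $newUpn) {
        Set-ADUser -Identity $adUser -UserPrincipalName $newUpn -WhatIf:$DryRun
    }

    # AD becomes the source of authority after sync, so old mail values in AD would
    # overwrite the tenant. Report anything not on the tenant domain; do not change it here.
    $stale = @($adUser.proxyAddresses | Where-Object { $_ -notmatch $suffixPattern })
    if ($stale.Count -gt 0) {
        Write-Warning "$sam has proxyAddresses to review before sync: $($stale -join ', ')"
    }

    # 3. Hard match: ImmutableId is the base64 form of the on-prem objectGUID bytes,
    #    which is what the sync engine uses to tie the AD object to the cloud object.
    $immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    $cloudUser = Get-MsolUser -UserPrincipalName $newUpn -ErrorAction SilentlyContinue
    if ($null -eq $cloudUser) {
        Write-Warning "$newUpn not found in the tenant; skipping hard match"
    } elseif ($cloudUser.ImmutableId -and $cloudUser.ImmutableId -ne $immutableId) {
        Write-Warning "$newUpn already has ImmutableId $($cloudUser.ImmutableId); refusing to overwrite"
    } elseif ($DryRun) {
        Write-Host "Would set ImmutableId $immutableId on $newUpn"
    } else {
        Set-MsolUser -UserPrincipalName $newUpn -ImmutableId $immutableId
    }
}
```

Run it with `$DryRun = $true` against the pilot accounts first and review the warnings; the hard-match step refuses to overwrite an ImmutableId that is already set, because that means the cloud object is already anchored to a different AD object.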