Migrating / merging two domains in azure AD

Question

Hello,&nbsp;We are looking to bring together two separate domains. The client has managed to end up with two domains. One of the domains contains all of the workstations, servers, and user accounts to access them. There is a separate domain that has the email accounts and O365 tenancy.&nbsp;We are looking to migrate the onsite domain which holds the workstations and server accounts into the email and O365 Azure AD.&nbsp;We would like to end up with an environment that is just using a single domain. It would be great if you have any idea on how this can be done without the pain of re-joining all the pc's to the new domain and having to change all of the permissions on files and folders. We also have an issue where there could be old email information in the old domain accounts, so we may need to remove any attributes from the domain with the servers.&nbsp;Any ideas or advice would be great.Thanks&nbsp;&nbsp;

hidmov · Answer

Hi&nbsp;james00000007&nbsp;&nbsp;Just so I'm understanding correctly - are there are two on-prem domains and one AzureAD/365 domain or one on-prem domain and one Azure AD/365 domain?&nbsp;If it's the latter, then it's tricky but it can be done. You would look to make sure that the user object on the on-prem domain and the user object in AzureAD have a attribute that is unique to both domains, so that when it synchronises it up knows which user is attached to which mailbox.&nbsp;This article has a bit more information on soft/hard matching&nbsp;https://docs.microsoft.com/en-gb/archive/blogs/praveenkumar/how-to-do-hard-match-part-2&nbsp;When both domains are ready, run Azure AD Connect so they both sync up. The user object on the on-prem AD will be synchronised up with AzureAD so will have the same UPN, Password and attributes. Note that when this is done the source of authority will be the on-prem Active Directory unless you have a write-back enabled.

james00000007 · Answer

HidMov&nbsp;&nbsp;Hello and thanks for the reply. There only 2 domains. 1 on-premise and one in Azure AD. The one onsite domain contains workstations, servers, and user accounts to access them (these accounts have probably got old email attributes). The AzureAD domain contains the o365 and email accounts and corresponding user accounts.&nbsp;The users currently use two sperate accounts to access their resources. We would like to merge these two domains so that they only have the one user account which can access all resources.&nbsp;I think your correct in the fact that they will need a unique identifier. Are you suggesting that I will need the user account names to be the same e.g. usera@domain1 will need to have a corresponding usera@domain2 and they will somehow merge upon syncing? I'm not sure how the adsync tool will handle that outcome?&nbsp;I don't believe the user account names match on the two domains. Obviously the domain names are different but the actual user name may also be different. Are you saying that these need to be the same?&nbsp;Do you know what will happen to the old email attributes and which one will take precedence? I have read that this information will need to be removed before sync and I was wondering how this could be done?&nbsp;Sorry for all the questions. As you can see it early and this is something that is hard to find examples of and is introducing problems that I don't think many people have to overcome. I'm still trying to figure out if we can test this before a live migration&nbsp;Thanks for any reply.&nbsp;

hidmov · Answer

Hi&nbsp;james00000007&nbsp;&nbsp;Thanks for the additional information.&nbsp;In that case, AzureAD Sync is the way to go. Changes made on your on-prem domain (passwords/attributes etc) will be synchronised to AzureAD so everything lines up. Users then have the same username/password for logging onto domain resources as well as email.&nbsp;When I have done this before, the process has been to prep the on prem AD by adding in UPN and ensuring attributes are correct, then setting up a pilot with a couple of test accounts, then rolling out when satisfied that everything is set up correctly.&nbsp;Let's say the on prem AD domain is company.local and the primary domain is on 365 is company.com - users are logging onto their local machine with user1@company.local&nbsp;and log onto their email with user1@company.com. You will want to add company.com as an addition UPN suffix in AD and change the users UPN to company.com so it matches. This is a soft match.&nbsp;For 365, the UPN is the username, so where the username itself is different between AD and AzureAD (user.1@company.local and u1@company.com&nbsp;for example) then I've had to amend the username so they match - this was communicated with users well in advance to let them know that their email address is their new username.&nbsp;I've always done a hard match as highlighted in the link in my last post - this makes sure that existing objects are lined up with the corresponding user object in Azure AD. Further information is here&nbsp;https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant&nbsp;Existing attributes in AD will overwrite attributes in AzureAD - AD becomes the source of authority so you will need to sanitize AD before synchronising otherwise these will be changed in 365 - off the top my head, email alias' is something that I've had to amend in the past to make sure it all lines up. Some of the stuff I could automate through powershell, but for other bits I've had to spend some time in ADSI&nbsp;This also has a bit more information&nbsp;https://www.2azure.nl/2019/05/02/sync-existing-office-365-tenant-with-local-active-directory/&nbsp;Hope this helps,&nbsp;

james00000007 · Answer

HidMov&nbsp;&nbsp;Thanks for the reply. I've been speaking to some other people and this is going to involve quite a few projects, as we are going to need to move towards the single domain. I wasn't sure whether it would be easier to switch the 0365/emaik azure ad or the on-site domain. Look like this needs a lot of planning with things like an exchange management server, scripts to remove old AD attributes. &nbsp; Then some testing using ou filtering. Then we will need to look into moving all the devices and servers into the new domain, this includes an entire AWS environment. It's a lot of work as you can imagine.&nbsp;&nbsp;

hidmov · Answer

Hi&nbsp;james00000007&nbsp;&nbsp;Absolutely - I apologise if I gave the impression that it was a quick tickbox and done - certainly wasn't my intent! I'm sure you can appreciate that I'm unaware of the details of your infrastructure so can only offer fairly generalised advice - unfortunately this is the limitation of web forums.&nbsp;Best of luck with your migration project - it sounds like you have your work cut out, but it's also a superb opportunity to get you're environments in top shape!&nbsp;&nbsp;

Forum Discussion

Migrating / merging two domains in azure AD

6 Replies

Resources