Forum Discussion
Migrating / merging two domains in azure AD
Hello and thanks for the reply. There are only 2 domains: 1 on-premise and one in Azure AD. The on-site domain contains workstations, servers, and user accounts to access them (these accounts have probably got old email attributes). The Azure AD domain contains the O365 and email accounts and corresponding user accounts.
The users currently use two separate accounts to access their resources. We would like to merge these two domains so that they only have the one user account which can access all resources.
I think you're correct in the fact that they will need a unique identifier. Are you suggesting that I will need the user account names to be the same, e.g. usera@domain1 will need to have a corresponding usera@domain2, and they will somehow merge upon syncing? I'm not sure how the AD sync tool will handle that outcome.
I don't believe the user account names match on the two domains. Obviously the domain names are different but the actual user name may also be different. Are you saying that these need to be the same?
Do you know what will happen to the old email attributes and which one will take precedence? I have read that this information will need to be removed before sync and I was wondering how this could be done?
Sorry for all the questions. As you can see it's early, and this is something that is hard to find examples of and is introducing problems that I don't think many people have to overcome. I'm still trying to figure out if we can test this before a live migration.
Thanks for any reply.
Thanks for the additional information.
In that case, AzureAD Sync is the way to go. Changes made on your on-prem domain (passwords/attributes etc) will be synchronised to AzureAD so everything lines up. Users then have the same username/password for logging onto domain resources as well as email.
When I have done this before, the process has been to prep the on prem AD by adding in UPN and ensuring attributes are correct, then setting up a pilot with a couple of test accounts, then rolling out when satisfied that everything is set up correctly.
Let's say the on-prem AD domain is company.local and the primary domain on 365 is company.com - users are logging onto their local machine with user1@company.local and log onto their email with user1@company.com. You will want to add company.com as an additional UPN suffix in AD and change the users' UPN to company.com so it matches. This is a soft match.
For 365, the UPN is the username, so where the username itself is different between AD and AzureAD (user.1@company.local and u1@company.com for example) then I've had to amend the username so they match - this was communicated with users well in advance to let them know that their email address is their new username.
I've always done a hard match as highlighted in the link in my last post - this makes sure that existing objects are lined up with the corresponding user object in Azure AD. Further information is here
Existing attributes in AD will overwrite attributes in Azure AD - AD becomes the source of authority, so you will need to sanitize AD before synchronising, otherwise these will be changed in 365 - off the top of my head, email aliases are something that I've had to amend in the past to make sure it all lines up. Some of the stuff I could automate through PowerShell, but for other bits I've had to spend some time in ADSI.
This also has a bit more information
https://www.2azure.nl/2019/05/02/sync-existing-office-365-tenant-with-local-active-directory/
Hope this helps,
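The prep steps above (forest UPN suffix, UPN set to the 365 sign-in name for a soft match, stale Exchange attributes cleared before AD becomes the source of authority, and the objectGUID-derived value Azure AD Connect uses for a hard match) as one pre-sync check script. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, a pilot OU used for OU filtering, company.com as the tenant's primary domain, and that each user's `mail` attribute already holds the address they sign into 365 with. Without `-Apply` it only reports.

```powershell
# Added example (not from the thread): pre-sync audit of on-prem AD users before Azure AD Connect.
param(
    [string]$SearchBase  = 'OU=Pilot,DC=company,DC=local',  # assumed pilot OU for OU filtering
    [string]$CloudSuffix = 'company.com',                   # assumed 365 primary domain
    [switch]$Apply                                          # nothing is changed unless -Apply is given
)
Import-Module ActiveDirectory

# 1. The 365 domain must be a forest UPN suffix before any user's UPN can use it.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $CloudSuffix) {
    Write-Host "UPN suffix $CloudSuffix is missing from the forest"
    if ($Apply) { Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $CloudSuffix} }
}

# Legacy on-prem mailbox attributes: once synced, AD wins and these would change the 365 mailbox.
$exchAttrs = 'msExchMailboxGuid', 'msExchHomeServerName', 'homeMDB', 'legacyExchangeDN'
$props = @('mail', 'userPrincipalName') + $exchAttrs

Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props | ForEach-Object {
    $u = $_
    # Hard-match value: the default sourceAnchor is the objectGUID, base64-encoded (ImmutableId in Azure AD).
    $immutableId = [Convert]::ToBase64String($u.ObjectGUID.ToByteArray())

    # 2. Soft match needs the UPN to equal the 365 sign-in name; here that name is taken from 'mail'.
    $targetUpn = $u.mail
    $targetOk  = $targetUpn -and ($targetUpn -like "*@$CloudSuffix")
    $upnOk     = $targetOk -and ($u.UserPrincipalName -eq $targetUpn)

    # 3. Exchange attributes still populated on this account (to clear before the first sync).
    $stale = @($exchAttrs | Where-Object { $u.$_ })

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        CurrentUPN     = $u.UserPrincipalName
        TargetUPN      = $targetUpn
        UpnMatches     = [bool]$upnOk
        StaleExchAttrs = ($stale -join ',')
        ImmutableId    = $immutableId
    }

    if ($Apply) {
        if ($targetOk -and -not $upnOk) { Set-ADUser -Identity $u -UserPrincipalName $targetUpn }
        if ($stale.Count -gt 0)         { Set-ADUser -Identity $u -Clear $stale }
    }
} | Format-Table -AutoSize
```

Run it against the pilot OU first and keep the ImmutableId column: it is the value you compare against the Azure AD object when confirming a hard match.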
- james00000007 (Copper Contributor), Sep 25, 2020
Thanks for the reply. I've been speaking to some other people and this is going to involve quite a few projects, as we are going to need to move towards the single domain. I wasn't sure whether it would be easier to switch the O365/email Azure AD or the on-site domain. Looks like this needs a lot of planning with things like an Exchange management server, scripts to remove old AD attributes. Then some testing using OU filtering. Then we will need to look into moving all the devices and servers into the new domain, this includes an entire AWS environment. It's a lot of work as you can imagine.
- HidMov (Iron Contributor), Sep 25, 2020
Absolutely - I apologise if I gave the impression that it was a quick tickbox and done - certainly wasn't my intent! I'm sure you can appreciate that I'm unaware of the details of your infrastructure so can only offer fairly generalised advice - unfortunately this is the limitation of web forums.
Best of luck with your migration project - it sounds like you have your work cut out, but it's also a superb opportunity to get your environments in top shape!
- james00000007 (Copper Contributor), Oct 13, 2020
Thanks for the reply. I don't know if you have ever had to remove AD attributes, old mail users or DLs? Are there any tools or scripts that you are aware of? If not, I guess I would need an Exchange server for hybrid and manually remove them. I did find this
https://community.spiceworks.com/topic/2034414-remove-on-premise-mailbox-properties-from-ad-account-to-allow-365-mailbox-setup
Thanks