Forum Discussion

Marco_Miano
Copper Contributor
Sep 01, 2022

Local AD to AAD, post merge

Hi all,

that'll be a lengthy request...

I have experience in managing AD and AAD (including O365 etc.). But I'm in a situation where I'm not that comfortable.

I recently got a job to manage and modernize all the O365 and AAD related things for a company, let's say Contoso (contoso.local and contoso.com).

Our goal is to go full cloud and scratch the old local AD domain.

The current situation is:

  • local AD is not synchronized with anything
  • no SCCM, no WSUS, nothing. Very basic deployment.
  • O365 (mailboxes, SharePoint, Teams, etc.).
  • AAD has an AAD Premium P1 license on it.


We also are going to merge with another company, acme (acme.com). They are full cloud on AAD so no local AD or anything.


After the merge, all the users from Acme will be on the Contoso tenant. We are going to use a 3rd party tool to merge mailboxes and SharePoint sites across tenants and I've done it before so I'm ok with that.


The problem arises when I try to plan the migration from local AD to AAD only.

I see two main roads:

  • Local AD -> hybrid AAD -> AAD only - to synchronize password attributes and groups for the users. Device-wise, probably just a reset with Autopilot for groups of users to go to AAD join only (we have a lot of mobile users that use a lot of different software, so I know that if I impose a full reset they will at least scream some profanity at us). Slower but more careful in the long run.
  • Local AD -> AAD only - literally we'll scratch everything over a weekend and just force users to come by "waves" to the office for a reset of their devices. Probably a stupid idea but very fast.

I can't find any way to migrate from a hybrid join (local AD + AAD) to AAD only (maybe by stopping AD Connect before removing the local domain from the devices, which will probably delete all the state and profiles from the devices regardless).


Do you have any more educated suggestions?


Thanks a lot in advance,

Marco Miano


PS: when I talk about devices I mean just PCs; all the servers and services are going to the cloud, so no worry in that department at least.


  • Marco_Miano Are you moving the servers, DCs etc. into Azure using IaaS? Logically speaking, from a hybrid identity perspective that is still on premises, or are you investigating Azure AD Domain Services?

      Marco_Miano
      Copper Contributor

      PeterTJohnsonZA no, we want to remove as many servers/VMs as possible. When not possible they’ll be on Azure IaaS, but we’ll use AAD SSO for the login and not LDAP/Kerberos/AD/ADFS.


      The goal is to use as few “legacy” things (I know DCs are not legacy) as possible and lose any hardware except for networking. In the not distant future, for some users we’ll try Azure Virtual Desktop.

      My biggest concern is that I don’t want to lose time and waste my users' time resetting their PCs when I remove them from the DCs to migrate to AAD-only joins. Or at least I want to do it in the most efficient way.

      User identity wise I’m fairly confident. 
