Forum Discussion

LIT-RS's avatar
LIT-RS
Copper Contributor
Nov 04, 2020

Migrate AD User and AADConnect to new Forest (Same O365 tenant)

Hi guys,    Over the last few weeks i've been reading a lot around Tenant-to-tenant migration, and we've been playing around with the new features and it's been pretty cool.  However, I have a que...
exchange online
Exchange Server
hybrid
LIT-RS's avatar
LIT-RS
Copper Contributor
Feb 06, 2021

saifs19802210  Hi Saifs, 

Thank you so much for your response.

So instead of using ADMT, we have created brand new users in Forest C. So at the moment, they are ForestA.Local UPNs. But these are not being synced YET.

In our New AADConnect in Forest C, we have added the Forest A users into the scope to be synced. At the moment, new AADconnect server is in Staging mode.

 

So the plan is: 

1. Add the users from Forest A OU's into Scope onto my new Forest C AADConnect in Staging Mode

2. Make the staging mode server in Forest C as Primary Server. Hopefully no change to users at this stage

3. Add a test number of users to Sync from Forest C. This should mean they are synced but not matching the cloud users YET. 

4. So I need to then manually change the UPN of the Forest A users from mailto:username@externaldomain.com to  mailto:username@tenantname.onmicrosoft.com and then change the Forest C synced users' UPN to mailto:username@externaldomain.com - If that doesn't work automatically, I will need to manually hardmatch the Forest C user to the cloud user by setting the Immutable ID

 

 

That should work hopefully.

My only concern is if Azure doesn't like the same custom domain name (Externaldomain.com) coming from 2 Forests - i don't think that should be an issue?

 

steve_elliott's avatar
steve_elliott
Brass Contributor
Feb 07, 2021

LIT-RS - I'm not sure the matching will work as each sync'd user account from Forest A will have an immutable ID on the Azure side.

 

You'll need to clear that for each user in Azure before it'll connect to another on prem sync'd account.

  • LIT-RS's avatar
    LIT-RS
    Copper Contributor
    Feb 08, 2021

    steve_elliott  Hi Steve,

    Agreed - So plan is: Set-msoluser -UserPrincipalName mailto:user1@customdomain.com -ImmutableID "$null"

     

    ^ this will be performed on the user that is synced from Forest A. This will then make it "cloud only".

     

    Immediately after that:

    Set-msoluser -UserPrincipalName mailto:user1@customdomain.com -ImmutableID "%immutableID of the Forest C user's ObjectGuid converted"

     

    ^ this will then force (hard match) the cloud account to the Forest C AD user. 

     

    Is that would you meant?  

    • steve_elliott's avatar
      steve_elliott
      Brass Contributor
      Feb 08, 2021

      LIT-RS  - Yep. You just need to clear the immutable ID for the user.

       

      Then when you bring Forest C sync online (assuming it's going to be the same UPN) - matching will  happen automatically.

       

      If you are keeping the same UPN's the approach I've personally take would be something like :

       

      Forest A - Disable AD Connect tenant wide using powershell - All accounts will convert to cloud only

      Disconnect / Uninstall AD Connect on Forest A

      Run MSOL command against all users in tenant, again using PS

      Bring AD Connect online in Forest C

      Sync - UPN's will match up and sync

       

Resources