Microsoft Tech Community
SOLVED

Azure AD Sync questions


So interesting scenario here. I have a domain controller that is older Windows 2012R2 essentials domain controller with one domain which we will call "widgets".  We also have O365 and used the native sync tools at the time to sync to Azure AD.  We want to get over to a new 2016 domain controller, but have the new domain called "widgets.corp". What is the best way to migrate to the new DC without breaking the Azure sync stuff?  Would it simply be installing AD Connect on new DC? 

8 Replies

Hi Francis,


The best practice is to migrate your Windows 2012R2 to 2016 within the same domain to avoid issues, because your on-premises AD in your scenario is different.


It is possible, but it's a complex migration, and it is advised to contact a partner with experience with your scenario.

The complexity comes from the fact that our current AD pushes up to Azure AD (using a deprecated mechanism). We also need the new DC to do the same: push up to Azure AD using whatever the most up-to-date syncing mechanism is (I assume AD Connect). The problem is that all of our laptops are joined to Azure AD, and I'm trying to figure out if there is a way to do the migration without breaking that.

best response confirmed by Francis Lam (Copper Contributor)
Solution

Hi Francis,


Migrate your active directory to a new Domain Controller in the same domain.

  • Install AD Connect on the new domain controller (it is not advised, but if it's the only one) in staging mode.
  • Uninstall the old sync mechanism.
  • Disable staging mode on AD Connect.
  • Demote the old DC.

With this process you will not break anything.


Read more about staging mode here https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-oper...
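
Before the third step (switching staging mode off), a defender will want to see exactly what the staged server is about to write to Azure AD. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the ADSync module is installed, the default install path, and the usual "<tenant> - AAD" connector name.

```powershell
# Added pre-cutover check (not from the thread or Microsoft). Run on the NEW server
# while it is still in staging mode, after at least one full sync cycle has completed.
# Assumptions: ADSync module present, default install path, AAD connector name ends in "- AAD".
Import-Module ADSync

$sched = Get-ADSyncScheduler
if (-not $sched.StagingModeEnabled) {
    throw "Not in staging mode: this server would already be exporting to Azure AD. Stop."
}
if (-not $sched.SyncCycleEnabled) {
    Write-Warning "Sync cycle is disabled; the staged data may be stale."
}

# Locate the Azure AD connector (the on-prem AD connector is named after the forest).
$aad = Get-ADSyncConnector | Where-Object { $_.Name -like '*- AAD' }
if (-not $aad) { throw "Azure AD connector not found; check Get-ADSyncConnector output." }

$bin = 'C:\Program Files\Microsoft Azure AD Sync\Bin'
$xml = Join-Path $env:TEMP 'aad-pending-export.xml'
$csv = Join-Path $env:TEMP 'aad-pending-export.csv'

# /f:x dumps only objects with a pending export, i.e. what would be written to
# Azure AD the moment staging mode is switched off. CSExportAnalyzer turns the
# XML into a CSV with one row per pending change.
& (Join-Path $bin 'csexport.exe') $aad.Name $xml /f:x | Out-Null
& (Join-Path $bin 'CSExportAnalyzer.exe') $xml | Out-File $csv -Encoding ascii

$rows    = @(Get-Content $csv)
$total   = [Math]::Max(0, $rows.Count - 1)   # minus the header row
# Coarse heuristic: count rows mentioning "Delete" anywhere (assumption about the CSV wording).
$deletes = @($rows | Select-String -SimpleMatch 'Delete').Count

"Pending exports to Azure AD: $total (rows containing 'Delete': $deletes)"
"Review $csv before running the wizard to disable staging mode."

# Guardrail: in a same-domain DC migration the directory content has not changed,
# so many pending deletes mean the new server does not see the same objects
# (wrong OU filter, wrong source anchor, incomplete initial sync) and would
# remove the users the Azure AD-joined laptops depend on.
if ($deletes -gt 0) {
    Write-Warning "Pending deletes found. Do NOT disable staging mode until each one is explained."
}
```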


That looks feasible, but are you saying that migrating that DC to a different domain and domain controller is going to cause issues or is an entirely different set of steps?

Adding a new domain is the problem. You set up a 2nd domain controller in the same domain. It replicates. You get it all set up, move every server, DNS, etc. It's a lot of steps involved, but it keeps you on the same domain. If you try adding another domain and sync, you're asking for a major headache and even more steps :p

Hi Francis,


As Christopher said, it is also a different type of migration, with different steps and risks, among other things.

Okay, understood about migrating the domain and controllers at the same time. Let me ask this though: what if the old 2012 domain controller is really flat and no systems are joined to the domain, etc.? Basically it's just being used to sync to Azure, and maybe some users and groups. In that scenario, could I just build the new DC (2016) with the new domain name from scratch and simply install Azure AD Connect? Would I still have to do "staged mode" and deprecate the old sync, or is that no longer necessary since it's a different domain? BTW, thank you for all your help; definitely learning a lot.

Hi Francis,


If it is your source, it is the best way to migrate the domain controller. You will need to use staging mode to avoid issues; without staging mode there is big downtime. It's just a few more steps.
