ADDS trusted forests.domains A. OnPrem EX2013 B.Office 365 into new ADDS and New 0365 Tenant?

Brass Contributor

Greetings.
We have two company's (each with their own forest and single domain) that have operated in a trusted ADDS forest configuration. Each forest contains their own respective mail system. One has on-premise Exchange 2013. The other ADDS forest has O365 and uses Azure AD Connect to sync on-premise ADDS users to o365. These mail systems are utilizing Galsync (enow) to support cross forest GAL's.
We are not (yet) using o365 SharePoint, one drive, or other 0365 services other than email. *We will later in the new named entity.
We are now going to merge these two environments (ADDS forest(s) / domain(s)) into a new named ADDS entity (forest and domain) - and new o365 tenant. This new named entity will utilize many of the o365 offerings.
I have migrated/merged trusted forests, and Exchange on-premise 2010/2013 systems together via ADMT and mailbox moves. This looks to be a bit more challenging.
Has anyone performed a similar migration/merge? Would they be willing to share how they did it?
Any insight, links, or thoughts are very much appreciated.
I found something similar in a forum on reddit -https://www.reddit.com/r/Office365/comments/93f4oq/cross_forest_office_365_migration/
Thanks in advance,

7 Replies

Hey @Floyds_on_Greenwood ,

Couple of questions here, Are you planning to keep on-premises exchange post merger ? or is it just going to be office 365 with objects being synchronized from on-premises active directory with AADConnect ? are there plans to consolidate on-premises active directory as well ( like AD user migration from one on-premises active directory to another) ? AADconnect does support synchronizing objects from two different on-premises active directories via single AADconnect server ( There are a few prerequisites though). 

Howdy @harveer singh Thank you for the response. To answer your questions: 1) We do NOT plan to keep any on-premise exchange post merger. 2) It will be office 365 with objects being synchronized from on-premises active directory with AADConnect. 3) YES - The plan is to consolidate on-premises (both forests) active directory as well ( like AD user migration from one on-premises active directory to another) Would you please tell me more re: AADconnect does support synchronizing objects from two different on-premises active directories via single AADconnect server ( There are a few prerequisites though). Thanks again for your help :)

Hey @Floyds_on_Greenwood ,

 

Here is an article which explains about adding an additional directory in AADConnect : https://www.mustbegeek.com/setup-azure-ad-connect-to-synchronize-multiple-active-directory-forests/

There are other links in the article talking about prerequisites like Trust between the forests, conditional forwarder etc. You can achieve the configuration without trust as well, the article is a bit old (and has a few ads now agggh) but still works well. Will drop response to your other query in some time a bit occupied right now.

 

Thanks

Hey @Floyds_on_Greenwood ,

 

Sorry to keep you waiting, a few more question for you, are you planning to migrate both the ADs ( one with exchange 2013 and the other with Dirsync) to a new forest all together, or are you simply merging the two forests ? Going with merge would certainly remove quite some complexity and would make the plan a bit simpler.  Also is it a compliance requirement to move away from the office 365 tenant you already have? If you can stick to the same tenant and simply add the new domain in the same tenant , it would again ease your work and you wont have to perform a tenant to tenant mailbox migration ( I am assuming you have mailboxes in office 365 for the other forest). 

 

Hello @harveer singh 

I don't believe we could rename the existing tenant - correct?

We will migrate both into a new forest - yes.  It will be a new company name.  We need a new tenant name to follow the name for the new company. 

companya.local

companyb.local

into mynewcompany.org

 

 

 

Yup, a tenant can't be renamed as of now. Okay, there a few ways to achieve the target state, In my opinion the simplest one would be using a third party migration tool like Bittitan etc. Lets say your forest setup is A-F-B where A is forest with exchange 2013, B is forest with office 355 and F is the final forest. The high level approach incase of 'third party' migration tool would be:
1. Install Aadconnect in forest F with new tenant. FILTER OUT masexchmailboxguid from synchronization. Add the new domain in new tenant.
2. Migrate(copy) users on-premises from Forest A and B to new forest F using ADMT/other, preserve the object guid but project the users with new upn user1@newdomain.com in the target forest F.
3. Now once you have users in Forest F, sync them to office 365 without mailbox guid, next when you assign a license in office 365, mailbox would be provisioned and office 365 mailboxes will be ready for data to be imported.
4. Now use third party tool to pull data directly into mailboxes from exchange and office 365 forest. Using a third party tool would allow you to do an incremental migration as well, so the users in exchange and old office 365 remain in production to the very last day, incase the migration runs for a few weeks. Lastly you will have to remove the old domain from old tenant and add it into the new tenant.
As i said this is one of the methods to achieve this, I suggest using a third party tool as one of your sources is office 365 and for migrating out of office 365 thirdy party tools serve better.

If you want to take the hybrid route there is added complexity, approach from forest B with office 365 remains the same as above, things would change for exchange forest though, high level overview:
Install Aadconnect in forest F, add forest A as remote directory(article previously shared), once users are synced, setup hybrid, move all mailboxes to office 365, decom exchange on-premises, move users from forest A to destination forest deleting source, so that Aadconnect sees only one instance of user object. Please note that with this approach you will also have to manage mailbox guids for two forests seperately, as exchangemailbox guid must be synced to office 365 for hybrid migration, but for office 365 to office 365 migration you don't want to sync mailbox guid from on-premises.
This is just a high level overview to get you started, a lot more can go into this discussion to fill out any gaps.