Tenant to Tenant Migration

Question

Hi There,

I have the below scenarios and need suggestions for the same.

1. Currently, 2 very small companies are part of one on-premises AD. This AD is synced to one tenant for O365 services. The tenant has two verified custom domains. Now these two companies wants their own tenant. What is the best possible way to do this?
   2. Is this an ideal solution to have a full domain controller in Azure Iaas VM in this separation scenario to avoid having any on-premises physical server with the DC role? Once we have a site-to-site VPN connection to Azure, I hope this DC can work as a print server as well to manage on-premises physical print devices.

Thanks,
NG

Answer 1

@NK
Answer to question 1 would vary on the basis of how you are separating objects of these 2 companies? However in both cases, you need to remove one of the verified domain from 1 tenant and add that to the other tenant.

Your scenario must fall under one of the below scenarios:

1. You have one forest for each company
2. Users are part of same forest but you are using different upn suffix to separate users of company 1 from users of company 2.

If you have separate forest for each tenant, you need to use 2 AD Connect Servers and sync users to their respective Tenant.

If you have single forest for both companies, you need to sync each object only once in an Azure AD tenant using AD Connect.

In this topology, one Azure AD Connect sync server is connected to each Azure AD tenant. The Azure AD Connect sync servers must be configured for filtering so that each has a mutually exclusive set of objects to operate on. You can, for example, scope each server to a particular domain or organizational unit.

A DNS domain can be registered in only a single Azure AD tenant. The UPNs of the users in the on-premises Active Directory instance must also use separate namespaces. For example, in the preceding picture, three separate UPN suffixes are registered in the on-premises Active Directory instance: contoso.com, fabrikam.com, and wingtiptoys.com. The users in each on-premises Active Directory domain use a different namespace.

Refer to Topologies for Azure AD Connect for more details.

For the second question, it should be absolutely fine to have a DC as a print server on Azure IAAS VM provided you have a VPN connection with your on-prem environment.

Answer 2

Hi.

For the second question, I would highly recommend at least 1 local DC, and then another one in Azure. Local DC is much faster than the DC in Azure because it's local. And also in case of some outage of your internet connectivity, our users still have the DC available.

Answer 3

@NK You would need to perform below steps:

• Migrate required objects to the new Active Directory Forest. For this purpose you can refer to ADMT Guide
• Remove custom domain from current tenant and add add it to new tenant. Refer to Add your custom domain name using the Azure Active Directory portal
• Install Azure AD Connect for the new forest. Refer to Custom installation of Azure AD Connect
• For more understanding of how Azure AD Connect works, please refer to Azure AD Connect sync: Understanding Declarative Provisioning

-------------------------------------------------------------------------------------------------------------

Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.