0 Votes
LITRS-5211 asked ·

Migrate AD User and AADConnect to new Forest (Same O365 tenant)

Hi guys,


Over the last few weeks I've been reading a lot around tenant-to-tenant migration, and we've been playing around with the new features and it's been pretty cool.

BUT, I have a question around migrating AD User Objects and standing up a new AADConnect server in a new environment but still syncing into the SAME Azure AD & O365 tenant.

(NOT a new tenant. Same tenant, but Source of Authority is now a new AD Forest and a new AADConnect Server)

So in summary:


Current Set up:

  • On-Premise Active Directory (AD users) in Forest A

  • All users are synced via AAD Connect server in Forest A

  • Hybrid with Exchange 2016 in Forest B (two-way trust with Forest A)

  • All mailboxes are migrated to Exchange Online


Target Set up:

Due to Business reasons (change in datacentre/supplier), we want to continue to use the existing O365 Tenant and Azure subscription, but need to migrate AD Objects (Source of Authority) and stand up a new AAD Connect server to sync the AD objects to the migrated mailboxes in the environment.


So the Target environment would look like this:


  • All AD Users (source of authority) are in Forest C (We will set up a Two-Way trust with Forest A)

  • The AADConnect server to sync all objects to the O365 tenant will also need to be stood up in Forest C

  • The EXO mailboxes in O365 should not be impacted.


AFAIK, there is limited documentation around this online, but if anyone has any experience around this, have used any articles, or can think of any gotchas, would be good to get your views.

I've done something similar with a few previous customers so have a high-level idea, but it would be good to see if anyone has done this. I know it will require a cross-forest AD migration (maybe ADMT/3rd party like Quest) and I guess the UPNs will change for the users, but I'm more interested in planning (coexistence/phased vs. cutover), etc.


Thanks

Ron




Tags: azure-active-directory, office-exchange-online-itpro, azure-ad-connect, office-exchange-hybrid-itpro, azure-ad-hybrid-identity

Hi, do you still require assistance? If not, please mark the answer as verified.

Thank you,
James

0 Votes
1 Vote
NiklasN answered ·

Hi Ron,

Just high level, but it should work:

  1. Create Domain for Forest C in O365

  2. Decommission Hybrid in Forest B; set MX and Autodiscover to Cloud if not done already

  3. Migrate AD Accounts to Forest C (ADMT preferred in case you just need to do a "silly" user migration)

  4. Stop AD Connect on Forest A

  5. Ensure you have "Cloud only" accounts in O365

  6. Switch only the UPN in O365 to the newly created domain from Forest C (in case email should also be switched to the new domain, prepare your AD objects and edit the "e-mail" attribute)

  7. Install AD Connect on Forest C

  8. Start Syncing

  9. AD Connect should then do a soft match

  10. Install minimal Hybrid on Forest C (just in case you need a GUI for administration) (I know, administration via Attribute Editor is not supported by MS but works very well, so maybe an Exchange is not needed)

  11. Be happy :)

I am not quite sure, but when you migrate users they normally have devices (AD computer objects) which also need to be migrated. So I guess you will do a coexistence scenario: in that case I would do it as a staged migration: move users in Forest A to an OU which is not synced to O365. They will be deleted in O365 and you can recover them from the recycle bin, and then they will be "cloud only" users. For faster restoring you could use a PS script for that (additionally, in this script you could also change the UPN to the Forest C domain). Meanwhile you can migrate these users with ADMT to the new domain and let them sync with the newly installed AD Connect in Forest C.


Best
Niklas
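The restore-and-rename script Niklas mentions, as an added example (not code from the thread). It assumes the legacy MSOnline module with Connect-MsolService already run, the ActiveDirectory module reachable against a Forest C DC for the optional hard-match branch, and that the Forest C sAMAccountName equals the UPN prefix; domain and DC names are placeholders. It goes one step beyond the answer by letting you pin the match to the Forest C objectGUID (hard match) instead of relying on soft match.

```powershell
# Added example, not from the thread. Placeholders: $NewDomain, $ForestCServer.
param(
    [string]$NewDomain     = 'forestc.example.com',      # placeholder: verified Forest C domain
    [string]$ForestCServer = 'dc1.forestc.example.com',  # placeholder: a Forest C domain controller
    [switch]$HardMatch                                    # pin ImmutableId to the Forest C objectGUID
)

# AAD Connect's default sourceAnchor is the base64 form of the objectGUID bytes;
# computing it here lets the first Forest C sync hard-match deterministically.
function Get-ImmutableIdFromGuid([guid]$ObjectGuid) {
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

$report = foreach ($deleted in (Get-MsolUser -ReturnDeletedUsers -All)) {
    # Step 5: bring the soft-deleted (out-of-scope) user back from the recycle bin
    Restore-MsolUser -ObjectId $deleted.ObjectId -ErrorAction Stop
    $user   = Get-MsolUser -ObjectId $deleted.ObjectId
    $prefix = $user.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$NewDomain"

    if ($HardMatch) {
        # Assumption: the ADMT-migrated account keeps the same sAMAccountName in Forest C
        $adUser = Get-ADUser -Server $ForestCServer -Filter "sAMAccountName -eq '$prefix'"
        if (-not $adUser) { Write-Warning "No Forest C account for $prefix, skipping"; continue }
        Set-MsolUser -ObjectId $user.ObjectId -ImmutableId (Get-ImmutableIdFromGuid $adUser.ObjectGUID)
    } elseif ($user.ImmutableId) {
        # A leftover Forest A anchor would collide with the new forest's GUID; clear it
        # so the first sync soft-matches on primary SMTP / UPN instead
        Set-MsolUser -ObjectId $user.ObjectId -ImmutableId "$null"
    }

    # Step 6: switch the UPN to the Forest C domain before the new AAD Connect syncs
    Set-MsolUserPrincipalName -ObjectId $user.ObjectId -NewUserPrincipalName $newUpn

    [pscustomobject]@{
        OldUpn = $user.UserPrincipalName
        NewUpn = $newUpn
        Match  = if ($HardMatch) { 'hard (objectGUID)' } else { 'soft (SMTP/UPN)' }
    }
}
$report | Format-Table -AutoSize
```

Run it only after the Forest A AAD Connect has been stopped (step 4), because ImmutableId can only be changed on objects that are no longer directory-synced.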
3 Votes
LydiaZhou-MSFT answered ·

@LITRS-5211

Do you mean forest A is the account forest, and mailboxes migrated to O365 are linked mailboxes in forest B?

The steps provided by NiklasN should be correct. However, if you just want to manage mailboxes from on-premises and hybrid features are not needed, we don't have to deploy the hybrid configuration. Also, we have to extend AD schema for Exchange in forest C for some Exchange attributes.
For your reference: To disable directory synchronization and uninstall Exchange hybrid.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


@LITRS-5211

Just checking in to see if above information was helpful. If you have any questions or need further help on this issue, please feel free to post back.



0 Votes 0 ·

@LITRS-5211

Any updates so far?
If you have solved your problem, could you share with us? Maybe it will help more people with similar problems.



0 Votes 0 ·
0 Votes
LITRS-5211 answered ·

Do you mean forest A is the account forest, and mailboxes migrated to O365 are linked mailboxes in forest B?

@LydiaZhou-MSFT
Hi Lydia, Thanks for your reply. Correct - They've got their Enabled AD User objects in Forest A and have the Exchange Hybrid set up in Forest B, therefore linked mailboxes which have (99% or all) been migrated to Exchange Online.

I appreciate that we can only have one primary AADConnect server per Azure tenant, so do you have any thoughts on how we would go about configuring a new AADConnect server in Forest C (the new forest) and connecting it to sync to the same Azure O365 tenant? I was thinking maybe something like:

  • 2-way Trust in place between Forest A and Forest C

  • Install a new AADC instance as a Staging Server in Forest C

  • Replicate the in-scope OUs and Security Groups that are in AADC in Forest A (Active) to AADC in Forest C (Staging)

  • Switchover Staging in Forest C as Primary

  • Later on, remove the Forest A (now Staging) AADC server from the farm?

Thoughts?


In general, we suggest using ADMT to migrate AD accounts. We don't have to install AAD Connector in forest A and C at the same time.

We can remove the hybrid configuration in forest B and remove the AAD connector in forest A, and make sure all mailboxes and accounts are only in O365. Then migrate AD accounts from forest A to C. After that, install the AAD connector to do the soft match.



0 Votes 0 ·