Question

0 Votes
johnwilliams-4177 asked · YiEWang-MSFT edited

AD domain migration With AAD connect passthrough authentication

What is the best way to migrate AAD connect to the new Active Directory domain when performing an AD migration? With password hash syncing it would be easy to perform the cutover but I am not sure how to do that when AADC is set to passthrough.

Tags: windows-active-directory, azure-ad-connect

1 Vote
amanpreetsingh-msft answered

Hello @johnwilliams-4177

In the case of Pass-through Authentication (PTA), PTA agents are used to facilitate authentication from on-premises AD. So, once your migration is completed, you would need to install PTA agents in the new domain and uninstall all the existing agents in the old domain. Once the agents are uninstalled, the outbound connection to AAD won't exist from the old domain and the agent status will become inactive. Inactive agents are removed automatically from the AAD tenant after 10 days of inactivity and can't be removed manually. However, authentication requests will only be sent to the active agents. So make sure there is no active PTA agent in the old domain, as after migration all authentication requests should go to the new domain.

I would strongly recommend that you test it in a dev environment before performing it in production.

As a failover plan, you may consider configuring PHS as a backup through "Customize synchronization options" > connect to Azure and AD > Optional features > PHS.

Note: This will just act as a backup and PTA will remain your primary mode of authentication. Authentication will not fall back to PHS automatically and you would have to manually switch to PHS if needed.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
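The answer above hinges on one pre-cutover check: no host in the old domain may still run an active PTA agent. The following script is an added example written for this thread, not code from the answerer or from Microsoft; it sweeps the old domain's servers for the agent's Windows service and flags any that are still running. Assumptions not stated on the page: the agent's service name is `AzureADConnectAuthenticationAgent`, the old domain is reachable through the ActiveDirectory module, and the account running it can query services on member servers over CIM/WinRM. The domain name is a placeholder.

```powershell
# Added example (not from the Q&A thread): inventory the old AD domain for hosts that
# still run the Pass-through Authentication agent service before cutover.
# Assumptions: service name 'AzureADConnectAuthenticationAgent' (assumed, verify on one
# agent host with Get-Service), ActiveDirectory module available, CIM/WinRM rights on servers.
param(
    [string]$OldDomain    = 'old.corp.example',                  # placeholder: the source domain
    [string]$AgentService = 'AzureADConnectAuthenticationAgent'  # assumed service name
)

Import-Module ActiveDirectory

# PTA agents are only supported on Windows Server, so restrict the sweep to server objects.
$servers = Get-ADComputer -Server $OldDomain -Filter { OperatingSystem -like '*Server*' } `
                          -Properties OperatingSystem, DNSHostName

$report = foreach ($s in $servers) {
    try {
        # Win32_Service returns $null when the service is absent and throws when the host
        # is unreachable, which lets us distinguish the three states below.
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $s.DNSHostName `
                               -Filter "Name='$AgentService'" -ErrorAction Stop
        if ($null -eq $svc) {
            [pscustomobject]@{ Host = $s.DNSHostName; Agent = 'Not installed'; State = '-' }
        } else {
            # A 'Running' agent keeps an outbound connection to AAD and can still be handed sign-ins.
            [pscustomobject]@{ Host = $s.DNSHostName; Agent = 'Installed'; State = $svc.State }
        }
    } catch {
        [pscustomobject]@{ Host = $s.DNSHostName; Agent = 'Unreachable'; State = $_.Exception.Message }
    }
}

$report | Sort-Object Agent, Host | Format-Table -AutoSize

# Cutover gate: any running agent in the old domain means authentication can still be
# routed there, so the migration should not proceed until those hosts are decommissioned.
$stillActive = @($report | Where-Object { $_.Agent -eq 'Installed' -and $_.State -eq 'Running' })
if ($stillActive.Count -gt 0) {
    Write-Warning ("{0} host(s) in {1} still run an active PTA agent: {2}" -f `
        $stillActive.Count, $OldDomain, ($stillActive.Host -join ', '))
} else {
    Write-Host "No running PTA agents found in $OldDomain."
}
```

Treat the script's output as a local cross-check, not the source of truth: the agent list and its active/inactive status in the Azure AD Connect Health portal, which the answer refers to, is what the tenant actually routes on, and an agent that was uninstalled cleanly will show there as inactive until the 10-day automatic removal. Hosts reported as "Unreachable" still need to be confirmed by hand before cutover.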


1 Vote
JonAlfredSmith-5004 answered

You should change the authentication to password hash sync. With PTA you still need at least one local DC to authenticate your users. This won't work with a cutover.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta


0 Votes
johnwilliams-4177 answered

Is that the only option we have for migrating Active Directory domains? If we were willing to live with the downtime, could we uninstall AAD Connect in the source domain and reinstall it in the target domain?
