Azure AD Connect - Multiple AD Forests and two tenants (tenant migration)

Question

Our company recently bought another company. The bought company already has it's own AD forest and it's own Azure tenant. We want now to bring everyone on the same tenant.

The current setup is like this:

The request is to have everyone on Tenant A. Everything from Tenant B will be migrated to Tenant A. We have already done this process in the past. Usually we created new user accounts in Forest A, which got synced to Tenant A and thus we had objects on Tenant A onto which migrate all the stuff from the other tenant.

But this time instead of creating new user accounts on Tenant A, the managements wants to use the ability to sync one AD Forest to multiple tenants thus creating the accounts and having exactly the same credentials and keeping the other companies access to their AD forest.

So the next step would be like this:

And once everything is migrated onto Tenant A it will be like this:

So the questions are:

1. In the "One AD to multiple tenants" scenario only one tenant can have the Exchange hybrid. In our case the Agent A (syncing Forest A and Forest B) has the Exchange Hybrid Deployment enabled. Can we use the same agent to have Forest C synced to Tenant A, but without Exchange Hybrid? Or do we need to create a third agent that sync Forest C to Tenant A, but without Exchange Hybrid?
2. Since DomainC.com will be moved from Tenant C to Tenant A during migration it will not be a verified domain on Tenant A before that. So every user we sync from Forest C will be as @TenantA.onmicrosoft.com even though on the forest they are @DomainC.com. Once DomainC.com becomes verified on Tenant A, will the UPN suffix for these users change from @TenantA.onmicrosoft.com to @DomainC.com automatically with the first sync after the domain is verified or will it remain @TenantA.onmicrosoft.com? If it remains that way - how could be manually change that afterwards?
3. Could there be any issues with mailboxes once the Exchange Hybrid sync is disabled from Forest C to Tenant C and enabled from Forest C to Tenant A? The mailboxes would have already been migrated from Tenant C to Tenant A.

Answer 1

Hi @Artūrs Zvārgulis

Correct, once your domain trusts are in place, sync DomainC through AgentA. You'll need to disable the sync from DomainC to TenantC first though.

For question 2, this is as much about continuity of mailflow as the identity piece. For me, the steps here would be:

• Create new Cloud identities for all DomainC.com users in TenantA using TenantA.onmicrosoft.com addresses
• Stop AzureAD Connect on TenantC
• Create forwarding for all DomainC.com emails to the users corresponding TenantA.onmicrosoft.com emails accounts.
• Release DomainC from TenantC and register in TenantA
• Update MX records to reflect that DomainC is now in TenantA
• Once DomainC is verified in TenantA, run the PowerShell commands for UPN Matching (as per the link I posted above) to update all DomainC users UPN's with DomainC.com addresses.
• Once that completes, only then should you import the DomainC domain into AgentA for directory synchronization into TenantA.
• This will then run the UPN matching and update the immutable IDs so that DomainC users get SSO and Password Hash Sync working into TenantA

So in reality, you're flipping this and doing the steps in Q2 first, and then finally doing the AzureAD Connect sync.

Hope this makes sense!

On the final point - your users can't sync to 2 tenants simultaneously. You'll need to disable AzureAD Connect from DomainC to TenantC before you set up the sync on AgentA from DomainC to Tenant A. Once that happens, your DomainC AD doesn't talk to TenantC, and the users on TenantC become Cloud-only identities. You may need to watch out for them getting disabled on TenantC, so if you need to re-enable you can do that from either the M365 portal or PowerS.hell

Thanks

Michael Durkan

• If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!

Answer 2

Hi @Artūrs Zvārgulis

• You are using AgentA for the sync of DomainA and DomainB. Once your trust with DomainC is in place, you can just add DomainC to AgentA as thats the supported configuration for a multi-forest AzureAD Connect.

On the Exchange Hybrid question, is Exchange Hybrid aware of DomainB and vice-versa?

For DomainC, you'll probably want to decommission Exchange Hybrid before adding DomainC to DomainA's AzureAD Connect, so the steps here probably suit your configuration best:

https://learn.microsoft.com/en-us/exchange/decommission-on-premises-exchange#scenario-two

• The UPN's won't be changed automatically after an Azure AD Connect. The article here describes how to do this:

https://www.vermasandeep.in/2021/10/how-to-change-upns-in-office-365-via.html

Once this is done, User Matching will kick in and the ImmutableID's will match the AD Users to their Cloud Identities.

• No impact once DomainC is released from TenantC and registered on TenantA, and your mailboxes migrate from TenantA to TenantC, then you can proceed with removal of both the Exchange Hybrid (which you'll have done as part of Answer 1) environment and removal of TenantC.

Hope this helps!

Thanks

Michael Durkan

• If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!

Answer 3

Looks like this has already been answered, but to add a little info:

1. Yes, however, there are some caveats > https://learn.microsoft.com/en-us/exchange/hybrid-deployment/hybrid-with-multiple-forests. As Michael said, disable hybrid sync on TenantC (making it on-prem only) then enable it with TenantA.
2. I believe that when you sync your users to AAD, you can set the UPN's something OTHER than your desired custom domain in Active Directory (so as expected it will receive the onmicrosoft domain, which would of happened anyway in AAD) . Then ensure the UPN sync feature is enabled in ADConnect (set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers-Enable $True), then once the custom domain has been moved to your new tenant, you can flip the UPN in Active Directory to your custom domain and it will automatically update in AAD. Otherwise you can mass change through the M365 GIU or PowerShell as Micael said.
3. No, should be fine as per point 1.

Answer 4

Sorry, you're right, you can sync the users to 2 different tenants.

But for me, there's too many caveats involved.

The big one for me (and I've seen this before) is you create DomainC in TenantA as a non-verified domain and then sync your users. Lets just say a user in DomainA needs to email a user in DomainC. Instead of going out to the internet and routing through the public MX, DomainC is now seen as an internal routable domain (even though its non-verified) and it fails because it thinks the users don't exist. Even if they do exist and you have licensed them with DomainC UPN's, they'll never get the mail as they're still routing through TenantC.

Answer 5

Hi @Michael Durkan and @!Daniel Bradley ,

Thank you both the replies.

1. Actually it seems that ForestC and TenantC are not using Exchange Hybrid only ForestA + ForestB on TenantA are using it (didn't have time to check the config on ForestC/TenantC, just assumed it has).
   So we can simply sync ForestC through AgentA and have two Forests with Exchange Hybrid and one without. Right?
2. The thing is that users already have the correct UPN suffix on ForestC (@DomainC.com), but since DomainC.com is not verified on TenantA, the users would be created as @TenantA.onmicrosoft.com. Which would be fine for now as the users will not really use TenantA until the migration is done. I was thinking that after we verify DomainC.com on TenantA and run a sync from ForestC it would update the UPN suffix. The thing is that we would need the newly migrated users to still have @DomainC.com as their UPN, while the users who were already on TenantA keep @DomainA.com.
   2a - If after DomainC.com is verified on TenantA we change the UPN suffix for everyone on ForestC to something else (for example @DomainZ.com) and then back to @DomainC.com, would that also update it on TenantA?
   2b - With that UPN transform (not sure how exactly that is called), would it be possible to have users created with an unverified domain? I guess not, since @DomainC.com would be used on TenantC and would cause login issues.
3. Question is no longer relevant. Thanks. :)

Another thing - during the migration process the users which would be synced from one AD Forest (ForestC) to both tenants will need to have a mailbox on each tenant. So @DomainC.com on TenantC would be the "main" mailbox and @DomainA.com on TenantA. Once the migration is completed @DomainC.com alias would be moved from TenantC to TenantA. It was done like that in the previous migrations (but previously the users were also from different AD Forests).
Would it even be possible for one AD user to have two mailboxes on two different tenants? Wouldn't it mess up the proxyAddress attribute in AD?