Hello,
I have a question. We are about to migrate parts of our Active Directory, synced to Azure AD (via AADConnect), into another Azure AD.
Therefore, for testing purposes, I have created a new Azure tenant + domain (in a test environment) from where I can successfully sync users from that new AD to Azure.
Now I tried to connect, from the same Azure AD service, to my productive AD in order to specifically sync a few users into this new Azure AD. When I try to add this forest, it tells me what is mentioned here https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#adding-new-directories-to-existing-deployment (unique ms-DS-ConsistencyGuid)
The very same error message. Now it is true that the source AD in question is also synced to my current productive Azure tenant. But I actually wanted to take a few users out of that sync and later on sync them into the new Azure AD. I have to mention that there is no Domain Trust established yet between the two on-prem ADs; is this required?
So, should it be possible to do the following:
- add a verified domain from my new target AzureAD to my productive AD.
- add the above mentioned AD as a second source into my AADConnect, while parts of that AD are still synced with another AADConnect into a different Azure tenant. That domain is already configured for sync with a different AADConnect - that's probably why it gives the error "The forest xxx cannot be added because the attribute used to uniquely identity your users an Azure-AD (mS-DS-ConsistencyGUI) is already in use."
- modify the UPN for some users (my test users) in order to match the domain of the new target Azure tenant. At the same time, take these users out of the original sync
- configure the newly added domain in order to sync e.g. only a certain OU with users whose UPN matches the new Azure tenant
- as a bonus, I could still restore these deleted users (Restore-MsolUser) in the old tenant (they have a different UPN there) and can still use their identity for certain Enterprise Apps etc. This would only be a temporary step.
Basically I want to sync from one Active Directory into 2 Azure Tenants at the same time, not the same users obviously.
Kind regards,
Dieter
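The two checks the steps above depend on, as an added example that is not part of the original post: first, which users in the source forest already carry mS-DS-ConsistencyGuid (the attribute the "already in use" error refers to, written by the existing AADConnect), and second, a dry run of the UPN-suffix change for the test OU before any user is taken out of the original sync. It assumes the RSAT ActiveDirectory module is available; the OU distinguished name and the new tenant's verified domain are placeholders.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module;
# $testOu and $newUpnSuffix are placeholders to replace with real values.
Import-Module ActiveDirectory

$testOu       = 'OU=AADConnect-Test,DC=corp,DC=example'   # placeholder OU holding the test users
$newUpnSuffix = 'newtenant.example'                        # placeholder: verified domain of the new tenant

# 1. Inventory: which users already have mS-DS-ConsistencyGuid set by the existing sync?
#    The attribute is stored as a byte array; convert it to a GUID for readability.
$allUsers = Get-ADUser -Filter * -Properties 'mS-DS-ConsistencyGuid', userPrincipalName
$inUse    = @($allUsers | Where-Object { $_.'mS-DS-ConsistencyGuid' })
'{0} of {1} users already have mS-DS-ConsistencyGuid populated' -f $inUse.Count, $allUsers.Count
$inUse |
    Select-Object samAccountName, userPrincipalName,
        @{ n = 'ConsistencyGuid'; e = { [guid]::new([byte[]]$_.'mS-DS-ConsistencyGuid') } } |
    Format-Table -AutoSize

# 2. Dry run of the UPN change for the test OU only. -WhatIf reports what would change
#    and modifies nothing; remove it only once the new suffix is verified in the new tenant.
Get-ADUser -SearchBase $testOu -Filter * -Properties userPrincipalName |
    ForEach-Object {
        $newUpn = '{0}@{1}' -f $_.samAccountName, $newUpnSuffix
        "{0} -> {1}" -f $_.userPrincipalName, $newUpn
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf
    }
```

The first part shows whether the forest-level conflict the linked article describes is real for this forest: if every user already has the attribute populated, a second AADConnect pointed at the same forest will hit that check regardless of which OUs are filtered. The second part is deliberately read-only, so the UPN change can be reviewed per user before any account is removed from the existing sync scope.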