Today we have one AD forest with two domains with users in them. They are synced to Azure AD with Azure AD Connect matching with msDS-consistencyguid as per MSFT recommendations. We use an AD attribute to filter which should be synced to AAD - if the attribute doesn't match exactly it's not synced.
We plan to move to a new AD forest with only one domain for all users. The plan is move them in phases, most likely depending on their department or function in the company.
Anyone have a good "this is the best way to do it" write-up on this or has any advice?
The process I'm thinking is
- use the same Azure AD Connect for the move, just add a connection to the new forest.
- when a user is moved - pause the sync schedule, remove the sync flag on the original AD object, copy the consistencyguid from the old to the new, clear the consistencyguid from the old, then set the sync flag on the new object, start sync.
It sounds almost too simple to be this easy and I'm betting on there being atleast something I'm not aware of? Can both the objects have the same UPN, or do I need to switch the UPN on the objects when the user is moved? I'm pushing for using a new UPN in the new forest but not sure how that'll go, but that should solve the other problem of authentication.
An alternate plan I'm thinking is
- set up a second Azure AD Connect in the new forest (this has to be done eventually anyway!)
- when a user is moved - remove the sync flag on the original AD object, let the old AADC sync the change and delete the user, then restore the AAD user and then set the sync flag on the new object in the new AD and let the new AADC match it with the restored AAD user.
But that sounds like more work and more risk?
Anyone got advice or history of doing this?
Regards // Kris