Azure AD Connect when moving users from one AD to a new AD

stoff75 6 Reputation points
2020-06-10T09:05:43.67+00:00

Hello,
Today we have one AD forest with two domains with users in them. They are synced to Azure AD with Azure AD Connect matching with msDS-consistencyguid as per MSFT recommendations. We use an AD attribute to filter which should be synced to AAD - if the attribute doesn't match exactly it's not synced.

We plan to move to a new AD forest with only one domain for all users. The plan is move them in phases, most likely depending on their department or function in the company.

Anyone have a good "this is the best way to do it" write-up on this or has any advice?
The process I'm thinking is

  • use the same Azure AD Connect for the move, just add a connection to the new forest.
  • when a user is moved - pause the sync schedule, remove the sync flag on the original AD object, copy the consistencyguid from the old to the new, clear the consistencyguid from the old, then set the sync flag on the new object, start sync.

It sounds almost too simple to be this easy and I'm betting on there being at least something I'm not aware of? Can both the objects have the same UPN, or do I need to switch the UPN on the objects when the user is moved? I'm pushing for using a new UPN in the new forest but not sure how that'll go, but that should solve the other problem of authentication.

An alternate plan I'm thinking is

  • set up a second Azure AD Connect in the new forest (this has to be done eventually anyway!)
  • when a user is moved - remove the sync flag on the original AD object, let the old AADC sync the change and delete the user, then restore the AAD user and then set the sync flag on the new object in the new AD and let the new AADC match it with the restored AAD user.

But that sounds like more work and more risk?

Anyone got advice or history of doing this?

Regards // Kris
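The per-user steps the question lists (pause the scheduler, drop the sync flag on the old object, copy msDS-ConsistencyGuid across, clear it on the old object, set the flag on the new object, resume sync) can be scripted so each move is done the same way every time and is verified before the scheduler is turned back on. The script below is an added example written for this thread, not code from the original post or from Microsoft. It assumes the filter attribute is `extensionAttribute1` with the value `SyncToAAD` (the post does not name the attribute), that it runs on the Azure AD Connect server where the `ADSync` module is present, and that the domain controller names and account name are placeholders.

```powershell
# Added example, not from the original post. Moves one user's sync identity (the
# msDS-ConsistencyGuid source anchor) from the old-forest object to the new-forest
# object in the order the question lists. Assumed values: filter attribute
# extensionAttribute1 = "SyncToAAD", placeholder DC names, run on the AADC server.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [string]$OldDC = 'dc01.old.example',
    [string]$NewDC = 'dc01.new.example',
    [string]$FilterAttribute = 'extensionAttribute1',
    [string]$FilterValue = 'SyncToAAD'
)

Import-Module ActiveDirectory
Import-Module ADSync   # installed with Azure AD Connect on the sync server

# 1. Pause the scheduler so no export runs while both objects are in flux.
Set-ADSyncScheduler -SyncCycleEnabled $false

try {
    $old = Get-ADUser -Identity $SamAccountName -Server $OldDC -Properties 'msDS-ConsistencyGuid', $FilterAttribute
    $new = Get-ADUser -Identity $SamAccountName -Server $NewDC -Properties 'msDS-ConsistencyGuid', $FilterAttribute

    # Guard rails: never overwrite an anchor that is already set on the target, and
    # never proceed if the source has nothing to carry over.
    if (-not $old.'msDS-ConsistencyGuid') { throw "Source object has no msDS-ConsistencyGuid; nothing to carry over." }
    if ($new.'msDS-ConsistencyGuid')      { throw "Target object already has an msDS-ConsistencyGuid; refusing to overwrite." }

    $guid = [byte[]]$old.'msDS-ConsistencyGuid'

    # 2. Remove the sync flag from the old object so it falls out of the old connector's scope.
    Set-ADUser -Identity $old -Server $OldDC -Clear $FilterAttribute

    # 3. Copy the anchor to the new object, then clear it from the old one so only one
    #    in-scope object ever carries this anchor.
    Set-ADUser -Identity $new -Server $NewDC -Replace @{ 'msDS-ConsistencyGuid' = $guid }
    Set-ADUser -Identity $old -Server $OldDC -Clear 'msDS-ConsistencyGuid'

    # 4. Set the sync flag on the new object.
    Set-ADUser -Identity $new -Server $NewDC -Replace @{ $FilterAttribute = $FilterValue }

    # Verify before resuming: the new object must carry exactly the anchor we read from the old one.
    $check = Get-ADUser -Identity $SamAccountName -Server $NewDC -Properties 'msDS-ConsistencyGuid'
    $got   = [Convert]::ToBase64String([byte[]]$check.'msDS-ConsistencyGuid')
    if ($got -ne [Convert]::ToBase64String($guid)) {
        throw "Verification failed: msDS-ConsistencyGuid on the new object does not match the source."
    }
    Write-Host ("Moved anchor {0} for {1}" -f ([Guid]$guid), $SamAccountName)
}
finally {
    # 5. Resume the scheduler and kick off a delta cycle, even if a step above threw.
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

The reason the scheduler pause matters is that the old object leaving scope and the new object entering scope with the same anchor should be seen by the engine in a single delta cycle; if an export ran between the clear and the copy, the cloud object could be staged for deletion before the new object claims it. Keeping both checks (source has an anchor, target has none) stops the script from silently creating two in-scope objects with the same anchor, which is the duplicate condition the answer below warns about.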


1 answer

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2020-06-10T21:47:24.847+00:00

    You can use ADMT to migrate objects between forests. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc974332(v%3dws.10)

    The potential issue that I see is duplicate Object IDs. Also, it will be a somewhat manual effort since user writeback is not supported.

    I don't have as much expertise with on premises migration since I support mostly cloud migrations, but I have reached out to ask for a good guide.

    There's a similar thread from a couple of years ago about this: https://social.msdn.microsoft.com/Forums/azure/en-US/b37ce646-9902-46c3-b6d3-928abfd22a01/ad-migration-to-a-new-forest-office-365-has-been-implemented-in-both-forests?forum=WindowsAzureAD
