Cross Forest AD migration and AADConnect

Rahul Neelam 21 Reputation points

Hi Guys,

Over the last few weeks I've been reading a lot around cross-forest migration. I have some doubts and need information around migrating AD User/Computer objects and standing up a new AADConnect server in a new environment but still syncing into the SAME Azure AD & O365 tenant.
(NOT a new tenant. Same tenant, but the Source of Authority is now a new AD Forest and a new AADConnect server.)


Current Set up:
· On-Premise Active Directory (AD users) in Forest A
· All users are synced via AAD Connect server in Forest A
· Hybrid with Exchange 2010/2016 co-existence in Forest A
· Only 12 mailboxes are migrated to Exchange Online, rest in progress or on hold

Target Set up:

Due to Business reasons (new acquirement), we want to continue to use the existing O365 Tenant and Azure subscription, but need to migrate AD Objects (Source of Authority) and stand up a new AAD Connect server to sync the AD objects. Migration also includes File server Migrations and some applications

The Target environment would look like this:
· All AD Users (source of authority) are migrated to Forest B (We will set up a Two-Way trust with Forest A)
· The AADConnect server to sync all objects to the O365 tenant will also need to be stood up in Forest B
· Hybrid 2019 Exchange server for room mailbox
· The EXO mailboxes in O365 (should not be impacted during the migration)
· The UPN's will not change for the users

There is limited documentation around this online, but if anyone has any experience around this, have used any articles, please help

I know it will require an AD Migration cross-forest (maybe ADMT/3rd party like Quest) and the UPN's will not change for the users, but more around planning (coexistence/phased vs. cutover). etc.

Need for AD computer objects, GPOs, DHCP, to be migrated.

Suggestions are required on migrating mailboxes from Forest A to O365 or Forest B; Autodiscover DNS points to on-prem now. Therefore, I need help with the migration approach, steps involved and precautions. Please let me know if any further information is required.



Accepted answer
  1. KyleXu-MSFT 26,241 Reputation points

    @Rahul Neelam

    Based on your organization, I would suggest you migrate all mailboxes to Exchange online first, then decommission the forest A from hybrid.

    After that, you could create new Exchange server and AAD Connect on forest B. Then write AAD account back to forest B (About this step, you could confirm with the AAD team).

    I think this way will have less downtime than a cross-forest migration. Migrating mailboxes to Exchange Online is easier than a cross-forest migration.

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
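The accepted answer above ends with the step of standing up a new AAD Connect server in Forest B that syncs into the same tenant. The precaution a practitioner wants before that first sync is to know whether each migrated user will attach to its existing cloud object (hard match on ImmutableId, or soft match on UPN) or collide with it. The following is an added pre-flight check written for this thread, not code from the poster or any answerer; the function names, the sample GUIDs and UPNs are constructed for the example, and the real-directory cmdlets in the trailing comment assume the ActiveDirectory and Microsoft Graph PowerShell modules.

```powershell
# Added example, not code from the thread. Pre-flight check for the step where a
# new AAD Connect server in Forest B starts syncing into the SAME tenant:
# will each migrated user attach to its existing cloud object, or collide with it?
#
# Matching rules (Azure AD Connect defaults):
#   hard match : Base64(sourceAnchor bytes) equals the cloud user's OnPremisesImmutableId
#   soft match : UPN (or primary SMTP) equals, and the cloud user has NO ImmutableId yet
# A user recreated in Forest B gets a new objectGUID, so hard match only survives if
# ms-DS-ConsistencyGuid was carried over from Forest A (ADMT/Quest can copy it).

function ConvertTo-ImmutableId {
    # ImmutableId is the Base64 form of the 16 anchor bytes, not of the GUID string.
    param([Parameter(Mandatory)][guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function Test-SyncMatch {
    param(
        # Forest B users: UserPrincipalName, ObjectGUID, ConsistencyGuid ($null if not set)
        [Parameter(Mandatory)][object[]]$ForestBUsers,
        # Cloud users: UserPrincipalName, OnPremisesImmutableId ($null if cloud-only)
        [Parameter(Mandatory)][object[]]$CloudUsers
    )
    $byImmutableId = @{}
    $byUpn         = @{}
    foreach ($c in $CloudUsers) {
        if ($c.OnPremisesImmutableId) { $byImmutableId[$c.OnPremisesImmutableId] = $c }
        $byUpn[$c.UserPrincipalName.ToLowerInvariant()] = $c
    }

    foreach ($u in $ForestBUsers) {
        # Default sourceAnchor rule: ms-DS-ConsistencyGuid if populated, otherwise objectGUID.
        $anchor      = if ($u.ConsistencyGuid) { [guid]$u.ConsistencyGuid } else { [guid]$u.ObjectGUID }
        $immutableId = ConvertTo-ImmutableId $anchor
        $upn         = $u.UserPrincipalName.ToLowerInvariant()

        $outcome = 'CreateNew'            # no cloud object with this anchor or UPN
        if ($byImmutableId.ContainsKey($immutableId)) {
            $outcome = 'HardMatch'
        } elseif ($byUpn.ContainsKey($upn)) {
            # Same UPN exists in the tenant. Safe only if it carries no ImmutableId.
            $outcome = if ($byUpn[$upn].OnPremisesImmutableId) { 'Conflict' } else { 'SoftMatch' }
        }

        $action = switch ($outcome) {
            'HardMatch' { 'OK: attaches to existing cloud object' }
            'SoftMatch' { 'OK: matched by UPN, ImmutableId will be written to the cloud object' }
            'Conflict'  { 'FIX before sync: copy the Forest A anchor into ms-DS-ConsistencyGuid, or correct the cloud ImmutableId' }
            'CreateNew' { 'WARNING: a second, duplicate cloud user would be created' }
        }

        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            ImmutableId       = $immutableId
            Outcome           = $outcome
            Action            = $action
        }
    }
}

# Constructed sample data (hypothetical GUIDs and UPNs, not from the thread).
$forestAAnchor = [guid]'11111111-2222-3333-4444-555555555555'   # alice's objectGUID in Forest A
$forestBUsers = @(
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; ObjectGUID=[guid]::NewGuid(); ConsistencyGuid=$forestAAnchor }
    [pscustomobject]@{ UserPrincipalName='bob@contoso.com';   ObjectGUID=[guid]::NewGuid(); ConsistencyGuid=$null }
    [pscustomobject]@{ UserPrincipalName='carol@contoso.com'; ObjectGUID=[guid]::NewGuid(); ConsistencyGuid=$null }
    [pscustomobject]@{ UserPrincipalName='dave@contoso.com';  ObjectGUID=[guid]::NewGuid(); ConsistencyGuid=$null }
)
$cloudUsers = @(
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; OnPremisesImmutableId=(ConvertTo-ImmutableId $forestAAnchor) }
    [pscustomobject]@{ UserPrincipalName='bob@contoso.com';   OnPremisesImmutableId=(ConvertTo-ImmutableId ([guid]::NewGuid())) }
    [pscustomobject]@{ UserPrincipalName='carol@contoso.com'; OnPremisesImmutableId=$null }
)

# alice -> HardMatch, bob -> Conflict, carol -> SoftMatch, dave -> CreateNew
Test-SyncMatch -ForestBUsers $forestBUsers -CloudUsers $cloudUsers | Format-Table -AutoSize

# Against real directories (assumes the ActiveDirectory and Microsoft.Graph modules):
#   $forestBUsers = foreach ($a in Get-ADUser -Filter * -Properties 'mS-DS-ConsistencyGuid') {
#       $cg = $a.'mS-DS-ConsistencyGuid'
#       [pscustomobject]@{ UserPrincipalName=$a.UserPrincipalName; ObjectGUID=$a.ObjectGUID
#                          ConsistencyGuid=$(if ($cg) { [guid]::new([byte[]]$cg) }) }
#   }
#   $cloudUsers = Get-MgUser -All -Property UserPrincipalName,OnPremisesImmutableId
```

Run the report before enabling the Forest B connector and clear every Conflict and CreateNew row first; once the new server syncs, a Conflict surfaces as an export error and a CreateNew row becomes a duplicate user that is awkward to merge afterwards. The bob case is the one an ADMT-style migration produces by default (new objectGUID, old ImmutableId still on the cloud object), which is why carrying ms-DS-ConsistencyGuid across matters when the UPNs are intentionally kept the same.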

2 additional answers

  1. Thameur-BOURBITA 32,626 Reputation points


    This kind of migration is complicated and depends on the number of mailboxes and users.
    You can start by migrating the accounts and mailboxes. Once the migration is completed, you can clean up the accounts in the old domain, then cut the synchronization with Azure AD, then install a new Azure AD Connect server to synchronize the new domain with Azure AD.
    If you want to keep the same tenant, you can install only one Azure AD Connect server.

    Please don't forget to mark helpful reply as answer


  2. Limitless Technology 39,501 Reputation points


    For organizations that are using synchronized identities for Office 365, the directory synchronization tool of choice these days is Azure AD Connect. To keep AAD Connect running you may eventually have the need to move it to another server. There are a variety of scenarios where this need arises, for example migrating to a new server provides the opportunity to safely upgrade to a newer underlying operating system without the risk of a lengthy outage.

    In addition you can look at the guidance discussed here in the techexperts community:

    Same users but new domain with AD Connect...

    --If the reply is helpful, please Upvote and Accept as answer--
