user migration and sync to AAD

subglo 1 Reputation point

We have simple scenario:
on-premises Active Directory in domain A and AD Connect server that synchronizes users to Azure AD tenant.

We have a situation where we need to migrate our users from Active Directory in domain A to a different server and Active Directory in domain B (separate infrastructures), but the AD tenant stays the same.

My idea was to:

  1. Migrate users between Active Directories with passwords and attributes using ADMT (Active Directory Migration Tool).
  2. Install new AD Connect server in new domain B in staging mode.
  3. Put old AD Connect server in staging mode.
  4. Take new AD Connect server from the staging mode, let it sync.
  5. Decommission the old AD server.

Is this scenario supported? Do I need the first step, or will the new AD Connect server read the passwords and attributes in the 2nd step? My goal is that users in the AD tenant stay the same, as we heavily rely on resources, Azure AD etc.

Azure Active Directory

2 answers

  1. Marilee Turscak-MSFT 20,431 Reputation points Microsoft Employee

    As long as there are no duplicate objects, then I believe you should be able to accomplish this.


  2. ShashiShailaj-MSFT 7,411 Reputation points Microsoft Employee

    Hello @subglo ,

    In addition to what Marilee has proposed, I agree that you can use the plan you have mentioned above. You can use the Password Export Service by setting up a Password Export Server along with ADMT to migrate users with their passwords. There is nothing within your sequence which is not supported. However, if you have any issue, you may have to engage different teams within Microsoft.

    If you already have user synchronization set up from Domain A to your Office 365 tenant, then that means you would need to set up attribute synchronization in a different way, because the same user is already set up in the cloud. But the ObjectID of the user would have changed. I am not sure which attribute you have used in the current AD Connect server, whether it is ms-DS-ConsistencyGuid or ObjectGUID. Whichever it is, it will change once you migrate the user from Domain A to Domain B. So you may have to do a soft match on the basis of SMTP/UPN.

    I would suggest you continue the existing setup, migrate user objects with passwords, and set up the new Azure AD Connect server in Domain B in staging mode. The user can be tested in staging mode before stopping sync on the other server and enabling full sync on this server. Also, you may need to buy some time within your organization, because it can take up to 72 hours once you disable Azure AD synchronization on one AAD server.

    I hope the above helps. Please do mark one of the posts as answer if the information provided helped you, so that it is helpful for other members of the community searching for similar answers.

    Thank you.

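The anchor mismatch described in the second answer, turned into a pre-cutover check that can be run while the Domain B server is still in staging mode. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module and the AzureAD PowerShell module (with Connect-AzureAD already run), a hypothetical Domain B DC and OU, and that UPNs were preserved by the migration.

```powershell
# Added example (not from the original thread). Assumes: RSAT ActiveDirectory
# module, AzureAD module with Connect-AzureAD already done, and that migrated
# users keep the same UPN they had in Domain A.
Import-Module ActiveDirectory
Import-Module AzureAD

# Hypothetical Domain B values; replace with your own.
$DomainBDC  = 'dc1.domainb.local'
$SearchBase = 'OU=Migrated,DC=domainb,DC=local'

function ConvertTo-ImmutableId {
    # Azure AD stores the sourceAnchor as the Base64 form of the GUID's 16 bytes.
    param([byte[]]$GuidBytes)
    [Convert]::ToBase64String($GuidBytes)
}

$users = Get-ADUser -Server $DomainBDC -SearchBase $SearchBase -Filter * `
    -Properties objectGUID, 'mS-DS-ConsistencyGuid', userPrincipalName

foreach ($u in $users) {
    # Both candidate anchors the new Connect server could compute for this user.
    $fromObjectGuid  = ConvertTo-ImmutableId $u.objectGUID.ToByteArray()
    $fromConsistency = $null
    if ($u.'mS-DS-ConsistencyGuid') {
        $fromConsistency = ConvertTo-ImmutableId ([byte[]]$u.'mS-DS-ConsistencyGuid')
    }

    # Look the tenant object up by UPN, the same key a soft match would use.
    $cloud = Get-AzureADUser -ObjectId $u.UserPrincipalName -ErrorAction SilentlyContinue

    $state = if (-not $cloud) {
        'NoTenantObjectByUPN'          # soft match on UPN cannot work; check SMTP
    } elseif ($cloud.ImmutableId -and
              $cloud.ImmutableId -in @($fromObjectGuid, $fromConsistency)) {
        'HardMatch'                    # anchor already equals the Domain B value
    } elseif (-not $cloud.ImmutableId) {
        'SoftMatchOnUPN'               # no anchor in cloud; UPN/SMTP match applies
    } else {
        'AnchorMismatch'               # tenant still holds the Domain A anchor
    }

    [PSCustomObject]@{
        UPN              = $u.UserPrincipalName
        State            = $state
        TenantImmutableId = $cloud.ImmutableId
        DomainB_ObjectGuid = $fromObjectGuid
        DomainB_ConsistencyGuid = $fromConsistency
    }
}
```

Any user reported as AnchorMismatch is one the answer warns about: the old anchor is still on the tenant object, so it will not hard match from Domain B and must be reconciled before the staging server is made active.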