
Cross-forest migration in Exchange Hybrid with Azure AD connect enabled

Thanks in advance for the help.

I have two on-premises Active Directory forests, ForestA and ForestB. Azure AD Connect is installed on a server in ForestB and has connectors synchronizing both ForestA and ForestB to Office 365. I also have an Exchange hybrid server in ForestA that is being used to manage mailboxes in Office 365, and one in ForestB. Each user in ForestA has a mailbox in O365 and is matched using msDS-ConsistencyGuid (there are no on-premises mailboxes).

I need to migrate all AD user accounts from ForestA to ForestB. When I do this, I need to be sure that the mailbox is not deleted and the migrated user account in ForestB is matched to the O365 mailbox via directory synchronization.

How do I do this? Please note that I need to migrate 5000+ accounts so it will need to be done in batches and I can't disable dirsync at any point. I will use Quest Migration Manager for AD.

  • By using msDS-ConsistencyGuid as the sourceAnchor attribute for objects, you can control where the source object is synced from. The value will be migrated from source to target. You need to ensure that only the source or the target object is in scope of AD Connect, based on your migration schedule.

    Today
    Source\Bob = msDS-ConsistencyGuid =123456789
    Target\Bob does not exist

    Staged
    Source\Bob = msDS-ConsistencyGuid =123456789
    Target\Bob = Exists, out of AD Connect Sync Scope

    Switched
    Source\Bob = Exists, out of AD Connect Sync Scope
    Target\Bob = msDS-ConsistencyGuid =123456789
  • Thanks, good idea. Some questions if I may:
    1. How do I make the Quest tool do this?
    2. Does this also work for the other AD object types the tool will migrate, including groups, contacts, etc.?
  • The question is not how to make the Quest tool do it; it is about the MS directory sync. The MS Dir Sync needs to see only the source or the target object during your migration. This means that the MS Dir Sync has to be scoped, not set to full domains. For example, do the following:

    • Create an OU named OU=Excluded Objects in both the source and the target.
    • Reconfigure MS Dir Sync to be scoped, and select all OUs and containers except OU=Excluded Objects.
    • Using your migration tool, migrate an object from source to OU=Excluded Objects,DC=Target.
    • Now move the source object from its current OU to OU=Excluded Objects,DC=Source,
    • AND move the target object from OU=Excluded Objects,DC=Target to any other OU.
    • Run the MS Dir Sync.

    The Cloud object will now be associated with the Target Object.

    Quest Migration Manager for AD has a directory sync function that would allow you to cut all of the MS Dir Sync functions over to the target, while batching the actual migration of the workstations and users from the source. ADMT is a session-based tool, and this will require you to run a session to update attributes and membership, whereas QMM AD will maintain this through sync at an attribute level.

    Yes, this will work for all supported object classes. You might want to set up a technical call with your sales rep. He will get a subject matter expert on the call who can explain the benefits of using QMM AD over ADMT.
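    The Today / Staged / Switched sequence and the OU=Excluded Objects steps above describe one cutover; the script below is an added example of doing that for a batch, written for this thread and not taken from Quest, Microsoft or any post here. It assumes hypothetical names (dc1.foresta.example, dc1.forestb.example, aadc1.forestb.example, an OU=Excluded Objects in each forest that is already outside the AD Connect sync scope) and a CSV with SamAccountName and TargetOU columns for the batch; it also assumes the migration tool has already created each target user under OU=Excluded Objects in ForestB with the same msDS-ConsistencyGuid as the source. It validates every pair before touching anything, then swaps which object is in scope and kicks off a delta sync.

```powershell
<#
 Added example for this thread; not part of any post, of Quest, or of Microsoft.
 Batch cutover of the sourceAnchor (msDS-ConsistencyGuid) from ForestA to ForestB.
 All host names, OU paths and the CSV layout are assumptions for illustration.
#>
param(
    [Parameter(Mandatory)][string]$BatchCsv,                                      # columns: SamAccountName,TargetOU
    [string]$SourceServer     = 'dc1.foresta.example',                            # assumed
    [string]$TargetServer     = 'dc1.forestb.example',                            # assumed
    [string]$SourceExcludedOU = 'OU=Excluded Objects,DC=foresta,DC=example',      # assumed, out of AD Connect scope
    [string]$TargetExcludedOU = 'OU=Excluded Objects,DC=forestb,DC=example',      # assumed, out of AD Connect scope
    [string]$AadConnectServer = 'aadc1.forestb.example',                          # assumed
    [switch]$WhatIf
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-ConsistencyGuid($adObject) {
    # msDS-ConsistencyGuid is stored as a byte array; normalise it to a GUID string for comparison.
    $raw = $adObject.'mS-DS-ConsistencyGuid'
    if (-not $raw) { return $null }
    return ([guid][byte[]]$raw).Guid
}

# --- Pre-flight: validate the whole batch before moving anything -----------------
$plan   = @()
$errors = @()
foreach ($row in Import-Csv -Path $BatchCsv) {
    if (-not $row.TargetOU) { $errors += "$($row.SamAccountName): TargetOU missing in CSV"; continue }
    try {
        $src = Get-ADUser -Server $SourceServer -Identity $row.SamAccountName -Properties 'mS-DS-ConsistencyGuid'
        $tgt = Get-ADUser -Server $TargetServer -Identity $row.SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    } catch {
        $errors += "$($row.SamAccountName): lookup failed: $($_.Exception.Message)"
        continue
    }
    $srcGuid = Get-ConsistencyGuid $src
    $tgtGuid = Get-ConsistencyGuid $tgt
    if (-not $srcGuid -or $srcGuid -ne $tgtGuid) {
        $errors += "$($row.SamAccountName): msDS-ConsistencyGuid mismatch (source=$srcGuid target=$tgtGuid)"
        continue
    }
    # Staged state: target still parked out of scope, source still in scope.
    if ($tgt.DistinguishedName -notlike "*,$TargetExcludedOU") {
        $errors += "$($row.SamAccountName): target is not under $TargetExcludedOU (already cut over?)"
        continue
    }
    if ($src.DistinguishedName -like "*,$SourceExcludedOU") {
        $errors += "$($row.SamAccountName): source is already under $SourceExcludedOU"
        continue
    }
    $plan += [pscustomobject]@{ Sam = $row.SamAccountName; Source = $src; Target = $tgt; TargetOU = $row.TargetOU; Guid = $srcGuid }
}
if ($errors) {
    $errors | ForEach-Object { Write-Error $_ }
    throw "Batch aborted: $($errors.Count) object(s) failed pre-flight; nothing was moved."
}

# --- Switch: swap which object AD Connect can see --------------------------------
# Move the target INTO scope first, then the source OUT. If a sync cycle happened to
# land between the two moves, the worst case is both objects in scope for one cycle;
# the opposite order would let AD Connect see the anchor vanish from every connector
# and export a deletion for the cloud object instead.
foreach ($p in $plan) {
    Write-Host "[$($p.Sam)] anchor $($p.Guid): target -> $($p.TargetOU); source -> $SourceExcludedOU"
    Move-ADObject -Server $TargetServer -Identity $p.Target.DistinguishedName -TargetPath $p.TargetOU       -WhatIf:$WhatIf
    Move-ADObject -Server $SourceServer -Identity $p.Source.DistinguishedName -TargetPath $SourceExcludedOU -WhatIf:$WhatIf
}

# Kick a delta sync immediately so both moves are picked up in the same cycle.
if (-not $WhatIf) {
    Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Delta
    }
}
```

    Run it with -WhatIf first; the pre-flight alone will tell you whether the migration tool really carried msDS-ConsistencyGuid across for every account in the batch. The account running the script needs read rights in ForestA, move rights in both forests and WinRM access to the AD Connect server, and Start-ADSyncSyncCycle will refuse to start if a cycle is already running, so retry rather than assume the moves were synced. Keep batch sizes below the AD Connect export deletion threshold (Get-ADSyncExportDeletionThreshold shows the current value) so a mistake in the staging state cannot be exported as a mass delete, and confirm the switch in Synchronization Service Manager by checking that the cloud object's metaverse entry is now joined from the ForestB connector only.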

  • Thanks, Jeff. We've purchased the licenses and will be using Quest Migration Manager for AD and not ADMT. I appreciate your help. I've done a number of migrations between on-premises AD forests and am looking for any changes I need to make for forests using Azure AD Connect (dirsync).

    Per your mention of this:

    "•Now move the source object from their current OU to OU=Excluded Object,DC=Source
    •AND move the Target object from OU=Excluded Object,DC=Target to Any other OU"

    Will Quest Migration Manager for AD do this for me or should I script it myself?


    Also, for this:

    "Quest Migration Manager for AD has a directory sync function that would allow you to cut all of the MS Dir Sync functions to the target"

    Are you saying I should create a directory synchronization job to sync objects from ForestA to ForestB and have dirsync operate only against ForestB? I plan to set up a directory sync job anyway as part of the migration so I can use that if so.
  • QMM AD can move the target object, but it cannot move the source object. So that you are going to need to handle yourself.

    What I am saying about the sync is that you could create all of the objects in the target and cut the MS Dir Sync over from source to target on day one, allowing QMM AD sync to maintain those objects.