Migrate user from forest that uses DirSync to Office 365 to new forest without user mails

  • Question

  • Hello,

    I have one 2008 R2 forest with domain name abc.local (for personnel, +- 400 users and 300 domain PCs).

    In the users' AD attributes, the mail parameter and SMTP address point to companyname.be.

    This forest is in sync with Office 365 via DirSync. (I cannot use AD FS because the domain name is not valid, so if I reset a password I have to do it two times: AD and Office 365.)

    I also have an existing 2008 R2 forest with companyname.be (for the students) without DirSync (+- 1500 users and 300 domain PCs), without mail.

    The old server hardware is going to be replaced by new hardware, and I want to clean up this duplicated forest situation (two times the administrative work, software deployment, ...)
    with one forest and domain on 2012 servers.

    I want to migrate the abc.local users to the forest of companyname.be without losing their Office 365 mail.

    So that I have one forest left and AD FS configured so there is only one password left, and if the users change their password in local AD or online in Office 365 it stays in sync. (I can delete the PCs of the abc.local forest and make them members of companyname.be.)

    Sunday, January 19, 2014 9:26 PM

All replies

  • Hi,

    When it comes to migration to a new root domain and forest, take a look at the ADMT guide.

    http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx

    I guess that could help you a lot, but note that it's not supported for Windows Server 2012 yet. There is an update on its way though. http://blogs.technet.com/b/askds/archive/2013/12/13/an-update-for-admt-and-a-few-other-things-too.aspx

    In the new versions of DirSync you also have the option to synchronize passwords to the cloud. It's not really your password, but a hash of the hash of your password. There are plenty of blog posts online explaining that part. The most important thing is that you don't need to maintain two sets of passwords. This also means that you don't need to implement ADFS, as you would get the Same Sign On experience that you want :)

    Your next step is to plan the Office 365 migration. If you follow the next steps it should be OK.

    Before you continue, make sure that you have added the UPN that the Office 365 users have today to the destination AD. The users need to get the same name and UPN in the new forest as they had in the old one. This is how we are able to map the new AD account to the Office 365 account. After the migration, and once Office 365 synchronization has been moved to the new forest, you can change the UPN.

    1. Install DirSync in the new forest, but configure it so that it only synchronizes a specific empty OU that will contain the migrated users. Also, do not start the synchronization yet.
    2. Before you migrate users from the old forest to the new one, stop DirSync in your old forest, and uninstall it. Then go to the Office 365 admin center and deactivate Active Directory synchronization. This turns all your users into In Cloud accounts. Then activate it again. Notice that this could take up to 72 hours. In my experience it's over in a few minutes.
    3. Migrate the users to the new forest, and make sure that the proxyAddresses and mail attribute matches the user in WAAD. Read more about SMTP matching at http://support.microsoft.com/kb/2641663/en
    4. Run Start-OnlineCoexistenceSync -FullSync in the new forest.
    5. The on-prem user should now be matched with the online user, and you are good to go.
       
      Note that if the on-prem objectGUID changes, you have to reset the immutableID, as these accounts have been synchronized with an AD earlier. Steve Halligan has created a nice PowerShell script for converting objectGUID to immutableID. You can download it from http://gallery.technet.microsoft.com/office/Covert-DirSyncMS-Online-5f3563b1. Recreate the immutableID and set it using Set-MsolUser. DirSync should then be happy.

    I have done this a few times in a lab, but have not been lucky enough to try it in a production environment, so make sure to take all the precautions that you can. Valid backups are one of them :)


    /Anders Eide


    • Edited by Anders Eide (MVP) Thursday, January 23, 2014 6:36 AM: Added some on password sync and ADFS
    Thursday, January 23, 2014 6:29 AM
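The following PowerShell is an added example, not code from the thread or from the script Anders links to. It covers steps 3 to 5 of the answer: after ADMT has created the accounts in the new forest (and therefore given each one a new objectGUID), it checks for every user in the DirSync-scoped OU whether the primary SMTP address on-prem finds exactly one Office 365 object (the SMTP-matching rule from KB2641663), whether the UPNs agree as the answer requires, and whether the cloud ImmutableId already equals the base64 of the new objectGUID. Only with -Apply does it reset the ImmutableId with Set-MsolUser; without it, it is a dry run. It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and that the OU path is a placeholder for the OU DirSync was scoped to in step 1.

```powershell
Import-Module ActiveDirectory
Import-Module MSOnline      # assumption: Connect-MsolService has already been run in this session

function ConvertTo-ImmutableId {
    # ImmutableId (the DirSync source anchor) is the base64 of the 16 raw GUID bytes,
    # not of the GUID string; ToByteArray() gives the byte order DirSync uses.
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction: shows which (old-forest) objectGUID a cloud object still points at.
    param([Parameter(Mandatory = $true)][string]$ImmutableId)
    New-Object System.Guid -ArgumentList (, [System.Convert]::FromBase64String($ImmutableId))
}

function Get-PrimarySmtp {
    # The primary SMTP address is the proxyAddresses entry with an upper-case 'SMTP:' prefix;
    # fall back to the mail attribute when proxyAddresses is not populated.
    param($User)
    $primary = @($User.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -gt 0) { return ($primary[0] -replace '^SMTP:', '').ToLowerInvariant() }
    if ($User.mail)           { return ([string]$User.mail).ToLowerInvariant() }
    return $null
}

function Test-MigratedUserMatch {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,   # the OU DirSync is scoped to
        [switch]$Apply                                       # without -Apply nothing is changed
    )

    # Index every cloud object by each of its SMTP addresses once, instead of querying per user.
    $bySmtp = @{}
    foreach ($cloud in Get-MsolUser -All) {
        foreach ($addr in $cloud.ProxyAddresses) {
            if ($addr -match '^smtp:(.+)$') { $bySmtp[$Matches[1].ToLowerInvariant()] = $cloud }
        }
    }

    $onPrem = Get-ADUser -SearchBase $SearchBase -Filter * -Properties mail, proxyAddresses
    foreach ($u in $onPrem) {
        $smtp     = Get-PrimarySmtp $u
        $expected = ConvertTo-ImmutableId $u.ObjectGUID
        $cloud    = if ($smtp) { $bySmtp[$smtp] } else { $null }

        $status = if (-not $smtp)  { 'NoSmtpAddress' }   # SMTP matching cannot work for this account
        elseif (-not $cloud)       { 'NoCloudObject' }   # DirSync would create a brand-new cloud user
        elseif ($cloud.UserPrincipalName -ne $u.UserPrincipalName) { 'UpnMismatch' }   # fix in AD first
        elseif ($cloud.ImmutableId -eq $expected) { 'AlreadyMatched' }
        elseif (-not $Apply)       { 'WouldResetImmutableId' }
        else {
            try {
                # Fails while the cloud object is still directory-synced (answer step 2 not done yet).
                Set-MsolUser -UserPrincipalName $cloud.UserPrincipalName -ImmutableId $expected -ErrorAction Stop
                'ImmutableIdReset'
            }
            catch { "Failed: $($_.Exception.Message)" }
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            PrimarySmtp    = $smtp
            CloudUpn       = if ($cloud) { $cloud.UserPrincipalName } else { $null }
            OldObjectGuid  = if ($cloud -and $cloud.ImmutableId) { ConvertFrom-ImmutableId $cloud.ImmutableId } else { $null }
            NewImmutableId = $expected
            Status         = $status
        }
    }
}

# Dry run first (placeholder OU), then apply, then run the full sync as the answer describes.
Test-MigratedUserMatch -SearchBase 'OU=Migrated,DC=companyname,DC=be' | Format-Table -AutoSize
# Test-MigratedUserMatch -SearchBase 'OU=Migrated,DC=companyname,DC=be' -Apply
# Start-OnlineCoexistenceSync -FullSync
```

Run the dry run before deactivating directory synchronization in the admin center: every row should read AlreadyMatched or WouldResetImmutableId. A NoCloudObject or UpnMismatch row means DirSync would create a duplicate cloud user (and a second mailbox) for that account on the full sync, so correct the proxyAddresses, mail or UPN in the new forest first.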