AD Migration UPN Conflict RRS feed

  • Question

  • Hey guys,

    I've got an interesting question around ADMT, UPN suffixes and ADFS for O365 applications. I've got an advisory request open for this too, however, it is taking time for Microsoft to come back with an answer, so whilst that is happening I thought I would post the question here too.

    We are moving from 2012 R2 on premise 'single label' domain to a new 2012 R2 on premise domain, reason for which is single label domains are not very well supported, we have had to put in a number of script fixes from Microsoft to get our domain working properly on 2012 R2, Dir Sync goes EOL next year and Azure AD connect does not support single label domains. We use ADFS and O365 for Office applications, Skype, One Drive for business and Exchange online which need to be migrated over to the target domain. A new ADFS infrastructure with the latest Azure AD connect will be present in the target domain.

    Our plan is to use ADMT to migrate our groups, users and computers to a new target domain, on our source domain we have UPN suffixes in place which are tied to our O365 applications through ADFS. From what we understand the UPN suffix can only exist in one of the domains at any one time, so when we migrate the users and computers to the new domain, to keep O365 authentication working, we will at that point need to migrate the UPN suffix, as well as deactivating our current source DirSync and re-activating Azure AD connect on the target domain. We understand the latest version of Azure AD connect to perform a ‘soft lock’ on the primary email address, which will match our target forest objects and will re-sync OK.

    The above scenario makes sense to us, however, because the UPN can only exist in one or the other domain at any one time, we are concerned that we will need to migrate all users in bulk at once in order to keep O365 applications working. This creates logistical challenges as we have hundreds of users and computers both inside and outside the organisation.

    Is there any way to have the UPN suffix co-exist in both domains, so we can migrate users in smaller batches and still provide authentication to O365 applications from both source and target domains until we migrate all users and computers? When we enter the UPN suffix into both, we get a conflict in AD Domains and Trusts and experience cross forest authentication issues. For example we can no longer resolve objects from the target forest or vice versa, ACLs break down and become non-resolvable - i.e show up as unmatched SIDs.

    This is both an ADFS and AD question, I don't seem to be able to post in both but seeing as this relates to O365 and ADFS I thought I'd post it in the ADFS forum first.

    Monday, November 7, 2016 8:34 AM

All replies

  • Of course, this reply is 3 year late, but maybe this will help someone else.  You can't have the UPN co-exist in both domains.   We just went through EXACTLY what you're going through "now" (technically, in 2016), and we had to migrate all users of a particular UPN over to the destination domain in bulk, at once.  Only then, were we able to decommission the old UPN in the old domain and use it in the new. 
    Thursday, October 17, 2019 2:54 PM