AD Connect behavior when removing UPN suffix?

  • Question

  • Greetings all. I have a client with an existing O365 tenant which is synced to their local AD. That legacy AD is being migrated to a new one; however, the UPN suffix on the legacy domain happens to exactly match the domain name of the new domain to which everyone will be migrated. Thus, UPN suffix routing in the trust is broken.

    I would like to remove the UPN suffix from the legacy domain as well as remove that suffix from all users via PowerShell. I do not believe this will have any impact on their current use of the legacy domain on premise. However, my concern is that AD Connect was configured to use the UPN as the login for O365, and currently all UPNs and primary SMTP addresses match and have been synced to Azure AD.

    I was hoping to re-install the latest version of AD Connect, stipulate email address as the login name, and perform a full sync. After which, I would remove the conflicting UPN suffix from AD with the hope that their logins to O365 would be unaffected.

    Has anyone performed a similar operation with positive results? The legacy domain is non-routable, hence their need for the UPN suffix in the first place. I'd like to avoid a case where, after the UPN suffix is removed, the next sync results in either duplicate users or renamed users with an onmicrosoft.com address.

    Thanks in advance for any help offered.

    Monday, June 1, 2020 10:43 PM

All replies

  • Hi GCHamby,

    Do you want to migrate AAD connect from a legacy AD to a new one which has the same domain name?

    If so, I think you will need to remove AAD Connect and the HCW from the legacy AD and keep all users in Azure AD. Then you could remove the attributes from the legacy AD as you want. After that, you could create a new AAD Connect with your new AD and sync the users back with soft-match.

    Actually, your question is about AAD Connect cross-forest migration; you could get more suitable support from the AAD Connect forum.

    Regards,

    Kyle Xu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, June 3, 2020 2:36 AM
  • Thanks Kyle. No, AAD Connect is already installed and syncing the old domain as well as the new. The issue is that the old domain has a conflicting UPN suffix interfering with ADMT and we want to remove that. We'd like to be able to use the email address as the sign-in to AAD or at least not have AD Connect mess up the existing UPN when it re-syncs after we remove the old UPN. Does that make sense?
    Thursday, June 4, 2020 2:11 PM
  • Thanks Kyle. No, AAD Connect is already installed and syncing the old domain as well as the new. The issue is that the old domain has a conflicting UPN suffix interfering with ADMT and we want to remove that. We'd like to be able to use the email address as the sign-in to AAD or at least not have AD Connect mess up the existing UPN when it re-syncs after we remove the old UPN. Does that make sense?

    I would suggest you try removing syncing with the old domain. Then change the UPN for the old users from "domain.com" to "domain2.com", then try to do a cross-forest migration from the old forest to the new forest. In this way, there will be no conflicts.

    Regards, 

    Kyle Xu



    Friday, June 5, 2020 8:19 AM
  • Hi GCHamby,

    I am writing to confirm with you how things are going now.

    If the above suggestion helps, please feel free to mark it as an answer to help more people.

    Regards,

    Kyle Xu



    Monday, June 8, 2020 7:51 AM
  • Thanks Kyle but removing the UPN suffix from the old domain and turning off sync from that domain isn't an option for us. I appreciate the offer though.
    Monday, June 8, 2020 7:00 PM
  • Thanks Kyle but removing the UPN suffix from the old domain and turning off sync from that domain isn't an option for us. I appreciate the offer though.

    It is just a temporary operation; after the migration, everything will be back to normal. You can choose a time when the server is idle to operate.

    Regards, 

    Kyle Xu



    Tuesday, June 9, 2020 6:08 AM
  • Hi GCHamby,

    Any update about this thread now?

    Regards, 

    Kyle Xu



    Tuesday, June 16, 2020 1:54 AM
  • No, not really. We will be scripting a movement of the users from the old domain to the new by exporting their properties and then creating new domain users with those same settings. We will plan to make the ms-ds-consistencyguid identical when the new user is created thus ensuring that AD Connect matches them up in the tenant. Feel free to close this thread.
    Tuesday, June 16, 2020 2:58 PM
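    As an added example (not code from this thread or from Microsoft), the ms-DS-ConsistencyGuid matching step described in the post above, in PowerShell: it copies the legacy user's anchor onto the already-created new-forest user and verifies it before the next AAD Connect sync. It assumes the ActiveDirectory module, that AAD Connect uses mS-DS-ConsistencyGuid as its source anchor, and placeholder DC names and account names.

```powershell
# Added example: copy mS-DS-ConsistencyGuid from the legacy user to the new-forest user and
# verify both sides agree. Server names and the account list are assumed placeholders.
Import-Module ActiveDirectory

$LegacyDC = 'dc01.legacy.local'       # assumed legacy-domain DC
$NewDC    = 'dc01.newdomain.example'  # assumed new-domain DC
$Accounts = @('jdoe', 'asmith')       # constructed sample sAMAccountNames
$Props    = @('mS-DS-ConsistencyGuid', 'mail', 'userPrincipalName')

function Get-ExpectedImmutableId {
    # Azure AD stores the source anchor as the Base64 of the GUID's raw bytes,
    # so this is the ImmutableId you should see on the cloud object after sync.
    param([byte[]]$ConsistencyGuid)
    return [Convert]::ToBase64String($ConsistencyGuid)
}

foreach ($sam in $Accounts) {
    $src = Get-ADUser -Server $LegacyDC -Identity $sam -Properties $Props
    $dst = Get-ADUser -Server $NewDC    -Identity $sam -Properties $Props
    if (-not $src.'mS-DS-ConsistencyGuid') {
        # Without the attribute, AAD Connect anchored on objectGUID; stamping an
        # arbitrary value here would not match the existing cloud object.
        Write-Warning "$sam : legacy user has no mS-DS-ConsistencyGuid, skipping"
        continue
    }
    $expected = Get-ExpectedImmutableId $src.'mS-DS-ConsistencyGuid'
    # Primary SMTP must still line up, or the cloud object's mail changes on sync.
    if ($src.mail -ne $dst.mail) {
        Write-Warning "$sam : mail differs (legacy '$($src.mail)' vs new '$($dst.mail)')"
    }
    $current = if ($dst.'mS-DS-ConsistencyGuid') {
        Get-ExpectedImmutableId $dst.'mS-DS-ConsistencyGuid'
    } else { $null }
    if ($current -ne $expected) {
        Set-ADUser -Server $NewDC -Identity $sam `
            -Replace @{ 'mS-DS-ConsistencyGuid' = $src.'mS-DS-ConsistencyGuid' }
    }
    # Re-read and confirm the anchor now matches the legacy object exactly.
    $check  = Get-ADUser -Server $NewDC -Identity $sam -Properties 'mS-DS-ConsistencyGuid'
    $actual = Get-ExpectedImmutableId $check.'mS-DS-ConsistencyGuid'
    if ($actual -eq $expected) {
        Write-Output "$sam : anchor OK, expected ImmutableId $expected"
    } else {
        Write-Error "$sam : anchor mismatch ($actual vs $expected); fix before next sync"
    }
}
```

    Compare the printed ImmutableId against the tenant object before enabling sync on the new forest; a mismatch there means the next sync would create a duplicate rather than match.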
  • No, not really. We will be scripting a movement of the users from the old domain to the new by exporting their properties and then creating new domain users with those same settings. We will plan to make the ms-ds-consistencyguid identical when the new user is created thus ensuring that AD Connect matches them up in the tenant. Feel free to close this thread.

    OK, hope you can migrate successfully. You can also share it here when it is complete.

    Regards, 

    Kyle Xu



    Thursday, June 18, 2020 5:07 AM