AD Migration: Target domain will share the same name as an existing Primary DNS zone and UPN in the source domain

  • Question

  • Ok I have a client that has a .local domain that is currently using AD Connect with a UPN that matches their external domain name.  They want to migrate to an internal domain that matches the external domain name, however this name will be the same as the UPN currently in use AND they have an AD integrated primary DNS zone that matches the UPN.

    i.e. existing domain is .local - the existing UPN and AD integrated primary DNS zone is something.com, which will be the name of the target domain

    1st question - what should I do about the existing primary domain name so that I can replace it with a conditional DNS forwarder to the new domain and create my trust relationship?

    2nd question - what should I do about the existing UPN since it is configured in Active Directory Domains and Trusts and it is in use on all the user accounts?

    • Edited by jpcapone Sunday, October 13, 2019 4:16 AM
    Sunday, October 13, 2019 4:13 AM

Answers

  • Once your migration is completed you ADD UPN suffix via domain.msc that is "target.com", then you can simply run a powershell script to replace the current UPN, "internal.target.com" with target.com.

    This should not have any impact as most of the domain users just use the domain\SamAccountName to login,

    Regards - Reza,

    Kindly Mark the Response as Answer :-)

    • Proposed as answer by Hasan Reza Sunday, October 13, 2019 9:37 PM
    • Marked as answer by jpcapone Sunday, October 13, 2019 9:48 PM
    Sunday, October 13, 2019 9:37 PM

All replies

  • I have been doing some research and it seems that best practice dictates that I migrate to a sub domain name of the external domain instead of using the same DNS name internally and externally.  That makes sense to me.  If I choose to go this route I am trying to envision how I would change the user logon names to match the external parent domain name so the users can use the same login name for the internal domain and O365.

    I.E. the internal AD domain will be migrated to internal.target.com and the users will go from logging in as user@domain.local to user@target.com for both AD and O365.

    Sunday, October 13, 2019 1:34 PM
  • Hi,

    Can you please let me know how many services are integrated with the current Active Directory and how many users there are. So accordingly someone can approach your suggestion.

    Regards,

    Deepak

    Sunday, October 13, 2019 3:33 PM
  • Thank you.  We are talking roughly 300 AD accounts, 311 groups and 280 computers.  There are also about 10 file servers.  We are going from Windows 2008 R2 to Windows 2019.  AD Connect is in use and there are no Exchange servers on prem.  Services include SCCM, Fortigate, Veeam Backup, Solarwinds and 2 Citrix provisioning servers.  The target domain will have 4 AD Sites with two sites having two domain controllers a piece and two sites having one domain controller a piece.
    Sunday, October 13, 2019 4:42 PM
  • Dear Jpcapone,

    What you are trying to do will have a lot of issues, how are you planning to do the DNS forwarding, there will be even issue that I have faced with UPN suffix routing in Trust,

    Some Details: https://www.microsoftpressstore.com/articles/article.aspx?p=2217267&seqNum=3

    Below is my suggestion 

    1- Create a new forest with different Name

    2-Enable SID history Migration

    3-Migrate Groups with SID (Empty Groups)

    4-Migrate the users

    5-Migrate Computers

    All during this time let the users migrated connect to old domain for resources , this should not be an issue as you have migrated the SID as well.

    6-SCCM server does not support cross forest migration (in either case)

    7-Migrate application that allow cross forest move (Any application which is no schema Agnostic should technically be migrated)

    8-Once all is done rename the AD Domain, this is a supported and straightforward process compared to trying to migrate with the same domain name at both ends,

    I hope the answer has helped,

    Thanks and regards,

    Hasan Reza

    KINDLY MARK THE RESPONSE AS ANSWER IF YOU FOUND IT HELPFUL, FOR OTHERS WITH A SIMILAR ISSUE TO BENEFIT FROM IT.

    • Proposed as answer by Hasan Reza Sunday, October 13, 2019 8:38 PM
    Sunday, October 13, 2019 8:38 PM
  • Ok I may have not been clear.  The current source domain is source.local while UPN of this domain is target.com.  I want to do the following:

    deploy a new domain named internal.target.com

    create DNS forwarding between the source.local and internal.target.com domains

    Migrate groups/users/computer

    My goal is to have the migrated users be able to login to the internal.target.com domain with username@target.com.  This username@target.com will match the current upn used by the source domain (which will go away after the migration is complete) and the O365 user login and email address.  Does that make sense?

    Sunday, October 13, 2019 9:06 PM
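    The DNS forwarding step described above, as an added example that is not part of the original thread. It assumes the DnsServer RSAT module, that it is run against a DNS server in each forest, and that the domain controller addresses and host names (10.10.0.x, 10.0.0.x, dc1.source.local, dc1.internal.target.com) are constructed placeholders. It also checks the point raised later in the thread: the source forest's existing authoritative target.com zone does not block a forwarder for internal.target.com, because Windows DNS selects the longest-matching zone name, but an already-existing zone with the exact name internal.target.com would, so the function looks for one before adding the forwarder.

```powershell
# Added example, not code from the thread. Requires the DnsServer module (RSAT)
# and rights to administer the DNS servers named in the calls below.
Import-Module DnsServer

function Add-ForestForwarder {
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,       # DNS name of the other forest
        [Parameter(Mandatory)] [string[]] $MasterServers,  # that forest's DNS server IPs
        [string] $ComputerName = $env:COMPUTERNAME          # DNS server to configure
    )

    # An authoritative parent zone (target.com) on the same server is not a
    # problem: the server picks the longest-matching zone, so a conditional
    # forwarder named internal.target.com is consulted before target.com.
    # A zone with the exact same name, however, would shadow the forwarder.
    $existing = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "$ComputerName already hosts a zone named $ZoneName (type $($existing.ZoneType)); review it before adding a forwarder."
        return
    }

    # Store the forwarder in AD so every DNS-enabled DC in the forest gets it.
    Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers `
        -ReplicationScope 'Forest' -ComputerName $ComputerName

    # Trust creation and Kerberos depend on the DC locator SRV records resolving
    # through the new forwarder, so verify that before going further.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ZoneName" -Type SRV -Server $ComputerName -ErrorAction Stop
    $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget, Port
}

# Source forest -> new forest (placeholder addresses)
Add-ForestForwarder -ZoneName 'internal.target.com' -MasterServers @('10.10.0.10', '10.10.0.11') -ComputerName 'dc1.source.local'

# New forest -> source forest; a two-way trust needs resolution in both directions.
Add-ForestForwarder -ZoneName 'source.local' -MasterServers @('10.0.0.10', '10.0.0.11') -ComputerName 'dc1.internal.target.com'
```

Run it from an account that is a DNS administrator in both forests; if the SRV lookup at the end fails, the trust wizard will fail too, so fix name resolution first rather than creating the trust by IP.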
  • Yes this is possible , and makes sense, 

    As far as the same UPN suffix does not co-exist in both the domains at the same time, it should be fine and workable.

    • Proposed as answer by Hasan Reza Sunday, October 13, 2019 9:10 PM
    Sunday, October 13, 2019 9:10 PM
  • Ok so in the source domain the UPN is target.com and there is a primary DNS zone called target.com.  Since the new target domain will be internal.target.com do I have to be worried about the existing primary DNS zone of target.com in the source domain?  I would think not but I just want to clarify.

    My other question is how can I make it so users login with username@target.com in the new internal.target.com domain?  I want the users to have the same login for O365 and the internal domain.

    Sunday, October 13, 2019 9:17 PM
  • In the source domain the AD DNS is Target.com and in the target it is "internal.target.com", now the AD DNS considers each of these as a complete domain name. A zone is not created in hierarchy, e.g. Target.com and then within that internal, that you would think would conflict,

    Regards - Reza

    Please don't forget to Mark the response as answer if it has helped

    • Proposed as answer by Hasan Reza Sunday, October 13, 2019 9:25 PM
    Sunday, October 13, 2019 9:25 PM
  • Ok I got it.  So I don't have to worry about a conflict between the primary dns and UPN of target.com in the source (domain.local) domain and forwarding DNS requests to internal.target.com of the target domain. GREAT!

    Now what extra work do I have to do to make the user login in internal.target.com match the upn used for O365?

    Sunday, October 13, 2019 9:29 PM
  • Once your migration is completed you ADD UPN suffix via domain.msc that is "target.com", then you can simply run a powershell script to replace the current UPN, "internal.target.com" with target.com.

    This should not have any impact as most of the domain users just use the domain\SamAccountName to login,

    Regards - Reza,

    Kindly Mark the Response as Answer :-)

    • Proposed as answer by Hasan Reza Sunday, October 13, 2019 9:37 PM
    • Marked as answer by jpcapone Sunday, October 13, 2019 9:48 PM
    Sunday, October 13, 2019 9:37 PM
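    The accepted answer's two steps (register the target.com suffix on the forest, then rewrite each user's UPN) as an added example; this is not the script the answerer refers to, and it is not the thread's own code. It assumes the ActiveDirectory RSAT module, rights to edit the forest UPN suffix list and the user objects in the new internal.target.com forest, and that target.com is already a verified domain in the O365 tenant. The file path and the two suffix values are taken from the thread's naming and are placeholders. Beyond what the answer states, it writes a rollback record first and refuses any new UPN that another object already holds, since UPNs must be unique in the forest and a duplicate breaks Kerberos logon and the UPN suffix routing the thread mentions.

```powershell
# Added example, not the thread's script. Requires the ActiveDirectory module
# (RSAT) and rights on the forest and user objects of internal.target.com.
Import-Module ActiveDirectory

function Set-MigratedUpnSuffix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $OldSuffix,   # suffix users got at migration, e.g. internal.target.com
        [Parameter(Mandatory)] [string] $NewSuffix,   # suffix matching the O365 sign-in name, e.g. target.com
        [Parameter(Mandatory)] [string] $BackupCsv    # pre-change UPNs are written here for rollback
    )

    # 1. Register the suffix on the forest (PowerShell equivalent of adding it in domain.msc).
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $NewSuffix) {
        if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $NewSuffix")) {
            Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
        }
    }

    # 2. Collect the accounts to change and save a rollback record before touching any.
    $users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -Properties UserPrincipalName
    $users | Select-Object SamAccountName, DistinguishedName, UserPrincipalName |
        Export-Csv -Path $BackupCsv -NoTypeInformation

    # 3. Rewrite each UPN, skipping any value that another object already holds.
    #    UPNs must be unique in the forest; a duplicate breaks Kerberos logon
    #    and UPN suffix routing across the trust.
    foreach ($u in $users) {
        $newUpn = ($u.UserPrincipalName -split '@')[0] + '@' + $NewSuffix
        $clash  = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" -ErrorAction SilentlyContinue
        if ($clash -and $clash.DistinguishedName -ne $u.DistinguishedName) {
            Write-Warning "Skipping $($u.SamAccountName): $newUpn already belongs to $($clash.DistinguishedName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Change UPN to $newUpn")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
        }
    }
}

# Dry run first: -WhatIf reports every planned change without making it.
Set-MigratedUpnSuffix -OldSuffix 'internal.target.com' -NewSuffix 'target.com' `
    -BackupCsv 'C:\Temp\upn-before.csv' -WhatIf

# Real run once the dry-run output has been reviewed:
# Set-MigratedUpnSuffix -OldSuffix 'internal.target.com' -NewSuffix 'target.com' -BackupCsv 'C:\Temp\upn-before.csv'
```

Two caveats that follow from the thread: run this only after the source domain has stopped using target.com as a UPN suffix, because the answerer's condition is that the same suffix must not exist in both forests at the same time; and for a managed (non-federated) tenant, Azure AD only applies a UPN change coming from AD Connect when the SynchronizeUpnForManagedUsers directory sync feature is enabled, otherwise the cloud sign-in name stays as it was after the next sync.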
  • You definitely answered my question.  Theoretically, if I wanted to go with the domain name of target.com in the new domain can't I just delete the current primary DNS of target.com in the source domain and remove the UPN as well?  Then deploy the new domain with target.com - create the DNS forwarder to target.com and then migrate from source to target?
    Sunday, October 13, 2019 9:54 PM
  • GLAD I was able to help :-)
    Sunday, October 13, 2019 9:56 PM