Replace on-prem AD while retaining current Azure AD/Exchange Online accounts/mailboxes

  • Question

  • Hi,

    I'm planning on doing the following and am seeking the forum's expertise on whether it will work or not.

    Background: Small customer (15 users) with existing AD synced to O365-tenant and using Exchange Online.

    Mission: Replace existing on-prem AD with new AD + changing username-standard while retaining all O365 data.

    My theory is that the following should work:

    1. Create new on-prem AD and manually create new users with new username-standard.

    2. Detach O365-tenant from old AD Dirsync client.

    3. Rename AAD-users to match new AD-standard. User-mapping (UPN + ProxyAddresses - SMTP: matched)

    4. Attach new AD to O365 with Azure AD Connect. (On-prem AD will sync new passwords to AAD.)

    Anyone done this before or see any issues with my plan?

    Best regards!

    Thursday, November 7, 2019 10:13 AM

All replies

  • Hi, 

    This plan would work, but not as is, and needs to be modified. The problem will be caused by the Immutable ID attribute in Azure AD, which is populated with the mS-DS-ConsistencyGuid attribute (this by default uses Object GUID).

    For the matching to happen based on UPN + proxy address, the Immutable ID has to be blank in the cloud. 

    So, in your action plan, I would add the following steps between steps 2 and 3:

    a) Disable the sync at the tenant level. (This will convert the users to managed users and can take up to 72 hours depending on the environment)

    b) Set the Immutable ID attribute to null for all the users.

    After this, when you enable the sync by running AD Connect in the new AD environment, the match will happen based on UPN and Proxy address.

    Note: Generally, Microsoft recommends using the AD migration tool to migrate users from the old AD to the new AD. This prevents a lot of issues that can occur during manual creation. If you use the ADMT tool, then all you have to do is populate the mS-DS-ConsistencyGuid attribute of the user in the new environment with the Object GUID of the user from the old environment, and then your action plan will work without any problem.

    You can use either method depending on familiarity with the tools. Hope this helps.

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Thursday, November 7, 2019 12:00 PM
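    The "disable sync, then blank the Immutable ID" path from the reply above, as an added PowerShell example that is not part of the thread. It uses the MSOnline module cmdlets (Get-MsolCompanyInformation, Get-MsolUser, Set-MsolUser) and refuses to clear anything until the tenant reports directory sync as fully disabled, since the soft match on UPN and proxyAddresses only works against users whose ImmutableId is empty. The -WhatIf run and the review step are there so the change is inspected before it is made.

```powershell
# Added example (not from the thread): audit and clear ImmutableId on cloud users
# after directory sync has been disabled at the tenant level, so that the later
# UPN/proxyAddress soft match from the new forest can take place.
# Requires the MSOnline module and a Global Administrator sign-in.

Import-Module MSOnline
Connect-MsolService   # interactive sign-in

function Assert-DirSyncDisabled {
    # Blanking ImmutableId only makes sense once the tenant is no longer synced.
    # After Set-MsolDirSyncEnabled -EnableDirSync $false the status can sit at
    # "PendingDisabled" for a long time (the thread mentions up to 72 hours).
    $company = Get-MsolCompanyInformation
    if ($company.DirectorySynchronizationStatus -ne 'Disabled') {
        throw ("Directory sync is not yet disabled (status: {0}). " -f $company.DirectorySynchronizationStatus) +
              "Run Set-MsolDirSyncEnabled -EnableDirSync `$false and wait for the status to become Disabled."
    }
}

function Get-UsersWithImmutableId {
    # Every user that still carries a source anchor from the old forest
    Get-MsolUser -All |
        Where-Object { $_.ImmutableId } |
        Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
}

function Clear-ImmutableId {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)

    Assert-DirSyncDisabled
    foreach ($upn in $UserPrincipalName) {
        if ($PSCmdlet.ShouldProcess($upn, 'Clear ImmutableId')) {
            # Passing the string "$null" is how Set-MsolUser blanks the attribute
            Set-MsolUser -UserPrincipalName $upn -ImmutableId "$null"
        }
    }
}

# Review first, then run again without -WhatIf once the list looks right
$candidates = Get-UsersWithImmutableId
$candidates | Format-Table -AutoSize
Clear-ImmutableId -UserPrincipalName $candidates.UserPrincipalName -WhatIf
```

    Re-running Get-UsersWithImmutableId afterwards should return nothing; any user still listed would be hard-matched (or fail to match) when Azure AD Connect is started against the new forest.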
  • Hi Manoj,

    Thanks for your reply.

    Okay, I will look into the AD Migration Tool method.
    If using ADMT, I don't need to wait the (up to) 72 hours?

    I just had a look in the "old" AD and mS-DS-ConsistencyGUID is empty right now, that's correct right?
    After I have migrated with ADMT I guess it will still be empty and I just enter the old Object GUID as the mS-DS-ConsistencyGUID? Just to confirm.

    Thanks and best regards!

    Thursday, November 7, 2019 12:31 PM
  • Hi, 

    Yes, you wouldn't have to disable sync so you will not have much delay in the process. 

    You can use the ADMT tool to create a simple rule which copies the Object GUID from the old AD to the mS-DS-ConsistencyGuid in the new AD. (You can do it manually as well.)

    While running AD Connect in the new AD, ensure that you select mS-DS-ConsistencyGuid as the Source Anchor when prompted.

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Friday, November 8, 2019 5:55 AM
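    The manual variant of the copy described above, as an added PowerShell example that is not from the thread or from ADMT: for each migrated user it reads the old forest's objectGUID, writes it into mS-DS-ConsistencyGuid on the new forest's user, and then checks that the base64 form of that GUID equals the ImmutableId Azure AD already holds for the mailbox, which is exactly the condition under which the new AD Connect install (with mS-DS-ConsistencyGuid chosen as source anchor) will hard-match instead of creating duplicates. The DC hostnames and the old-to-new sAMAccountName mapping are placeholders constructed for the example, since the username standard changes during the move.

```powershell
# Added example (not from the thread): stamp mS-DS-ConsistencyGuid in the new
# forest with the old forest's objectGUID and verify it against the cloud anchor.
# Requires the ActiveDirectory (RSAT) and MSOnline modules.

Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

$OldDC = 'dc01.old.example'   # placeholder: a DC in the old forest
$NewDC = 'dc01.new.example'   # placeholder: a DC in the new forest

# Constructed mapping of old to new sAMAccountName; in practice export it from ADMT
$UserMap = @(
    [pscustomobject]@{ Old = 'jsmith'; New = 'john.smith' }
    [pscustomobject]@{ Old = 'adoe';   New = 'anna.doe'   }
)

function ConvertTo-ImmutableId {
    # Azure AD stores the source anchor as base64 of the GUID's 16 raw bytes
    param([Parameter(Mandatory)][guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function Get-ConsistencyGuid {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Server $Server -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    if ($u.'mS-DS-ConsistencyGuid') { [guid][byte[]]$u.'mS-DS-ConsistencyGuid' } else { $null }
}

function Set-ConsistencyGuidFromOldForest {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$OldSam, [Parameter(Mandatory)][string]$NewSam)

    $oldGuid = (Get-ADUser -Server $OldDC -Identity $OldSam).ObjectGUID
    $current = Get-ConsistencyGuid -Server $NewDC -SamAccountName $NewSam

    # Never silently re-anchor a user that already carries a different value
    if ($current -and $current -ne $oldGuid) {
        throw "$NewSam already has mS-DS-ConsistencyGuid $current; refusing to overwrite with $oldGuid"
    }
    if ($PSCmdlet.ShouldProcess($NewSam, "Set mS-DS-ConsistencyGuid = $oldGuid")) {
        Set-ADUser -Server $NewDC -Identity $NewSam -Replace @{ 'mS-DS-ConsistencyGuid' = $oldGuid.ToByteArray() }
    }
    $oldGuid
}

function Test-CloudAnchorMatch {
    # Compare the anchor the new forest will present with what Azure AD holds today
    param([Parameter(Mandatory)][string]$Upn, [Parameter(Mandatory)][guid]$Guid)
    $expected = ConvertTo-ImmutableId -Guid $Guid
    $cloud    = Get-MsolUser -UserPrincipalName $Upn
    [pscustomobject]@{
        UPN              = $Upn
        ExpectedAnchor   = $expected
        CloudImmutableId = $cloud.ImmutableId
        Match            = ($cloud.ImmutableId -eq $expected)
    }
}

# Dry run: report what would be written and whether each anchor already matches
foreach ($m in $UserMap) {
    $guid   = Set-ConsistencyGuidFromOldForest -OldSam $m.Old -NewSam $m.New -WhatIf
    $newUpn = (Get-ADUser -Server $NewDC -Identity $m.New).UserPrincipalName
    Test-CloudAnchorMatch -Upn $newUpn -Guid $guid
} | Format-Table -AutoSize
```

    Any row with Match = False means the cloud user's UPN was not renamed to the new standard (the thread's step 3) or its ImmutableId comes from a different object; sort those out before the first sync from the new forest, because AD Connect will otherwise create a second, unlicensed user next to the existing mailbox.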
  • Hi,

    Okay, awesome.

    You say I don't need to disable sync - so basically I don't need to do anything on the AAD-side? Not remove sync or anything?
    Just turn off the old dirsync-service on-prem and reconnect with new AD Connect? There won't be any conflicts since AAD is already syncing to old AD?

    Best regards

    Saturday, November 9, 2019 1:47 PM
  • Hi,

    Yes, you are correct. When you just stop the sync from your old server, Azure AD will be waiting for the next sync to run, and it will assume that you just moved to a new server when you run AD Connect again (this time with the new AD environment).

    IMP: Do not forget that you have to use mS-DS-ConsistencyGuid as your source anchor when you run AD Connect in your new environment.

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Monday, November 11, 2019 9:11 AM
  • Hi Hallberg,

    Just checking to see if Manoj's reply was helpful to you. If so, please remember to "mark as answer" so that others in the community who may have similar questions can more easily find a solution.

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Wednesday, November 13, 2019 10:34 PM
  • Please let us know if you were able to resolve the issue from the replies before. If you still have more questions please let us know with some additional information regarding your question and we'll try to resolve it. It may require additional support escalation if we are unable to resolve this on this msdn thread. 

    If there are no more follow-ups in regards to this, I will be marking an answer as answer. If you feel your question has not been answered, please let us know any more pending asks and we can try to follow up accordingly.


    - Frank H.

    Tuesday, November 26, 2019 7:50 PM
  • Please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions. Also please remember to post future questions on the new Q&A Forums here: Thanks

    Wednesday, December 11, 2019 7:06 PM