How to Move or Migrate On-Premises AD Account between Domain/Forest without losing the Azure AD Data

July 2, 2020

If you move an on-premises Active Directory user between a root domain and a child domain, or from one forest to another, Azure AD application data such as OneDrive, Office 365 and Exchange Online content will be missing when the user logs back in, and the user also loses all of the chats in the Teams application. Why do we see this behavior, and how do we fix it?


Why does switching an Azure-synced AD account between domains cause this issue?

While the user account is being moved from one domain or forest to another, Azure AD Connect (AADC) deletes the user's old identity from Azure AD and creates a new Azure AD identity. Deleting the old Azure AD account also deletes the application data associated with the user.


How to fix this without affecting the user experience

You can't just delete the account from the source domain and re-create the same account in the destination domain; you have to migrate the user to the new domain with the steps below to avoid the issue and the data loss.


Migrate users between on-premises Active Directory domains

  • Create a new user account in the destination domain in an OU that is not in the AADC sync scope (so that this account won't sync to Azure AD yet).
  • Get the ms-DS-ConsistencyGuid value from the old user account in the source domain and set the same value on the ms-DS-ConsistencyGuid attribute of the new user account in the destination domain.
  • Delete the old user object, or move it to a non-synced OU.
  • Move the new user object into the OU that is in the AADC sync scope.
  • Wait for the AADC delta sync.


If you are not using ms-DS-ConsistencyGuid as the sourceAnchor attribute for user objects, the above procedure won't work. You may consider changing the sourceAnchor attribute from ObjectGUID to ms-DS-ConsistencyGuid; then you can carry the ms-DS-ConsistencyGuid value of the old user over to the new user without losing the data.

If you are still using ObjectGUID as the sourceAnchor, use the steps below:

  • Disable the user object in the source domain.
  • Move the user object to a non-synced OU so that the object is deleted from Azure AD.
  • Create a new user account in the destination domain.
  • Get the ObjectGUID of the newly created on-premises user object.
  • Restore the previously deleted Azure AD account (using the Restore-MsolUser PowerShell command).
  • Make the restored user object cloud-only (using Set-MsolUserPrincipalName).
  • Convert the ObjectGUID value of the newly created user object to Base64.
  • Set the immutable ID of the restored cloud-only user object to the Base64-encoded ObjectGUID of the newly created user object (using Set-MsolUser with -ImmutableId).
  • Change the UPN of the cloud-only user to that of the newly created user object.
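Both procedures (the ms-DS-ConsistencyGuid copy and the ObjectGUID/ImmutableId re-link) in PowerShell, as an added example that is not from the original post: it assumes the ActiveDirectory and MSOnline modules are installed, all server names, sAMAccountNames and UPNs passed in are placeholders, and the temporary UPN used to make the account cloud-only is on the tenant's onmicrosoft.com domain. The ConsistencyGuid function reads the anchor back and compares it before you move the new object into the sync scope, since a mismatched anchor is exactly what produces a second Azure AD identity.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and MSOnline
# modules are installed and that all server names, sAMAccountNames and UPNs are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline

# Case 1: sourceAnchor is ms-DS-ConsistencyGuid. Copy the anchor from the source-domain
# user to the destination user while the destination user is still outside the sync scope.
function Copy-ConsistencyGuid {
    param([string]$SourceSam, [string]$SourceDc, [string]$TargetSam, [string]$TargetDc)
    $attr = 'mS-DS-ConsistencyGuid'
    $src = Get-ADUser -Identity $SourceSam -Server $SourceDc -Properties $attr
    if (-not $src.$attr) {
        throw "$SourceSam has no $attr; AADC is probably using ObjectGUID as sourceAnchor (see case 2)."
    }
    $anchor = [byte[]]$src.$attr
    Set-ADUser -Identity $TargetSam -Server $TargetDc -Replace @{ $attr = $anchor }
    # Read back and compare before moving the new object into scope: a mismatched anchor
    # is what makes AADC create a second Azure AD identity instead of matching the old one.
    $dst = Get-ADUser -Identity $TargetSam -Server $TargetDc -Properties $attr
    $expected = [Convert]::ToBase64String($anchor)
    $actual   = [Convert]::ToBase64String([byte[]]$dst.$attr)
    if ($expected -ne $actual) { throw "Anchor on $TargetSam ($actual) differs from source ($expected)." }
    return $expected   # Base64 form; this is the value Azure AD shows as ImmutableId
}

# Case 2: sourceAnchor is ObjectGUID. After the old object has left the sync scope and the
# cloud account has been deleted, restore it, make it cloud-only, re-point its ImmutableId at
# the new on-prem object's ObjectGUID and finally give it the new object's UPN.
function Set-ImmutableIdFromObjectGuid {
    param([string]$CloudUpn, [string]$TempCloudUpn, [string]$NewSam, [string]$NewDc)
    $new = Get-ADUser -Identity $NewSam -Server $NewDc -Properties UserPrincipalName
    # AADC builds ImmutableId as Base64 of the GUID's byte array, not of its string form.
    $immutableId = [Convert]::ToBase64String($new.ObjectGUID.ToByteArray())

    Restore-MsolUser -UserPrincipalName $CloudUpn
    # The post makes the account cloud-only with Set-MsolUserPrincipalName; the temporary
    # UPN is assumed to be on the tenant's onmicrosoft.com domain.
    Set-MsolUserPrincipalName -UserPrincipalName $CloudUpn -NewUserPrincipalName $TempCloudUpn
    Set-MsolUser -UserPrincipalName $TempCloudUpn -ImmutableId $immutableId
    Set-MsolUserPrincipalName -UserPrincipalName $TempCloudUpn -NewUserPrincipalName $new.UserPrincipalName
    return $immutableId
}

# Usage with placeholder values:
# Copy-ConsistencyGuid -SourceSam jdoe -SourceDc dc1.source.example -TargetSam jdoe -TargetDc dc1.dest.example
# Set-ImmutableIdFromObjectGuid -CloudUpn jdoe@example.com -TempCloudUpn jdoe@contoso.onmicrosoft.com -NewSam jdoe -NewDc dc1.dest.example
```

Run case 1 before the new object is moved into the synced OU; run case 2 only once the delta sync has removed the old object from Azure AD, otherwise the ImmutableId change is rejected for a still-synced user.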

Hopefully this helps you migrate user objects without creating a new identity and losing the user's old identity.


