Disable Azure AD connect
First, log on to the Azure AD Connect server you want to migrate away from, then perform the four steps below.
Install the Azure Active Directory Module for Windows PowerShell. For more information, see the following Microsoft website:
Connect to Azure AD by using Windows PowerShell. For more information about how to do this, see the following Microsoft website:
Disable directory synchronization. To do this, type the following cmdlet and press Enter:
Set-MsolDirSyncEnabled -EnableDirSync $false
Check that directory synchronization is fully disabled by running the following cmdlet periodically in Windows PowerShell:
*note: This can take up to 72 hours. The change causes no service interruption; all users can keep using their services as normal.
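The disable-and-wait procedure above, as an added example that is not part of the original post. It assumes the MSOnline module is installed and that the account used holds the Global Administrator role; the polling interval and the 72-hour timeout are my own choices based on the note above. The same Wait-DirSyncState function, called with -Enabled $true, covers the "check that it is enabled" step when synchronization is switched back on later.

```powershell
# Added example (not from the original post): disable directory synchronization
# and poll the tenant until it reports the change as complete.
Import-Module MSOnline
Connect-MsolService                      # prompts for tenant credentials

function Wait-DirSyncState {
    # Poll Get-MsolCompanyInformation until DirectorySynchronizationEnabled
    # equals $Enabled, or give up after $TimeoutHours. Returns $true on success.
    param(
        [Parameter(Mandatory)] [bool] $Enabled,
        [int] $IntervalMinutes = 30,     # my choice; the change can take up to 72 h
        [int] $TimeoutHours   = 72
    )
    $deadline = (Get-Date).AddHours($TimeoutHours)
    do {
        $info = Get-MsolCompanyInformation
        if ($info.DirectorySynchronizationEnabled -eq $Enabled) { return $true }
        $msg = '{0:u}  Enabled={1}  Status={2}  waiting {3} min' -f (Get-Date), `
               $info.DirectorySynchronizationEnabled, $info.DirectorySynchronizationStatus, $IntervalMinutes
        Write-Host $msg
        Start-Sleep -Seconds ($IntervalMinutes * 60)
    } while ((Get-Date) -lt $deadline)
    return $false
}

# -Force suppresses the confirmation prompt so the script can run unattended.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

if (Wait-DirSyncState -Enabled $false) {
    Write-Host 'Directory synchronization is disabled; users are now cloud-managed.'
} else {
    Write-Warning 'Directory synchronization is still enabled after the timeout; check the tenant before continuing.'
}
```

Do not proceed to the attribute and ImmutableID steps until the function returns $true: while the tenant still reports synchronization as enabled, the synced user objects remain read-only in Office 365.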
Install the new Azure AD connect
Once you have prepared or executed the steps above, you can install the Azure AD Connect tool on the new server.
The second step is to populate your new AD domain with all user accounts. It is important that you copy all information from the old domain (company name, job titles, etc.), and for Exchange Online it is especially important that these attributes are copied:
In a hybrid setup you need the attributes above plus the ones below:
What the attributes do:
- The UserPrincipalName (UPN) of the users is the login name to Office 365.
- ProxyAddresses are all your email addresses, both primary and alias.
- The legacyExchangeDN, is used if you previously have migrated from an Exchange on-premises to Office 365. It is used for internal addressing in Exchange. If it is removed you will not be able to reply to old emails, meeting invitations, and your Suggested Contacts will also fail.
- msExchRecipientTypeDetails sets the type of mailbox: user mailbox (1), linked mailbox (2), shared mailbox (4), legacy mailbox (8), room mailbox (16), equipment mailbox (13).
- msExchMasterAccountSid: this attribute of the target user object holds the objectSID of the source user account. It allows the user to connect to their own mailbox and to shared mailboxes.
- msExchRecipientDisplayType sets the type of account that is used (see the list of reference values).
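Copying the general attributes (company, title, etc.) and the Exchange attributes listed above from the old domain to the new one, as an added example that is not part of the original post. It assumes both domains have the Exchange schema, that accounts in the new domain already exist with the same sAMAccountName, and that $OldDC and $NewDC are placeholders for a domain controller in each domain. With $DryRun left at $true it only reports what it would change.

```powershell
# Added example (not from the original post): copy the mail-related attributes
# from each user in the old domain to the matching account in the new domain.
Import-Module ActiveDirectory

$OldDC  = 'dc01.olddomain.example'    # placeholder: a DC in the old domain
$NewDC  = 'dc01.newdomain.example'    # placeholder: a DC in the new domain
$DryRun = $true                       # $true = report only, no changes written

# Single-valued attributes are copied as-is, multi-valued ones as an array.
$single = 'legacyExchangeDN', 'msExchRecipientTypeDetails', 'msExchRecipientDisplayType',
          'mail', 'company', 'title', 'department'
$multi  = 'proxyAddresses'
$attrs  = @('userPrincipalName') + $single + $multi

$report = foreach ($old in Get-ADUser -Server $OldDC -Filter { mail -like '*' } -Properties $attrs) {
    try {
        $new = Get-ADUser -Server $NewDC -Identity $old.SamAccountName -Properties $attrs -ErrorAction Stop
    } catch {
        [pscustomobject]@{ User = $old.SamAccountName; Result = 'NoTargetAccount'; ProxyAddresses = 0; LegacyDN = $false }
        continue
    }

    # Only include attributes the source actually has; -Replace rejects $null values.
    $replace = @{}
    foreach ($a in $single) { if ($null -ne $old.$a)  { $replace[$a] = $old.$a } }
    foreach ($a in $multi)  { if ($old.$a.Count -gt 0) { $replace[$a] = @($old.$a) } }

    # Per the post, msExchMasterAccountSid on the target holds the objectSID of the
    # source account. Assumption: Set-ADUser accepts the SecurityIdentifier directly.
    $replace['msExchMasterAccountSid'] = $old.SID

    # Keep the UPN identical: it is the Office 365 login name. Its suffix must be
    # a verified domain in the tenant.
    Set-ADUser -Server $NewDC -Identity $new -Replace $replace `
               -UserPrincipalName $old.UserPrincipalName -WhatIf:$DryRun

    [pscustomobject]@{
        User           = $old.SamAccountName
        Result         = if ($DryRun) { 'WouldUpdate' } else { 'Updated' }
        ProxyAddresses = @($old.proxyAddresses).Count
        LegacyDN       = [bool]$old.legacyExchangeDN
    }
}
$report | Format-Table -AutoSize
```

Check the report for 'NoTargetAccount' rows and for users with zero proxy addresses or no legacyExchangeDN before setting $DryRun to $false: a user whose proxyAddresses are not copied will not be matched by the sync tool later, and a missing legacyExchangeDN produces the reply and calendar failures described above.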
Match Immutable ID
The third step is to make sure that the ImmutableID in Office 365, which is derived from the on-premises ObjectGUID attribute, is matched to the corresponding account in Azure Active Directory. If you rename your users, the ObjectGUID is untouched, and most of the time the ObjectGUID is used as the ImmutableID by default.
*note: if you have used a different attribute as the source anchor, make sure this part is covered.
We are moving to a new domain, so in this case the ObjectGUID will change. To handle this we have to clear the attribute in Office 365; Office 365 then generates new IDs for us. You can use the command below.
Set-MsolUser -UserPrincipalName "firstname.lastname@example.org" -ImmutableId "$null"
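Running the clear-ImmutableID command above for every synced user, with a backup first, as an added example that is not part of the original post. It assumes Connect-MsolService has already been run and that directory synchronization has been fully disabled (otherwise the tenant refuses the update); the CSV path is a placeholder.

```powershell
# Added example (not from the original post): clear the ImmutableId of every
# former synced user, after saving the existing values so the mapping can be
# restored if the migration has to be rolled back.
Import-Module MSOnline

$backup = "$env:USERPROFILE\immutableid-backup.csv"     # placeholder path

$users = @(Get-MsolUser -All | Where-Object { $_.ImmutableId })
$users | Select-Object UserPrincipalName, ObjectId, ImmutableId |
    Export-Csv -Path $backup -NoTypeInformation
Write-Host "Saved $($users.Count) ImmutableIds to $backup"

foreach ($u in $users) {
    # As in the post, the value is the quoted string "$null": a bare $null is
    # treated by the MSOnline cmdlet as "parameter not supplied" and leaves the
    # attribute unchanged, whereas "$null" expands to an empty string and clears it.
    try {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -ImmutableId "$null" -ErrorAction Stop
    } catch {
        Write-Warning "Could not clear ImmutableId for $($u.UserPrincipalName): $_"
    }
}

# Verify: no user should still carry an ImmutableId.
$remaining = @(Get-MsolUser -All | Where-Object { $_.ImmutableId })
if ($remaining.Count -eq 0) {
    Write-Host 'All ImmutableIds cleared.'
} else {
    Write-Warning "$($remaining.Count) users still have an ImmutableId:"
    $remaining | Select-Object UserPrincipalName, ImmutableId | Format-Table -AutoSize
}
```

Keep the backup CSV until the new sync has matched every user; it is the only record of the old ObjectGUID-to-account mapping once the old domain is gone.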
Enable AzureAD sync and reinstall Azure AD connect
The next step is to enable Azure AD connect in the Office 365 tenant.
Set-MsolDirSyncEnabled -EnableDirSync $true
Check that it is enabled:
After these steps, reinstall the Azure AD Connect sync tool on a server in the new domain. I strongly recommend using a new server for this step; reusing the old one can cause hard-to-diagnose errors or even break the sync, in which case you need to open a ticket with Microsoft.
When the installation and the full sync are done, the sync tool matches the users in Office 365 to the on-premises AD users by primary email address. When there is a match, a new ImmutableID is created and written to Azure AD.
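A post-sync check for the matching described above, as an added example that is not part of the original post. With the default ObjectGUID source anchor, the ImmutableID written to Azure AD is the base64 encoding of the new account's ObjectGUID bytes, so the script computes that expected value for every mail-enabled user in the new domain and compares it with what the tenant holds, keyed on the primary SMTP address the sync tool matches on. It assumes the ActiveDirectory and MSOnline modules, a completed Connect-MsolService, and $NewDC as a placeholder domain controller.

```powershell
# Added example (not from the original post): verify that every user in the
# new domain was matched by primary SMTP address and received the expected ImmutableId.
Import-Module ActiveDirectory
Import-Module MSOnline

$NewDC = 'dc01.newdomain.example'      # placeholder

function ConvertTo-ImmutableId {
    # Default source anchor: the ObjectGUID bytes, base64-encoded.
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-PrimarySmtp {
    # The primary SMTP address is the proxyAddresses entry with an upper-case 'SMTP:' prefix.
    param($ProxyAddresses)
    $p = @($ProxyAddresses) | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($p) { $p.Substring(5).ToLowerInvariant() }
}

# Index cloud users by primary SMTP address, the key the sync tool matches on.
$cloud = @{}
foreach ($m in Get-MsolUser -All) {
    $smtp = Get-PrimarySmtp $m.ProxyAddresses
    if ($smtp) { $cloud[$smtp] = $m }
}

$report = foreach ($u in Get-ADUser -Server $NewDC -Filter { proxyAddresses -like '*' } -Properties proxyAddresses) {
    $smtp     = Get-PrimarySmtp $u.proxyAddresses
    $expected = ConvertTo-ImmutableId $u.ObjectGUID
    $c = if ($smtp) { $cloud[$smtp] }

    if (-not $c)                          { $status = 'NoCloudUser' }
    elseif (-not $c.ImmutableId)          { $status = 'NotYetSynced' }
    elseif ($c.ImmutableId -eq $expected) { $status = 'Matched' }
    else                                  { $status = 'Mismatch' }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        PrimarySmtp    = $smtp
        Expected       = $expected
        InAzureAD      = $c.ImmutableId
        Status         = $status
    }
}

# Summary first, then every user that still needs attention.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Status -ne 'Matched' | Format-Table -AutoSize
```

'Mismatch' means Azure AD holds an ImmutableID that does not correspond to the new ObjectGUID, typically because the old value was never cleared or the user was matched to a different on-premises object; 'NoCloudUser' usually means the primary SMTP address differs between the two sides, which is what the attribute-copy step is meant to prevent.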