AD Forest Merger

Anthony.Vandenbossche posted this 4 weeks ago

Hi Guys,

Me again ☺. This time a question concerning an AD forest migration. A customer wants to migrate his environment to a greenfield AD forest. Great! However, I am wondering about the following. The source forest contains an ADFS farm that is used for, among other things, federation of Azure AD and Office 365. When we migrate a user and his PC to this new forest, how would the authentication flow work? As we have Windows Authentication enabled, what would happen?

Kind regards,

ANTHONY VAN DEN BOSSCHE

barkills posted this 4 weeks ago

At the heart of this are the documented concepts (https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-design-concepts) where the UPN or anchor (or proxyAddresses) need to match for an existing AAD user to be linked/matched with an on-premises AD user. Getting your anchor attribute configured so you can manage the transition will be one key. AAD Connect has switched from recommending the objectGUID to msDS-ConsistencyGuid as the anchor, and the rationale behind this change is so it can support scenarios like the one you have.

Brian
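The matching rules Brian refers to come down to one value: AAD Connect base64-encodes the 16 bytes of the source anchor (objectGUID, or msDS-ConsistencyGuid once that is the configured anchor) and stores the result as the cloud user's ImmutableId; if that value no longer lines up after the forest move, only a soft match on UPN or proxyAddresses can re-link the objects. The script below is an added example, not code from the thread or from Microsoft, that reproduces that derivation offline and classifies a constructed set of users so you can see which accounts are safe to move and which still need msDS-ConsistencyGuid carried over from the source forest. The user records, GUIDs and the assumption that the cloud side is keyed by UPN are constructed for the example; in practice the on-premises columns would come from an export of the source and target forests and the cloud column from Azure AD.

```python
import base64
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional


def immutable_id_from_guid(guid: str) -> str:
    """Derive the ImmutableId AAD Connect would write for a 16-byte anchor.

    .NET's Guid.ToByteArray() emits the first three GUID fields little-endian,
    which is exactly what uuid.UUID(...).bytes_le returns; the sync engine then
    base64-encodes those bytes. Using the textual GUID directly would give a
    different (wrong) ImmutableId, which is the classic cause of mismatches.
    """
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


@dataclass
class OnPremUser:
    """User as it will exist in the target (greenfield) forest."""
    upn: str
    object_guid: str                  # objectGUID assigned by the target forest
    consistency_guid: Optional[str]   # msDS-ConsistencyGuid, None if never populated


@dataclass
class CloudUser:
    """Azure AD user; immutable_id is None for a cloud-only or never-synced object."""
    upn: str
    immutable_id: Optional[str]


def effective_anchor(user: OnPremUser) -> str:
    # With msDS-ConsistencyGuid as the anchor, AAD Connect writes objectGUID into
    # the attribute on first sync when it is empty; the same rule is applied here.
    return user.consistency_guid or user.object_guid


def classify(onprem: List[OnPremUser], cloud: List[CloudUser]) -> Dict[str, str]:
    """Return {upn: status} describing how each target-forest user will match in AAD.

    hard_match            anchor-derived ImmutableId equals the cloud ImmutableId
    soft_match_candidate  cloud object has no ImmutableId; UPN/proxyAddresses matching applies
    anchor_mismatch       cloud object is bound to a different anchor; sync would not link
    no_cloud_object       UPN not present in Azure AD
    """
    by_upn = {c.upn.lower(): c for c in cloud}   # assumption: UPN is the join key
    result: Dict[str, str] = {}
    for u in onprem:
        expected = immutable_id_from_guid(effective_anchor(u))
        c = by_upn.get(u.upn.lower())
        if c is None:
            result[u.upn] = "no_cloud_object"
        elif c.immutable_id is None:
            result[u.upn] = "soft_match_candidate"
        elif c.immutable_id == expected:
            result[u.upn] = "hard_match"
        else:
            result[u.upn] = "anchor_mismatch"
    return result


def needs_consistency_guid(onprem: List[OnPremUser]) -> List[str]:
    """UPNs whose anchor would be the target forest's fresh objectGUID.

    These are the accounts to backfill with the source forest's anchor value
    before the first sync from the new forest, otherwise the cloud ImmutableId
    will never match and the user will have to rely on a soft match.
    """
    return [u.upn for u in onprem if u.consistency_guid is None]


# Constructed sample data (not real directory values).
SRC_ANCHOR_ALICE = "12345678-1234-5678-9abc-def012345678"   # copied from source forest
SRC_ANCHOR_BOB = "00000000-0000-0000-0000-000000000001"     # still only in source forest

TARGET_FOREST_USERS = [
    OnPremUser("alice@example.com", "c0ffee00-0000-4000-8000-000000000001", SRC_ANCHOR_ALICE),
    OnPremUser("bob@example.com", "c0ffee00-0000-4000-8000-000000000002", None),
    OnPremUser("carol@example.com", "c0ffee00-0000-4000-8000-000000000003", None),
    OnPremUser("dave@example.com", "c0ffee00-0000-4000-8000-000000000004", None),
]

AZURE_AD_USERS = [
    CloudUser("alice@example.com", immutable_id_from_guid(SRC_ANCHOR_ALICE)),
    CloudUser("bob@example.com", immutable_id_from_guid(SRC_ANCHOR_BOB)),
    CloudUser("carol@example.com", None),
]

if __name__ == "__main__":
    for upn, status in classify(TARGET_FOREST_USERS, AZURE_AD_USERS).items():
        print(f"{upn:20} {status}")
    print("backfill msDS-ConsistencyGuid for:", needs_consistency_guid(TARGET_FOREST_USERS))
```

Alice hard-matches because her source anchor was carried over; Bob is the case to worry about, since his cloud object is bound to the source forest's GUID while the target forest object would sync with a new one; Carol can still be picked up by the UPN/proxyAddresses soft match; Dave has no cloud object at all.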


cduers posted this 4 weeks ago

Yes, the UPN question is trickier, but it can be accommodated when the destination forest has a different UPN suffix. The trick with Azure is how you handle the forest transition re: AADConnect.

Christopher Duers
XL Catlin, Identity and Security
203-979-3914
chris.duers@xxxxxxxxxxxxxxxx


Anthony.Vandenbossche posted this 4 weeks ago

Even when there is a shared UPN namespace? Or will we need to transition with another UPN suffix?


cduers posted this 4 weeks ago

If there is a two-way trust, that will work, without having to immediately move the farm.

Christopher Duers
XL Catlin, Identity and Security
203-979-3914
chris.duers@xxxxxxxxxxxxxxxx

On Oct 25, 2017, at 7:32 AM, Anthony Van den bossche wrote:

[quoted original post omitted; see the top of the thread]
